M S Sulthan Legal Associates

UAE Federal PDP Law: 10 Key Compliance Points & GDPR Comparison

UAE Federal Personal Data Protection Law

1. Introduction
Considering the demands of contemporary digital culture, the UAE enacted Federal Decree Law No. 45 of 2021—the Federal Personal Data Protection Law (“PDP Law”)—to implement Article 31 of the Constitution guaranteeing privacy rights. Effective January 2, 2022, with Executive Regulations following within six months, the PDP Law represents the first federal data-privacy framework developed in collaboration with major technology companies.

2. Scope, Applicability & Exemptions

The PDP Law protects the personal data of UAE residents and applies both territorially and extraterritorially:

  • Territorial scope: Entities in the UAE processing personal data of individuals inside or outside the country.
  • Extraterritorial scope: Entities outside the UAE processing personal data of UAE residents.

Exemptions include:

  • Government data and agencies
  • Free-zone entities governed by DIFC/ADGM laws
  • Judicial and security authorities
  • Personal or household data processing
  • Banking and credit data under other statutes

3. Ten Key Compliance Points

  1. Privacy Principles: Personal data must be processed fairly, transparently and legitimately (Art. 5), with accuracy, data minimization, secure storage and destruction controls.
  2. Consent for Processing: Consent is mandatory (Art. 4), except where processing serves public interest, health, contracts or legal obligations.
  3. Individual Privacy Rights: Data subjects may access, rectify, delete or object to processing of their data; businesses must establish procedures to handle such requests.
  4. Record of Processing: Controllers must maintain detailed processing records—data categories, access controls, purposes, retention and erasure mechanisms (Art. 7).
  5. Third-Party Management: Due diligence and contractual safeguards are required before sharing data with processors.
  6. Cross-Border Transfers: Transfers are permitted only to jurisdictions with adequate protection (Art. 22); otherwise derogations apply (e.g. Standard Contractual Clauses per Art. 23).
  7. Processor Obligations: Data processors may act only on controller instructions, must maintain confidentiality, and must delete data at the end of processing (Art. 8).
  8. Privacy Impact Assessments: Conduct DPIAs for any new processing likely to affect data subject rights, documenting nature, scope, purpose and risks (Art. 21).
  9. Breach Notification: Notify data subjects and the Data Office without undue delay upon any personal data breach (Art. 9).
  10. Data Protection Officer: Appoint a qualified DPO to oversee compliance, for both controllers and processors (Art. 10).

4. Comparison with EU GDPR

  1. Scope & Extraterritoriality: Both laws apply beyond borders, but the PDP Law applies automatically to all processing of UAE resident data, whereas GDPR’s extraterritorial reach is activity-based (Art. 3 GDPR).
  2. Legal Basis for Processing: GDPR recognizes six bases; the PDP Law relies primarily on consent, with limited exceptions.
  3. Data Subject Rights: Both grant rights of access, rectification, erasure, restriction, objection and portability, though the PDP Law may restrict rights for public security or repetitive requests.
  4. Children’s Data: GDPR prescribes age thresholds and parental consent; the PDP Law contains no specific children’s provisions.
  5. Record-Keeping: Both require detailed processing records.
  6. Enforcement & Penalties: GDPR fines reach up to €20 million or 4% of turnover; the PDP Law vests fining power in the Council of Ministers, but amounts remain unspecified.

5. Conclusion

The PDP Law aligns the UAE with global best practices while reflecting local priorities. Businesses expanding into the UAE should leverage their GDPR frameworks, update policies, appoint DPOs and implement robust DPIAs to ensure seamless compliance.

Last updated: July 2025

Frequently Asked Questions

What is the UAE Federal Personal Data Protection Law?

Enacted as Federal Decree Law No. 45/2021 and effective January 2, 2022, the PDP Law is the UAE’s first comprehensive federal data privacy framework, developed in line with Article 31 of the Constitution.

Who does the PDP Law apply to?

It applies to any for-profit entity processing personal data of UAE residents—whether based inside or outside the UAE—subject to CPRA-style thresholds. Exemptions include government bodies, free-zone entities under DIFC/ADGM laws, personal data for private use, judicial authorities, and banking/health data under other regimes.

What are the key data subject rights?

Individuals have rights to access, rectify, erase, restrict or object to processing, and data portability. These mirror GDPR rights but may be limited for national security, public order, or repetitive requests.

What must businesses do before launching new data-driven features?

Conduct a Privacy Impact Assessment (DPIA) evaluating purpose, scope, data uses, and risks to data subjects—and implement mitigation measures before deployment.

Can personal data be transferred outside the UAE?

Only to jurisdictions with “adequate” data protection per Art. 22. If adequacy is absent, businesses may rely on exceptions such as Standard Contractual Clauses under Art. 23.

How does the PDP Law compare with the EU GDPR?

Both have extraterritorial reach and similar data subject rights. The PDP Law relies mainly on consent (with limited exceptions), while GDPR provides six legal bases. GDPR has detailed children’s data provisions; the PDP Law does not.

What are the penalties for non-compliance?

Administrative fines may be imposed by the Council of Ministers upon complaint to the Data Office. Specific amounts are determined by regulation and are designed to align with global best practices.

Who enforces the PDP Law?

Enforcement is overseen by the UAE Data Office, which may investigate breaches, impose injunctions, and recommend fines to the Council of Ministers.
