UAE Federal Personal Data Protection Law

1. Introduction
Considering the demands of contemporary digital culture, the UAE enacted Federal Decree Law No. 45 of 2021—the Federal Personal Data Protection Law (“PDP Law”)—to implement Article 31 of the Constitution guaranteeing privacy rights. Effective January 2, 2022, with Executive Regulations following within six months, the PDP Law represents the first federal data-privacy framework developed in collaboration with major technology companies.

2. Scope, Applicability & Exemptions

The PDP Law protects the personal data of UAE residents and applies both territorially and extraterritorially:

• Territorial scope: Entities in the UAE processing personal data of individuals inside or outside the country.
• Extraterritorial scope: Entities outside the UAE processing personal data of UAE residents.

Exemptions include:

• Government data and agencies
• Free-zone entities governed by DIFC/ADGM laws
• Judicial and security authorities
• Personal or household data processing
• Banking and credit data under other statutes

3. Ten Key Compliance Points

1. Privacy Principles Personal data must be processed fairly, transparently and legitimately (Art. 5), with accuracy, data minimization, secure storage and destruction controls.
2. Consent for Processing Consent is mandatory (Art. 4), except where processing serves public interest, health, contracts or legal obligations.
3. Individual Privacy Rights Data subjects may access, rectify, delete or object to processing of their data; businesses must establish procedures to handle such requests.
4. Record of Processing Controllers must maintain detailed processing records—data categories, access controls, purposes, retention and erasure mechanisms (Art. 7).
5. Third-Party Management Due diligence and contractual safeguards are required before sharing data with processors.
6. Cross-Border Transfers Transfers only to jurisdictions with adequate protection (Art. 22); otherwise derogations apply (e.g. Standard Contractual Clauses per Art. 23).
7. Processor Obligations Data processors may only act on controller instructions, maintain confidentiality, and delete data at the end of processing (Art. 8).
8. Privacy Impact Assessments Conduct DPIAs for any new processing likely to affect data subject rights, documenting nature, scope, purpose and risks (Art. 21).
9. Breach Notification Notify data subjects and the Data Office without undue delay upon any personal data breach (Art. 9).
10. Data Protection Officer Appoint a qualified DPO to oversee compliance, for both controllers and processors (Art. 10).

4. Comparison with EU GDPR

1. Scope & Extraterritoriality Both laws apply beyond borders, but the PDP Law applies automatically to all processing of UAE resident data, whereas GDPR’s extraterritorial reach is activity-based (Art. 3 GDPR).
2. Legal Basis for Processing GDPR recognizes six bases; the PDP Law relies primarily on consent, with limited exceptions.
3. Data Subject Rights Both grant rights of access, rectification, erasure, restriction, objection and portability, though PDP Law may restrict rights for public security or repetitive requests.
4. Children’s Data GDPR prescribes age thresholds and parental consent; the PDP Law contains no specific children’s provisions.
5. Record-Keeping Both require detailed processing records.
6. Enforcement & Penalties GDPR fines up to €20 million or 4% of turnover; PDP Law vests fine power in the Council of Ministers, but amounts remain unspecified.

5. Conclusion

The PDP Law aligns the UAE with global best practices while reflecting local priorities. Businesses expanding into the UAE should leverage their GDPR frameworks, update policies, appoint DPOs and implement robust DPIAs to ensure seamless compliance.

Last updated: July 2025