🇦🇪
UAE Personal Data Protection Law
Federal Decree-Law No. 45 of 2021 — Effective January 2, 2022
The UAE's first comprehensive federal data protection law, establishing rules for collecting, processing, and storing personal data. The UAE also has two major financial free zone data protection regimes, DIFC (Dubai) and ADGM (Abu Dhabi), each with its own GDPR-aligned law. Organizations operating in the UAE must navigate this multi-layered framework.
AED 2M
max fine under federal PDPL
~$545,000 USD
UAE's Three Data Protection Frameworks
FEDERAL
Federal PDPL
Decree-Law No. 45/2021 + Executive Regulations 2023
- Applies across all UAE mainland
- UAE Data Office is supervisory authority
- Covers personal data of individuals in the UAE
- Excludes government data, health data (separate law), banking data (CBUAE regulated)
DIFC
DIFC Data Protection Law
DIFC Law No. 5 of 2020 (amended 2024)
- Applies within Dubai International Financial Centre
- Commissioner of Data Protection (DIFC) supervises
- Closely aligned with GDPR
- Mandatory for DIFC-registered entities
- Max fine: $100,000 per violation
ADGM
ADGM Data Protection Regs
Data Protection Regulations 2021
- Applies within Abu Dhabi Global Market
- Office of Data Protection (ADGM) supervises
- Modeled on GDPR principles
- Mandatory for ADGM-registered entities
- Max fine: $28M per violation
Banking Implication:
Banks registered in DIFC or ADGM must comply with the respective free zone law in addition to any applicable federal requirements. Banks on UAE mainland follow the federal PDPL plus Central Bank of UAE (CBUAE) regulations. Many banks operate across multiple zones.
Federal PDPL: Key Principles Articles 4-7
1. Lawfulness & Transparency
Personal data must be processed lawfully, fairly, and transparently. Data subjects must be informed of processing purposes.
2. Purpose Limitation
Data collected for specified purposes only. Further processing must be compatible with the original purpose or require fresh consent.
3. Data Minimisation
Only collect personal data that is adequate, relevant, and necessary for the stated purpose.
4. Accuracy
Personal data must be accurate and kept up to date. Inaccurate data should be corrected or erased without delay.
5. Storage Limitation
Data must not be retained longer than necessary. Defined retention periods are required.
6. Security & Confidentiality
Appropriate technical and organizational measures must be taken to protect personal data.
Lawful Bases for Processing Articles 5-6
1. Consent
Clear, specific, informed, and unambiguous consent of the data subject
2. Contractual Necessity
Performance of a contract to which the data subject is a party
3. Legal Obligation
Compliance with legal obligations under UAE law
4. Public Interest
Necessary for performing a task in the public interest
5. Vital Interests
Protection of vital interests of the data subject or another person
6. Legitimate Interests
Controller's legitimate interest (not overriding data subject rights)
Data Subject Rights Articles 13-18
Right to be Informed
Transparent privacy notices
Right of Access
Access their personal data
Right to Rectification
Correct inaccurate data
Right to Erasure
Delete when no longer needed
Right to Restrict
Halt processing temporarily
Right to Portability
Receive data in a common format
Right to Object
Object to processing
Automated Decisions
Not be subject to solely automated decisions
Cross-Border Data Transfers Articles 22-23
Permitted Transfers
- To countries on the UAE Data Office's approved list (adequate protection)
- With explicit consent of the data subject
- Under standard contractual clauses (SCCs) approved by the UAE Data Office
- Necessary for contractual performance
- Required by UAE law or international agreements
Restrictions
- Controller must ensure adequate data protection in the receiving country
- Records of all cross-border transfers must be maintained
- DIFC: transfers only to countries with adequate protection or with safeguards
- ADGM: Binding Corporate Rules (BCRs) or approved mechanisms required
- CBUAE may impose additional restrictions on banking data transfers
Key Organizational Requirements
| Requirement | Framework | What It Means | Platform Feature |
|---|---|---|---|
| Data Protection Officer | Federal, DIFC | Appoint a DPO for large-scale or sensitive data processing | Users & Roles |
| Records of Processing | Federal, DIFC, ADGM | Maintain detailed records of all processing activities | Technical Metadata + Glossary |
| Data Protection Impact Assessment | DIFC, ADGM | Assess risks before high-risk processing activities | CDE Registry |
| Breach Notification | Federal, DIFC, ADGM | Report data breaches to the authority and affected individuals promptly | Audit Log |
| Data Protection by Design | DIFC, ADGM | Build privacy into systems from inception | Data Classification |
| Consent Management | Federal | Obtain and record clear consent; allow easy withdrawal | Approval Workflows |
Penalty Structure
FEDERAL PDPL
AED 2M
Maximum fine (~$545K USD). Fines determined by the UAE Data Office based on severity, nature, and duration of violation.
DIFC
$100K
Per violation. DIFC Commissioner can also issue enforcement notices, warnings, and compliance orders.
ADGM
$28M
Maximum financial penalty. ADGM can also issue enforcement actions, public censure, and impose conditions.
Central Bank of UAE (CBUAE) Data Regulations
Banks operating in the UAE must also comply with CBUAE regulations, which impose additional data governance requirements:
- Consumer Protection Regulation: Strict rules on collecting and using customer financial data
- Outsourcing Regulation: Requirements for third-party data processing including cloud services
- Cyber Security Framework: Technical controls for protecting customer data
- Data localization: Certain financial data must remain within the UAE or approved jurisdictions
- AML/KYC requirements: Customer due diligence data retention and processing obligations
- Open Banking: Emerging framework for customer data sharing between licensed institutions