Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) establishes the UAE’s first comprehensive federal data protection regime. It aligns the country with leading international privacy frameworks and supports its development as a global digital and financial hub. The law regulates how personal data is collected, used, stored, disclosed and transferred, and introduces enforceable rights for individuals alongside structured compliance responsibilities for organisations operating in or targeting the UAE.
The PDPL applies to the processing of personal data relating to individuals in the UAE, whether the controller or processor is located inside or outside the country. This provides the law with both territorial and extraterritorial reach. The regime applies to public and private sector entities, subject to limited exclusions, including entities in financial free zones such as the DIFC and ADGM, which maintain their own data protection frameworks.
The law is principle-based and technology-neutral, enabling it to adapt to evolving business models, digital transformation and emerging technologies while protecting privacy, confidentiality and individual autonomy. The UAE Data Office oversees enforcement and may issue implementing regulations, guidance and compliance expectations.
Core principles and governance duties
The PDPL is built on fundamental data protection principles that must guide all processing activities. These include lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Controllers must comply with these principles and be able to demonstrate compliance through appropriate governance measures.
In practice, this requires organisations to specify clear purposes for processing, collect only the personal data necessary to fulfil those purposes, maintain data accuracy, apply retention periods, and implement security measures proportionate to the risks to individuals. Accountability also requires organisations to establish internal policies, allocate responsibilities, train employees and maintain records of processing activities.
Legal bases, consent and Article 4 exceptions
Consent remains an important legal basis under the PDPL, but the law does not require explicit consent for all processing activities. Where organisations rely on consent, it must be clear, specific, informed and freely given, and individuals must be able to withdraw it. Controllers carry the burden of proving that valid consent was obtained.
Article 4 is particularly significant, as it identifies several legal bases that permit processing without consent. These include processing necessary for the performance of a contract, compliance with legal obligations, activities in the public interest or in the exercise of official authority, protection of vital interests, the establishment or defence of legal claims, certain employment-related purposes, and specific public health, research, archival or statistical processing where safeguards apply. These legal bases do not remove other obligations: transparency, purpose limitation, security and respect for data subject rights still apply. They simply prevent the unnecessary or inappropriate use of consent where another lawful basis exists.
Rights of data subjects
The PDPL grants individuals a set of rights intended to increase transparency and give greater control over their personal data. These include the right to be informed, the right of access, and the right to rectification of inaccurate or incomplete data. In defined circumstances, individuals may also have the right to erasure or restriction of processing.
Individuals may object to certain processing activities, including direct marketing, request data portability, and seek human intervention in decisions based solely on automated processing. Controllers must implement procedures to respond to such requests within prescribed timeframes and must verify the identity of individuals making requests. Organisations should maintain records of each request to demonstrate compliance during audits or investigations.
Controllers, processors and the DPO role
The PDPL distinguishes between controllers, who determine the purposes and means of processing, and processors, who process personal data on behalf of controllers. Controllers must ensure that processors provide adequate security and confidentiality guarantees and that processing activities are governed by written contracts. These contracts should address sub-processing, confidentiality, security measures, and the return or deletion of personal data at the end of the engagement.
In circumstances involving large-scale, high-risk or sensitive personal data processing, the PDPL anticipates the appointment of a Data Protection Officer (DPO). The DPO should have suitable expertise, operate with an appropriate level of independence, and have sufficient resources to advise on compliance, monitor internal practices, raise awareness and act as the contact point with the UAE Data Office.
Security, breach management and DPIAs
Security is central to the PDPL. Controllers and processors must implement technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure, loss or destruction. Depending on the risks involved, such measures may include encryption, pseudonymisation, access controls, activity logging, resilience and recovery capabilities, and regular testing of controls.
Where a personal data breach is likely to present a risk to individuals’ rights or freedoms, the controller must notify the competent authority and, in some cases, the affected individuals, within required timeframes. For high-risk processing operations, the PDPL contemplates the use of Data Protection Impact Assessments (DPIAs) to assess and mitigate privacy risks before initiating processing, particularly when new technologies, large-scale profiling or extensive sensitive data processing are involved.
Cross-border transfers and international operations
The PDPL recognises the importance of cross-border data flows and establishes a framework to regulate international transfers of personal data. Transfers may take place to jurisdictions that the UAE Data Office recognises as providing an adequate level of protection. Transfers to other jurisdictions require appropriate safeguards, such as contractual protections or approved intra-group arrangements, or may rely on limited derogations in specific circumstances.
These derogations include transfers necessary for the performance of a contract, important public interest reasons, the establishment or defence of legal claims, or the protection of vital interests when the individual cannot give consent. Organisations with regional or global operations should identify their data transfer flows, determine the appropriate transfer mechanism and ensure their contractual and operational arrangements meet PDPL requirements.
Enforcement and practical next steps for organisations
The UAE Data Office supervises compliance with the PDPL and may issue guidance, carry out investigations and impose administrative measures or penalties for breaches. When assessing a breach, factors such as the nature and duration of the infringement, the volume and sensitivity of the data involved, the level of negligence or intent, and the degree of cooperation are likely to be relevant.
From a practical perspective, organisations should prioritise mapping their processing activities; identifying appropriate legal bases with close attention to Article 4; updating privacy notices, internal policies and contracts with processors; appointing a DPO where required; and implementing staff training. Establishing procedures for data subject rights, breach response, DPIAs and cross-border transfer governance will support compliance and help build trust with customers, employees and stakeholders in an increasingly data-driven environment.
Note: This Legal Update / Newsletter is intended for general informational purposes only and should not be construed as legal advice. It is based on laws and legal interpretations in effect as of the date of publication. Laws and regulations may change over time, and their application can vary depending on individual circumstances. Readers are strongly encouraged to seek specific legal counsel before acting on any of the information provided herein.