Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
UAE PDPL
GoTrust is a hub for understanding the UAE's Personal Data Protection Law (PDPL). This page gathers the official text of the law (Federal Decree-Law No. 45 of 2021), its compliance provisions, and key implementation details in one place.
As your compliance partner, we translate the law's requirements into actionable steps for your business. The PDPL is the UAE's federal data protection framework: it safeguards personal data, gives individuals enforceable privacy rights, and holds controllers and processors accountable for how personal data is processed across industries.
Personal Data Protection Law
The Personal Data Protection Law protects individuals' privacy and governs how organizations collect, process, store, and share personal data. It requires transparency, accountability, and secure handling of personal data, including sensitive data, and so helps to build trust in digital services.
Comparing the UAE PDPL with EU GDPR
| Aspect of Law | EU GDPR | UAE PDPL |
|---|---|---|
| Scope & Applicability | Applies to any organization processing the personal data of individuals in the EU, whether or not the organization is established in the EU. | Applies to controllers and processors established in the UAE, and to those outside the UAE that process the personal data of individuals in the UAE. Government data, government entities, personal health and banking data already governed by their own legislation, and free zones with their own data protection laws are excluded. |
| Territorial Reach | Extra-territorial: covers processing of the personal data of individuals in the EU even when the processing takes place outside the EU. | Likewise extra-territorial: covers both domestic and foreign entities that process the personal data of individuals in the UAE. |
| Legal Basis for Processing | Six lawful bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. | Consent of the data subject is the default basis. Article 4 lists the cases in which processing is permitted without consent, including performance of a contract, compliance with a legal obligation, protection of the data subject's vital interests, and the public interest. There is no general "legitimate interests" basis comparable to the GDPR's. |
| Consent Requirements | Consent must be freely given, specific, informed, and unambiguous, and withdrawing consent must be as easy as giving it. | Consent must be clear, specific, and informed, given by an affirmative act of the data subject, and the data subject has the right to withdraw it easily (withdrawal does not affect processing that already took place). |
| Data Subject Rights | Access, rectification, erasure, restriction of processing, data portability, objection, and protection against solely automated decision-making. | Comparable rights: access to information, data portability, correction and erasure, restriction of processing, the right to stop processing, and rights concerning automated processing (Articles 13 to 18). Some rights are subject to additional limitations or exceptions. |
| Data Breach Notification | The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; affected individuals must be informed when the risk is high. | The controller must notify the UAE Data Office immediately on becoming aware of a breach that would prejudice the privacy, confidentiality, or security of personal data, and the processor must notify the controller. The precise timeframe and procedure are left to the Executive Regulations. |
| Data Protection Officer (DPO) | Required for public authorities and for controllers or processors whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data. | Required when processing is likely to cause a high risk because it uses new technologies, involves large-scale processing of sensitive data, or involves systematic and comprehensive evaluation (profiling) of data subjects (Article 10). |
| Keeping Records of Processing (RoPA) | Controllers and processors must maintain detailed records of processing activities. | Controllers and processors must maintain records of processing (Articles 7 and 8). |
| Cross-Border Data Transfers | Transfers to third countries are permitted where adequate safeguards are in place, such as an adequacy decision or standard contractual clauses. | Transfers are permitted to jurisdictions that provide an adequate level of protection, including countries with data protection legislation or bilateral or multilateral agreements with the UAE (Article 22). Where no adequate level is available, transfers may still proceed under specific exceptions, such as contractual safeguards or the data subject's explicit consent (Article 23). |
| Penalties & Enforcement | Fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. | Administrative penalties are to be set by Cabinet decision under the Executive Regulations (Article 26); the law itself does not fix fine amounts. |
| Supervisory Authority | Each EU member state has an independent supervisory authority with extensive investigative and corrective powers. | The UAE Data Office is the competent authority, responsible for handling complaints, conducting audits, and imposing penalties. |
| Exemptions | Does not cover the data of deceased persons or processing for purely personal or household activities, and gives small organizations limited relief from record-keeping obligations. | Exempts government data, government entities, personal data held by security authorities, personal health and banking or credit data governed by their own legislation, and establishments in free zones that have their own data protection laws. |
FAQs
What is the UAE PDPL?
The UAE PDPL is the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) enacted by the UAE to regulate how the personal data of individuals is collected, processed, stored, and shared by organizations operating in the UAE. Its primary aim is to protect individual privacy and ensure responsible data handling.
Who does the UAE PDPL apply to?
The UAE PDPL applies to:
- Companies and organizations established in the UAE mainland and processing personal data of individuals inside or outside the UAE.
- Foreign entities that process the personal data of individuals in the UAE.
It does not apply to government entities or government data, to personal health or banking data governed by their own legislation, or to free zones that have their own data protection laws, such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM).
When did the UAE PDPL come into effect?
The UAE PDPL came into force on January 2, 2022.
What are the key obligations under the UAE PDPL?
Key obligations include:
- Obtaining clear, specific, and informed consent before processing personal data, except in the cases where the law permits processing without consent (Article 4).
- Honoring individuals' rights, including the rights to access, correct, erase, restrict, port, and object to the processing of their data.
- Implementing appropriate technical and organizational security measures to protect personal data.
- Maintaining records of processing activities.
- Appointing a Data Protection Officer (DPO) if the organization carries out high-risk processing.
- Notifying the UAE Data Office of personal data breaches that would prejudice the privacy, confidentiality, or security of personal data.
What are the key differences between the UAE PDPL and the GDPR?
- Scope:
- GDPR (EU): Applies to organizations processing the personal data of individuals in the EU, regardless of where the organization is located.
- PDPL (UAE): Applies to entities established in the UAE mainland and to foreign entities processing the personal data of individuals in the UAE; it excludes free zones with their own data protection regulations (e.g., DIFC, ADGM) as well as government data and sector-specific data covered by other laws.
- Supervisory Body:
- GDPR: Each EU member country has its own independent Data Protection Authority (DPA).
- PDPL: Regulated by a centralized authority, the UAE Data Office.
- Breach Notification:
- GDPR: Requires mandatory notification to relevant authorities within 72 hours of becoming aware of a data breach.
- PDPL: Breach notification is required, but the specific timeline for notification is yet to be fully defined by executive regulations.
- Penalties:
- GDPR: Allows for significant fines, up to €20 million or 4% of global annual turnover, whichever is higher.
- PDPL: As of 2025, the PDPL allows for fines up to AED 5 million (approximately USD 1.36 million). Further details and potential increases for repeat offenses are expected to be set by regulation.
Are cross-border transfers of personal data allowed under the UAE PDPL?
Yes, cross-border transfers are allowed, but only if:
- The receiving country provides an adequate level of data protection, as determined by the UAE Data Office, including countries that have data protection legislation or bilateral or multilateral agreements with the UAE; OR
- Where no adequate level of protection is available, appropriate safeguards are in place, such as contractual clauses binding the recipient to the law's protections, or another exception under Article 23 applies, such as the data subject's explicit consent.
Does my company need to comply with both the PDPL and the GDPR?
Yes, your company may need to comply with both the PDPL and the GDPR if:
- You are based in the UAE and process the personal data of individuals in the EU, for example by offering them goods or services or monitoring their behaviour.
- Your organization operates globally and must therefore adhere both to local regulations (like the PDPL) and to the foreign data protection regulations (like the GDPR) that apply to the data you process.
The content on this website is for information purposes only, and should not be construed as legal advice. GoTrust does not endorse the accuracy or reliability of any advice, opinion, statement, or other information displayed, uploaded, or distributed through the website.