Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
UAE PDPL
Step into privacy research with GoTrust, your trusted hub for understanding the UAE’s Personal Data Protection Law (PDPL). Here, you’ll find the official regulation, along with provisions for compliance and key implementation details, all in one organized platform.
As your compliance partner, we simplify complex privacy requirements into actionable steps for your business. The PDPL is the UAE’s comprehensive data protection framework, designed to safeguard personal data, empower individuals with privacy rights, and ensure accountability in data processing across industries.

Personal Data Protection Law
The Personal Data Protection Law protects individuals' privacy and governs how organizations manage personal data. It ensures transparency, accountability, and secure handling of sensitive information, helping to build trust in the digital world.
Comparing the UAE PDPL with EU GDPR
| Aspect of Law | EU GDPR | UAE PDPL |
| --- | --- | --- |
| Scope & Applicability | Applies to any organization processing personal data of EU residents, regardless of where the organization is established. | Applies to entities established in the UAE and to those outside that process personal data of individuals in the UAE; certain sectors (e.g., government, personal health data) are exempt. |
| Territorial Reach | Extra-territorial: applies to processing of EU-resident data even if conducted outside the EU. | Similar to the GDPR, extra-territorial, covering both domestic and international entities processing personal data of individuals within the UAE. |
| Legal Basis for Processing | Provides six lawful bases (consent, contract, legal obligation, vital interests, public interest, legitimate interests). | Personal data processing is allowed when data subjects give explicit consent. Processing may also be permitted for purposes necessary to fulfil a contract, comply with legal obligations, protect vital interests, or serve the public interest. |
| Consent Requirements | Consent must be freely given, specific, informed, and unambiguous; withdrawal must be as easy as giving consent. | Emphasizes specific and informed consent, ensuring clear affirmation from data subjects. The data subjects have the right to withdraw consent easily. |
| Data Subject Rights | Grants extensive rights: access, rectification, erasure, restriction, data portability, objection, and protection against automated decision-making. | Provides similar rights such as access, correction, erasure, and restriction, although some rights may be subject to additional limitations or exceptions. |
| Data Breach Notification | Mandates notification to supervisory authorities within 72 hours if a breach poses a risk to data subjects. | Requires immediate notification of data breaches; precise timeframes and procedures will be detailed in upcoming executive regulations. |
| Data Protection Officer (DPO) | Requires the appointment of a DPO for high-risk or large-scale data processing operations. | Appointment of a DPO is required if processing involves high-risk technologies, large-scale sensitive data, or systematic profiling. |
| Keeping Records of Processing (RoPA) | Obliges controllers and processors to maintain detailed records of processing activities (RoPA). | Requires maintaining records of processing. |
| Cross-Border Data Transfers | Permits transfers to third countries if adequate safeguards (e.g., adequacy decisions or standard contractual clauses) are in place. | Allows transfers only to approved jurisdictions which have adequate provisions for data protection and to countries which have entered into bilateral treaties/agreements for transfer of data. |
| Penalties & Enforcement | Imposes fines up to €20 million or 4% of global annual turnover for severe violations. | Penalties are yet to be fully specified in the executive regulations; they may include fines and other sanctions, determined on a case by case basis. |
| Supervisory Authority | Each EU member state has an independent supervisory authority with extensive investigative and corrective powers. | The UAE Data Office is designated as the enforcement body, responsible for handling complaints, audits, and penalties. |
| Exemptions | Excludes certain data (e.g., information on deceased persons) and offers limited exemptions for small-scale processing. | Exempts specific sectors such as government data, public entities, and certain sensitive areas like banking and health data. |
The content on this website is for information purposes only, and should not be construed as legal advice. GoTrust does not endorse the accuracy or reliability of any advice, opinion, statement, or other information displayed, uploaded, or distributed through the website.