Article 28
The Executive Regulation
The Council of Ministers, based upon a suggestion from the General Director of the Bureau, shall issue the Executive Regulations of this Decree by Law within six (6) months as of the date on which the Decree by Law is promulgated.
FAQs
The Executive Regulations serve to clarify, supplement, and operationalize the provisions of the PDPL. They provide detailed guidance on key areas such as consent requirements, cross-border transfers, Data Protection Impact Assessments (DPIAs), data breach notifications, and enforcement procedures. Their purpose is to ensure consistent interpretation and practical implementation of the law across sectors.
Article 28 requires the Executive Regulations to be issued within six months from the date the PDPL came into effect. This timeline was set to ensure that organizations had adequate legal guidance during the early phases of compliance while giving the UAE Data Office time to consult stakeholders and develop robust regulatory standards.
Yes. While the Executive Regulations cannot contradict the core provisions of the PDPL, they are authorized to introduce supplementary requirements, procedures, and compliance measures that support the law’s objectives. These may include sector-specific rules, recordkeeping standards, or additional data protection safeguards, provided they remain within the framework and intent of the PDPL.