uaepdpl.com

How to Draft a Data Processing Agreement Under UAE PDPL 

Crafting a clear, accessible Data Processing Agreement (DPA) under the UAE’s Personal Data Protection Law (PDPL) is both a legal necessity and an opportunity to build trust. A well-written DPA guides your organisation and its service providers through every step of handling personal data, ensuring compliance with Federal Decree-Law No. 45 of 2021.

Understanding the UAE PDPL 

The PDPL applies to any entity, inside or outside the UAE, that processes the personal data of individuals in the Emirates. It requires a valid legal basis for every processing activity, ensures respect for data‑subject rights (such as access, correction, erasure, portability and objection), mandates robust security measures, and imposes strict controls on international data transfers. It also demands prompt breach notification to the UAE Data Office and, where required, to affected individuals. Embedding these principles in your DPA transforms a complex legal framework into clear, actionable commitments that build trust.

Defining Purpose, Scope and Duration 

Begin your DPA by stating its purpose in plain language: the agreement exists to ensure that personal data shared between your organisation (the controller) and the service provider (the processor) is used only for agreed-upon activities and always kept secure.  

Specify: 

  • Categories of data covered (e.g., names, contact info, purchase records). 
  • Purpose for processing (for example: order fulfilment, marketing insights, customer support). 
  • Retention period: clearly state how long the processor keeps the data, and that once this period ends, the data will be either returned or securely deleted. 

Clarifying Roles and Responsibilities 

A key to avoiding confusion is a concise, clear paragraph that spells out who does what: 

  • Controller: Decides why and how data is used, whether that is sending order confirmations, marketing updates, reporting, or analytics.
  • Processor: Carries out those tasks only as per the controller’s documented instructions. 

This reflects Articles 7 and 8 of the PDPL, which make clear that the controller sets the purpose and means, while the processor must stick strictly to instructions and support compliance efforts, especially when it comes to implementing technical and organisational measures, handling data only within the agreed scope and timeframe, and returning or deleting data when processing is done.

Establishing Lawful Bases for Processing 

Your DPA should briefly describe each lawful basis relied upon (consent, contract necessity, legal obligation or legitimate interest) and explain how you record and manage it.

For example: 

  • Consent: Collected clearly (e.g., via an online checkbox), recorded in a central register, and easy to withdraw. 
  • Contract necessity: When data is essential to fulfil a service (like processing an order). 
  • Legal obligation: To comply with requirements under UAE law. 
  • Public interest or vital interests: If permitted under the PDPL (e.g., public health, safety, or safeguarding someone’s vital interests).

Respecting Data-Subject Rights 

Lay out a simple, step-by-step overview of how your organisation and processor will handle requests from individuals seeking to exercise their rights.  

  • How to submit a request: Individuals can email requests to a dedicated address or use your online portal. As Article 19 requires, you must provide clear and accessible contact channels.
  • Verify the requester: To protect privacy, confirm the person’s identity through a standard method such as a government ID scan, a customer account check, or secure two‑factor authentication before sharing any data.
  • Process the request within the legal deadline: While the law doesn’t specify an exact timeframe, the best practice (and in line with global standards) is to respond within 30 days. If you need more time, let the person know and explain why.
  • Walk through an example: When a customer asks to see their purchase history, (a) verify who they are, (b) collect the relevant records, and (c) send the information securely within 30 days. This makes the process feel real and trustworthy.
  • Include exceptions and follow‑ups: If you need to refuse a request (e.g., third‑party privacy, legal exemptions), explain clearly why and reference the relevant PDPL articles (e.g., Articles 13–18). Also provide a path for appeal: mention that individuals can escalate matters to the UAE Data Office if they’re unhappy with the outcome.

Embedding Security Measures and Breach Response 

Translate the PDPL’s requirement for “appropriate technical and organisational measures” into clear commitments: 

Security Measures  

  • Processor will use industry-standard encryption (e.g., AES‑256/TLS) for data both in transit and at rest.  
  • Access will be restricted to staff on a need-to-know basis.  
  • Detailed activity logs will be maintained to monitor access and detect anomalies.  
  • Where possible, data will be pseudonymised to reduce risk. 

Breach-Notification Process  

  1. Processor notifies the controller immediately upon detecting a suspected breach.
  2. Controller reports to the UAE Data Office promptly, as required under Article 9 PDPL.
  3. Controller notifies affected individuals if the breach poses a real risk to their privacy.
  4. Written incident report delivered within 48 hours, detailing:
     • Nature and cause of the breach
     • Estimated scale (number of records/data subjects)
     • Data Protection Officer contact
     • Risks identified and remediation steps
  5. Full cooperation in follow-up actions, including sharing logs, investigations, and corrective measures as per Articles 7, 8 and 20 PDPL.

These measures bring PDPL Articles 9 and 20 into practical effect, demonstrating that your organisation treats data protection as a top priority. 

Managing Cross-Border Transfers 

When personal data travels outside the UAE, your DPA must ensure it remains protected. Consider including the following: 

Cross‑Border Transfer Mechanisms 
You should specify which mechanism applies for transfers, based on PDPL Articles 22 and 23:

  • Adequacy Decision: To countries recognized by the UAE Data Office for having strong data protection. 
  • Standard Contractual Clauses / Binding Corporate Rules: Used if there’s no adequacy decision, requiring the data importer to uphold PDPL-level protection.
  • Derogations: Including explicit consent, necessity for contract performance, legal obligations, judicial cooperation, vital public interest, or public interest. 

Mapping & Due Diligence 

  • Clearly map your data flows: show where data travels, why, and what’s transferred. 
  • Assess risk before transfer: evaluate the legal framework and data protection in the destination country.
  • Verify safeguards: Ensure contractual protections or consent forms are in place and valid. 

Documentation & Audit Trail 

  • Record each transfer, including destination, basis, safeguards, and date. 
  • Maintain logs and supporting documents to demonstrate compliance in audits or inspections.

Controlling Sub-Processors 

Because processors often rely on subcontractors, your DPA should include clear controls: 

  • Prior written approval: The processor may not engage or replace any sub-processor without first obtaining the controller’s documented consent. This ensures oversight and prevents unauthorized subcontracting. 
  • Flow-down of obligations: The processor must impose identical PDPL obligations on each sub-processor (covering confidentiality, security measures, breach notification, and data return or deletion) and remain fully liable if any sub-processor fails to comply.
  • Transparency and updated registry: The processor should maintain an up-to-date list of all authorized sub-processors and provide it to the controller on request. Any changes to the list must be communicated in advance, and the controller should have the right to object before new sub‑processors are engaged. 

By framing this as a joint approval process, your DPA builds transparency and trust throughout the data-handling chain. 

Involving the Data Protection Officer and DPIAs 

If your organisation must appoint a Data Protection Officer (DPO), introduce their role in monitoring compliance, advising on risk and serving as the regulator’s point of contact. For any high-risk processing, the DPA should require the processor’s cooperation in conducting a Data Protection Impact Assessment (DPIA). By describing how the processor will supply necessary information and implement recommended safeguards, you reinforce that privacy risk management is a shared responsibility. 

Embedding a Review and Update Mechanism 

Finally, a DPA should be a living document. Include a clause committing both parties to meet at least once a year to review processing activities, security measures and any changes in the law or business operations. This ongoing dialogue ensures your agreement adapts to new PDPL executive regulations, evolving technologies, and emerging best practices. 

Are you confident your Data Processing Agreement (DPA) is a living, effective tool, not just a legal formality, in the dynamic world of data protection?

Here’s how to find out: 

  1. Compare your DPA against the key sections we’ve outlined: roles, lawful basis, rights handling, security, breach response, transfers, sub-processors, DPO/DPIA, and review mechanism.
  2. Perform a gap assessment against UAE PDPL standards and best practices: identify where your DPA shines and where it could go further.
  3. Update or draft your DPA with the real-world, reader-friendly clauses discussed above, ensuring it’s both precise and engaging.
  4. Embed regular reviews: set up a standing annual meeting to reassess processing activities, security controls, and regulatory changes.

Need expert support? Our team at GoTrust helps you automate privacy compliance, streamline third-party governance, and reduce risk under UAE PDPL. Tap into our expertise in DPA drafting, DPIAs, breach response, and more.  
