Guide to the UAE’s Personal Data Protection Law
The United Arab Emirates (UAE) has recently become a digital hub in the Middle East and North Africa. Artificial intelligence, fintech platforms, e-commerce stores, and government portals collect and process personal data on a massive scale. Individuals are concerned about their privacy and how their personal information is used. Without comprehensive legislation, individuals would not trust businesses and would be reluctant to share their data, so a regulation was needed.
The UAE’s Data Protection Law came into force in 2022. This law aims to safeguard individuals’ privacy while enabling innovation and digital growth. The law aligns closely with international standards such as the GDPR.
Let’s break down the key elements of the UAE’s Personal Data Protection Law: user rights, business obligations, and best practices for complying with the law.
What Is the UAE’s Personal Data Protection Law?
The UAE’s Personal Data Protection Law is the country’s first comprehensive data protection law. It protects the personal data of individuals in the UAE and regulates the collection, use, storage, and processing of personal data by public and private entities.
The UAE’s Personal Data Protection Law (PDPL) was enacted under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
The legislation gives individuals greater control over their Personal Information and establishes clear compliance requirements for businesses and organizations that handle personal data.
Effective date: January 2, 2022.
Official law text: Federal Decree-Law No. 45 of 2021.
The law establishes rules for the collection, use, storage, processing, and international transfer of the personal data of UAE citizens.
It applies across the UAE, excluding free zones. Free zones maintain their own data protection laws.
Who Needs to Comply with the UAE’s Personal Data Protection Law?
The UAE’s Personal Data Protection Law applies to:
- Any data controller or data processor located in the UAE and processing the personal data of data subjects residing or working within or outside the UAE;
- Any data controller or data processor established outside the UAE processing the personal data of the UAE’s data subjects.
The UAE PDPL has an extraterritorial application similar to the GDPR: the law applies to any data controller or data processor, regardless of where it is based, if it carries out processing activities on the personal data of UAE residents.
The UAE PDPL has several exemptions. It doesn’t apply to:
- Government data,
- Public entities,
- The processing of personal data for personal use,
- Health or credit data (they have their own legislation),
- Organizations and entities established in free zones (they have their own data protection laws).
Core Principles of Data Processing under the UAE PDPL
The UAE PDPL has these well-defined principles for the collection, processing, and management of personal data:
- Lawfulness, fairness, and transparency: Organizations must respect the rights of the data subject and be open and honest about why and how they collect and use personal data.
- Purpose limitation: Data should be collected for specific, clear, and legitimate purposes. It must not be used for other activities unless closely related to the original purpose.
- Data minimization: Organizations must limit data collection to what is strictly necessary for the stated purpose. Collecting extra information is not allowed.
- Accuracy: Organizations are responsible for ensuring that the data they hold is accurate and up to date. Inaccurate or outdated data must be corrected or deleted.
- Storage limitation: Personal data must not be kept longer than necessary. Once the business has fulfilled the original purpose, the data should be erased or anonymized.
- Integrity and confidentiality: Organizations must implement appropriate technical, physical, and administrative measures to prevent breaches, unauthorized access, or misuse.
Data Subject Rights under the UAE’s Personal Data Protection Law
Individuals in the United Arab Emirates have legally protected rights over their personal data, including:
- Right to access: Data subjects have the right to request access to their personal data held by a data controller, and to know whether their data is being processed.
- Right to rectification: Data subjects have the right to request that any inaccurate or incomplete personal data be corrected or updated.
- Right to erasure: Data subjects have the right to request the deletion of their personal data, especially when it is no longer needed for its original purpose or when the data subject withdraws consent.
- Right to object: Data subjects have the right to object to data processing, particularly if it relates to direct marketing or profiling.
- Right to data portability: Data subjects have the right to request that their data be transferred to another service provider in a machine-readable format.
- Right to withdraw consent: Data subjects can revoke their consent at any time.
- Right to file complaints: In case of data subject rights violations, data subjects can file a complaint with the UAE Data Office.
Obligations of Data Controllers and Processors Under the UAE Law
Organizations acting as controllers or processors under the PDPL must comply with several core obligations to ensure the lawful and secure handling of personal data:
- Lawful basis for processing: Data controllers must obtain explicit consent from data subjects before processing their personal data. Consent is not necessary when another legal basis applies, such as fulfilling a contract or complying with legal obligations.
- Data minimization and purpose limitation: Data controllers must collect only the personal data necessary for specific purposes and must ensure that data is processed solely for those purposes. Do not use the data for secondary purposes unless allowed by law.
- Data safety: Controllers must protect data from loss, leaks, or misuse using adequate technical and organizational means.
- Rights of data subjects: Controllers must enable data subjects to exercise their rights under the UAE PDPL and respond to data subject requests in a timely manner.
- Data breach notification: In the event of a data breach, controllers must promptly notify the UAE Data Office and affected data subjects, providing details about the breach and the steps taken to mitigate its effects.
- Record keeping: Controllers are required to keep a detailed record of their data processing activities, including categories of personal data, access rights, processing times, erasure mechanisms, purposes, cross-border transfers, and applied security measures. These records must be submitted to the UAE Data Office upon request.
- Cross-border data transfers: When transferring personal data outside the country, controllers must ensure that the destination country provides adequate data protection, and implement additional safeguards if necessary.
- Data Protection Impact Assessments (DPIAs): Controllers must conduct a DPIA before starting high-risk processing, especially when using automated processing or profiling that may significantly affect individuals or their privacy, and when processing large volumes of sensitive personal data.
- Appointment of a Data Protection Officer: In cases of large-scale processing of sensitive data, controllers may need to appoint a DPO. The DPO is responsible for ensuring compliance with the UAE PDPL and acting as a liaison with the UAE Data Office.
- Qualified processors: Controllers must appoint processors that provide a sufficient level of data security for PDPL compliance and must enter into contracts with those processors.
- Sub-processing: Processors must sign contracts with controllers and ensure that any sub-processors comply with the same data protection obligations.
- Cooperation with controllers and authorities: Processors must assist controllers in meeting their PDPL obligations and cooperate with the UAE Data Office during audits or investigations.
Consent Requirements Under the UAE PDPL
Businesses must obtain consent before collecting or using any personal data.
Consent must be freely given, informed, explicit, specific to the processing activity, and revocable at any time.
Valid consent must meet strict conditions:
- Freely given: Data subjects should provide consent freely, without any pressure or coercion. Don’t use text on a cookie notice that encourages giving consent.
- Explicit: Data subjects should indicate affirmative action or provide a written or spoken statement allowing data processing. If the individual does not interact with the Cookie Banner, continues scrolling, or takes no action, it does not mean they consent to the collection of their data.
- Specific: Data controllers may process personal data only for the purposes specified when consent was obtained. Data processing beyond those agreed-upon purposes is not allowed.
- Informed: Data controllers must request consent in clear and simple language and in an accessible format. Using dark patterns or other misleading behavior to obtain consent is not allowed. Consent is not valid if obtained without proper information.
- Freely revocable: Data subjects must be able to withdraw consent at any time, without affecting processing carried out before withdrawal.
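As an added illustration (not code from the original page or from any CMP vendor), the following JavaScript models a consent store that enforces the conditions listed above: only an affirmative, informed action creates consent, consent is held per purpose, withdrawal applies going forward, and every event is logged as evidence. The purpose names, banner event types and the `noticeVersion` field are assumptions made for the example.

```javascript
// Added example, not from the original page: a consent store enforcing the
// PDPL consent conditions. Purpose names, event types and "noticeVersion"
// are constructed for illustration.

const PURPOSES = ["necessary", "analytics", "marketing"];

function createConsentStore(now = () => Date.now()) {
  const log = [];      // append-only evidence trail (proof of compliance)
  let granted = null;  // null until the data subject acts affirmatively

  return {
    // Explicit + informed: consent exists only after an affirmative action
    // taken on an identified version of the privacy notice.
    grant(purposes, evidence) {
      if (!evidence || evidence.affirmative !== true || !evidence.noticeVersion) {
        throw new Error("consent needs an affirmative, informed action");
      }
      const unknown = purposes.filter((p) => !PURPOSES.includes(p));
      if (unknown.length) throw new Error("unknown purpose: " + unknown.join(","));
      // Specific: consent is held per purpose, never as a blanket "accept".
      granted = new Set(purposes);
      log.push({ event: "grant", purposes: [...purposes], at: now(), evidence });
      return true;
    },
    // Freely revocable: withdrawal stops future processing for those purposes;
    // the earlier grant stays in the log, so processing done before
    // withdrawal remains documented as lawful.
    withdraw(purposes) {
      if (!granted) return false;
      purposes.forEach((p) => granted.delete(p));
      log.push({ event: "withdraw", purposes: [...purposes], at: now() });
      return true;
    },
    // Called before any processing: strictly necessary processing needs no
    // consent; every other purpose needs a current, recorded grant.
    allowed(purpose) {
      if (purpose === "necessary") return true;
      return granted !== null && granted.has(purpose);
    },
    auditLog() { return log.map((e) => ({ ...e })); },
  };
}

// Maps banner UI events to store actions. Scrolling, dismissing or ignoring
// the banner is not an affirmative action and therefore changes nothing.
function handleBannerEvent(store, event) {
  switch (event.type) {
    case "accept_selected": // user ticked purposes and clicked a button
      return store.grant(event.purposes, { affirmative: true, noticeVersion: event.noticeVersion });
    case "withdraw":
      return store.withdraw(event.purposes);
    case "scroll":
    case "dismiss":
    case "no_action":
      return false;
    default:
      throw new Error("unknown banner event: " + event.type);
  }
}
```

Wiring `allowed()` in front of every tag or script that sets non-essential cookies is what turns the stored record into actual respect for the user's choice.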
When consent is not required by the UAE PDPL
Personal data may be processed without consent in certain cases, including:
- Alternative legal basis applies.
- Performance of a contract (contractual necessity).
- Protection of public interest or public health.
- Publicly available data of the data subject.
- Legal claims, judicial or security procedures.
- Employment, social security, or social protection obligations.
- Occupational or preventive medicine, medical diagnosis, treatment, or health insurance services.
- Archival, scientific, historical, or statistical purposes in line with UAE legislation.
- Protecting the vital interests of the data subject.
- Compliance with other UAE laws.
Enforcement and Penalties
The UAE Data Office is the regulatory authority for the PDPL. It has the power to conduct audits, issue guidance, and enforce penalties for non-compliance.
Penalties for non-compliance with the PDPL include:
- Fines ranging from AED 50,000 to AED 5 million.
- Suspension or restriction of processing.
Although the Data Office is still solidifying its enforcement role, businesses should take compliance seriously to avoid penalties and associated risks.
Best Practices for Businesses to Ensure Compliance with the UAE PDPL
To ensure compliance with the UAE's PDPL, implement a comprehensive data protection strategy:
- Conduct a data audit: Begin by conducting a complete audit of all personal data you collect, process, and store. Identify the types of data, their sources, how they are processed, and where you store them.
- Obtain and document consent: Obtain consent that is freely given, informed, explicit, specific to the processing activity, and revocable. Record consent logs as proof of compliance.
- Ensure data subject rights: Prepare processes to handle requests from data subjects, such as accessing, correcting, or deleting their personal data.
- Respect purpose limitation and data minimization principles: Limit processing to specific, lawful purposes. Collect personal data only for the purposes disclosed at the time of collection and do not process it further in a manner incompatible with those original purposes.
- Establish clear data policies: Establish clear policies on data processing, storage, and sharing. These policies should outline how to obtain and manage consent, the lawful bases for processing personal data, and the purposes for which data is collected.
- Implement a Privacy Policy: Create a comprehensive Privacy Policy that contains all mandatory elements and provide a privacy notice that contains an active link to the Privacy Policy. Regularly update your Privacy Policy.
- Implement data security measures: Implement robust technical (encryption, access controls), organizational (policies, training), and procedural (incident response) security measures to protect data.
- Maintain a record of processing activities: Log all records of personal data processing.
- Appoint a Data Protection Officer: In cases of large-scale processing of sensitive data, appoint a DPO.
- Prepare for data breaches: Develop and implement a data breach response plan with procedures for detecting and reporting breaches, mitigating their impact, and notifying the UAE Data Office and affected individuals when required.
- Sign contracts with service providers: Sign contracts with data processors and third parties. Make sure they comply with the PDPL on your behalf.
- Establish data retention and deletion procedures: Set clear procedures for how long you will retain data and securely delete it after the retention period.
- Control cross-border data transfers: When transferring personal data outside the UAE, ensure that the receiving country offers an adequate level of protection, or implement additional safeguards such as standard contractual clauses.
- Train employees: Train employees on data subject rights and on internal processes for handling requests and data breaches.
- Conduct DPIAs: Conduct DPIAs before sensitive or high-risk data processing.
- Conduct annual data security audits: Conduct internal audits of compliance and documentation, and perform regular risk assessments.
- Monitor regulatory developments: The UAE PDPL is new legislation and will evolve. Monitor regulatory developments and updates and adjust your compliance program accordingly.
- Implement a CMP: Implement a Consent Management Platform (CMP) to deliver a cookie notice, obtain and store Cookie Consent, create a Privacy Policy, and respect user consent choices.
CookieScript CMP has the following features:
- Integrations with CMS platforms like Magento, WordPress, Shopify, etc.
- Cookie banner customization
- Google Consent Mode v2 integration
- IAB TCF v2.2 integration
- Google Tag Manager integration
- Certification by Google
- CookieScript API
- Cookie Scanner
- Consent recordings
- Third-party cookie blocking
- Geo-targeting
- Self-hosted code
- Cookie banner sharing
- Cross-domain cookie consent sharing
Frequently Asked Questions
What Is the UAE’s Personal Data Protection Law?
The UAE’s Personal Data Protection Law is the UAE’s first comprehensive data protection law that protects the personal data of residents of the UAE and regulates the collection, use, storage, and processing of personal data by public and private entities. The law came into force on January 2, 2022. Use CookieScript CMP to comply with the PDPL.
How does UAE PDPL differ from GDPR?
The UAE PDPL protects the personal data of UAE residents, while the GDPR covers EU residents. Both PDPL and GDPR offer broad data subject rights, including the rights to correction, deletion and access, and require explicit opt-in consent. Penalties are much higher under GDPR. CookieScript CMP has the geo-targeting feature that allows businesses to comply with PDPL, GDPR, and other privacy laws.
Who does the UAE’s Personal Data Protection Law apply to?
The UAE PDPL applies to any data controller or data processor located in the UAE that processes the personal data of UAE residents, or any data controller or data processor established outside the UAE processing the personal data of UAE data subjects. The UAE PDPL also has an extraterritorial application, meaning that it applies to any data controller or data processor, regardless of where it is based, if it carries out processing activities on the personal data of UAE residents.
What is personal data under the UAE PDPL?
Personal data is any data relating to a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics.
Does the UAE’s Personal Data Protection Law require appointing a DPO?
The UAE PDPL requires appointing a Data Protection Officer for large-scale processing of sensitive data. The DPO is responsible for ensuring compliance with the UAE PDPL and acting as a liaison with the UAE Data Office.
What are consent requirements under the UAE PDPL?
Under the PDPL, businesses must obtain consent before collecting or using any personal data. Consent must be freely given, informed, explicit, specific to the processing activity, and revocable at any time. Use CookieScript CMP to provide a Cookie Banner, obtain and store user consent, and comply with the PDPL.
What are the penalties for non-compliance with the UAE PDPL?
Penalties for non-compliance with the PDPL include fines ranging from AED 50,000 to 5 million, and suspension or restriction of processing. Use CookieScript CMP to comply with the PDPL and avoid penalties.
How to comply with the UAE’s Personal Data Protection Law?
To comply with the UAE PDPL, conduct a data audit, ensure data subject rights, obtain user consent, respect purpose limitation and data minimization principles, implement security measures, sign contracts with service providers, appoint a DPO, and prepare for data breaches. Implement a Consent Management Platform like CookieScript to ensure compliance with the PDPL.