01 May 2026

UAE Personal Data Protection Law: Key Compliance Obligations for Businesses

The UAE introduced its first comprehensive data protection regime through Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data (PDPL). The law regulates how personal data is collected, processed, stored, and transferred within the UAE.

It applies across industries and directly impacts how businesses handle customer, employee, and third-party data. As regulatory focus increases, compliance with the PDPL is becoming an essential legal requirement for companies operating in the UAE.

Scope and Application of the Law

The scope of the PDPL is set out under Article 2 of Federal Decree-Law No. (45) of 2021. It applies to entities established in the UAE that process personal data, as well as entities outside the UAE that process personal data of individuals within the UAE.

The law covers personal data processed through automated systems as well as structured manual processing. Personal data is broadly defined to include any information relating to an identified or identifiable natural person.

Certain categories fall outside the scope of the PDPL, including government data, personal data governed by specific sectoral legislation such as health and banking laws, and data processed by entities in financial free zones such as DIFC and ADGM, which operate under separate data protection regimes.

Lawful Basis for Processing Personal Data

Under Article 6, personal data may only be processed where there is a lawful basis.

Consent is one such basis, and where relied upon, it must be clear, specific, and given through an explicit and unambiguous action. However, the law also recognises other lawful grounds, including where processing is necessary for the performance of a contract, compliance with a legal obligation, protection of public interest, or other circumstances permitted under the law.

This means that businesses must be able to clearly identify and justify the legal basis on which personal data is processed.

Obligations on Data Controllers and Processors

The PDPL imposes direct obligations on entities responsible for processing personal data.

Under Articles 7 and 8, personal data must be collected for a specific and clear purpose, must be limited to what is necessary for that purpose, and must not be retained for longer than required. Businesses are also required to ensure that personal data is accurate and kept up to date.

In addition, appropriate technical and organisational measures must be implemented to ensure data security and to protect against unauthorised access, loss, or misuse.

Where processing involves high-risk activities, including large-scale processing or processing of sensitive personal data, Article 11 requires the appointment of a Data Protection Officer, who is responsible for monitoring compliance and acting as a point of contact with the competent authority.

Rights of Individuals

The PDPL grants specific rights to individuals in relation to their personal data.

Under Articles 13 to 18, individuals have the right to access their personal data, request correction of inaccurate information, request deletion in certain circumstances, restrict or object to processing, and request transfer of their data in a structured and usable format.

These rights impose a corresponding obligation on businesses to establish internal systems to respond to such requests within a reasonable timeframe.

Cross-Border Transfer of Personal Data

The transfer of personal data outside the UAE is regulated under Article 22.

Such transfers are permitted where the receiving jurisdiction ensures an adequate level of data protection. In the absence of such protection, transfers may still be allowed where appropriate safeguards are in place or where specific conditions under the law are satisfied.

This is particularly relevant for businesses that rely on international operations, cloud services, or third-party service providers located outside the UAE.

Data Protection and Breach Obligations

The PDPL requires businesses to implement measures proportionate to the nature of the data and the risks involved in its processing.

In the event of a personal data breach that may prejudice the privacy, confidentiality, or security of personal data, businesses may be required to notify the competent authority and, where applicable, the affected individuals. This increases the importance of having clear internal processes for identifying and managing such incidents.

Enforcement and Regulatory Oversight

The PDPL is overseen by the UAE Data Office, which is responsible for supervising the implementation of the law and issuing further guidance.

The law provides for administrative penalties in cases of non-compliance. While detailed penalty structures are subject to implementing decisions and regulations, the existence of enforcement powers highlights the need for businesses to ensure ongoing compliance.

Where Does the Risk Now Sit?

The PDPL makes it clear that risk is not limited to misuse of personal data. It also arises from failure to comply with procedural and operational requirements.

Exposure may arise where businesses process data without a valid legal basis, fail to implement adequate security measures, transfer data without meeting legal conditions, or do not respond appropriately to requests from individuals.

In practice, this shifts the focus from reactive compliance to continuous monitoring and internal control.

Conclusion

The PDPL represents a significant development in how personal data is regulated in the UAE.

The law establishes that personal data must be handled with defined legal responsibility. Businesses are now required to be clear about the purpose of data collection, the legal basis for processing, and the measures in place to protect such data.

As regulatory oversight increases, compliance with the PDPL will become a core part of business operations rather than a secondary legal consideration.

How We Can Assist

At Malhotra Legal Consultancy, we advise businesses on compliance with Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data.

Our services include reviewing data handling practices, drafting privacy policies, advising on cross-border data transfers, and assisting with implementation of compliance measures.