Data Privacy in the United Arab Emirates

Data Privacy in the United Arab Emirates, Data Protection Law 2020 & PDPL

Data privacy in the United Arab Emirates was issued by the Dubai International Financial Center (DIFC) and titled the Data Protection Law 2020, which went into effect July 1, 2020. The law was made and enforced by ‘The Ruler’ and is governed by the Data Protection Law, DIFC Law No. 5 of 2020 and the Data Protection Regulations. This law is designed to create a standard for free movement of data and data privacy in the United Arab Emirates.

In September 2021, the United Arab Emirates (UAE) drafted new laws and legislative amendments as well as the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection (PDPL), which went into effect January 2022. The amendments develop legislative structure in various sectors, as well as laws related to society and personal security, including the Online Security Law. The PDPL draws similarities from various international data protection laws, especially the European Union’s GDPR.

Data Privacy in the the United Arab Emirates – Scope

  • The processing of personal data of people residing in the UAE, or people having a business within the UAE
  • Each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE
  • Each Controller or Processor located outside the UAE, who carries out processing activities of data subjects that are inside the UAE

Data Privacy in the the United Arab Emirates – Exceptions

  • Processing of personal data by an individual for a purely personal or household activity
  • Processing of personal data by a competent authority for any law enforcement purposes
  • Similar to Certain activities including processing covered by the Law Enforcement Directive, and processing for national security purposes

Key Definitions

Personal Data

Personal data is defined as any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as name, voice, picture, identification number, electronic, identifier, geographical location, or one or more physical, physiological, cultural or social characteristics.

Sensitive Personal Data

Sensitive information is defined as any information that directly or indirectly reveals a person’s race, ethnicity, political and religious views, criminal record, biometric data, health data and sexual state.

Key Principles of PDPL

The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.

The law defines the controls for the processing of personal data and the general obligations of companies with personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or carry out any legal procedures and rights.

PDPL provides the necessary conditions for obtaining valid consent from the data subjects for the processing of his/her personal information.

The law gives the owner of the data the right to request corrections of inaccurate personal data, as well as restrict or stop the processing of his/her personal data.

PDPL sets the requirements for cross-border transfer and sharing of personal data for processing purposes.

Before processing a data subject’s personal data, a controller must provide the data subject with the purposes for the personal data processing, any third parties that the personal data will be shared with and the protection measures put in place to cover any cross-border data transfers.

PDPL demands the data controller and processor implement appropriate technical and organizational measures and actions to ensure a high information security level appropriate to the risks associated with the processing according to the best international standards and practices.

Data controllers and data processors are both separately required to keep records concerning the personal data they process. The content requirements for such records are primarily aligned with the equivalent requirements under the GDPR but with some additional points.

The data controller shall immediately notify the Office and data subjects of any Personal Data Breach relating to a data subject which might result in a risk to privacy, confidentiality, and security of his/her data within a period specified in the Executive Regulations.

Processing Personal Data

Personal data can only be processed with the consent of the data subject except in certain lawful circumstances, including:

  • When necessary to fulfill a contractual obligation or public service
  • When the data subject has made the data public
  • When necessary to protect the interest of the data subject
  • When necessary for judicial and security procedures
  • When necessary for medical purposes or matters of public health
  • When necessary for archival purposes
  • When necessary for the data controller’s compliance with legal obligations
  • Any other circumstances specified by the Executive Regulations issued under the PDPL


A controller has legal obligations where a processor is involved. GDPR places further obligations on controllers to ensure contracts with processors comply with the GDPR.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

Ready to get started?

Request a demo