---
name: kb-data-privacy-uae-pdpl
description: Use when a matter involves personal data processing, privacy obligations, or data-breach response in UAE (onshore). Covers the UAE Federal Personal Data Protection Law (Federal Decree-Law 45/2021) and its executive regulations, TDRA oversight, lawful bases, sensitive data categories, cross-border transfer rules, data subject rights, and fines up to AED 20 million. Also covers the separate data-protection regimes of DIFC (DIFC Data Protection Law 5/2020) and ADGM (DP Regulations 2021) for free-zone entities. Triggers on UAE data privacy compliance, UAE PDPL, TDRA, DIFC DP, ADGM DP questions.
license: MIT
metadata:
  id: kb.data-privacy-UAE-PDPL
  category: kb
  practice_area: Data Privacy & Technology Law
  jurisdictions: [UAE]
  priority: P2
  intent: [data-privacy, UAE-PDPL, TDRA, DIFC-DP, ADGM-DP, personal-data, compliance]
  related: [kb-data-privacy-gdpr, kb-data-privacy-ksa-pdpl, kb-data-privacy-egypt, kb-fintech-licensing-difc, kb-healthcare-regulation-mena]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---
# Knowledge Pack — UAE Data Protection Law (Federal Decree-Law 45/2021 + DIFC + ADGM)

## Overview: Three Parallel Regimes
The UAE has three distinct data-protection regimes depending on where the entity is established:
| Regime | Applicable To | Regulator |
|---|---|---|
| UAE Federal PDPL (DL 45/2021) | Onshore UAE entities + extra-territorial scope | TDRA (Telecommunications and Digital Government Regulatory Authority) |
| DIFC Data Protection Law 5/2020 | DIFC-registered entities | DIFC Commissioner of Data Protection |
| ADGM Data Protection Regulations 2021 | ADGM-registered entities | ADGM Registration Authority + ADGM Courts |
DIFC and ADGM have both received EU adequacy decisions, so each is recognized as providing adequate data protection for transfers of EU personal data.

## Part 1: UAE Federal PDPL (Decree-Law 45/2021)

### Scope

Applies to:
- Any entity (public or private) that processes personal data of individuals in the UAE.
- Extra-territorial: foreign entities processing UAE residents' data to offer goods/services or monitor behavior.
- Excludes: purely personal/household use; public security, defense, judicial processing; anonymized/aggregated data.
### Key Definitions
- Personal data: any data relating to an identified or identifiable natural person.
- Sensitive data: health/medical data; genetic/biometric data; data on children; financial data; credit information; religious/political views; ethnic origin; criminal records.
- Controller: determines purposes and means.
- Processor: processes on controller's behalf.
### Lawful Bases
- Consent — written or electronic; explicit for sensitive data; freely given; withdrawable.
- Contract — necessary to perform a contract with the data subject.
- Legal obligation — required by UAE law.
- Vital interests — protection of life or health.
- Public interest — task of public authority.
- Legitimate interests — balancing test; not available for sensitive data.
### Data Subject Rights
| Right | Deadline |
|---|---|
| Access | 30 days |
| Rectification | 30 days |
| Erasure | 30 days |
| Restriction | Without undue delay |
| Portability | 30 days |
| Object to processing (especially direct marketing) | Immediately |
| Withdraw consent | At any time |
### Cross-Border Transfers

Transfer outside the UAE is permitted only if one of the following applies:
- The destination jurisdiction is on TDRA's approved jurisdictions list (includes EU/EEA, DIFC, ADGM, UK, and others with adequacy);
- Contractual safeguards are in place (TDRA-approved SCCs or binding corporate rules);
- The data subject has given explicit consent;
- The transfer is necessary for contract performance, legal claims, vital interests, or public interest.
### Breach Notification
- Notify TDRA within 72 hours of becoming aware.
- Notify data subjects without undue delay if the breach is likely to cause high risk.
- Maintain internal breach register.
### Penalties (Decree-Law 45/2021)
| Violation | Fine |
|---|---|
| Processing special data without consent | AED 5,000,000 – 20,000,000 |
| Transfer outside UAE without authorization | AED 5,000,000 – 20,000,000 |
| Failure to implement security measures | AED 1,000,000 – 10,000,000 |
| Violation of data subject rights | AED 250,000 – 1,000,000 |
| General non-compliance | AED 500,000 – 5,000,000 |
- Repeat violations: doubled fines.
- Criminal liability for intentional violations causing damage.
## Part 2: DIFC Data Protection Law 5/2020 (DIFC DP)

### Scope
Applies to controllers and processors established in the DIFC or processing data of DIFC residents/employees.
### Alignment with GDPR
DIFC DP Law 5/2020 closely mirrors GDPR structure:
- Same six lawful bases (Art 6 equivalent)
- Same special-category data list (Art 9 equivalent)
- Same data subject rights (Arts 15–22 equivalent)
- DPO requirement mirrors GDPR
- 72-hour breach notification
- SCCs for international transfers
- DIFC Commissioner of Data Protection as supervisory authority
### DIFC EU Adequacy
DIFC has an EU adequacy decision — EU personal data may be transferred to DIFC-registered entities without additional safeguards.
### Penalties (DIFC DP)
- Up to USD 100,000 per violation (Commissioner determination).
- Commissioner may issue enforcement notices, warnings, and audit requirements.
## Part 3: ADGM Data Protection Regulations 2021

### Scope
Applies to controllers and processors registered in ADGM.
### Alignment with GDPR
ADGM DP Regulations 2021 similarly align closely with GDPR:
- Same six lawful bases
- Special category data
- Data subject rights
- DPO requirement
- Breach notification
- International transfer safeguards
### ADGM EU Adequacy
ADGM (Abu Dhabi Global Market) also holds an EU adequacy decision.
### Penalties (ADGM DP)

- Up to USD 28,000,000 (a broad cap; the ADGM Registration Authority determines the amount in each case).
## Practical Mapping: Which Regime Applies?

- Is the entity registered in DIFC? → Apply DIFC DP Law 5/2020
- Is the entity registered in ADGM? → Apply ADGM DP Regulations 2021
- Is the entity onshore UAE (Dubai, Abu Dhabi, SPC, other mainland)? → Apply UAE Federal PDPL (DL 45/2021)
- Does the entity have presences in multiple zones? → Multiple regimes apply; compliance with each is required
## Comparison Table
| Feature | UAE PDPL | DIFC DP | ADGM DP | GDPR |
|---|---|---|---|---|
| Regulator | TDRA | DIFC CDP | ADGM RA | National DPA |
| EU adequacy | No | Yes | Yes | N/A |
| Max fine | AED 20M | USD 100K | USD 28M | €20M / 4% |
| Breach notification | 72 hrs | 72 hrs | 72 hrs | 72 hrs |
| DPO required | Certain controllers | Mirrors GDPR | Mirrors GDPR | Certain controllers |
| Extra-territorial | Yes | Yes | Yes | Yes |
## Compliance Checklist
- Determine which regime(s) apply (onshore / DIFC / ADGM)
- Map personal data flows
- Document lawful basis for each processing activity
- Ensure consent mechanisms are compliant (explicit for sensitive data)
- Update privacy notices (Arabic and English for federal; English for DIFC/ADGM)
- Assess DPO requirement
- Implement cross-border transfer mechanisms
- Establish 72-hour breach notification procedure
- Put Data Processing Agreements in place with processors
- Implement security controls proportionate to risk
- Verify sector-specific layered obligations (CBUAE for banking, MOH/DHA/DOH for health)
## Caveats & Currency
The UAE Federal PDPL executive regulations have been issued in phases; TDRA guidance continues to develop. DIFC and ADGM publish their own updated guidance and enforcement decisions. EU adequacy for DIFC and ADGM should be verified for continued validity. Sector-specific requirements from CBUAE, DHA, DOH, and MOH add layers not covered here — verify current guidance.
## Related Skills
- [[kb-data-privacy-gdpr]]
- [[kb-data-privacy-ksa-pdpl]]
- [[kb-data-privacy-egypt]]
- [[kb-fintech-licensing-difc]]
- [[kb-healthcare-regulation-mena]]
- [[draft-data-processing-agreement]]
- [[draft-privacy-policy]]