PDPL (UAE)

What is PDPL (UAE)?

The Personal Data Protection Law (PDPL), formally known as Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, is the United Arab Emirates’ first comprehensive data protection framework. Commonly referred to as PDPL (UAE), it establishes a unified standard for safeguarding personal data, closely aligned with global privacy regimes such as the EU GDPR.

The PDPL applies to all organizations that process personal data of individuals residing in the UAE, regardless of whether the controller or processor is located inside or outside the country. It is relevant to a wide range of industries, from banking, healthcare, insurance, education, and government contractors, to technology firms and multinationals with operations in the UAE.

Oversight and enforcement are carried out by the UAE Data Office (the Bureau), which has the authority to issue guidance, exemptions, and penalties. Importantly, certain sectors with existing legislation (such as healthcare, banking/credit data, and free zones like DIFC or ADGM) are excluded or governed under parallel laws.

Since its introduction in 2021, the PDPL has been supported by Executive Regulations (2022–2023) clarifying obligations around breach reporting, DPO requirements, and cross-border data transfers. Organizations should monitor updates, as additional regulatory guidance continues to evolve.

What are the requirements for PDPL (UAE)?

Compliance with the PDPL requires organizations to establish a robust data protection program that demonstrates accountability and safeguards personal data across its lifecycle. Key requirements include:

  • Legal Basis for Processing: Organizations must obtain valid consent or meet one of the legal grounds (e.g., public interest, contract performance, vital interest, legal obligations).
  • Data Subject Rights: Implement processes to handle requests for access, correction, erasure, restriction, portability, objection, and human review of automated decisions.
  • Governance Roles: Appoint a Data Protection Officer (DPO) where high-risk processing applies, and maintain clear contracts with processors.
  • Records & Documentation: Maintain a Record of Processing Activities (RoPA) including categories of data, purposes, retention, security measures, and cross-border transfers.
  • Security Controls: Apply encryption, pseudonymisation, resilience, backup/recovery, and regular testing of security measures.
  • Risk Management: Conduct Data Protection Impact Assessments (DPIAs) before high-risk processing (e.g., profiling, sensitive data, new technologies).
  • Breach Notification: Notify the UAE Data Office (Bureau) and affected individuals of personal data breaches within prescribed timelines.
  • Cross-Border Transfers: Restrict transfers outside the UAE to jurisdictions with adequate protection or ensure safeguards (contracts, explicit consent, public interest, judicial necessity).
  • Regularisation: Organizations were initially required to regularize compliance within six months of the Executive Regulations, with extensions granted.

There is no formal “application” process. Organizations demonstrate compliance through policies, procedures, records, and evidence of implementation, subject to inspection by the Bureau.
Why should you be PDPL (UAE) compliant?

Achieving compliance with PDPL (UAE) is not just a legal obligation. It is also a competitive differentiator for organizations operating in or with the UAE.

Benefits of compliance:

  • Strengthens trust with customers and business partners by safeguarding personal data.
  • Aligns with international frameworks like GDPR, making global operations smoother.
  • Reduces risk of breaches, reputational harm, and litigation.
  • Enhances operational discipline through better data governance and risk management.

Risks of non-compliance:

  • Exposure to financial penalties and sanctions imposed by the UAE Data Office.
  • Potential suspension or limitation of business operations within the UAE.
  • Loss of trust from customers, investors, and regulators.
  • Increased vulnerability to cybersecurity risks and privacy breaches.

In short, compliance with PDPL (UAE) is essential for any organization that values market access, regulatory trust, and brand reputation in the Emirates and beyond.

How to Achieve Compliance?

Becoming compliant with PDPL (UAE) starts with putting the right controls, policies, and processes in place, from managing consent and data subject rights, to maintaining records of processing, securing personal data, and ensuring breach notification and cross-border transfer procedures.

With the Centraleyes platform, these requirements can be streamlined into actionable tasks:

  • Automated assessments map your existing controls against PDPL (UAE) obligations.
  • Pre-built questionnaires capture evidence for consent, security, DPIAs, and processor agreements.
  • Risk registers and dashboards highlight gaps, track remediation, and document compliance status.
  • Automated reporting provides regulators and stakeholders with audit-ready proof of compliance.

Most importantly, organizations can quickly identify where they stand, close gaps faster, and demonstrate compliance with confidence, reducing manual effort and accelerating the journey to PDPL (UAE) alignment.

Read more: https://www.uaelegislation.gov.ae/en/legislations/1972/download
