Personal Data Protection Law UAE PDPL

In this article we will be diving deep about this interesting topic Personal Data Protection Law UAE PDPL.

Now, let us see what it means !


    – The long-awaited Federal Decree-Law No. 45 of 2021 regulating the Protection of Personal Data was published by the UAE Cabinet (PDPL). One of the initial initiatives of the UAE’s legislative reform, the PDPL will take effect on January 2, 2022. By March 20, 2022, executive regulations must be published.
    – The UAE’s government has been working on a comprehensive data protection law for a while now in an effort to raise its standards for data processing and protection to par with global best practices. The Cabinet is aware that protecting personal data is crucial in a time when customers, consumers, and governments value data privacy and how it is handled.
    – The PDPL emphasizes the rights and obligations of all parties involved while providing a legal framework to safeguard the confidentiality and security of personal information.

A Regulatory Body

The “UAE Data Office” will be the name given by the UAE government to a single national data privacy authority. The “Office” will be created in accordance with a different regulation to control how the PDPL is used.
    The regulatory body will be in charge of a number of duties, such as :
    – creating and recommending data protection strategies
    – putting up and approving the revered guidelines for assessing how federal law is being applied to protect data subjects’ privacy
    – constructing and approving methods for grievances and complaints
    – releasing policies and guidelines for the application of data protection laws.

Who Must Obey the Law

– Material Purpose
        – According to Article 2(1) of the PDPL, it applies to any data controller or data processor based in the UAE who processes the personal data of data subjects who reside or work in the UAE or outside of it. It includes the private information of those who live or work in the UAE.
    – Territory Covered
        – The PDPL is also applicable to any data controller or processor based outside of the UAE who processes data concerning data subjects within the UAE.
    – So, like GDPR, the PDPL has an extraterritorial application.
    – According to Article 2(2) of the PDPL, it does not apply to organizations and entities established in free zones with their own personal data protection laws, government data, public entities, the processing of personal data for personal use, health or credit data governed by their own respective legislation, and the processing of personal data for government or health purposes (as an example the Dubai International Financial Centre has data protection laws already).

Key Term Definitions

    – Individual Data genuine person who may be recognized by a unique identifier such as his name, voice, photo, or identification number, either directly or indirectly through the linkage of data, electronic identifier, geographical location, or one or more physical, physiological, cultural, or social characteristics, is said to have provided personal data under the PDPL.
    – Sensitive Personal Information
        – Sensitive information is anything that, in accordance with the PDPL, directly or indirectly discloses a person’s :
            – Race
            – Ethnicity
            – philosophies of politics
            – religious convictions
            – a criminal history
            – data biometrics
            – Health information
            – Any details pertaining to that person’s health, including their sexual state.

Obligations Of PDPL

    – Legal Grounds for the Processing
        – Except in certain legal situations, the PDPL states that personal data can only be processed with the data subject’s consent. These required conditions include:
            – The processing is required to enter into, amend, or terminate any contract with a data subject, as well as to fulfil any contractual obligations
            – When a data subject has made personal information publicly available
            – To safeguard the data subject’s interests
            – When processing is required to exercise a legal right or comply with judicial or security requirements
            – Where processing is required (in line with applicable law) for specific medical conditions or problems of public health
            – For archival purposes, or for historical, statistical, and scientific research (in compliance with applicable law)
            – Where processing is required to serve the public interest
            – When processing is required to ensure that the data controller is in compliance with legal requirements
            – Any further situations mentioned in the Executive Regulations published under the PDPL.

– According to Article 6 of the PDPL, the following requirements must be met before a data subject can give their legitimate consent to have his or her personal information processed :
        – If the data subject’s consent is used as a legal justification for the processing of his or her personal information, the data controller must demonstrate the data subject’s consent.
        – The consent could be acquired verbally or in writing, but it needs to be done in a way that is understandable, uncomplicated, and straightforward.
        – The process for getting consent should specify how the data subject may revoke their consent, and the process must be simple for them to follow.
    – The PDPL further states that data subjects have the right to revoke their consent at any time, and that doing so should have no bearing on the legality of the processing that had already been done prior to the withdrawal. The PDPL contains a provision for “opt-in” permission comparable to that found in the GDPR.

Security Conditions

    – The PDPL requires the data controller and processor to take the proper organizational and technical steps to maintain a high level of information security that is commensurate with the risks involved with the processing in accordance with the highest global standards and practices. These techniques may consist of:
        – Encrypting the data subject’s personal information
        – Data pseudonymization implementation
        – Adoption of measures to ensure ongoing flexibility in processing systems and services, as well as confidentiality, integrity, and safety
        – The adoption of procedures that ensure prompt access to personal data in the event of any technical or real breakdown.


That’s all about the Personal Data Protection Law UAE PDPL. After reading this essay, I hope you found it enjoyable and learned something new. We have learned what is Personal Data Protection Law UAE PDPL, it’s regulatory body, who obeys the law, it’s obligations, it’s requirements consent, it’s security conditions.

Call Us