UAE Personal Data Protection Law: Building Compliance in the Middle East's Largest Economy
The UAE's Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) came into force in January 2022, establishing the UAE's first comprehensive federal personal data protection framework. For the thousands of international organisations that operate in or process data related to UAE residents, understanding and implementing UAE PDPL requirements is both a legal obligation and a commercial necessity in one of the world's most important business hubs.
UAE PDPL Scope and Applicability
UAE PDPL applies to the processing of personal data of individuals in the UAE by:
- Organisations established in the UAE
- Organisations outside the UAE that process data related to UAE residents where the processing is connected to offering goods or services to UAE residents or monitoring their behaviour
Excluded entities: The UAE PDPL does not apply to government entities, security and judicial authorities (which have separate frameworks), processing for purely personal or family purposes, and data controllers subject to UAE free zone data protection laws (DIFC and ADGM have their own comprehensive data protection regimes).
DIFC and ADGM distinction: Organisations operating in the Dubai International Financial Centre (DIFC) or Abu Dhabi Global Market (ADGM) are subject to those free zones' own data protection laws — DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021 respectively — which are modelled more closely on GDPR than the federal PDPL.
Key UAE PDPL Requirements
Consent as primary lawful basis: Unlike GDPR's six lawful bases, UAE PDPL places greater emphasis on consent as the primary basis for personal data processing. Consent must be explicit, informed, and freely given, with specific requirements for consent to sensitive data processing.
Transparency and notice: Data subjects must be informed of the identity of the controller, the purpose of processing, the categories of data collected, recipients of data, retention periods, and their rights.
Data subject rights: Rights to access, rectification, erasure, restriction, objection, and data portability — implemented through procedures that meet UAE PDPL's timeframe and format requirements.
Data localisation: UAE PDPL requires that personal data be stored within the UAE unless the UAE Cabinet approves transfer to specified countries or the transfer is pursuant to an approved mechanism (bilateral agreement, binding corporate rules, or explicit consent).
Security requirements: Controllers must implement appropriate technical and organisational measures to protect personal data — with specific requirements for notification of breaches to the UAE Data Office.
Data Protection Officer: Controllers processing large volumes of personal data or special categories of data must appoint a DPO.
UAE Data Office registration: Certain categories of controllers must register with the UAE Data Office and comply with additional regulatory requirements.
Sensitive Data Under UAE PDPL
UAE PDPL treats several categories of data as sensitive and subjects them to heightened protection and processing restrictions:
- Racial or ethnic origin
- Political or philosophical opinions
- Religious or ideological beliefs
- Trade union membership
- Criminal convictions and offences
- Biometric data that can identify natural persons
- Genetic data
- Health and medical data
Processing of sensitive personal data requires explicit consent unless a specific legal exception applies, and must be conducted with enhanced security measures.
UAE PDPL and DIFC/ADGM: Managing Multiple Frameworks
International organisations operating in the UAE often face the complexity of managing multiple applicable frameworks simultaneously:
Federal PDPL applies to operations and customers in mainland UAE.
DIFC Data Protection Law 2020 (closely modelled on GDPR) applies to organisations established in DIFC or processing data in connection with DIFC activities.
ADGM Data Protection Regulations 2021 (also GDPR-aligned) apply to organisations in ADGM.
For organisations with a presence in more than one UAE jurisdiction, the most efficient compliance strategy is a single, unified data protection programme that satisfies every applicable framework, adopting the strictest requirement wherever the frameworks differ.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com