Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE)
The UAE's Federal Decree-Law No. 45 of 2021 is the country's first federal data protection law, modeled on the GDPR and supervised by the UAE Data Office. It requires lawful bases, data subject rights, and breach notification, and applies outside the DIFC and ADGM free zones.
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data is the first federal data protection law of the United Arab Emirates. It was issued in 2021 and entered into force on January 2, 2022, although its detailed obligations depend on executive regulations and a transition period for compliance. The law establishes the UAE Data Office to supervise and regulate data protection at the federal level. The PDPL draws heavily on the GDPR in its structure and concepts.
It is important to note that the UAE's financial free zones, the DIFC and the ADGM, have their own separate, well-established data protection laws. The federal PDPL applies outside those free zones.
Who It Applies To
The federal PDPL applies to the processing of personal data of data subjects inside the UAE, to controllers and processors established in the UAE that process personal data whether inside or outside the country, and to controllers and processors established outside the UAE that process the personal data of data subjects inside the UAE. It does not apply to government data, certain health and banking data already regulated by other laws, or to the DIFC and ADGM free zones, which have their own regimes.
Key Requirements
Processing generally requires the consent of the data subject unless an exception applies, such as performance of a contract, protection of public interest, legal obligation, or legitimate interests. Controllers must observe principles of fair and lawful processing, purpose limitation, accuracy, and security. Data subjects have rights to information, access, correction, erasure, restriction, portability, objection, and rights related to automated processing. Controllers and processors must keep records of processing, implement appropriate security measures, conduct assessments for high-risk processing, and appoint a Data Protection Officer in certain cases. Personal data breaches must be reported to the UAE Data Office, and to data subjects where the breach may cause harm. Cross-border transfers are permitted to countries with adequate protection or under appropriate safeguards.
Penalties for Non-Compliance
The specific administrative penalties are to be set out in executive regulations issued by the Cabinet. The Data Office is empowered to supervise compliance, investigate complaints, and impose administrative sanctions once the implementing framework is finalized.
How to Comply
Determine whether your processing falls under the federal PDPL or a free zone regime. Identify a legal basis for each activity and obtain consent where required. Maintain records of processing and apply purpose limitation and security measures. Build processes for the full set of data subject rights. Conduct assessments for high-risk processing and appoint a DPO where needed. Establish a breach notification process to the Data Office. Review cross-border transfers and apply adequacy or appropriate safeguards.