

Data protection has become a paramount concern for individuals and businesses worldwide. The United Arab Emirates (UAE) has recognized this need to safeguard personal data and has enacted the UAE Federal Data Protection Law, ushering in a new era of data privacy. This article will delve into the critical aspects of this vital legislation.


Who Does the Law Apply To?

The UAE Federal Data Protection Law applies to all public and private entities that process personal data within the UAE’s territory. This includes businesses, government agencies, and non-profit organizations.

Furthermore, the law extends its jurisdiction to include controllers and processors located beyond the borders of the UAE, who engage in the processing of personal data belonging to UAE data subjects. This extra-territorial aspect mirrors the approach taken by the GDPR (General Data Protection Regulation).


Who Does the Law Not Apply To?

The Law’s applicability excludes government data, government entities responsible for managing or processing personal data, and personal data handled by security and judicial authorities. However, government-owned companies will fall under the Law’s purview. Notably, it does not encompass personal health data, financial data, or credit-related information, as these are governed by separate legislation. Furthermore, the Law does not extend to UAE free zones, such as the Dubai International Financial Centre and the Abu Dhabi Global Market, which have distinct data protection regulations. Lastly, the Law does not regulate the use of personal data for personal purposes by the data subject.


What Are the Law’s Key Personal Data Principles?

The Law employs the concept of “controls” when addressing personal data processing. These controls encompass several vital principles, including conducting just, transparent, and lawful processing. It emphasises collecting personal data for precise and explicit purposes, restricting processing to what is necessary for the designated purpose or closely related purposes. Additionally, it underscores the importance of maintaining the accuracy of personal data and rectifying or erasing any inaccuracies. The Law places a significant emphasis on data security and mandates the retention of personal data only for as long as necessary according to the specified purpose, followed by deletion or anonymization. It’s worth noting that these principles align with those embraced by global data protection laws, such as the GDPR.


What Are the Lawful Bases for Processing Personal Data Under the Law?

The Law recognises several lawful bases for processing personal data:

  • Processing is necessary in connection with a contract with the data subject, or to initiate, modify or terminate such a contract.
  • The data subject has made their personal data publicly available.
  • Processing serves the interests of the data subject, is essential for asserting legal rights, or forms part of legal, judicial or security proceedings.
  • Processing is required to meet specific medical or public health requirements under applicable laws.
  • Processing is for archival purposes, or for scientific, historical or statistical research, in accordance with relevant legislation.
  • Processing is needed by a controller or data subject to fulfil obligations or exercise rights under employment or social protection law.


What Are the Key Controller Obligations?

Data controllers are responsible for ensuring compliance with the law. If required, they must implement measures to protect personal data, conduct impact assessments, and appoint a Data Protection Officer (DPO). Controllers are also obliged to notify the authorities of data breaches.


What Are the Key Processor Obligations?

Data processors must only process data as instructed by the controller. They should also implement security measures and report any breaches promptly to the controller.


What Is the Process for Reporting a Personal Data Breach?

In the event of a personal data breach, organizations must report it to the UAE’s Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. Data subjects affected by the breach must also be informed without undue delay. Data Controllers and Data Processors must keep a data breach register.


Will a Data Protection Officer Need to Be Appointed?

Appointing a Data Protection Officer (DPO) is mandatory for specific organizations. The DPO is pivotal in ensuring compliance, advising on data protection matters, and acting as a point of contact with the DPA. The legislation mandates that both the controller and processor designate a competent and well-informed Data Protection Officer (DPO) when the processing activities pose a substantial risk to personal data privacy. Such risks can arise from adopting new technologies or the sheer magnitude of personal data being processed. Furthermore, appointing a DPO becomes obligatory when processing involves evaluating sensitive personal data within profiling or automated processes or when handling extensive volumes of sensitive personal information. The executive regulations will outline additional guidance on identifying “high-risk” processing and the necessity of a DPO. It’s important to note that a DPO can also be located outside the UAE.


What Are the Data Subject Rights?

The following rights are available to individuals:

  • Right of Access
  • Right of Erasure
  • Right of Rectification
  • Right of Portability
  • Right to Restrict
  • Right to Object


What Do the Data Protection Impact Assessments Cover?

Data Protection Impact Assessments (DPIAs) are conducted to assess and mitigate risks associated with data processing activities. DPIAs are essential for identifying and addressing potential privacy concerns.


What Are the Rules Around Cross-Border Personal Data Transfers?

Cross-border transfers of personal data are permitted, provided that certain safeguards are in place, such as using standard contractual clauses or binding corporate rules. The law aims to ensure that data remains protected even when transferred internationally.


What Is the Law’s Penalty Regime?

Non-compliance with the UAE Federal Data Protection Law can result in significant penalties, including fines, suspension of data processing activities, and even criminal liability in some cases. Organisations must take data protection seriously to avoid such consequences.

In conclusion, the UAE Federal Data Protection Law marks a significant step towards enhancing data privacy and security within the UAE. Businesses and organizations operating in the region must familiarize themselves with its provisions and take proactive measures to ensure compliance. By doing so, they can protect the rights and interests of data subjects while avoiding potential legal repercussions.



The UAE Federal Data Protection Law is a significant step towards fortifying data privacy and security within the country. Its comprehensive framework addresses the fundamental principles of fair and lawful data processing, ensuring that personal data remains protected. The law’s emphasis on transparency, purpose limitation, and accountability aligns with global data protection standards, particularly the GDPR.

Moreover, the provision of Data Protection Officers (DPOs) underscores the commitment to safeguarding data subjects’ rights and interests. The requirement to appoint a DPO in cases of high-risk processing, whether due to advanced technologies or extensive data volumes, reflects the law’s adaptability to evolving digital landscapes.

As organizations and individuals navigate the complex data protection landscape in the UAE, it is imperative to remain vigilant and proactive in complying with the law’s provisions. This not only safeguards the privacy of personal data but also mitigates the risk of penalties for non-compliance.