New UAE Data Protection Regulation

Clive Mackintosh
November 17, 2023
International Data Transfers

In his latest blog, Clive Mackintosh, Founder of GDPR Rep, experts in GDPR Representative services, looks at the new UAE Data Protection Regulation - the Protection of Personal Data (PDPL).

The new UAE data protection regime is based on Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). The PDPL is a comprehensive law that covers all aspects of data protection, including the collection, use, storage, transfer, and disposal of personal data. The law also sets out the rights of individuals in relation to their personal data, such as the right to access, rectify, and erase their personal data.

The PDPL is broadly aligned with the UK and EU General Data Protection Regulation (GDPR).

However, there are some key differences between the two laws. For example, the PDPL does not require organisations to obtain explicit consent from individuals before collecting and using their personal data.

Here are some of the key features of the new UAE data protection regime:


The PDPL applies to the processing of personal data by any person or entity, whether inside or outside the UAE.

Data protection principles

The PDPL sets out a number of data protection principles that businesses must comply with, including the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Legitimate grounds for processing personal data

Businesses can only process personal data if they have a legitimate ground for doing so. The PDPL lists a number of legitimate grounds for processing personal data, such as consent, contract performance, legal obligation, and legitimate interests.

Data subject rights

Individuals have a number of rights in relation to their personal data, such as the right to access, rectify, erase, restrict, and object to the processing of their personal data.

Data breach notification

Businesses must notify the data protection authority and affected individuals of any data breaches that occur.

Data protection authority

The UAE Data Protection Authority (PDPA) is responsible for enforcing the PDPL. The PDPA has a number of powers, including the power to investigate breaches of the PDPL, issue fines, and impose other sanctions.

The new UAE data protection regime is a significant development for the country. The law is designed to protect the privacy of individuals and to promote trust in the digital economy. The PDPL is also expected to make it easier for businesses to do business in the UAE, as they will be able to rely on a clear and predictable data protection framework.
