Personal Data Protection Law in UAE

UAE Personal Data Protection Law (PDPL): A Complete Guide for UAE Businesses

If you collect personal data through a website, mobile app, CRM, or any digital service in the UAE, you are governed by one of the most significant legal reforms in the country’s recent history: the UAE Personal Data Protection Law (PDPL), introduced as Federal Decree-Law No. 45 of 2021. Alongside it sits a network of related laws that together define how UAE businesses must collect, store, transfer, and protect personal information.

This guide explains how the PDPL works, what it requires from businesses, how it interacts with the DIFC, ADGM, and sector-specific regimes, and what you practically need to do to stay compliant. It is written for UAE business owners, managers, developers, and marketers who need a clear operational picture, not a legal treatise. For binding legal advice, consult a qualified UAE lawyer.

⚠️ IMPORTANT: This guide provides general information. Laws and regulations change, and individual circumstances vary. For specific compliance decisions, consult a qualified UAE data protection lawyer or the UAE Data Office.

The UAE Data Protection Landscape at a Glance

The UAE does not have a single unified data protection regime. Different rules apply depending on where your business is registered and what type of data you process. Before you assess your obligations, identify which regime (or combination of regimes) governs your operations.

JurisdictionGoverning LawWho It Applies To
Onshore UAE (Mainland and most free zones) Federal Decree-Law No. 45 of 2021 (PDPL) Mainland companies and most free zone companies outside DIFC and ADGM
DIFC DIFC Law No. 5 of 2020 (DIFC Data Protection Law) Entities registered in the Dubai International Financial Centre
ADGM ADGM Data Protection Regulations 2021 Entities registered in the Abu Dhabi Global Market
Dubai Healthcare City (DHCC) DHCC Data Protection Regulations Healthcare entities registered in DHCC
Sector-specific Health, banking, credit, telecom laws Businesses in regulated sectors (additional rules on top of general regime)

The DIFC and ADGM have their own comprehensive data protection laws modelled closely on the EU GDPR, overseen by their own regulators. If your company is incorporated in those free zones, the onshore PDPL does not generally apply to you, but the principles are broadly similar. The rest of this guide focuses primarily on the onshore PDPL, with references to the other regimes where relevant.

PDPL: The Core Federal Law

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data is the UAE’s first comprehensive federal data protection law. Key facts:

| Item | Detail |
|---|---|
| Full title | Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data |
| Issued | September 2021 |
| Effective date | 2 January 2022 |
| Regulator | UAE Data Office (established by Federal Decree-Law No. 44 of 2021) |
| Modelled on | International best practices, with many similarities to the EU GDPR |
| Territorial reach | Onshore UAE, with extraterritorial application to processing of UAE residents’ data |

Executive Regulations: The Pending Piece

The PDPL is a framework law. Many of its provisions, including exact notification timelines, specific penalty amounts, and detailed procedural rules, are meant to be set out in Executive Regulations to be issued by the UAE Cabinet on the proposal of the UAE Data Office.

The PDPL provides that Executive Regulations should be issued within six months of the law’s publication. At the time of writing this guide, the Executive Regulations have not yet been published. Once they are issued, organisations have a further six months (extendable by the Cabinet) to bring their operations into full compliance.

💡 TIP: This does not mean you can ignore the PDPL. The law is in force, its principles already shape best practice, and regulators have expressed clear expectations. Most legal practitioners and international businesses already apply PDPL principles proactively, exactly as they do with GDPR. When the Executive Regulations are published, you will want to already be most of the way there.

Who the PDPL Applies To

The PDPL applies broadly, with an extraterritorial reach similar to the GDPR. It covers:

  1. Data subjects residing or working in the UAE, whose personal data is being processed
  2. Controllers or processors established in the UAE processing personal data, regardless of whether the data subjects are in the UAE
  3. Controllers or processors outside the UAE that process personal data of data subjects inside the UAE

In practical terms: if your website collects names, emails, phone numbers, or payment details from users in the UAE, the PDPL likely applies to you, even if your servers or headquarters are abroad.

Who the PDPL Does NOT Apply To

The PDPL does not apply to several important categories. Your organisation may fall partially or entirely outside its scope if you operate in one of these areas, though sector-specific rules will typically still govern you.

  • Government data and processing by public authorities, which is governed separately
  • Personal health data, regulated by Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Health Fields
  • Banking and credit data, regulated by Federal Law No. 6 of 2010 on Credit Information and UAE Central Bank regulations
  • Data held by security and judicial authorities
  • Entities registered in the DIFC, which follow DIFC Law No. 5 of 2020
  • Entities registered in the ADGM, which follow the ADGM Data Protection Regulations 2021
  • Entities in Dubai Healthcare City, which have their own data protection regulations

⚠️ IMPORTANT: “Not subject to PDPL” never means “no data protection obligations.” It usually means a different, equally strict regime applies. DIFC and ADGM companies, for example, are regulated by laws modelled on GDPR and overseen by dedicated Data Protection Commissioners.

Key PDPL Concepts You Must Understand

The PDPL uses terminology that will be familiar to anyone who has worked with GDPR, but the specific UAE definitions matter. These are the core building blocks.

Personal Data

Any data relating to an identified or identifiable natural person. That includes names, identification numbers, email addresses, phone numbers, voice recordings, photos, electronic identifiers, location data, and physical, physiological, cultural, or social characteristics. IP addresses and cookie identifiers also qualify when they can be linked to an individual.

Sensitive Personal Data

A special category of personal data requiring heightened protection. This includes data relating to ethnic or racial origin, political or philosophical views, religious beliefs, criminal records, biometric data, genetic data, and health data. Processing sensitive personal data triggers additional safeguards and, when done at scale, makes the appointment of a DPO mandatory.

Data Subject

The natural person whose personal data is being processed. Your customers, employees, website visitors, and newsletter subscribers are all data subjects.

Data Controller

The entity that determines the purposes and means of processing personal data. If you decide what data to collect from your customers and why, you are a controller. Most businesses are controllers with respect to their own customer and employee data.

Data Processor

An entity that processes personal data on behalf of a controller. Cloud hosting providers, payment processors, CRM platforms, and marketing automation tools typically act as processors when they handle your customer data on your instructions.

Lawful Bases for Processing

The PDPL requires a lawful basis for every processing activity. Consent is the most visible legal basis, but it is not the only one. The law recognises several grounds for processing personal data without consent.

  • Consent of the data subject, which must be clear, unambiguous, informed, and withdrawable
  • Necessity for the performance of a contract with the data subject or to take steps at their request before entering into a contract
  • Compliance with a legal obligation imposed on the controller
  • Protection of the vital interests of the data subject
  • Protection of public interest or public health
  • Archival, scientific, historical, or statistical purposes in line with UAE legislation
  • Employment, social security, or social protection obligations
  • Judicial or security procedures or legal claims
  • Data made public by the data subject
  • Additional cases specified in the Executive Regulations

When you rely on consent, the PDPL sets strict conditions. Consent must be specific, given through a clear affirmative action, and the data subject must be informed how to withdraw it. Implied consent through silence, pre-ticked boxes, or bundled acceptance of terms is not valid.

💡 TIP: For each processing activity your business carries out, identify and document the lawful basis. This is the first step of practical PDPL compliance and the foundation of your privacy policy.

Rights of Data Subjects

The PDPL gives data subjects a suite of rights that businesses must be prepared to handle. Your internal processes need mechanisms to receive, verify, and respond to these requests.

  1. Right to information, to be informed before processing begins about purposes, recipients, and security measures
  2. Right of access, to obtain personal data the controller holds about them
  3. Right to rectification, to request correction of inaccurate data
  4. Right to erasure, to request deletion under certain conditions
  5. Right to restrict processing, to request that processing stop in certain cases
  6. Right to data portability, to receive personal data in a machine-readable format
  7. Right to object to processing, including direct marketing
  8. Right to object to automated decision-making, including profiling that produces legal or similarly significant effects
  9. Right to withdraw consent, at any time and as easily as it was given

These rights are subject to certain exceptions under the PDPL, and the balance differs slightly from the GDPR. Practically, your privacy policy and support processes must describe how data subjects exercise these rights and what to expect in response.

Your Obligations as a Business

The PDPL imposes several concrete obligations on controllers and processors. These form the operational backbone of any compliance programme.

📋 Maintain a Record of Processing Activities (ROPA)

Both controllers and processors must keep a written record of their processing activities. This record typically includes the purposes of processing, categories of data subjects and data, recipients of data, retention periods, and the technical and organisational security measures in place. A ROPA is the evidence you produce if the UAE Data Office asks how you comply with the law.

👤 Appoint a Data Protection Officer (DPO) when required

Under Article 10 of the PDPL, a DPO must be appointed in three circumstances:

  • When processing is likely to result in a high risk to the privacy and confidentiality of personal data as a consequence of adopting new or data-size-based technologies
  • When processing involves systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing
  • When processing involves large volumes of sensitive personal data

The DPO can be an employee or an external service provider, and does not have to be located in the UAE. Their contact details must be shared with the UAE Data Office.

🔍 Conduct Data Protection Impact Assessments (DPIAs)

Under Article 21, controllers must perform a DPIA before starting any processing that is likely to result in a high risk to data subjects. Triggers commonly include systematic and extensive evaluation of individuals through automated processing or profiling, large-scale processing of sensitive data, and large-scale systematic monitoring.

🚨 Notify Personal Data Breaches

Under Article 9, controllers must notify the UAE Data Office of any personal data breach that would prejudice the privacy, confidentiality, or security of a data subject’s data. Notifications must include a description of the nature, form, and causes of the breach, approximate numbers affected, DPO contact details, likely consequences, and measures taken to mitigate. The exact timeline for notifications will be set by the Executive Regulations. If the breach poses a high risk, the affected data subjects must also be notified directly. Processors must notify controllers without delay when they become aware of a breach.

🔒 Implement Technical and Organisational Security Measures

Controllers and processors must implement measures appropriate to the risk, including encryption, access controls, authentication, backups, secure deletion, and staff training. The PDPL does not prescribe specific technologies, but it does require that the measures be appropriate to the sensitivity of the data and the nature of the processing.

📝 Sign Proper Data Processing Contracts

When you use processors, the relationship must be governed by a written contract that binds the processor to comply with the PDPL, implement appropriate security measures, assist you with data subject requests, and return or delete data at the end of the engagement. Generic terms and conditions are usually not enough.

Cross-Border Data Transfers: Why Data Residency Matters

Few parts of the PDPL matter more in practice than the rules on transferring personal data outside the UAE. Articles 22 and 23 regulate international transfers, and they directly shape your hosting and cloud decisions.

Article 22: Transfers to countries with adequate protection

Personal data may be freely transferred to a country that has adequate data protection legislation, similar to the EU “adequacy decision” model. The UAE Data Office is responsible for determining which countries qualify. The official list has not yet been published.

Article 23: Transfers to countries without adequate protection

In the absence of adequacy, transfers are still permitted under specific conditions. These include:

  • A written contract with the receiving party that imposes PDPL-level obligations (equivalent to standard contractual clauses)
  • Express consent of the data subject, given in a manner that does not conflict with UAE security or public interest
  • Necessity for the performance or execution of a contract between the controller and the data subject, or between the controller and a third party in the data subject’s interest
  • Necessity to fulfil obligations, or to establish, exercise, or defend legal claims
  • Necessity to protect public interest

In practice, this means that if you use cloud services or hosting providers outside the UAE, you are carrying out international data transfers that need a legal mechanism under Article 22 or 23. The paperwork and risk profile are meaningfully higher than keeping data in-country.

The hosting connection: Keeping your website, application, and customer databases on servers physically located in the UAE removes cross-border transfer complexity entirely. There is no transfer to assess, no SCC-equivalent to draft, no adequacy determination to wait on. This is one of the strongest practical reasons UAE businesses choose UAE-based hosting over international providers. AEserver operates its infrastructure in Tier III Dubai data centres, keeping customer data within UAE jurisdiction.

Penalties and Enforcement

The PDPL itself does not set specific penalty amounts. Instead, administrative penalties will be issued by a Council of Ministers decision on the proposal of the UAE Data Office, with specifics defined in the Executive Regulations. Until those are published, enforcement operates through guidance, complaints handling, and the expectation that organisations will align with PDPL principles.

Data subjects have the right to file complaints directly with the UAE Data Office if they believe the PDPL has been violated. Once the enforcement framework is fully operational, administrative fines are expected to apply alongside obligations to suspend or restrict non-compliant processing.

Outside the PDPL, other laws can impose criminal and financial penalties for data-related misconduct. Notably, Federal Decree-Law No. 34 of 2021 on Combating Rumors and Cybercrimes criminalises unauthorised access to and disclosure of personal data, with fines that can reach hundreds of thousands of dirhams and custodial sentences for serious cases.

The UAE Data Office

Established under Federal Decree-Law No. 44 of 2021, the UAE Data Office is the national regulator responsible for data protection. It sits within the Ministry of Cabinet Affairs and its functions include:

  • Proposing and developing data protection policies and legislation
  • Setting standards for monitoring compliance with the PDPL
  • Receiving, investigating, and adjudicating complaints from data subjects
  • Approving jurisdictions with an adequate level of protection for international transfers
  • Imposing administrative penalties once the enforcement framework is complete
  • Issuing guidelines, instructions, and awareness programmes
  • Exempting organisations that do not process large volumes of data from certain obligations

Free Zone Data Protection Regimes

If your business is registered in one of the UAE’s major financial free zones, different rules apply. These regimes are mature, fully enforceable today, and overseen by their own specialist regulators.

DIFC Data Protection Law (DIFC Law No. 5 of 2020)

Applies to entities registered in the Dubai International Financial Centre. Modelled closely on the GDPR, it is enforced by the DIFC Commissioner of Data Protection. DPOs are mandatory for DIFC Bodies and for controllers or processors carrying out high-risk processing on a systematic or regular basis.

ADGM Data Protection Regulations 2021

Applies to entities registered in the Abu Dhabi Global Market. Also modelled on GDPR, with its own Commissioner of Data Protection. A DPO is required when processing is carried out by a public authority, when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities involve large-scale processing of sensitive data.

DHCC Data Protection Regulations

Applies to healthcare entities in Dubai Healthcare City, with a particular focus on patient data.

Other UAE Laws That Affect Data Protection

The PDPL does not exist in isolation. Several other UAE laws contain privacy-related provisions that may apply to your business depending on sector, activity, and data type.

Federal Decree-Law No. 34 of 2021 (Cybercrime Law)

Also effective from 2 January 2022, this law replaced the older Federal Law No. 5 of 2012 on Combating Cybercrimes. It criminalises a broad range of online offences, including unauthorised access to information systems, data theft, identity fraud, hacking, phishing, and unlawful disclosure of personal data. Penalties can reach hundreds of thousands of dirhams in fines and custodial sentences for serious violations.

Federal Law No. 15 of 2020 (Consumer Protection Law)

Safeguards consumer rights, including the confidentiality of personal information. It prohibits businesses from using customer data for marketing or promotional purposes without proper consent.

Federal Law No. 2 of 2019 (ICT in Health Law)

Regulates the use of information and communication technology in healthcare, including how digital health records must be handled, stored, and protected. Health data is excluded from the PDPL and governed by this law instead, along with sector regulations issued by UAE health authorities.

Federal Law No. 6 of 2010 (Credit Information Law)

Governs how credit information is collected, stored, and protected. Banking and credit data are excluded from the PDPL and fall under this law and UAE Central Bank regulations.

Federal Decree-Law No. 46 of 2021 (Electronic Transactions and Trust Services Law)

Effective from 2 January 2022, this law repealed the older Federal Law No. 1 of 2006 on Electronic Commerce. It regulates electronic documents, electronic signatures, electronic seals, and trust service providers. The accompanying Executive Regulations were issued through Cabinet Resolution No. 28 of 2023. This law matters if your business issues, receives, or relies on digital signatures and electronic contracts.

Federal Law No. 3 of 2003 (UAE Telecommunications Law)

As amended, this law and its implementing regulations issued by TDRA set rules for telecommunications providers, including obligations relating to user data confidentiality and content regulation.

Dubai Law No. 26 of 2015 (Dubai Data Law)

Regulates the dissemination and exchange of data within the Emirate of Dubai. Its primary focus is on government-related data and the distinction between “open data” and “shared data” in the context of Dubai’s smart city initiatives. It is not a personal data protection law in the PDPL sense, but it interacts with data held by businesses that supply services to Dubai government entities.

Article 31 of the UAE Constitution

Guarantees the confidentiality of personal communications through post, telegraph, or other means of communication. This constitutional right underpins the specific data protection statutes and reinforces the general privacy framework.

How PDPL Affects Your Hosting and Infrastructure Choices

PDPL compliance is not only a policy and paperwork exercise. The infrastructure that stores and processes your data is part of the compliance picture, and the choices you make here carry real legal weight.

1. Data residency simplifies compliance

Hosting customer data in UAE-based data centres means there is no international transfer to justify under Articles 22 or 23. This removes an entire category of compliance paperwork and risk, particularly valuable while adequacy decisions from the UAE Data Office remain pending.

2. Your hosting provider may be a data processor

If your hosting provider operates the servers on which your customer database lives, they are processing personal data on your behalf. Under the PDPL, this makes them a data processor. You need a written agreement covering confidentiality, security measures, sub-processors, incident notification, and data return or deletion at the end of the engagement. Reputable UAE providers are familiar with these requirements.

3. Security measures must be demonstrable

Encryption at rest and in transit, access controls, tested backups, logging, and segregation of environments are expected of any modern provider. Certifications such as ISO 27001 and PCI-DSS at the data centre and provider level are not required by the PDPL, but they help you demonstrate the “appropriate measures” the law requires.

4. VAT and local billing

UAE-registered businesses typically need VAT-compliant invoices. Local providers issue AED-denominated invoices with proper UAE VAT treatment, which simplifies both accounting and regulatory relationships. International providers often cannot.

5. Incident response time matters

When a security incident affects personal data, you need fast, coordinated response to meet your Article 9 notification obligations. A local provider operating in your time zone with Arabic and English support cuts response time significantly compared with overseas-only support.

PDPL vs GDPR: Quick Comparison

UAE businesses that work with European customers often need to comply with both the GDPR and the PDPL. The two regimes are broadly aligned, but there are differences worth knowing.

| Area | UAE PDPL | EU GDPR |
|---|---|---|
| Lawful bases | Consent by default, with statutory exceptions | Six bases, including legitimate interests as a general ground |
| Legitimate interests | Not a general standalone basis | Explicit ground (Article 6(1)(f)) |
| Data subject rights | Access, rectification, erasure, portability, objection, restriction of processing | Broadly similar rights, with some nuances |
| DPO requirement | Mandatory for high-risk or large-scale sensitive data processing | Mandatory for public authorities, large-scale monitoring, and large-scale sensitive data |
| Breach notification | Required; timeline to be set by Executive Regulations | 72 hours to supervisory authority |
| International transfers | Adequacy (list pending) or equivalent safeguards | Adequacy decisions, SCCs, BCRs, derogations |
| Penalties | Set in Executive Regulations (pending); Cybercrime Law imposes criminal penalties separately | Up to 4% of global annual turnover or EUR 20 million |
| Regulator | UAE Data Office | National Data Protection Authorities |

If you already run a GDPR-compliant programme, most of the work is reusable for the PDPL. You will mainly need to update territorial scope assessments, add UAE-specific notices, document your PDPL lawful bases separately, and review your international transfer arrangements for data moving in and out of the UAE.

Practical Compliance Checklist for UAE Businesses

This checklist translates the PDPL requirements into concrete actions. It does not replace legal advice, but it gives you a practical starting point.

  1. Map your data flows. Document every category of personal data you collect, where it comes from, where it is stored, who can access it, and where it flows (including to third parties and across borders).
  2. Identify your lawful basis for each processing activity. Consent is not the answer for everything. Contract, legal obligation, or public interest may fit better.
  3. Update your privacy policy. Make it specific, readable, and aligned with PDPL requirements. Describe purposes, lawful bases, retention, and rights.
  4. Update your consent mechanisms. No pre-ticked boxes, no bundled consents. Every consent should be specific, informed, and easy to withdraw.
  5. Build a ROPA. Even a simple spreadsheet is a start. Include purposes, data categories, recipients, retention, security measures, and international transfers.
  6. Review vendor and processor contracts. Ensure every third party that touches personal data is bound by a written agreement with PDPL-appropriate clauses.
  7. Assess cross-border transfers. Identify every flow leaving the UAE and document the Article 22 or 23 basis that supports it.
  8. Assess whether you need a DPO. Apply the Article 10 triggers. When in doubt, appoint one (internal or outsourced).
  9. Implement data subject rights processes. Provide a clear channel, verify identity, track requests, and respond promptly.
  10. Implement a breach response plan. Detection, containment, notification to the UAE Data Office, notification to affected data subjects, and post-incident review.
  11. Run DPIAs before high-risk new processing. Build this into your project lifecycle before launch, not after.
  12. Train your staff. Basic awareness for everyone who handles personal data. Deeper training for sales, support, marketing, and IT.
  13. Review your hosting and data residency. Keeping data in the UAE removes cross-border complexity and simplifies incident response.
  14. Monitor regulatory updates. Track the UAE Data Office for Executive Regulations, adequacy decisions, and guidance.

Key Takeaways

  1. The PDPL is the UAE’s core federal data protection law, in force since 2 January 2022 and overseen by the UAE Data Office.
  2. Executive Regulations are pending at the time of writing, which means exact penalty amounts and some procedural specifics are not yet finalised, but the substantive obligations already apply.
  3. DIFC, ADGM, and DHCC have their own regimes, and those take precedence over the PDPL for entities registered there.
  4. The PDPL applies extraterritorially to any organisation processing personal data of UAE residents, regardless of where the organisation is based.
  5. Health, banking, and credit data are excluded from the PDPL and governed by sector-specific laws instead.
  6. Cross-border data transfers are one of the most consequential areas for UAE businesses, and UAE-based hosting sidesteps most of the complexity.
  7. The PDPL largely mirrors the GDPR, so a well-run GDPR programme translates efficiently to PDPL compliance.
  8. Your hosting provider is typically a data processor, and you need written agreements governing that relationship.
  9. Related laws fill in the gaps, particularly the Cybercrime Law (Federal Decree-Law No. 34 of 2021), the Consumer Protection Law, and the Electronic Transactions Law.
  10. Compliance is a continuous programme, not a one-off project. Build habits and controls that scale with your business.

Frequently Asked Questions

Does the PDPL apply to my small UAE business?

If your business processes personal data of UAE residents (customer names, emails, phone numbers, payment details), the PDPL generally applies, regardless of company size. The Executive Regulations may introduce simplified requirements for SMEs, but the core obligations such as lawful basis, security measures, data subject rights, and breach handling apply broadly. Check whether you are instead subject to DIFC, ADGM, or DHCC rules based on where your entity is registered.

What happens if I am based outside the UAE but sell to UAE customers?

The PDPL has extraterritorial reach. If you process personal data of data subjects inside the UAE, you are covered even if your company and infrastructure are abroad. Foreign businesses serving UAE customers should treat the PDPL in the same way as the GDPR: review scope, update notices, document lawful bases, and put transfer safeguards in place.

Do I need a Data Protection Officer?

Under Article 10 of the PDPL, a DPO is required when processing is high-risk due to new or data-size-based technologies, involves systematic and comprehensive assessment of sensitive personal data (including profiling and automated processing), or involves large-scale processing of sensitive personal data. Many SMEs will not hit these triggers, but if you handle health data, biometric data, or large volumes of consumer profiles, the answer is likely yes. The DPO can be an external service provider.

Can I use AWS, Google Cloud, or Azure and still be PDPL-compliant?

Yes, but with added compliance work. If those services store data in regions outside the UAE, you are carrying out international data transfers under Articles 22 or 23 and need a legal basis for each transfer (typically a data processing agreement with appropriate safeguards). Hosting customer data in UAE-based data centres, whether with those providers’ UAE regions or with a local provider, removes this complexity.

What are the penalties for non-compliance with the PDPL?

The PDPL itself does not set specific penalty amounts. These will be defined in the Executive Regulations, which have not yet been published at the time of writing. Separately, the Cybercrime Law (Federal Decree-Law No. 34 of 2021) already imposes meaningful penalties for misuse of personal data, including fines and custodial sentences. Reputational and commercial consequences of a breach are often greater than the statutory fines.

How does the PDPL handle marketing consent?

Marketing typically relies on consent as the lawful basis. Consent must be specific (for marketing, not buried in general terms), informed, unambiguous, and easy to withdraw. Pre-ticked boxes, bundled consents, and silence do not qualify. The Consumer Protection Law (Federal Law No. 15 of 2020) reinforces these rules for consumer-facing businesses.

What should I do if I suffer a data breach?

Contain the incident immediately, assess the scope and affected data, and document everything. Under Article 9, you must notify the UAE Data Office if the breach would prejudice the privacy, confidentiality, or security of personal data. If the breach poses a high risk to data subjects, you must also notify them directly. The exact notification timeline is to be set by the Executive Regulations. Have a written incident response plan ready before you need it.

How does the PDPL relate to cookies and web tracking?

The UAE does not have a dedicated e-privacy or cookies law equivalent to the EU’s ePrivacy Directive. However, cookies that collect personal data fall within the PDPL, which means you need a lawful basis for their use and must provide transparency. In practice, UAE businesses targeting international audiences often apply GDPR-style cookie consent banners that satisfy both regimes.

Where can I find the official text of the PDPL?

The Federal Decree-Law No. 45 of 2021 is published on the UAE official legislation portal. The UAE Data Office and the UAE government portal (u.ae) publish guidance and updates. For binding interpretation, consult a UAE-qualified legal professional.

Final note: Compliance with the PDPL and related UAE data laws is easier when your hosting, email, and infrastructure sit inside UAE jurisdiction to begin with. AEserver has operated as a UAE-based provider since 2005, with web hosting, Cloud VPS, dedicated servers, and business email running from Dubai data centres, with AED-denominated VAT-compliant invoicing and UAE-based support. If you are reviewing your infrastructure as part of a PDPL readiness programme, local data residency is one of the clearest wins available.
Rohit S.

Partner Manager at AEserver and an expert in national domains (ccTLDs), as well as in protecting brands and intellectual property on the Internet. Specializes in domain portfolio management, digital positioning and legal protection through domain zones. Has been certified by Google in the basics of digital marketing. LinkedIn
