UAE PDPL Compliance Guide 2026
The UAE Personal Data Protection Law (PDPL) — Federal Decree-Law No. 45 of 2021 — has been active federal law since 2 January 2022. Any UAE business that processes personal data of UAE residents must comply.
If you handle employee records, customer contact details, candidate CVs, patient information, or any other personal data tied to a UAE resident, this law applies to you.
What the PDPL Covers
The PDPL regulates how Controllers (entities that decide why and how personal data is processed) and Processors (entities that process data on a Controller's behalf) handle personal data of UAE-based individuals. Key obligations include:
- Lawful basis for processing (Article 4)
- Transparency and consent requirements (Articles 6 and 13)
- Data subject rights (Articles 15-19)
- Cross-border data transfer rules (Articles 22-23)
- Breach notification (Article 9)
- Appointment of a Data Protection Officer (DPO) in certain cases (Article 10)
The law is administered by the UAE Data Office, established under Federal Decree-Law No. 44 of 2021.
Who Must Comply
PDPL applies to:
- UAE-based Controllers and Processors of any size
- Non-UAE entities that process personal data of UAE residents
- Cross-border processors handling UAE-origin data
Notable exemptions: government data processed for public functions, data processed for purely personal or household use, and processing inside certain free zones that have their own data protection laws (DIFC operates under Law No. 5 of 2020; ADGM under its 2021 Data Protection Regulations). If you operate inside DIFC or ADGM, you follow those frameworks instead of the federal PDPL; if you also serve customers outside those zones, the federal PDPL still applies to that processing.
Lawful Basis for Processing
Under Article 4, personal data may be processed only if at least one of the following applies:
| Basis | Typical Use Case |
|---|---|
| Consent | Marketing, newsletter signups |
| Contract necessity | Fulfilling a customer order |
| Legal obligation | KYC for licensed financial activity |
| Vital interest | Medical emergency |
| Public interest | Statistical research |
| Legitimate interest | B2B prospecting, fraud prevention |
For most SMEs, consent and contract necessity are the two most common bases. Legitimate interest exists but requires a documented balancing test.
Data Subject Rights
UAE residents have the right to:
- Access their personal data
- Correct inaccurate data
- Request erasure ("right to be forgotten")
- Restrict or object to processing
- Receive their data in a portable format
- Withdraw consent at any time
Controllers must respond within a reasonable timeframe (specified in Executive Regulations).
Breach Notification
Article 9 requires Controllers to notify the UAE Data Office of personal data breaches "within the period and in accordance with the measures and requirements set by the Executive Regulations." The primary law does NOT specify a 72-hour deadline — that timeframe is set by the Executive Regulations. Verify the current Executive Regulation requirement before publishing any internal incident-response procedure.
Cross-Border Data Transfers
Articles 22-23 govern data transfers outside the UAE. Two main paths:
- Article 22 (Adequacy): transfers to jurisdictions with "appropriate level of protection" determined by the UAE Data Office. The list is updated by the Data Office; verify before relying on it.
- Article 23 (Contractual Safeguards): transfers permitted if backed by contractual safeguards (similar to Standard Contractual Clauses), explicit consent, or contract necessity.
If you use US-hosted SaaS (Google Workspace, Slack, Notion, AWS regions outside UAE), you must have a Data Processing Agreement (DPA) with each vendor that incorporates the required safeguards.
DPO Requirement
A Data Protection Officer must be appointed if your business carries out any of the following:
- High-risk processing involving sensitive data (health, biometric, location, etc.)
- Large-scale systematic monitoring of data subjects
- Processing of sensitive data on a large scale
The DPO can be employed or outsourced. Some sectors (e.g., regulated banking) may have additional sector-specific DPO rules — check your sector regulator.
Penalties
The PDPL provides for administrative fines, but the specific amounts and triggers are set by the Executive Regulations and the UAE Data Office. Beyond fines, the bigger commercial risk is contractual liability — your B2B customers will increasingly require PDPL compliance as a contract term and ask for evidence in their own audits.
5-Step Readiness Checklist
- Data inventory: list every system that holds personal data, what data, why, where, retention period.
- Lawful basis per processing activity: document which Article 4 basis applies to each.
- Update privacy notice + consent flows: align with Articles 6 and 13 transparency rules.
- Vendor DPAs: ensure every processor handling your data is contractually bound to PDPL standards.
- Breach response plan: assign internal owner, define detection-to-notification timeline, test the plan once.
How Dembri Helps
Dembri is an agentic compliance platform for UAE businesses, aligned with the UAE 2026 Agentic AI Framework. Dembri's agent monitors your PDPL compliance posture continuously — flagging vendor DPA gaps, tracking data subject request response times, alerting on Executive Regulation updates, and producing audit-ready evidence trails without spreadsheet work.
Sources
- UAE Legislation Portal — Federal Decree-Law No. 45 of 2021
- UAE Data Office — Personal Data Protection Law
- Federal Decree-Law No. 44 of 2021 (establishing the UAE Data Office)
Last verified: 30 May 2026 · This guide is informational, not legal advice. For business-specific decisions, consult licensed UAE counsel. Verify Executive Regulations and breach notification timeframes directly against current UAE Data Office guidance before publishing any internal procedure.