Support Centre

UAE

Summary

LawFederal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (the Law)

Regulator: UAE Data Office

Summary: On November 28, 2021, the UAE Cabinet announced that it had enacted the Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (only available in Arabic here) (PDPL), as issued on September 20, 2021. The PDPL covers the processing of personal data belonging to data subjects within the UAE, regardless of the location of the data controller or data processor. In addition, the PDPL outlines the conditions for consent, several data subject rights, and comprehensive requirements for controllers and processors, such as mandatory breach notification, the appointment of data protection officers, and the implementation of technical and organizational measures to support data security.

The PDPL entered into effect on January 2, 2022, and the Executive Regulations were expected to be issued within six months from the PDPL's date of issuance (March 20, 2022). However, they are yet to be published. Nonetheless, companies must comply with the PDPL within six months of the publication of the Executive Regulations. Notably, the PDPL does not apply to public entities or free zones in the UAE with their own data protection legislation (such as the DIFC and ADGM), nor does it apply to health or credit data governed by existing sectoral legislation. Furthermore, it repeals all laws which conflict with its provisions.

Moreover, the supervisory authority responsible for overseeing the enforcement of the PDPL, the UAE Data Office (the Data Office), was established by Federal Decree-Law No. 44 of 2021 (Law No. 44/2021), issued contemporaneously with the PDPL on September 20, 2021. Article 9 of Law No. 44/2021 stipulates that the Telecommunications and Digital Government Regulatory Authority (TDRA) will provide administrative and logistical support for the first two years of the Data Office's operation. Furthermore, Article 7 of Law No. 44/2021 states that the Data Office's first financial year shall commence from the effective date of Law No. 44/2021 (as per Article 11 of Law No. 44/2021). However, the Data Office is yet to be operational.

Browse more jurisdictions:

Dubai International Financial Centre
Abu Dhabi Global Market
Dubai Health Care City
UAE - Federal
Emirate of Abu Dhabi
Emirate of Dubai

News

Insights

October 2024

UAE: Consent in action - aligning marketing practices with data protection and telecommunications laws

In the UAE, the landscape for marketing communications has become increasingly regulated, particularly in how businesses obtain consent from consumers before sending marketing messages. Ensuring that explicit consent is secured before any marketing communication is sent, whether via SMS, email, or other channels, is central to complying with the legal framework. The most relevant laws governing these practices include the Personal Data Protection Law (PDPL), the Telecommunications Law, the Regulations on Unsolicited Electronic Communications (RUEC), the Mobile Spam Policy, and the Consumer Protection Law.

These laws create a clear framework for businesses, mandating that individuals must actively opt-in to marketing communications, and businesses must maintain accurate records of this consent. Failure to comply with these laws can result in penalties, blocked messages, and reputational damage. Anne-Caroline Albrecht, Partner at Bonnard Lawson, provides a comprehensive overview of how businesses can obtain and manage consent effectively while ensuring compliance with these key regulations.

March 2024

UAE: An overview of direct marketing requirements

The term 'direct marketing' refers to business practices whereby businesses sell, promote, or advertise their products or services directly to members of the public through means such as SMS, telephone, or email. In the UAE, there is a range of spam and privacy legislation and regulations that specifically restrict direct marketing practices. The UAE has a multi-territorial, multi-jurisdictional legal system that encompasses the federal legislature as well as so-called 'free zones,' which are special economic zones with their own company and commercial laws specifically applicable for companies incorporated within the respective free zone. Nick O'Connell, Andrew Fawcett, and Darya Ghasemzadeh, from Al Tamimi & Company, provide an overview of the federal regulations, as well as specific legislation in some of the UAE's free zones.   

January 2024

DIFC: Amendments to the Data Protection Law

In this Insight article, Maher Ghalloussi and Lucrezia Lorenzini, from Baker McKenzie LLP, delve into the significant amendments made to the Dubai International Financial Center (DIFC) Data Protection Law No. 5 of 2020 (the Data Protection Law). The updates aim to enhance data protection practices, with a focus on regulating the processing of personal data through autonomous and semi-autonomous systems, marking a pioneering move in the Middle East.

October 2023

UAE: The DIFC's approach to assessing adequacy of foreign data protection regimes

In this Insight article, Anne-Caroline Albrecht, Partner at Bonnard Lawson, Dubai, explores the evolving landscape of international data protection, with a focus on the Dubai International Financial Centre's (DIFC) pioneering efforts and its recent assessment of California's Data Protection Regime.

September 2023

DIFC: Proposed updates to data transfer guidance materials - part two

In this Insight Article, Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultancy, provide an update to part one of this series. As discussed previously, the Dubai International Financial Centre (DIFC) has a collection of tools for data processors and controllers to rely on, in terms of protection of data, specifically when they are transferring data outside of the DIFC.

July 2022

DIFC: Proposed updates to data transfer guidance materials - part one

In light of the global developments around data protection, specifically on the cross-border transfer of data, the Dubai International Financial Centre ('DIFC') seeks to provide enhanced tools to equip businesses and ensure compliance with both the DIFC, as well as international standards. Being a global business hub, the DIFC is home to international players that undertake both an inward and outward data flow, these businesses being at the crossroads of multiple jurisdictions when it comes to data compliance.

The DIFC has recently proposed updates to its data transfer guidance materials namely, the Standard Contractual Clauses ('SCCs'), the Ethical Data Management Risk Index ('EDMRI'), and the Data Export and Sharing Handbook ('DES Guide'). Dr. Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultants, provide an overview of the proposed updates and evaluates its impact in meeting the goals of the Data Protection Law, DIFC Law No.5 of 2020 ('the Law').

May 2022

DIFC: A look at the amendments to the Data Protection Law

On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') was enacted, came into effect on 1 July 2020, and became enforceable from 1 October 2020, in addition to the Data Protection Regulations 2020 ('the Regulations'), (collectively, 'the DIFC Legislation'). More recently, on 8 March 2022, the DIFC enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 20221 ('the Amendment Law'), which incorporates amendments to several DIFC laws, including the Data Protection Law. This Insight article provides a summary of the key changes introduced by the amendments to the Data Protection Law following the enactment of the Amendment Law.

April 2022

UAE: What the new data protection law means for companies within the UAE - Part two

The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable, General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') style data protection law. The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards greater data protection harmonisation with international standards that is a necessity in today's interconnected age, which is characterised by cross border data flows on an international level. In part two of this series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, discuss some of the data subject rights under the Law, as well as its provisions on the role of a data protection officer ('DPO') and cross-border data transfers.

April 2022

UAE: What the new data protection law means for companies within the UAE - Part one

The Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law') became effective on 2 January 2022, and it is the UAE's first federally applicable, General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') style data protection law. The Law follows key international data protection principles and best practices, such as those found within the GDPR, and marks a positive step towards greater data protection harmonisation with international standards that is a necessity in today's interconnected age, which is characterised by cross border data flows on an international level. In part one of this two-part series on the Law, Andrew Fawcett and Darya Ghasemzadeh, from Al Tamimi & Company, provide an introduction to the provisions and scope of the Law, as well as the establishment of the UAE Data Office.

December 2021

DIFC: Round-up of guidance on the DIFC's data protection law and regulations – Part 3

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 20201 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, in addition to the Data Protection Regulations 20202 ('the Regulations'), (collectively, 'DIFC Legislation'). Furthermore, the DIFC has published several guidance materials3 relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

November 2021

UAE: New Federal Law on Protection of Personal Data - What you need to know

As part of the UAE's comprehensive 'Year of the 50th' legislative reform1, which either amends or enacts over 40 further laws with the aim of boosting the economic competitiveness of the UAE, the UAE Cabinet ('the Cabinet') issued, on 20 September 2021, its awaited Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law'). Marked as one of the first projects of its legislative reform, the Law will come into effect and be published in the Official Gazette2 on 2 January 2022 as outlined in Article 31 of the Law, kicking off the transition period for organisations. This Insight article aims to provide a breakdown of the key obligations under the Law, with accompanying analysis on the impact of the Law for key stakeholders in the UAE from Dale Waterman, Managing Director for the Middle East and North Africa at Breakwater Solutions.

November 2021

DIFC: Round-up of guidance on the DIFC's data protection law and regulations – Part 2

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 20201 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 20202 ('the Regulations'), (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials3 relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.