UAE PDPL

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data

The PDPL is the UAE's first comprehensive federal data protection law, issued in 2021 and in force from 2 January 2022. It sets a consent-based framework with controller and processor obligations, data subject rights, and rules on cross-border transfers. It applies across the UAE except in financial free zones such as DIFC and ADGM.

Jurisdiction: 🇦🇪 United Arab Emirates
Type: Data privacy
In effect: 2022
Authority: UAE Data Office

Who it applies to

Controllers and processors inside the UAE that process personal data, and those outside the UAE that process the personal data of data subjects within the UAE. The standalone DIFC and ADGM free-zone regimes fall outside its scope.

Identity requirements

How it impacts identity systems

Identity area: Impact
Customer identity & consent (CIAM): Consent-based processing and withdrawal rights require granular consent capture and management in customer identity systems.
Data residency & cross-border transfer: Transfers of personal data abroad are permitted only to adequate jurisdictions or under approved safeguards.
Breach notification: Controllers must notify the UAE Data Office and affected individuals of breaches that threaten the privacy of data subjects.
Audit, logging & accountability: Controllers must demonstrate compliance through records of processing and appropriate accountability measures.
Authentication & MFA: The requirement for appropriate security measures supports strong authentication to protect access to personal data.

Penalties

Administrative penalties for violations are set out in implementing executive regulations issued under the law by the Cabinet.

UAE PDPL: frequently asked questions

When did the UAE PDPL take effect?
Federal Decree-Law No. 45 of 2021 was issued in 2021 and entered into force on 2 January 2022; full operational detail depends on executive regulations issued under the law.
Does the PDPL apply in the DIFC and ADGM free zones?
No. The DIFC and ADGM financial free zones maintain their own separate data protection laws and regulators, and are excluded from the federal PDPL's scope.
Who enforces the UAE PDPL?
The UAE Data Office is the federal regulator responsible for the law.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.