UAE Data Protection Obligations and Cross-Border Data Transfer for Businesses
The UAE Personal Data Protection Law imposes obligations on businesses for the handling of personal data and for cross-border transfers. This article breaks down the compliance requirements, the sectoral rules, and how companies should manage third-party risk under the new legal regime.
As the United Arab Emirates (UAE) cements its place as a digital and commercial hub, its data protection obligations are becoming more stringent and more closely aligned with international norms. Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which came into effect on January 2, 2022, is the country’s first federal law on personal data and a turning point in how businesses that collect, process, or transfer data operate in and out of the UAE.
Who is covered by the UAE’s data protection law
The PDPL applies to entities processing personal data within the UAE and to foreign businesses that process the personal data of UAE residents. It does not, however, extend to free zones that have their own data protection legislation: the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) each apply their own data protection regimes rather than the federal law, so a group with entities in mainland UAE and in one of these free zones is subject to more than one set of rules.
The law also carves out categories that are governed by other legislation: data held by government entities, including judicial and security authorities; personal banking and credit data; and health data, each of which remains subject to its own sector-specific rules. Personal data processed by an individual purely for personal purposes is likewise outside its scope.
Within that scope, both data controllers (entities that determine why and how personal data is processed) and data processors (those who process data on a controller’s behalf) must comply with the PDPL. They are bound by its rules on privacy, security, purpose limitation, and the rights of data subjects.
How companies can transfer data across borders
Cross-border data transfers are a central concern for multinational companies and UAE-based firms with international operations. The PDPL outlines a legal framework inspired by the European Union’s General Data Protection Regulation (GDPR), albeit tailored for the UAE’s domestic landscape.
Transfers of personal data to countries outside the UAE are permitted if the destination country is recognized by the UAE Data Office as offering adequate levels of data protection. This adequacy can be established either through the country’s own privacy laws or through its participation in binding international agreements.
In the absence of an adequacy decision, companies may proceed with data transfers using standard contractual clauses (SCCs) or binding corporate rules (BCRs). These legal mechanisms ensure that the recipient of the data agrees to uphold privacy protections aligned with UAE law. For multinational groups, BCRs offer a means of transferring data internally across different jurisdictions, provided they meet compliance thresholds set by UAE authorities.
Businesses have other pathways for cross-border transfer too. They can transfer data by securing explicit consent from the data subject, fulfilling contractual obligations, complying with international judicial assistance requests, or pursuing data flows that serve the public interest. These options offer businesses some leeway, but they require careful legal oversight.
How UAE rules differ from GDPR
While the PDPL borrows heavily from the GDPR in its structural framework and global outlook, there are meaningful differences. Like the GDPR, the PDPL has extraterritorial reach, regulating companies outside the UAE if they process UAE residents’ data.
The GDPR imposes fines of up to 4 percent of a company’s global annual turnover or EUR 20 million, whichever is higher. The PDPL, in contrast, sets financial penalties between AED 50,000 (about US$13,600) and AED 5 million (about US$1.36 million). The UAE’s law also makes the appointment of a Data Protection Officer (DPO) optional for most businesses, requiring one only where processing is considered high-risk. Even so, appointing a DPO early is advisable for companies handling sensitive data or large volumes of personal data.
Mandatory localization for regulated sectors
Data localization remains a prominent feature in the UAE’s strategy for digital sovereignty. Businesses in certain regulated sectors are required to store and process data within the country.
Banking data must remain onshore, with any transfer abroad subject to Central Bank approval and the customer’s consent. Health records are also subject to localization rules under Federal Law No. 2 of 2019. Internet of Things (IoT) data related to government institutions and critical infrastructure is likewise restricted.
Non-compliance is not taken lightly. Companies that breach localization rules risk hefty fines, suspension of business licenses, or even criminal prosecution. Firms operating in these sectors should audit their Information Technology (IT) infrastructure to confirm where data is actually hosted and how it is transmitted, including the location of cloud and backup copies, so that every hosting and transmission path complies with UAE law.
Plug the implementation gaps with third-party service providers
Businesses need to ensure that any third-party service providers that process personal data on their behalf are fully compliant with the UAE’s data privacy requirements. If a data processor violates the law, liability may extend to the original data controller as well. This means businesses themselves need to include strong data protection clauses in their contracts with service providers.
Such contracts should clearly define the nature and purpose of the data processing, the types of data involved, responsibilities of each party, and obligations around data return or deletion at the end of the agreement. That said, contracts alone are not enough.
Firms should also assess a third party’s readiness to safeguard data through due diligence checks before engaging it. Regular monitoring, such as audits and risk assessments, is advisable to ensure continued compliance. Businesses must also know whether their processors subcontract any data work and ensure that those sub-processors meet the same standards.
Companies are encouraged to initiate internal audits, assess data flows, and examine existing contracts with third parties. Technical safeguards such as encryption, access controls, and regular risk assessments should be prioritized. Where necessary, businesses may appoint a DPO to lead compliance efforts and employee training.
A step toward global digital trust
The PDPL signals the UAE’s ambition to be a credible and competitive hub for global digital services. By outlining legal pathways for cross-border data transfers, mandating localization where necessary, and holding controllers and processors accountable, the new law aligns the UAE with international best practices while maintaining a sovereign legal identity.
Businesses that take early, proactive steps, especially in updating their contracts, documenting compliance, and enhancing their data protection governance, are better positioned to operate confidently in the UAE’s evolving digital ecosystem.
(US$1 = AED 3.67)