Federal Decree Law No. 45 United Arab Emirates

    Overview

    Federal Decree Law No. 45 of 2021 concerning the Protection of Personal Data is the United Arab Emirates’ primary legislation for personal data protection. It establishes clear rules for processing personal data, emphasizing transparency, fairness, and security. The law aligns UAE’s data protection framework with international standards while respecting the local context. It applies to businesses operating in the UAE, except those in the DIFC and ADGM, which have separate regulations. 

     

    Regulation Summary

    Timeline
    • September 26, 2021: PDPL issued by the UAE government.
    • January 2, 2022: Law comes into force.
    • March 20, 2022: Executive Regulations published to clarify compliance requirements.
    • September 21, 2022: Compliance deadline for businesses to align with PDPL requirements.
    What Businesses Are Affected
    • All private sector organizations that process personal data within the UAE.
    • Foreign companies handling data of UAE residents.
    Exemptions
    • Data processing for personal and household activities.
    • Governmental and security-related data processing.
    • Data handled by free-zone authorities with separate regulations.
    • Companies within the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), which follow separate data protection laws.
    Responsibilities for Businesses
    • Obtain explicit and informed consent before processing personal data.
    • Ensure data is collected for a specific, lawful purpose.
    • Implement security measures to prevent unauthorized access and breaches.
    • Allow individuals to access, correct, and delete their data.
    • Designate a Data Protection Officer (DPO) where required.
    • Conduct impact assessments for high-risk processing activities.
    Specific Responsibilities for Website Owners
    • Implement cookie consent mechanisms for data collection.
    • Provide a transparent privacy policy outlining data practices.
    • Secure online forms that collect personal information.
    • Enable users to exercise data rights via digital platforms.
    Additional Requirements
    • Cross-border data transfers must meet adequacy or contractual safeguard requirements.
    • Impact assessments required for high-risk data processing.
    • DPO appointments mandated for large-scale personal data handlers.
    Data Subject Rights
    • Access: Individuals can request a copy of their data.
    • Correction: Right to rectify inaccurate or incomplete data.
    • Erasure: Right to request deletion of personal data.
    • Objection: Right to object to certain processing activities.
    Enforcement
    • Regulatory Authority: UAE Data Office.
    • Penalties: Fines up to AED 5 million (approximately USD 1.36 million), with exact amounts defined by the enforcement authority.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596