The UAE Personal Data Protection Law (PDPL) — Federal Decree-Law No. 45 of 2021 — is now fully in effect. For free zone companies that collect customer data, employee information, or user analytics, compliance is no longer optional.
This guide breaks down what the PDPL requires from UAE businesses in 2026, how it interacts with DIFC and ADGM data protection regimes, and the practical steps to achieve compliance without hiring a full legal team.
What Is the UAE PDPL?
The PDPL is the UAE's federal data protection law, modelled on the EU's GDPR but adapted for the UAE context. It governs how businesses collect, process, store, and share personal data.
Key Facts
| Aspect | Detail |
|---|---|
| Law | Federal Decree-Law No. 45 of 2021 |
| Enforcement authority | UAE Data Office |
| Effective date | 2022 (with phased enforcement) |
| Full enforcement | 2025 onwards |
| Applies to | All entities processing personal data in or from the UAE |
| Exemptions | DIFC, ADGM (have own data laws), Dubai Healthcare City |
| Penalties | Up to AED 5,000,000 |
Who Must Comply?
Every free zone company that:
- Collects customer names, emails, or phone numbers
- Maintains employee records
- Uses website analytics or cookies
- Processes payment information
- Stores any personally identifiable information (PII)
If you have a website with a contact form, you need to comply.
PDPL vs. DIFC vs. ADGM Data Laws
The UAE has three data protection regimes:
| Regime | Applies To | Key Law | Enforcement Body |
|---|---|---|---|
| UAE PDPL | All mainland + most free zones | Federal Decree-Law No. 45/2021 | UAE Data Office |
| DIFC Data Protection Law | DIFC-registered entities | DIFC Law No. 5 of 2020 | Commissioner of Data Protection |
| ADGM Data Protection Regulations | ADGM-registered entities | ADGM Data Protection Regulations 2021 | ADGM Registration Authority |
Which Law Applies to Your Free Zone?
| Free Zone | Data Protection Law |
|---|---|
| Shams | UAE PDPL |
| RAKEZ | UAE PDPL |
| IFZA | UAE PDPL |
| Meydan | UAE PDPL |
| DWTC | UAE PDPL |
| JAFZA | UAE PDPL |
| DMCC | UAE PDPL |
| DIFC | DIFC Data Protection Law |
| ADGM | ADGM Data Protection Regulations |
DIFC and ADGM laws are more detailed and closely aligned with the EU GDPR. The UAE PDPL is broadly similar but has some unique features.
Core PDPL Requirements
1. Legal Basis for Processing
You must have a legal basis to collect and process personal data. The PDPL recognises these bases:
| Legal Basis | When It Applies | Example |
|---|---|---|
| Consent | Individual explicitly agrees | Newsletter signup, cookie consent |
| Contractual necessity | Processing needed to perform a contract | Employee payroll, customer orders |
| Legal obligation | Required by UAE law | Tax reporting, AML compliance |
| Vital interests | Protecting someone's life | Medical emergencies |
| Public interest | Serving a public purpose | Public health, research |
| Legitimate interest | Reasonable business need (with safeguards) | Fraud detection, direct marketing (with opt-out) |
Consent requirements:
- Must be freely given, specific, informed, and unambiguous
- Must be an affirmative action (no pre-ticked boxes)
- Must be withdrawable at any time
- Parental consent required for data of individuals under 18
2. Data Subject Rights
Individuals have the right to:
| Right | Description | Response Deadline |
|---|---|---|
| Access | Request a copy of their personal data | 10 business days |
| Rectification | Correct inaccurate or incomplete data | 10 business days |
| Erasure | Request deletion of their data | 10 business days |
| Restriction | Limit processing of their data | 10 business days |
| Portability | Receive data in a structured, machine-readable format | 10 business days |
| Objection | Object to processing (especially direct marketing) | Immediately |
You must have a process to handle these requests. For small businesses, this can be as simple as a dedicated email address (e.g., privacy@yourcompany.com) and a documented procedure.
3. Data Processing Records
Maintain a record of all processing activities, including:
- What personal data you collect
- Why you collect it (legal basis)
- Who has access to it
- Where it is stored
- How long you retain it
- What security measures protect it
4. Data Protection Impact Assessment (DPIA)
A DPIA is required for processing that is likely to result in high risk to individuals:
- Large-scale profiling
- Systematic monitoring of public areas
- Processing sensitive data (health, biometrics, religion)
- Automated decision-making with legal effects
- New technologies with unknown privacy impacts
Most small free zone companies do not need a DPIA unless they handle sensitive data at scale.
5. Data Breach Notification
If a data breach occurs:
| Action | Deadline |
|---|---|
| Notify UAE Data Office | Without undue delay (aim for 72 hours) |
| Notify affected individuals | If breach is likely to result in high risk |
| Document the breach internally | Immediately |
6. Cross-Border Data Transfers
Transferring personal data outside the UAE requires:
- Adequate level of protection in the receiving country, OR
- Appropriate safeguards (standard contractual clauses, binding corporate rules), OR
- Explicit consent from the data subject
The UAE Data Office maintains a list of countries with adequate protection. Countries typically considered adequate include EU member states, the UK, and other jurisdictions with GDPR-equivalent laws.
7. Data Protection Officer (DPO)
A DPO must be appointed if:
- You process sensitive personal data on a large scale
- You systematically monitor individuals on a large scale
- You use AI or automated profiling
Most small free zone companies do not need a DPO. If you do, it can be an external appointment.
| DPO Option | Annual Cost (AED) |
|---|---|
| External DPO service | 8,000–25,000 |
| Internal DPO (dedicated) | 120,000–300,000 (salary) |
| Part-time consultant | 15,000–40,000 |
Penalties for Non-Compliance
The PDPL establishes significant penalties:
| Violation | Penalty |
|---|---|
| Processing without legal basis | Up to AED 5,000,000 |
| Failure to implement security measures | Up to AED 3,000,000 |
| Failure to notify data breach | Up to AED 2,000,000 |
| Unlawful cross-border transfer | Up to AED 5,000,000 |
| Failure to respond to data subject requests | Up to AED 1,000,000 |
| Failure to maintain processing records | Up to AED 500,000 |
Penalties can be imposed per incident. Repeated violations can result in licence suspension.
Practical Compliance Steps
Step 1: Data Audit (Week 1-2)
Map all personal data your business collects and processes:
| Data Category | Examples | Where Stored | Legal Basis |
|---|---|---|---|
| Customer data | Name, email, phone | CRM, email | Consent / Contract |
| Employee data | Name, passport, salary | HR system | Contract / Legal obligation |
| Website visitors | IP address, cookies | Analytics | Consent |
| Payment data | Card details, bank info | Payment processor | Contract |
| Marketing data | Email list, preferences | Email platform | Consent |
Step 2: Privacy Policy (Week 2-3)
Create and publish a privacy policy that covers:
- What data you collect and why
- Legal basis for each type of processing
- Who you share data with
- How long you retain data
- Data subject rights and how to exercise them
- Contact information for privacy queries
- Cross-border transfer information
Cost: AED 2,000–5,000 (lawyer-drafted) or AED 500–1,000 (template-based)
Step 3: Cookie Consent (Week 3)
If your website uses cookies or tracking:
- Implement a cookie consent banner
- Allow granular consent (necessary, analytics, marketing)
- Do not load non-essential cookies before consent
- Record consent for audit purposes
Tools: CookieYes, OneTrust, Cookiebot — AED 500–3,000/year
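The three banner rules above (granular categories, nothing non-essential before consent, a recorded decision) as a minimal consent gate. This is an added illustration, not code from the guide or from any of the tools it names; `createConsentGate` and the script URLs are hypothetical, and the script loader is injected so the same logic runs in a browser (inject a `<script>` tag) or under Node for testing.

```javascript
// Added example (hypothetical): gate third-party scripts behind recorded, per-category consent.
// Categories mirror the guide: "necessary" always runs; "analytics"/"marketing" never run
// until the visitor makes an affirmative choice, and every choice is logged for audit.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate(loader, now = () => new Date()) {
  const pending = { necessary: [], analytics: [], marketing: [] }; // scripts waiting for consent
  const loaded = [];      // scripts actually handed to the loader, in order
  const auditLog = [];    // one entry per decision (grant or withdrawal)
  let consent = null;     // null = no decision yet, so nothing non-essential may load

  function allowed(category) {
    if (category === "necessary") return true;                 // strictly necessary: no consent needed
    return consent !== null && consent[category] === true;     // no default-on, no pre-ticked boxes
  }
  function flush(category) {
    while (pending[category].length) {
      const src = pending[category].shift();
      loader(src);
      loaded.push(src);
    }
  }
  // Register a script under a category; it loads now only if that category is already allowed.
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown consent category: " + category);
    pending[category].push(src);
    if (allowed(category)) flush(category);
  }
  // Record an explicit user decision. Missing keys are treated as declined, never as granted.
  function record(choices, source) {
    consent = { analytics: choices.analytics === true, marketing: choices.marketing === true };
    auditLog.push({ at: now().toISOString(), source, ...consent });
    CATEGORIES.forEach((c) => { if (allowed(c)) flush(c); });
  }
  // Withdrawal is just a recorded decision with every optional category declined. It stops
  // future loads; scripts already running must be handled separately (e.g. clear their cookies).
  function withdraw(source) { record({}, source); }

  return {
    register, allowed, record, withdraw,
    loadedScripts: () => loaded.slice(),
    log: () => auditLog.slice(),
  };
}
```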
Step 4: Data Processing Agreements (Week 3-4)
Sign Data Processing Agreements (DPAs) with every third party that processes data on your behalf:
- Cloud hosting providers (AWS, Google Cloud, Azure)
- Email marketing platforms (Mailchimp, SendGrid)
- CRM systems (HubSpot, Salesforce)
- Payment processors (Stripe, PayTabs)
- Analytics tools (Google Analytics, Mixpanel)
Most major providers have standard DPAs available. Review and sign them.
Step 5: Internal Procedures (Week 4-6)
Establish:
- Data subject request procedure: How to handle access, deletion, and correction requests
- Breach notification procedure: Who to contact, what to document, notification templates
- Data retention schedule: How long each type of data is kept and when it is deleted
- Employee training: Brief all staff who handle personal data
Step 6: Security Measures (Ongoing)
Implement appropriate technical and organisational measures:
| Measure | Cost | Priority |
|---|---|---|
| Strong passwords + 2FA | Free | Critical |
| Data encryption (at rest and in transit) | Free–AED 1,000 | Critical |
| Access controls (role-based) | Free–AED 2,000 | High |
| Regular backups | AED 500–2,000/year | High |
| Employee security training | AED 1,000–3,000 | Medium |
| Security audit | AED 5,000–15,000 | Annual |
Compliance Cost Summary
Small Free Zone Company (1-5 People)
| Item | One-Time Cost (AED) | Annual Cost (AED) |
|---|---|---|
| Privacy policy (lawyer-drafted) | 3,000 | — |
| Cookie consent tool | — | 500–1,500 |
| Data audit (internal) | 0 | 0 |
| DPA review | 1,000 | — |
| Employee training | — | 1,000 |
| Total | 4,000 | 1,500–2,500 |
Medium Company (5-25 People)
| Item | One-Time Cost (AED) | Annual Cost (AED) |
|---|---|---|
| Privacy policy + notices | 5,000 | 1,000 (updates) |
| Cookie consent tool | — | 2,000–3,000 |
| Data audit (consultant) | 5,000 | 3,000 |
| DPA review and management | 3,000 | 1,000 |
| External DPO (if needed) | — | 15,000–25,000 |
| Security audit | — | 5,000–10,000 |
| Employee training | — | 3,000–5,000 |
| Total | 13,000 | 30,000–47,000 |
DIFC Data Protection: Key Differences
If your company is in DIFC, the DIFC Data Protection Law No. 5 of 2020 applies:
| Feature | UAE PDPL | DIFC Law |
|---|---|---|
| Breach notification | "Without undue delay" | 72 hours |
| DPO requirement | High-risk processing | More prescriptive |
| Cross-border transfers | Adequate country or safeguards | Adequate country, SCCs, or BCRs |
| Supervisory authority | UAE Data Office | DIFC Commissioner |
| Penalties | Up to AED 5M | Up to USD 100,000 per violation |
| GDPR alignment | Moderate | High |
ADGM Data Protection: Key Differences
For ADGM companies:
| Feature | UAE PDPL | ADGM Regulations |
|---|---|---|
| Based on | UAE-specific | UK GDPR-aligned |
| Breach notification | "Without undue delay" | 72 hours |
| Supervisory authority | UAE Data Office | ADGM Registration Authority |
| Penalties | Up to AED 5M | Up to USD 28M |
| GDPR alignment | Moderate | Very high |
Common Compliance Mistakes
1. Collecting Data Without Consent
Adding someone to a mailing list without explicit opt-in violates the PDPL. Use double opt-in for email marketing.
2. No Privacy Policy
Every website, app, and service must have a published privacy policy. No exceptions.
3. Ignoring Employee Data
Employee personal data (passport copies, salary information, medical records) is subject to the same protection requirements as customer data.
4. Using US-Based Services Without Safeguards
Storing personal data on US servers without appropriate transfer mechanisms (standard contractual clauses) violates cross-border transfer rules.
5. Retaining Data Indefinitely
The PDPL requires data minimisation — keep data only as long as necessary for the purpose it was collected. Set retention periods and enforce them.
Bottom Line
The UAE PDPL is real, enforced, and carries significant penalties. But for most free zone companies, compliance is achievable for AED 4,000–15,000 in initial setup and AED 1,500–5,000 per year in ongoing costs.
The minimum viable compliance package:
- Privacy policy on your website (AED 3,000)
- Cookie consent banner (AED 500–1,500/year)
- Data subject request process (email address + procedure document)
- Data processing agreements with your vendors (free — most have standard DPAs)
- Basic security measures (strong passwords, 2FA, encryption)
This costs less than a single day's non-compliance penalty. Start now.