United Arab Emirates · Last reviewed April 2026

Does the UAE PDPL Apply to Your Business? [2026 Guide]

Free applicability checker with statutory citations — covers UAE PDPL scope, obligations, and penalties.

PrivacyLawApplies.com Editorial Team
CAMS · AIGP (IAPP) · Reviewed April 2026
Quick UAE PDPL applicability check
Do you have users or customers in the United Arab Emirates?
Does your organisation have an establishment in the UAE?
Do you offer goods or services to individuals in the UAE?
Do you process personal data of individuals located in the UAE?

About UAE PDPL

The UAE Personal Data Protection Law (PDPL) — formally Federal Decree-Law No. 45 of 2021 Regarding Personal Data Protection — is the United Arab Emirates' first comprehensive federal data protection law. It came into effect on 2 January 2022, with a one-year implementation period for existing data processing activities. The Telecommunications and Digital Government Regulatory Authority (TDRA) is the primary supervisory authority.

Territorial scope: The UAE PDPL applies to: (1) any controller established in the UAE; and (2) any controller established outside the UAE that processes personal data of individuals located in the UAE. This broad territorial scope means that international businesses with UAE customers or users must assess their obligations under the law regardless of where they are based.

Note on free zones: Certain UAE free zones — including the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) — have their own separate data protection frameworks that pre-date the federal PDPL. The DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021 apply within their respective jurisdictions. Organisations operating exclusively within DIFC or ADGM should assess their obligations under those frameworks rather than (or in addition to) the federal PDPL.

Consent and lawful bases: The UAE PDPL requires a lawful basis for processing personal data. Consent must be explicit, informed, and specific. Processing is also permitted for the performance of a contract, compliance with a legal obligation, vital interests, public interest tasks, and the legitimate interests of the controller (subject to a balancing test). Sensitive personal data — including health data, genetic data, biometric data, racial or ethnic origin, and criminal records — requires explicit consent or falls within limited exceptions.

Key obligations under UAE PDPL

Immediate: Obtain clear consent or establish another lawful basis for processing
UAE Federal Decree-Law No. 45 of 2021, Art. 5 — conditions for lawful processing

Immediate: Publish a privacy notice disclosing processing activities
UAE PDPL Art. 9 — transparency obligations

Ongoing: Respond to data subject requests within 30 days
UAE PDPL Art. 12

Ongoing: Report data breaches to the UAE Telecommunications and Digital Government Regulatory Authority (TDRA) within 72 hours
UAE PDPL Art. 17

Max: AED 5,000,000 to AED 20,000,000 depending on violation
Breach: 72 hours to UAE TDRA
Authority: UAE Telecommunications and Digital Government Regulatory Authority (TDRA)

Frequently asked questions

Does the UAE PDPL apply to companies outside the UAE?

Yes. The UAE PDPL applies to any controller established outside the UAE that processes personal data of individuals located in the UAE. A US company, a UK company, or any other non-UAE entity that processes data of UAE residents — for example, by offering goods or services to UAE customers — is subject to the UAE PDPL.

What is the difference between UAE PDPL and DIFC / ADGM data protection laws?

The UAE federal PDPL applies throughout the UAE mainland and non-financial free zones. The DIFC (Dubai International Financial Centre) and ADGM (Abu Dhabi Global Market) are financial free zones with their own independent data protection frameworks. Organisations operating within DIFC are subject to the DIFC Data Protection Law 2020; those within ADGM are subject to the ADGM Data Protection Regulations 2021. These are separate regimes from the federal PDPL and may impose different obligations.

What are the UAE PDPL penalties?

The UAE PDPL provides for financial penalties ranging from AED 50,000 to AED 20,000,000 (approximately USD 14,000 to USD 5.4 million) depending on the nature and severity of the violation. The TDRA has authority to impose administrative sanctions and fines, and to require remedial action. Certain violations involving sensitive data or intentional breaches attract higher penalties.

What is the data breach notification deadline under UAE PDPL?

Under Art. 17 of the UAE PDPL, controllers must notify the TDRA of personal data breaches within 72 hours of becoming aware of the breach. Affected data subjects must also be notified without undue delay when the breach is likely to result in high risk to their rights and freedoms.

Does UAE PDPL apply to B2B data processing?

The UAE PDPL applies to the processing of personal data of natural persons (individuals). Business-to-business data — such as corporate contact information processed strictly in a professional context — may fall outside the definition of personal data under the law. However, any processing that involves identifiable natural persons (including business contacts, employees, or contractors) is likely covered.

Not legal advice — educational information only