An overview of the main obligations under the new UAE data law and its impact on businesses.

The United Arab Emirates (UAE) continues to strengthen its data protection framework to align with international privacy standards and support its digital economy. The Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) entered into force in January 2022 and became fully enforceable in 2023. By 2025, both the PDPL and the free-zone data protection regimes, notably those of the DIFC and ADGM, have evolved through amendments and updated guidance designed to ensure consistency with global best practices.

This article highlights the main compliance developments for 2025, explains the practical differences between the UAE’s federal and free-zone data protection laws, and outlines essential actions organisations must take to remain compliant.


1. Scope and Applicability

1.1 Federal Law (PDPL)

The PDPL applies to controllers and processors that handle personal data of individuals within the UAE, regardless of whether the processing takes place inside or outside the country. It has extraterritorial effect when processing concerns UAE-based data subjects. Certain activities remain exempt, such as processing conducted for judicial, security, health, or banking purposes, which are governed by sector-specific legislation.

The UAE Data Office, established under Cabinet Resolution No. 21 of 2022, oversees implementation and can issue further regulatory decisions, including cross-border transfer mechanisms and breach-notification procedures.

1.2 Free-Zone Regulations (DIFC and ADGM)

Free zones with independent legal systems, such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), maintain their own data protection regimes. The DIFC Data Protection Law No. 5 of 2020, recently amended in July 2025, enhances transparency obligations and introduces new transfer-impact assessment requirements. The ADGM Data Protection Regulations 2021 remain closely aligned with the GDPR, particularly regarding lawful bases and accountability obligations.

An organisation may therefore fall under both the PDPL and a free-zone law if it operates across jurisdictions, necessitating a dual-compliance strategy.


2. Core Principles of Data Processing

The PDPL and the free-zone frameworks share several key principles comparable to the EU GDPR.

Lawfulness, fairness, and transparency require that processing rely on a valid legal basis and be clearly disclosed to data subjects. The principle of purpose limitation ensures that data is processed only for explicit and legitimate purposes. Data minimisation requires organisations to collect only the minimum data necessary for the stated purpose. Accuracy mandates that personal data be correct and updated as needed. The principle of storage limitation prevents retaining data longer than necessary unless legally required. Integrity and confidentiality demand appropriate technical and organisational measures to protect data from unauthorised access or loss. Finally, accountability obliges controllers to demonstrate compliance through documentation, audits, and internal policies.


3. Data Subject Rights

Individuals enjoy several enforceable rights under UAE law. These include the right of access to know what data is held and how it is processed, the right to rectification to correct inaccurate or incomplete data, and the right to erasure, also known as the right to be forgotten, when processing is no longer necessary. Data subjects also have the right to restrict processing temporarily, the right to object to certain types of processing such as direct marketing or automated decision-making, and the right to data portability to receive their personal data in a structured format when technically feasible.

Controllers must respond to such requests without undue delay and establish internal procedures for handling them efficiently.


4. Cross-Border Data Transfers

The UAE Data Office regulates international transfers under the PDPL. Transfers outside the UAE are permitted if the destination country ensures an adequate level of protection or if the controller provides appropriate safeguards such as contractual clauses or binding corporate rules.

The 2025 DIFC amendments now require controllers to conduct transfer-impact assessments before exporting data to non-adequate jurisdictions, echoing the EU’s Schrems II principles.


5. Enforcement and Penalties

Non-compliance may result in administrative fines and regulatory actions, including mandatory audits or suspension of processing activities, fines for breaches of consent or cross-border transfer rules, and public enforcement actions by the UAE Data Office or, within free zones, the respective Commissioners of Data Protection.

In 2025, regulators are increasingly proactive, issuing guidance and conducting targeted investigations, particularly concerning cybersecurity incidents and marketing-consent practices.


6. Practical Compliance Steps for 2025

To maintain compliance, organisations should appoint a Data Protection Officer where required, particularly for large-scale or high-risk processing. They must map data flows across UAE entities and free-zone operations, review consent mechanisms for clarity and transparency, and adopt documented policies covering data retention, breach response, and international transfers. Staff training on privacy obligations and incident-reporting protocols is also essential. Regular audits and readiness assessments aligned with PDPL and DIFC standards help maintain continuous compliance.


Conclusion

The UAE’s data protection framework in 2025 reflects a decisive move toward global interoperability and regulatory maturity. Organisations operating within the Emirates, especially those spanning federal and free-zone jurisdictions, must adopt a comprehensive compliance framework that balances innovation with accountability.

As enforcement tightens, proactive compliance has become a strategic necessity for building trust, competitiveness, and long-term legal resilience.
