← Back to Privacy laws
UAE / Dubai

Three UAE data laws.
One compliance view.

The UAE operates three separate data protection regimes — Federal PDPL, DIFC, and ADGM — that do not automatically apply to each other. An entity with offices in both mainland Dubai and DIFC has two distinct compliance obligations. Privacy Conduit handles all three correctly.

Federal PDPL entities

~1.4M mainland companies

DIFC active firms

~8,844 — actively enforced

ADGM licences

~12,671 — USD 28M max fine

Enforcement clock

DIFC: now · Federal: Jan 2027

UAE mainland ↔ DIFC data transfers are regulated cross-border transfers

Federal PDPL and the DIFC DP Law do not recognise each other as adequate. A Dubai mainland entity sharing personal data with its DIFC subsidiary requires appropriate transfer safeguards (SCCs or binding corporate rules). No platform handles this correctly out of the box — Privacy Conduit does.

Federal

Federal Decree-Law No. 45 of 2021

Scope

All mainland UAE entities and any organisation processing UAE-resident personal data

Regulator

UAE Data Office (Emirates Data Office)

Response deadline

30 days

Max fine

AED 20,000,000 (~USD 5.4M)

Status

Pre-enforcement; Executive Regulations issued 2024. Compliance deadline: January 2027

Data subject rights

  • Access and be informed about processing (Article 13)
  • Portability — receive data in a structured, machine-readable format (Article 14)
  • Rectification and erasure (Article 15)
  • Restrict processing (Article 16)
  • Stop processing / object (Article 17)
  • Object to automated decision-making (Article 18)
Key difference from other laws: No legitimate interests basis — processing requires explicit consent or one of 9 enumerated statutory exceptions.
Note: DIFC and ADGM entities are explicitly excluded — they have separate regimes.
DIFC

DIFC Data Protection Law No. 5 of 2020 (as amended July 2025)

Scope

DIFC-incorporated entities and any organisation with stable DIFC processing operations

Regulator

DIFC Commissioner of Data Protection

Response deadline

30 days (extendable by 60 days)

Max fine

USD 25,000–50,000 per violation + private right of action (since July 2025)

Status

Actively enforced since 2020 — most mature data protection regime in the UAE

Data subject rights

  • Withdraw consent at any time (Article 32)
  • Access personal data (Article 33)
  • Rectification (Article 34)
  • Erasure (Article 35)
  • Restriction of processing (Article 36)
  • Data portability (Article 37)
  • Object to processing (Article 38)
  • Non-discrimination — cannot be denied services for exercising rights (Article 39)
Key difference from other laws: Most GDPR-aligned of the three UAE regimes. Art. 39 non-discrimination right mirrors CCPA. Private right of action as of July 2025 creates real litigation risk today.
Note: July 2025 amendment: data subjects can now sue controllers directly in DIFC Courts without going through the Commissioner first.
ADGM

ADGM Data Protection Regulations 2021

Scope

ADGM-registered entities and processors handling data for ADGM-registered controllers

Regulator

ADGM Commissioner of Data Protection

Response deadline

60 days (2 months), extendable by 30 more days

Max fine

USD 28,000,000 per offense — highest cap of the three UAE regimes

Status

Moderately enforced; Commissioner has active investigative powers

Data subject rights

  • Access personal data
  • Rectification of inaccurate or incomplete data
  • Erasure (right to be forgotten)
  • Data portability in machine-readable format
  • Object to processing
  • Object to automated processing and profiling
  • Restrict processing
  • Withdraw consent
Key difference from other laws: Closest to GDPR of the three UAE regimes. 2-month response deadline is longer than GDPR's 1 month. ADGM recognises DIFC as adequate — but UAE mainland is not considered adequate.
Note: Controller registration with the ADGM Commissioner is mandatory — unlike GDPR where registration was abolished.

Penalties across all three regimes

Federal PDPL

Unlawful processing of special category data

AED 20,000,000

~USD 5.4M

Federal PDPL

General data protection violations

AED 50,000–5,000,000

~USD 13K–1.36M

Federal PDPL

Unlawful disclosure of personal data (criminal)

Fine + up to 1 year imprisonment

DIFC

Failure to notify Commissioner of processing

USD 25,000

Per violation

DIFC

Failure to conduct mandatory DPIA

USD 50,000

Per violation

DIFC

Private right of action (data subject lawsuit)

Financial + non-financial damages

Direct DIFC Court litigation

ADGM

Per-offense data protection violation

USD 28,000,000

Highest UAE cap

What compliance looks like in practice

Data Subject Request handling

All three UAE regimes require documented procedures for handling access, deletion, portability, and objection requests. DIFC entities face litigation risk since July 2025.

Conduit: DSR inbox with per-regime deadline clocks: 30 days (Federal + DIFC) or 60 days (ADGM), with overdue escalation.

Consent records

Federal PDPL requires explicit, specific consent with no legitimate interests fallback. ADGM requires explicit written or electronic consent. DIFC consent must be freely given and withdrawable.

Conduit: Consent records module with purpose-tagging, withdrawal tracking, and jurisdiction-specific consent language.

Privacy notice

All three regimes require clear notice before or at collection. Federal PDPL mandates disclosure of identity, purposes, retention, recipients, and data subject rights.

Conduit: Privacy Center with jurisdiction-specific notice templates for each UAE regime.

DPO appointment

Federal PDPL: required for high-risk or large-scale processing. ADGM: required for systematic monitoring. DIFC: required in line with GDPR-equivalent thresholds.

Conduit: DPO designation and case assignment within the compliance workspace.

Breach response

Federal PDPL: notify UAE Data Office promptly (no specific window). ADGM: 72-hour notification (same as GDPR). DIFC: notification required per Commissioner guidance.

Conduit: Breach workflow with notification templates for each UAE regulator and countdown timers.

Cross-border transfer controls

UAE mainland ↔ DIFC is a regulated cross-border transfer — neither recognises the other as adequate. ADGM recognises DIFC as adequate. Federal PDPL adequacy list not yet published.

Conduit: Transfer impact assessments and SCCs flagged automatically when data flows between UAE entities in different regimes.

FREQUENTLY ASKED

UAE PDPL, answered.

What is the UAE PDPL?
The UAE Personal Data Protection Law is Federal Decree-Law No. 45 of 2021. It is the United Arab Emirates’ federal data protection law, governing how organisations process the personal data of individuals in the UAE and granting data subjects rights over their data.
What rights do data subjects have under the UAE PDPL?
Data subjects have the right to access their data, to request correction, to request erasure, to restrict or stop processing, to data portability, and to object to automated processing and profiling.
Who enforces the UAE PDPL?
The UAE Data Office (the federal data protection authority) is responsible for issuing executive regulations, overseeing compliance, and handling complaints under the PDPL.
Does the PDPL apply in the DIFC and ADGM free zones?
No. The financial free zones — the DIFC and ADGM — have their own standalone data protection laws (the DIFC Data Protection Law and the ADGM Data Protection Regulations). The federal PDPL applies across the rest of the UAE.
How should companies respond to a data subject request in the UAE?
Controllers must respond to data subject requests without undue delay, with specific timelines and procedures set out in the PDPL’s executive regulations. Privacy Conduit tracks each request on an SLA clock so nothing is missed.

I operate in the UAE

Identify which of the three UAE regimes applies to your entity, set up DSR intake, and start your compliance clock before the January 2027 Federal PDPL enforcement deadline.

Read the full law breakdown

See how UAE privacy law compares to GDPR, India DPDP, and other jurisdictions on the full Privacy Laws reference page.

Compare all laws