The UAE operates three separate data protection regimes — Federal PDPL, DIFC, and ADGM — that do not automatically apply to each other. An entity with offices in both mainland Dubai and DIFC has two distinct compliance obligations. Privacy Conduit handles all three correctly.
Federal PDPL entities
~1.4M mainland companies
DIFC active firms
~8,844 — actively enforced
ADGM licences
~12,671 — USD 28M max fine
Enforcement clock
DIFC: now · Federal: Jan 2027
UAE mainland ↔ DIFC data transfers are regulated cross-border transfers
Federal PDPL and the DIFC DP Law do not recognise each other as adequate. A Dubai mainland entity sharing personal data with its DIFC subsidiary requires appropriate transfer safeguards (SCCs or binding corporate rules). No platform handles this correctly out of the box — Privacy Conduit does.
Scope
All mainland UAE entities and any organisation processing UAE-resident personal data
Regulator
UAE Data Office (Emirates Data Office)
Response deadline
30 days
Max fine
AED 20,000,000 (~USD 5.4M)
Status
Pre-enforcement; Executive Regulations issued 2024. Compliance deadline: January 2027
Data subject rights
Scope
DIFC-incorporated entities and any organisation with stable DIFC processing operations
Regulator
DIFC Commissioner of Data Protection
Response deadline
30 days (extendable by 60 days)
Max fine
USD 25,000–50,000 per violation + private right of action (since July 2025)
Status
Actively enforced since 2020 — most mature data protection regime in the UAE
Data subject rights
Scope
ADGM-registered entities and processors handling data for ADGM-registered controllers
Regulator
ADGM Commissioner of Data Protection
Response deadline
60 days (2 months), extendable by 30 more days
Max fine
USD 28,000,000 per offense — highest cap of the three UAE regimes
Status
Moderately enforced; Commissioner has active investigative powers
Data subject rights
Unlawful processing of special category data
AED 20,000,000
~USD 5.4M
General data protection violations
AED 50,000–5,000,000
~USD 13K–1.36M
Unlawful disclosure of personal data (criminal)
Fine + up to 1 year imprisonment
Failure to notify Commissioner of processing
USD 25,000
Per violation
Failure to conduct mandatory DPIA
USD 50,000
Per violation
Private right of action (data subject lawsuit)
Financial + non-financial damages
Direct DIFC Court litigation
Per-offense data protection violation
USD 28,000,000
Highest UAE cap
All three UAE regimes require documented procedures for handling access, deletion, portability, and objection requests. DIFC entities face litigation risk since July 2025.
Federal PDPL requires explicit, specific consent with no legitimate interests fallback. ADGM requires explicit written or electronic consent. DIFC consent must be freely given and withdrawable.
All three regimes require clear notice before or at collection. Federal PDPL mandates disclosure of identity, purposes, retention, recipients, and data subject rights.
Federal PDPL: required for high-risk or large-scale processing. ADGM: required for systematic monitoring. DIFC: required in line with GDPR-equivalent thresholds.
Federal PDPL: notify UAE Data Office promptly (no specific window). ADGM: 72-hour notification (same as GDPR). DIFC: notification required per Commissioner guidance.
UAE mainland ↔ DIFC is a regulated cross-border transfer — neither recognises the other as adequate. ADGM recognises DIFC as adequate. Federal PDPL adequacy list not yet published.
FREQUENTLY ASKED
Identify which of the three UAE regimes applies to your entity, set up DSR intake, and start your compliance clock before the January 2027 Federal PDPL enforcement deadline.
See how UAE privacy law compares to GDPR, India DPDP, and other jurisdictions on the full Privacy Laws reference page.
Compare all laws