UAE data privacy law explained 2025

April 7, 2026
Written By Raina

Raina, the tech-savvy mind behind TechHack.org, explores the latest in tech, cybersecurity, and digital trends.


UAE Data Privacy Law Explained 2025 — What Residents & Businesses Must Know

Written by Raina, Tech Editor, techhack.org · Last updated April 2026 · Based on Federal Law No. 45 of 2021 · Covers: Residents & Businesses · Plain English · Fines · Compliance

Note: This article is for general information only and does not constitute legal advice. For specific compliance questions, consult a qualified UAE legal advisor.


The UAE Personal Data Protection Law — Federal Law No. 45 of 2021 (PDPL) — is the UAE’s comprehensive data privacy framework, enacted to protect the personal data of individuals and regulate how organisations collect, store, and use it. Whether you are a UAE resident wanting to understand your rights, or a business owner needing to understand your obligations, this plain-English guide covers what the PDPL actually means for you in 2025.

UAE Data Privacy Law — Key Facts:

  • Law: Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
  • Regulator: The Data Office (UAE)
  • Applies to: All businesses processing personal data of UAE residents — including foreign companies
  • Minimum fine: AED 100,000 for violations
  • Maximum fine: AED 1,000,000 (up to AED 5,000,000 for critical infrastructure)
  • Exemptions: Government entities, DIFC and ADGM (which have their own separate frameworks)
  • Your rights: Access, correction, deletion, portability of your personal data

What Is “Personal Data” Under UAE Law?

The PDPL defines personal data broadly — any information that identifies or can identify a natural person. This includes obvious data (name, Emirates ID, phone number, email) and less obvious data (IP address, location data, cookie identifiers, biometric data, health records, and financial data).

Sensitive personal data receives extra protection — this includes health and medical data, biometric data, genetic data, data relating to criminal records, and data revealing ethnic or racial origin, religious beliefs, or political opinions. Businesses handling sensitive data face stricter requirements.

Your Rights as a UAE Resident Under the PDPL

📋 Right to Know

You have the right to know what personal data any organisation holds about you, why they hold it, and how it is being used — before or when data is collected.

✏️ Right to Correct

If an organisation holds inaccurate personal data about you, you have the right to request that it be corrected or completed. The organisation must respond within a reasonable time.

🗑️ Right to Delete

In certain circumstances, you can request that an organisation delete your personal data — particularly if consent was withdrawn, the data is no longer needed, or it was processed unlawfully.

📦 Right to Portability

You can request a copy of your personal data in a structured, machine-readable format — allowing you to transfer it to another service provider.

🚫 Right to Object

You can withdraw consent for processing your data at any time and object to your data being used for direct marketing purposes.

What UAE Businesses Must Do to Comply

From 2026 onward, compliance with the PDPL is not optional. Here are the core obligations for UAE businesses handling personal data.

| Obligation | What It Means in Practice |
|---|---|
| Lawful basis for processing | You must have a legal reason to process personal data — typically consent, contract performance, legal obligation, or legitimate interest |
| Clear consent | Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent under UAE law |
| Privacy notice | Every business must provide a clear privacy policy explaining what data is collected, why, how it is stored, who it is shared with, and how long it is kept |
| Data breach notification | Businesses must notify The Data Office of a data breach within a defined timeframe, and notify affected individuals if the breach poses significant risk |
| Cross-border data transfers | Personal data may only be transferred outside the UAE to countries with adequate data protection — or with appropriate contractual safeguards in place |
| Data minimisation | Collect only the personal data you actually need — and delete it when you no longer need it |

PDPL Fines — What Are the Penalties?

  • Standard Violation: AED 100K (minimum fine for PDPL violations)
  • Serious Violation: AED 1M (maximum fine for most violations)
  • Critical Infrastructure: AED 5M (maximum for critical infrastructure harm)
  • Sensitive Data Breach: Up to AED 3M (unlawful processing of sensitive personal data)

UAE Data Privacy — Sector-Specific Rules

In addition to the federal PDPL, sector-specific regulations apply in the UAE:

| Sector | Applicable Framework | Regulator |
|---|---|---|
| Financial (DIFC) | DIFC Data Protection Law 2020 | DIFC Commissioner of Data Protection |
| Financial (ADGM) | ADGM Data Protection Regulations 2021 | ADGM Registration Authority |
| Healthcare | PDPL + ADHICS (Abu Dhabi) / DHA regulations (Dubai) | DOH / DHA |
| Telecoms | PDPL + TDRA Cybersecurity Framework | TDRA |

Practical compliance starting point for UAE businesses: Update your privacy policy, audit what personal data you collect and why, ensure you have a valid lawful basis for each type of processing, and create a simple data breach response procedure. These four steps address the majority of PDPL compliance requirements for most UAE SMEs and are the minimum expected by The Data Office when assessing compliance intent.

Frequently Asked Questions — UAE Data Privacy Law

What is the UAE data privacy law?

The UAE Personal Data Protection Law is Federal Decree-Law No. 45 of 2021 (PDPL). It governs how personal data of UAE residents is collected, stored, processed, and transferred. It gives individuals rights over their data and imposes obligations on businesses, with fines from AED 100,000 to AED 5,000,000 for violations. The regulator is The Data Office.

Does the UAE PDPL apply to my business?

The PDPL applies to any organisation — whether UAE-based or international — that processes personal data of UAE residents. This includes e-commerce businesses, marketing agencies, HR departments handling employee data, healthcare providers, and any app or website collecting data from UAE users. DIFC and ADGM entities are exempt from the federal PDPL but have equivalent local frameworks.

What are my rights under UAE data privacy law as a resident?

As a UAE resident, you have the right to know what personal data is held about you, the right to correct inaccurate data, the right to request deletion in certain circumstances, the right to receive a copy of your data (portability), and the right to withdraw consent and object to processing for direct marketing.

What is the fine for violating UAE data privacy law?

Fines under the PDPL range from AED 100,000 (minimum) to AED 1,000,000 for standard violations. Unlawful processing of sensitive personal data can result in fines up to AED 3,000,000. Violations causing harm to critical infrastructure can result in fines up to AED 5,000,000. Non-financial penalties including operational restrictions and licence issues also apply.

Does UAE PDPL apply to companies outside the UAE?

Yes — the PDPL applies to any organisation that processes personal data of UAE residents, regardless of where the organisation is based. International e-commerce companies, SaaS providers, and digital services that collect data from UAE users must comply with the PDPL if they process UAE resident data.

UAE Data Privacy Law — Key Takeaways 2025

  • Law: Federal Decree-Law No. 45 of 2021 — UAE’s comprehensive data privacy framework
  • Your rights: Access · Correct · Delete · Portability · Object to processing
  • Businesses must: Have lawful basis · Provide privacy notice · Notify breaches · Minimise data
  • Fines: AED 100,000 minimum — AED 5,000,000 maximum
  • Applies to: Any organisation handling UAE resident data — including foreign companies
  • Regulator: The Data Office — thedataoffice.gov.ae

For legal advice on PDPL compliance specific to your business, consult a qualified UAE data protection lawyer. This article is for general information only.

Last updated: April 2026 | Based on Federal Decree-Law No. 45 of 2021 and UAE Data Office guidance. This article is for general information and does not constitute legal advice. Always refer to official UAE government sources and qualified legal counsel for compliance decisions.

About the Author

Raina

Tech Editor & Cybersecurity Writer · techhack.org

Raina covers cybersecurity, AI tools, smart home tech, and digital trends across the UAE.
