Personal Data Protection Law (PDPL) in the UAE: Is It Mandatory for Businesses?
The UAE is developing a mature legal system focused on international standards. In 2022, Federal Law No. 45/2021 on the Protection of Personal Data (Personal Data Protection Law - PDPL) came into force, regulating the processing of information about individuals. For many companies, this has become a key factor in building compliance and working with banks and investors.
We at Antwort Law support businesses in the Emirates on a daily basis and have prepared this article to explain who is required to comply with the PDPL and how to properly document the absence of personal data processing, if this is your case.
The PDPL is mandatory for all companies registered in the UAE (mainland and free zone), as well as for foreign data controllers if they work with information about individuals located in the UAE. They are required to:
- register data processing processes,
- appoint a data protection officer (DPO) for significant volumes of processing,
- develop a privacy policy,
- notify of data security breaches.
However, the PDPL does not impose significant obligations on a company if all of the following conditions are met simultaneously:
- the company has no employees or clients;
- does not collect or process personal data of individuals;
- the activity is carried out exclusively for its own needs (for example, private cryptocurrency trading without involving third parties).
Even in this case, so that the company can formally confirm its position during inspections and rule out possible claims from regulators, the UAE Data Office recommends drawing up:
- written confirmation of the absence of data processing;
- an internal policy of "zero data processing".
In addition to the requirements of regulators, compliance with the PDPL directly affects business:
- Audit: ready-made PDPL documents help to pass the audit without comments.
- Banks: a privacy policy speeds up compliance and reduces the risk of account denial.
- Investors: transparent data processes increase trust and simplify raising funds.
If your company is required to comply with the PDPL, the steps are clear:
- Data inventory - a description of all data sources (employees, clients, contractors);
- Registration of processing processes through the UAE Data Office (including the appointment of a responsible person, if required);
- Develop a data protection policy (Data Privacy Policy, Data Flow Map);
- Prepare for audits and bank checks - many banks request confirmation of PDPL compliance when opening an account.
Companies in the UAE must build a clear system for working with personal data in order to comply with the requirements of the PDPL and be ready for audits. To do this, you need to:
- Maintain a data processing register (Data Inventory): record what data is collected, for what purposes, where it is stored and who has access.
- Determine the procedure for storing and destroying data: specify storage periods, deletion methods and responsible persons.
- Update the data protection policy when the business model changes (for example, hiring employees or launching customer services).
- Document cross-border data transfer: specify the grounds for transfer and confirm the security of processing outside the UAE.
The storage periods for personal data are determined by the company's internal documents and must comply with the PDPL principle: data cannot be stored longer than is justified by the purposes of their processing.
Many companies try to build PDPL processes on their own, relying on general recommendations from open sources, but in practice, this is where mistakes are most often made: the data register is not drawn up, the requirements of the UAE Data Office are not taken into account, and there is no internal policy. As a result, such gaps become a real problem during an audit or bank inspection.
How we help at Antwort Law:
- analyze whether the business falls under the PDPL;
- prepare documents for registering data processing in the UAE Data Office;
- develop internal policies and compliance procedures;
- advise on interactions with banks and auditors.
Working from our office in Dubai, we see that even companies without clients and staff benefit from formally recording their position on the PDPL. This removes questions from regulators and speeds up inspections. Instead of taking risks and trying to work out the nuances of the law on your own, entrust this process to professionals. At Antwort Law, we not only prepare documents, but also create real protection for your business.
Lidia Ivanova
International lawyer
Antwort Law