UAE Data Protection Law Framework: Mainland, DIFC and ADGM

Overview

This article provides a comprehensive summary of the data protection frameworks across distinct UAE jurisdictions – the UAE mainland, the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC). It also explores how these regimes interact in the realm of personal data protection.

UAE

The UAE introduced its first Federal Data Protection statute on 20 September 2021 – Federal Decree-Law No 45 of 2021 on the Protection of Personal Data (PDPL) – which officially came into force on 2 January 2022. A key feature of the PDPL is the establishment of the UAE Data Office, the central authority tasked with managing data subject complaints, issuing guidance and enforcing the law. The PDPL mandates that the UAE Data Office shall issue Executive Regulations to define detailed standards and controls for implementation. Enforcement of the PDPL was scheduled to commence six months after these regulations were formally adopted.

Prior to the PDPL, personal data protection and confidentiality were addressed through a variety of legal instruments, including:

• the UAE Constitution, which upholds communication freedom and confidentiality;
• Federal Law No 15 of 2020 on Consumer Protection, granting consumers rights over their data and its usage;
• Federal Law No 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields, which safeguards the confidentiality and security of health data; and
• Federal Decree Law No 34 of 2021 on Combating Rumours and Cybercrimes, establishing penalties for unauthorised data handling, especially when it involves sensitive sectors such as government, banking, media, health and scientific entities.

DIFC

The DIFC Data Protection Law (Law No 5 of 2020), governs personal data in the DIFC, aligning with GDPR and UK standards. Supported by the DIFC Data Protection Regulations (the “DIFC DP Regulation”), effective 1 July 2020, it applies to DIFC-based entities and any controller or processor handling personal data within the DIFC, regardless of location. Its extraterritorial scope ensures robust data protection for all processing activities conducted through local means or personnel within the financial centre.

The Office of the Commissioner of Data Protection (the “Commissioner”) is the designated regulatory body responsible for enforcing these provisions. The Commissioner handles complaints from data subjects, oversees compliance with both the law and the regulations, and works to enhance public understanding of data protection principles.

Inadvertently obtained information

Amendments of 1 September 2023 to the DIFC DP Regulations introduced key updates where individuals who inadvertently receive personal data are now classified as “temporary custodians” and must notify the owner or the Commissioner and delete the data to avoid liability for unauthorised processing.

Marketing and communications

Marketing rules mandate that data subjects be clearly informed of their right to limit data use. Organisations must provide intuitive privacy options, such as clear selection boxes and accessible language, to ensure transparency in data collection and usage.

Processing via autonomous and semi-autonomous systems

For the first time, AI and semi-autonomous systems fall under regulation. Entities using such technologies must notify data subjects about data-processing purposes, system design principles and any certifications. The amendments establish key AI design principles, including ethics, fairness, transparency, security and accountability, ensuring responsible and compliant data use. These changes strengthen the DIFC’s data protection framework, reinforcing privacy rights and ethical technology deployment.

ADGM

The ADGM Data Protection Regulations (the “ADGM DPR”) set the legal framework for personal data protection within the ADGM. Issued on 14 February 2021, they took effect on 14 February 2022 after a one-year transition. Enforced by the Office of Data Protection under the Commissioner, the regulations also apply beyond the ADGM as follows:

• entities outside the ADGM may be subject to them if their processing activities are directly linked to an ADGM-based entity; and
• where the ADGM entity’s revenue is tied to such external processing.

Territorial Application

The data protection regimes in the UAE, DIFC and ADGM extend their reach beyond their physical boundaries, but each under its own set of conditions.

PDPL (UAE mainland)

Any controller or processor, wherever they are based, who processes personal data of individuals located in the UAE must comply with the PDPL. The regulation’s definition of “data subject” is broad, covering all natural persons, and is not limited to the citizens or residents of the UAE. This means that even a tourist visiting the UAE temporarily is included within its scope, and any entity handling such personal data is subject to its provisions.

DIFC Data Protection (DP) Law

The DIFC DP Law applies to controllers and processors irrespective of their incorporation if they process personal data within the DIFC. In practice, this means that, if data processing occurs via means or personnel operating in the DIFC, the entity must adhere to the DIFC DP Law, ensuring full compliance within the centre.

ADGM DPR

The extraterritorial application of the ADGM DPR is more circumscribed. For controllers or processors outside the ADGM to fall under its jurisdiction, there must be a direct and substantial connection to an ADGM-based entity. In other words, the external processing must be integrally linked to the operations of a company within the ADGM, with the revenue generated by the ADGM entity being demonstrably tied to those processing activities.

Analysis

The UAE PDPL has a broad extraterritorial scope, applying to any processing of personal data involving individuals in the UAE, regardless of the controller’s or processor’s location – even covering tourists. In contrast, the DIFC DP Law applies based on where processing occurs, focusing on whether the means or personnel are in the DIFC, irrespective of the data subjects’ locations. The ADGM DPR takes a narrower approach, applying to foreign entities only if there is a strong, demonstrable link to an ADGM-based company, ensuring jurisdiction is limited to processing activities closely tied to the company’s services and revenue.

Non-Consent-Based Legal Basis for Processing of Data

“Consent” is a key principle in personal data processing, ensuring that data subjects retain control. The PDPL, DIFC DP Law and ADGM DPR set strict consent criteria. The PDPL requires consent to be specific, informed and unambiguous, with clear details on processing purposes and the controller’s identity. The DIFC DP Law and ADGM DPR further mandate that consent be “freely given”, preventing coercion. However, consent is not always the sole legal basis for processing. These frameworks also outline alternative grounds, allowing data processing without consent, and ensuring a balanced approach between regulatory compliance, individual rights and business or public interest needs. This applies as follows.

PDPL

• For protection of public interest.
• Where personal data has been made public by the data subject, to initiate or defend legal claims and judicial/security procedures.
• While facilitating healthcare, employee capacity assessment or social care system management.
• While facilitating public health protection (diseases, epidemics) and ensuring safety of medical products/medicines.
• While facilitating scientific/historical/statistical purposes as mandated by State legislation.
• For protection of the interests of the data subject.
• While facilitating fulfilment of legal obligations and exercising rights in relation to employment, social security and social protection, as permitted by relevant laws.
• While facilitating fulfilment of contractual obligations or amending, concluding and terminating a contract at the request of the data subject. 

DIFC DP Law

• For performance of a contract.
• For compliance with legal obligations.
• For protecting the vital interests of the data subject.
• Where processing is necessary for:
1. performance of a task carried out by the Dubai Financial Services Authority, DIFC Courts or the Commissioner in the interests of the DIFC.
2. exercise of a DIFC body’s powers and functions; or
3. the exercise of powers or functions vested by a DIFC body in a third party to whom personal data is disclosed by the DIFC body.
• In pursuance of a “legitimate interest” of the controller.

ADGM DPR

• For performance of a contract.
• For compliance with legal obligations.
• For protecting the vital interests of the data subject.
• Where processing is necessary for the performance of a task carried out by a public authority in the interests of the ADGM, or in the exercise of:
1. the ADGM;
2. the Financial Services Regulatory Authority;
3. the ADGM Courts;
4. the registration authority’s functions; or
5. official authority vested in the controller under applicable law.
• In pursuance of a “legitimate interest” of the controller.

Analysis

The PDPL, DIFC DP Law and ADGM DPR provide distinct yet overlapping legal bases for data processing. All three prioritise protecting vital interests and fulfilling contractual or legal obligations. While the DIFC DP Law and ADGM DPR recognise “legitimate interests” as a basis, the PDPL does not, instead focusing on public interest and health-related processing. Together, these frameworks balance legal compliance, individual rights and business needs, reflecting a nuanced approach to data protection and regulatory requirements.

Whether “Consent” Is a Valid Basis for Processing of Data in the Case of an Employee

PDPL

Consent is recognised as a valid legal basis for processing personal data under the PDPL. However, the law does not expressly require that such consent be “freely given”. In practice, this means the PDPL does not explicitly address scenarios where power imbalances – such as those that might exist between employers and employees – could lead to consent that is less than voluntary. It is expected that future Executive Regulations may provide additional clarity on this issue.

DIFC DP Law/ADGM DPR

In contrast, both the DIFC DP Law and the ADGM DPR – as interpreted through guidance issued by their respective data protection authorities – mandate that consent must be “freely given”. These frameworks are to be read alongside UK and EU standards, which emphasise that data subjects must have a genuine, uninfluenced choice when consenting, ensuring that no party is coerced into agreeing to data processing.

Analysis

The PDPL accepts consent as a legal basis for processing without an explicit requirement for it to be “freely given”, leaving potential issues unaddressed –such as power imbalances between employers and employees. On the other hand, the DIFC DP Law and the ADGM DPR take a more robust stance by requiring that consent be given voluntarily. This stricter requirement aligns these frameworks with international best practices, thereby better safeguarding the autonomy of data subjects in all contexts.

Data Subject Rights

The common data subject rights granted under the PDPL, DIFC DP Law and ADGM DPR are that:

• they must be informed about the collection of their personal data, regardless of the data source, with specified details;
• they can confirm and obtain a copy of their processed personal data from the controller;
• they can request the erasure of their personal data;
• they can have inaccurate or incomplete personal data corrected;
• they can receive their personal data in a machine-readable format and transfer it to another controller;
• they are protected from decisions based solely on automated processes, including profiling;
• they can object to the processing of their personal data, including for direct marketing;
• they have the right to withdraw their consent at any time; and
• they have the right to file a complaint with the pertinent authority in the event of any violation of the legal provisions in the PDPL, the DIFC DP Law or the ADGM DPR.

DIFC DP Law

Data subject rights specific to the DIFC DP Law are as follows:

• non-discrimination – the DIFC DP Law protects data subjects from discrimination when exercising their rights under Part 6, ensuring equal access to goods and services; and
• communication methods to exercise data subject rights – controllers must provide at least two communication channels, such as telephone and an online portal, to facilitate the exercise of data subject rights effectively and accessibly.

Analysis

The PDPL, DIFC DP Law and ADGM DPR all outline data subject rights that mirror those found in the GDPR, thereby aligning with international practices. This harmonisation not only reinforces the protection of personal data but also makes these jurisdictions attractive to international entities, as they can be confident that their transferred data will be safeguarded by globally recognised standards. Notably, the DIFC DP Law goes a step further by explicitly incorporating non-discrimination measures and mandating multiple communication methods, thereby providing data subjects with additional tools to enforce their rights and prevent unfair treatment.

Special Provisions With Respect to Processing of Personal Data in Relation to a Minor

PDPL

The PDPL does not include any special provisions for processing the personal data of minors. As a result, minors are treated in the same manner as adult data subjects under this law.

DIFC DP Law

Under the DIFC DP Law, minors are granted an absolute right to object to automated processing. While this right is absolute for minors, adult data subjects may have certain limitations or conditions attached to exercising the same right.

ADGM DPR

The ADGM DPR outlines a three-pronged proportionality test for using the “legitimate interest” basis to process personal data. This test is further explained in guidance from the Office of Data Protection, which highlights the importance of considering whether the data subject is a minor when applying the test. The guidance emphasises that, when minors exercise their right to access information, the provided data must be communicated in a clear, transparent and easily understandable manner tailored to their level of understanding.

Analysis

Under the PDPL, minors are treated the same as adults for data processing. However, both the DIFC DP Law and the ADGM DPR introduce more tailored protections for minors. In the DIFC, minors are granted an absolute right to reject automated processing, while the ADGM framework incorporates a proportionality test that places special emphasis on the data subject’s minor status when justifying processing based on “legitimate interest”. These measures demonstrate a heightened sensitivity to the unique risks and needs involved in handling the personal data of minors.

Appointment of a Data Protection Officer

PDPL

Under the PDPL, a Data Protection Officer (DPO) must be appointed when:

• processing activities pose a significant risk to the confidentiality and privacy of personal data due to the use of emerging technologies or the large volume of data processed;
• processing involves a systematic and comprehensive evaluation of sensitive data, including profiling or automated processing; or
• a substantial volume of sensitive personal data is being handled.

DIFC DP Law

A DPO is required under the DIFC DP Law only when a controller or processor is engaged in “high risk activities” on a regular or systematic basis that includes:

• processing a considerable amount of personal data via use of novel technologies or methods resulting in a high risk to the data subject;
• processing that involves automated processing, including profiling, where inferences from such processing will form the basis of legally binding decisions; or
• where a material amount of special categories of personal data is to be processed.

ADGM DPR

The ADGM DPR mandates the appointment of a DPO if an organisation is involved in:

• large-scale processing or continuous monitoring of data; and
• processing activities that involve considerable amounts of special category personal data.

Analysis

All three frameworks – the PDPL, DIFC DP Law and ADGM DPR – set similar thresholds for DPO appointment. They each require a DPO in scenarios where data processing presents elevated risks, whether due to the volume of data, the sensitive nature of the information involved, or when systematic processing activities occur. This unified approach ensures that organisations managing high-risk data-processing operations have dedicated oversight to maintain robust compliance with data protection standards.

International Transfers

PDPL

Under the PDPL, personal data transfers outside the UAE are permitted if the recipient’s jurisdiction has adequate data protection laws or if a bilateral agreement exists. If neither applies, transfers can proceed with a binding contract ensuring safeguards, explicit consent of the data subject, for legal compliance or for legal claims. Transfers are also allowed for contractual obligations in the data subject’s interest, international judicial co-operation or safeguarding public interest.

DIFC DP Law

Under the DIFC DP Law, personal data transfers outside the DIFC are allowed if the recipient jurisdiction has adequate data protection laws. If there are no laws, transfers require legally binding contracts, corporate rules or safeguards such as explicit consent, contractual necessity, legal compliance or public interest. Transfers are also valid for legal claims, vital interests, financial standards or AML/CFT compliance.

If the data transfer does not fall under any of these conditions, it must meet the following additional criteria to be considered valid under the DIFC DP Law:

• the transfer should not be repetitive or part of a continuous series of transfers; 
• it must concern only a limited number of data subjects;
• it should be necessary for pursuing compelling legitimate interests of the controller; and
• the controller must perform a comprehensive documentary assessment of all the circumstances surrounding the transfer and ensure that suitable safeguards are in place.

ADGM DPR

Such transfers are permissible under specific conditions, as follows.

Transfers are allowed to jurisdictions recognised by the ADGM Commissioner of Data Protection as providing an adequate level of data protection. The list of these jurisdictions is maintained and updated by the ADGM Office of Data Protection.

In the absence of adequate laws, data transfers require safeguards that include legally binding instruments, corporate rules, standard clauses, codes of conduct, or certification ensuring data rights and legal remedies. Transfers can also rely on explicit consent, public interest, legal compliance, vital interests, legal claims, or contracts facilitating performance and protecting the data subject’s interests.

Analysis

The data transfer rules across these jurisdictions clearly outline when personal data may be moved beyond their borders, leaving no room for ambiguity. This precise approach not only facilitates cross-border data flows in a practical and flexible manner but also maintains the confidentiality of personal data. In instances where the receiving jurisdiction lacks robust data protection laws or formal bilateral agreements, the defined criteria provide both data subjects and organisations with the independence needed to manage their data transfers in line with their unique legal and operational requirements.

Data Breach

PDPL

Organisations must establish mechanisms to detect and manage data breaches. While detailed breach notification timelines will be specified in the forthcoming Executive Regulations, companies must promptly inform the UAE Data Office of any incidents that could jeopardise data subjects’ rights and freedoms.

DIFC DP Law

Reporting data breaches to authorities

If a company (controller) experiences a data breach, it must report the incident to the DIFC Commissioner without delay via the email commissioner@dp.difc.ae or the DIFC website.

Informing affected individuals

The Commissioner may instruct the company to inform affected individuals (data subjects) or issue public announcement through email, letters or media outlets.

Penalties for not reporting breaches

Failure to notify the Commissioner or affected individuals when legally required may incur fines, sanctions or other legal consequences.

Handling accidental possession of personal data

If a business or individual accidentally gains access to someone else’s personal data, they are considered a temporary custodian and the following applies.

• They must attempt to return or notify the rightful owner (Party B) within 30 days.
• If Party B recovers the data, the custodian (Party A) must delete all copies.
• If Party B is unidentifiable or unresponsive, Party A must:
1. inform the Commissioner and hand over the data;
2. explain how the data was acquired; and
3. delete all copies.

Commissioner’s role in handling accidental data possession

The Commissioner will assess the situation and may:

• impose penalties on Party B;
• instruct Party B to notify affected individuals; and
• order Party B to cover costs related to the data’s handling.

ADGM DPR

Reporting data breaches

A company (controller) must report a personal data breach to the Commissioner of Data Protection within 72 hours of becoming aware of it. If delayed, an explanation must be provided. If a breach occurs at a processor, they must immediately notify the controller.

Report requirements

The report to the Commissioner should include:

• what happened – type of data breach and estimated number of affected individuals and records;
• contact information – company’s DPO or responsible person;
• potential risks – likely impact on affected individuals; and
• corrective actions – measures taken to mitigate the issue.

Internal documentation

Regarding communication of a breach, companies must keep records of all breaches, their impact and resolutions. If a high-risk breach could significantly affect individuals, they must be notified immediately about:

• what happened;
• possible consequences;
• steps taken to fix the issue; and
• how individuals can protect themselves.

Exception to notification

Notification is not required if:

• the data was encrypted or otherwise secured, making it useless to unauthorised parties;
• corrective measures have been taken that eliminate any significant risks; and
• notifying individuals is impractical (eg, owing to outdated data or an excessively large number of affected individuals) – in such cases, a public notice should be issued.

The Commissioner’s authority

If a company opts not to notify individuals, the Commissioner may still require it if they assess a high risk. Conversely, they may confirm that no notification is necessary if risks are low.

Analysis

Every jurisdiction has different reporting obligations. While further regulatory guidance is awaited regarding the PDPL, companies must nonetheless swiftly inform the UAE Data Office of incidents posing risks to data subjects. The DIFC and ADGM mandate immediate breach reporting to the Commissioner, who may require notifying affected individuals and impose penalties for non-compliance. Across all frameworks, companies must maintain breach records, assess risks and implement corrective measures. 

Conclusion

In recent years, the UAE, DIFC and ADGM have made notable progress in developing comprehensive data protection frameworks. While the UAE’s federal law, the PDPL, is still awaiting its Executive Regulations, the DIFC and ADGM have already implemented robust data protection regulations inspired by the EU GDPR, which ensure strong safeguards for personal data. These frameworks emphasise individual rights and accountability to uphold privacy and confidentiality. However, as regulations continue to evolve, organisations must stay proactive and implement effective compliance strategies to navigate the shifting landscape of data protection.