The Constitution of the United Arab Emirates (UAE) provides that safety and security for all citizens shall be the pillars of society. The Constitution further provides that freedom of correspondence by post, telegraph or other means of communication, and the secrecy thereof, is guaranteed in accordance with the law, and that dwellings are inviolable. These constitutional provisions serve as the foundational guidelines for respecting privacy.

The statutory regime concerning data protection is chiefly found in the following laws/regulations.

Federal Decree Law No 45 of 2021 on personal data protection (the “UAE Law”)

The UAE Law is a federal-level law applicable across the UAE, except for the following:

• governmental data;
• government authorities that control and process personal data;
• security and judicial authorities;
• health-related personal data;
• banking and credit personal data; and
• companies and organisations incorporated

Dubai International Financial Centre (DIFC) Law No 5 of 2020 (the “DIFC Law”)

The DIFC is a free zone, and the DIFC Law applies in the jurisdiction of the DIFC to the processing of personal data, regardless of the place of incorporation of the controller or processor. Similarly, it is also applicable to controllers and processors incorporated in the DIFC, irrespective of their processing of personal data.

The Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 (the “ADGM Regulations”)

The ADGM is a free zone, and the ADGM Regulations apply in the context of the establishment of a controller or a processor in the ADGM.

Apart from the above, sector-specific regulations govern data protection in their respective sectors, as follows:

• Federal Decree-Law No 6/2025 Concerning the Central Bank and the Regulation of Financial Institutions, Activities, and Insurance Business (governing data protection of customers of banks);
• Federal Law No 3 of 2003 (concerning telecommunications) governing data protection of telecoms consumers; and
• Federal Law No 2 of 2019 (concerning use of information and communication technology in health fields) governing confidentiality of patients’ information.

The above-mentioned laws/regulations provide for matters related to offences, penalties and enforcement in their respective sphere.

In the UAE, Federal Decree-Law No 45 of 2021 (PDPL) forms the main national data protection law. Alongside this, the DIFC and ADGM have their own data protection regimes that apply within their respective free zones. While separate, these frameworks are broadly aligned with each other and with GDPR principles, reflecting a shared commitment to high standards of personal data protection. The DIFC and ADGM laws also set out more detailed, zone-specific requirements, which are enforced by their own regulatory authorities.

The sector-specific regulations mentioned above regulate the processing of personal data in their respective spheres while complementing the personal data protection laws in the UAE.

The data privacy laws applicable across the UAE based on the set of principles for the processing of the personal data, which are as follows:

• Lawfulness: Personal data must be processed in accordance with applicable legal requirements.
• Fairness and Transparency: Processing must be fair to individuals and carried out in a transparent manner.
• Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes.
• Data Adequacy and Relevance: Personal data must be adequate, relevant, and limited to what is necessary.
• Data Minimisation: Only the minimum amount of personal data required for the stated purpose should be processed.
• Accuracy: Personal data must be accurate and kept up to date where necessary.
• Security and Confidentiality: Appropriate technical and organisational measures must be in place to protect personal data.
• Storage Limitation/Erasure: Personal data should not be retained longer than necessary and must be erased or anonymised when no longer required.

Rights of Data Subjects

The following rights are provided to data subjects under the UAE Federal Law, DIFC Law and ADGM Regulations.

• Right of Access to Information: A data subject has the right to access his/her processed personal data.
• Right to Notification: A data subject has the right to be notified with respect to the processing of his/her personal data.
• Right to Rectification/Erasure of Personal Data: A data subject has a right to request the rectification or erasure of their processed personal data.
• Right to Withdraw Consent: A data subject has the right to withdraw consent given for the processing of his/her personal data.
• Right to Restriction/Stopping of Processing: A data subject has the right to request the restriction or cessation of processing by a controller.
• Right to Data Portability: A data subject has the right to receive his or her personal data in a structured and commonly used machine-readable format and to transmit the personal data to another controller.
• Right Related to Automated Decision-Making and Profiling: A data subject has the right to not be subjected to a decision solely based on automated decision-making, including profiling.
• Right to Lodge Complaint: A data subject has the right to submit a complaint to the relevant data protection authority if the personal data has been processed in violation of the UAE PDPL, the DIFC Data Protection Law, or the ADGM Data Protection Regulations.

Compliance depends on the nature of the industry, the type of personal data processed, and the quantum of personal data processed. Some examples of compliance mechanisms, which may vary depending on the industry and other factors, are as follows:

• implementing compliance documentation;
• implementing a consent management mechanism;
• implementing a personal data breach procedure;
• facilitating data subjects to exercise their rights;
• implementing appropriate measures to protect personal data; and
• privacy awareness amongst employees in general and capacity building of staff entrusted with privacy compliance.

Federal Decree Law

The Federal Decree Law provides that the controller has an obligation to appoint a Data Protection Officer (DPO) when the controller is involved in the systematic processing and overall assessment of sensitive personal data (special categories of personal data).

Similarly, there is a requirement to carry out a data protection impact assessment when the processing involves a large amount of sensitive personal data.

DIFC Data Protection Law and ADGM Regulations

Special categories of personal data can be processed under the DIFC Law and ADGM Regulations in the following situations:

• when processing is carried out with the explicit consent of the data subject;
• when processing is necessary to fulfil obligations or exercise specific rights of the controller or the data subject in the context of employment;
• when processing is required to protect the vital interests of the data subject;
• when processing is conducted by a foundation, association, or other non-profit organisation as part of its legitimate activities;
• when processing relates to personal data that has been deliberately made public by the data subject;
• when processing is necessary for the establishment, exercise, or defence of legal claims; and
• when processing is required to comply with a specific legal obligation applicable to the controller.

Under the DIFC Law and the ADGM Regulations, criminal convictions are also included in the definition of the special categories of personal data. The Federal Decree Law, DIFC Law and the ADGM Regulations are silent on the matter of the processing of personal data relating to minors.

Federal Decree Law No 26 of 2025 on Child Digital Safety has been enacted to establish a legal framework for safeguarding children in the digital environment. The law aims to protect children from online risks and harmful digital content that may adversely affect their wellbeing, while at the same time ensuring their right to access digital content that is safe, appropriate, and age-appropriate. This law will be implemented after a one-year grace period.

ADGM Regulations

Processing for research purposes is allowed subject to the following conditions, irrespective of the particular circumstances:

• The controller must ensure, through appropriate technical and organisational measures, that personal data, including special categories of personal data, are anonymised and pseudonymised in a way that prevents re-identification. The processing for research purposes must not cause substantial damage to a data subject.
• The processing for research purposes is only allowed if the purpose for processing includes medical research, and it has received the approval of a public authority and research institution.

Through its Regulation 10, the DIFC has enacted amendments to its data protection regulations, aimed at overseeing the use of autonomous and semi-autonomous systems, particularly those driven by artificial intelligence (AI) and machines. The regulations apply to AI-driven systems and processes used within the DIFC’s jurisdiction – either autonomous systems or semi-autonomous systems. These regulations emphasise:

• the ethical use of systems;
• risk assessment and mitigation;
• accountability and oversight;
• that the processing must be transparent; and
• that users and data subjects must be informed about the role of AI in decisions that affect them.

Although neither the ADGM nor the DIFC has enacted laws specifically dedicated to AI, both have incorporated AI-related considerations into their existing data protection and governance frameworks. These provisions ensure that AI applications in financial services are used responsibly, ethically and in accordance with data protection standards.

The data controller, in the event of a personal data breach, is required to notify the relevant competent authority – ie, the Data Office (Federal Decree Law)/Commissioner (DIFC Data Protection Law)/Commissioner of Data Protection (ADGM Regulations), where the breach is likely to pose a risk to the privacy, confidentiality, security, or rights of data subjects. The data processor must notify the controller without undue delay upon becoming aware of such a breach.

Notification timelines differ across UAE jurisdictions:

• Under UAE Federal Law, the breach must be reported immediately.
• Under the DIFC Data Protection Law, notification must be made without undue delay.
• Under the ADGM Data Protection Regulations, notification must be made within 72 hours of becoming aware of the breach. Where notification is not made within this timeframe, the controller must provide reasons for the delay.

The breach notification must include, at a minimum:

• a description of the nature of the breach;
• contact details of the DPO;
• the likely consequences or impact of the breach;
• a description of the measures taken or proposed by the controller to address the breach and mitigate its effects; and
• any additional information required by the UAE Data Office (where applicable under UAE Federal Law).

Where a personal data breach is likely to pose a high risk to the security or rights of a data subject, the controller must also notify the affected data subject of the breach. The notification to the data subject must include the same information that was provided to the competent authority.

The UAE Data Office is the regulator for the purposes of the UAE Law.

The Commissioner administers the DIFC Law while the Commissioner of Data Protection is responsible for the monitoring and enforcement of the ADGM Regulations.

The Central Bank of the UAE and the Telecommunications and Digital Government Regulatory Authority (TDRA) are the regulators concerning the banking and telecommunications sectors, responsible for, among other things, the protection of their respective consumers’ data.

Health authorities (federal or local government) are entrusted with the protection of patients’ data.

The above-mentioned authorities have the powers of investigation and complaint-handling in their respective spheres.

The Data Office (concerning the UAE Law) is competent to receive complaints by data subjects regarding contraventions of provisions of the UAE Law. The Data Office is also competent to impose administrative sanctions for contraventions of provisions of the UAE Law. A person aggrieved by any decision, administrative sanction or any action of the Data Office may file a grievance with the Director General of the Data Office. The grievance is to be filed within 30 days of the date of decision, administrative sanction or action of the Data Office. The Director General of the Data Office is to determine such grievance within 30 days of its filing. The executive regulations to be issued pursuant to the UAE Law will specify the procedural aspects for filing and deciding on such grievances.

The Commissioner of Data Protection (under the DIFC Law) is competent to receive complaints from data subjects concerning contraventions of the DIFC Law or any breach of the rights of data subjects. The Commissioner is empowered to investigate the complaints and to issue a direction or declaration. The Commissioner is empowered to impose fines in the event of non-compliance with a direction issued by them. Concerning a complaint lodged with them, the Commissioner may follow those practices and procedures that will, in the Commissioner’s view, lead to the most timely, fair and effective resolution of the claim in the complaint. The controller, processor or data subject aggrieved by the Commissioner’s decision may appeal to the DIFC Court within 30 days.

Upon a contravention of the ADGM Regulations, a data subject may lodge a complaint with the Commissioner of Data Protection under the ADGM Regulations. After an assessment, the Commissioner may:

• dismiss the complaint;
• uphold the complaint;
• uphold the complaint but with no further action; or
• take any further action.

The aggrieved controller, processor or data subject may refer the matter to the court for review. The court may make any orders that it thinks just and appropriate in the circumstances, within three months of the penalty notice, direction or date of complaint.

Under the UAE Federal Decree Law, the administrative sanctions to be imposed are issued by the cabinet upon proposal of the Director General of the Data Office.

As per the DIFC Law, when the Commissioner considers that a controller or processor is liable for a contravention of law, they may issue an administrative fine to the controller or processor. The Commissioner must issue a notice to the controller or processor of the imposition of a fine or may hold the controller or processor liable for damages and compensation payable to the data subject. Administrative fines are set out in Schedule 2 of DIFC Data Protection Law No 5 of 2020. Fines corresponding to the contraventions mentioned in Schedule 2 range from USD10,000 to USD100,000.

Data subjects are also given a private right of action under the DIFC Law, so that when a data subject suffers damage due to a violation of the DIFC Law or its regulations, the data subject may apply to the court for compensation.

Under the ADGM Regulations, if a controller or processor performs an act or abstains from performing an act in contravention of a direction issued by the Commissioner of Data Protection or the ADGM Regulations (or subsequent rules made thereunder), they shall be subject to imposition of an administrative fine by the Commissioner. The Commissioner shall send a written “penalty notice” to the controller or processor. The penalty imposed by the Commissioner must not exceed USD28 million.

Under the ADGM Regulations the following penalties have been imposed:

• Okadoc Technologies Limited (21 May 2024): The violation involved failure to comply with a data subject’s access request, breaching individual rights. The penalty was a USD20,000 fine under the ADGM Regulations. Adequate processes were lacking for identifying, facilitating and fulfilling the access request.
• VentureRock Global Limited (23 June 2023): The violation involved deficiencies in data security, policies and procedures. The ADGM Commissioner of Data Protection found that poor cybersecurity practices due to human error, inadequate training, and lack of proper policies and procedures contributed to the violation.

Under the DIFC Law, recent amendments have introduced, among other matters, an express principle of liability and have granted data subjects a private right of action, enabling them to apply to the court for compensation.

As discussed in 2.2 Recent Case Law, the ADGM Commissioner of Data Protection has issued a direction in two different cases with respect to contravention of the ADGM Regulations. However, no active court litigation relating to privacy has arisen in this context.

No court decisions are currently available.

UAE law does not provide for collective redress mechanisms for data subjects.

DIFC Law and ADGM Regulations

Under the DIFC Law and the ADGM Regulations, multiple data subjects affected by the same offence or violation may file a collective complaint. In addition, the Commissioner may elect to deal collectively with multiple complaints that relate to the same contravention or breach.

The TDRA has issued a regulatory policy on the internet of things (IoT). This policy shall be applicable to all persons connected with IoT within the UAE, including but not limited to:

• licensees;
• IoT service providers; and
• IoT service users, including individuals, businesses and the government.

Objective/Scope

The IoT policy encompasses the following objectives:

• ensuring secure IoT services;
• addressing reasonable demands for IoT services;
• promoting continuous innovation in IoT;
• efficiently managing limited resources;
• safeguarding the rights and interests of IoT users; and
• offering transparency to facilitate IoT market growth.

Obligations

Any service provider providing IoT is under an obligation to follow UAE telecommunications laws, regulations and the IoT policy. The IoT service provider has to register with the TDRA and obtain an IoT service provider registration certificate. IoT service providers need to have a local presence or must appoint a representative to have a point of contact with the TDRA.

Service providers must ensure that the service they provide is adequate and reliable. For personal data processing and storage, the IoT service provider must follow the principles of purpose limitation, data minimisation and storage limitation. Secret, sensitive and confidential data of individuals and businesses must be stored within the UAE. However, it can be stored outside the country when such data is afforded adequate or equivalent security. Secret, sensitive and confidential data of the government must remain in the UAE. The service provider has to use encryption standards. Data processors/service providers must establish technical measures to enable the inspection of stored data. IoT services in the UAE are also regulated by Federal Decree Law No 3 of 2023 (the “Telecommunications Law”), under which different penalties apply for contraventions of the law. Defiance of or non-compliance with the IoT policy by IoT service providers or users shall be taken as a breach of the UAE Telecommunications Law, and may be penalised by the TDRA.

There is no law similar or identical to that of the EU Data Act.

The Federal Law, DIFC Law, and ADGM Regulations recognise the following legal bases for the processing of personal data:

• Data Subject Consent: Personal data may be processed when a data subject gives its consent.
• Performance of Contract: Personal data may be collected when it is essential for the performance of a contract.
• Compliance With Legal Obligations: Personal data may be processed when such processing is necessary for legal compliance purposes.
• Protection of Vital Interests: Personal data may be processed when its processing is required for the protection of the vital interests of the data subjects.
• For Public Tasks: Personal data processing may be carried out when such processing is essential for the performance of a task vested in a public authority.
• Legitimate Interests: Personal data may be processed when the processing is necessary for the legitimate interests of the controller or a third party.

UAE data privacy laws protect the confidentiality of personal data by requiring organisations that collect or use data to put in place proper technical and organisational safeguards. These safeguards are meant to prevent personal data from being accessed, shared, changed, or lost without authorisation. Under the federal Personal Data Protection Law, as well as the DIFC and ADGM frameworks, personal data must be kept secure at all stages of its use, including when it is collected, stored, shared, and eventually deleted.

These laws do not address the IP protection of non-personal data.

Please see 1.2 Rights and Obligations.

Please see 1.7 Regulators.

While there is no specific law regulating the use of cookies in the processing of personal data, existing personal data protection laws apply to their collection and use. Consent must be explicitly obtained from data subjects before cookies are utilised, and they must be provided with clear and accessible options to opt out of cookie usage.

The UAE Law confers on the data subject a “right to stop processing” where personal data is processed for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.

The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and that the data subject be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes, including profiling to the extent profiling is related to such direct marketing.

The ADGM Regulations carry the same provisions as in the DIFC Law, regarding direct marketing. The ADGM Regulations, in addition, provide that when a data subject objects to direct marketing, personal data must not be processed for direct marketing purposes.

Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, provides that a worker should maintain the confidentiality of information and data to which they have access by virtue of their work.

The UAE Law, the DIFC Law and the ADGM Regulations do not contain any provision concerning the role of labour organisations, whistle-blowing or e-discovery.

There is no dedicated framework concerning privacy requirements in M&A; instead, the general framework, as discussed elsewhere in this chapter, is applicable.

The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction with a law in place covering various aspects as to the protection of personal data (ie, an adequate level of protection). Personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.

Where no adequacy decision exists, the UAE Personal Data Protection Law permits certain transfers of personal data outside the UAE, subject to the Executive Regulation, including the following:

• where legally binding safeguards ensure compliance with UAE data protection standards;
• where the data subject has expressly consented in a manner consistent with public order and national security;
• where the transfer is required for judicial proceedings or the exercise of legal rights;
• where it is necessary to enter into or perform a contract involving or benefiting the data subject;
• where it is undertaken for purposes of international judicial co-operation; or
• where it is justified by public interest considerations.

The DIFC Law provides that personal data may be transferred to a third country or to an international organisation on the basis of an adequate level of protection, as determined by the Commissioner of Data Protection. A list of adequate jurisdictions is issued through the DIFC Data Protection Regulations.

In the absence of an adequate level of protection, the personal data may be transferred by incorporating appropriate safeguards, which may be provided by adopting the following:

• any agreement between public authorities of both the sender and the receiver;
• binding corporate rules;
• standard data protection clauses that will be issued by the Commissioner;
• an approved code of conduct; or
• an approved certification mechanism along with the binding and enforceable commitments of the controller or processor that they will apply appropriate safeguards.

The ADGM Regulations allow the transfer of personal data outside the ADGM or to an international organisation where the Commissioner has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection.

In addition, in the absence of an adequacy decision, the ADGM Regulations permit cross-border transfers of personal data only where the controller or processor puts in place appropriate safeguards that ensure a comparable level of protection for the data subject.

These safeguards include the use of the following:

• standard contractual clauses or other contractually binding instruments that impose enforceable data protection obligations on the recipient party;
• binding corporate rules for intra-group transfers; and
• approved codes of conduct or certification mechanisms coupled with binding and enforceable commitments by the data recipient.

There is no requirement for any government notifications or approvals in order to transfer data internationally, except as discussed in 5.3 Data Localisation Requirements related to health data.

There is no data localisation requirement, except with regard to health information and data, which, under Federal Law No 2 of 2019, may not be stored, processed, generated or transferred outside the UAE, except upon a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention.

There are no blocking statutes in the UAE.

No information is publicly available on any changes or anticipated developments concerning the international transfer of personal data.