Binding

UAE Personal Data Protection Law (PDPL)

Middle East, United Arab Emirates

Summary

The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) is the UAE's first comprehensive federal data protection law. It establishes a framework for the protection of personal data and creates new obligations for entities that process personal data in the UAE, including those using AI systems.

Key Obligations

  • Obtain a valid legal basis for processing personal data
  • Implement appropriate technical and organizational measures
  • Appoint a Data Protection Officer when required
  • Conduct Data Protection Impact Assessments for high-risk processing
  • Report data breaches to the UAE Data Office
  • Ensure lawful cross-border transfers of personal data
  • Respect data subject rights including access, correction, and deletion
  • Maintain records of processing activities

Enforcement

Regulator

UAE Data Office

Penalties

Administrative fines (amounts to be specified in executive regulations), potential civil liability for damages, and reputational damage.

Audit Mechanism

Regulatory inspections, data protection impact assessments, and compliance audits conducted by the UAE Data Office.

Applicable To

  • Data controllers and processors operating in the UAE
  • Organizations processing personal data of UAE residents
  • Companies with UAE operations that handle personal data
  • AI systems that process personal data of UAE residents
  • Cloud service providers storing UAE residents' data

AI-GPM Coverage

Rakshan provides comprehensive coverage for UAE PDPL compliance, including data mapping tools, automated compliance assessments, data protection impact assessment automation, and breach notification workflows. Our platform helps organizations ensure their AI systems process personal data in compliance with UAE law.

Overview

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) came into effect on January 2, 2022, with a six-month grace period for organizations to achieve compliance. It is the UAE's first comprehensive federal data protection law, establishing a framework for the protection of personal data in the UAE.

The law applies to the processing of personal data by controllers and processors in the UAE, as well as those outside the UAE who process the personal data of individuals in the UAE. It establishes rights for data subjects and obligations for data controllers and processors, with specific implications for AI systems that process personal data.

Key Provisions

Data Subject Rights

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right not to be subject to automated decision-making

Legal Bases for Processing

  • Consent of the data subject
  • Performance of a contract
  • Compliance with legal obligations
  • Protection of vital interests
  • Performance of a task in the public interest
  • Legitimate interests of the controller

AI-Specific Provisions

Automated Decision-Making

The UAE PDPL grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.

Exceptions to this right include when the decision is:

  • Necessary for a contract between the data subject and controller
  • Authorized by law with suitable safeguards
  • Based on the data subject's explicit consent

Data Protection Impact Assessments

The UAE PDPL requires controllers to conduct a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to the rights of data subjects, particularly when using new technologies like AI.

A DPIA is specifically required for:

  • Systematic and extensive evaluation based on automated processing
  • Processing of sensitive personal data on a large scale
  • Systematic monitoring of publicly accessible areas

Implementation Timeline

  • September 20, 2021: Federal Decree-Law No. 45 of 2021 issued
  • January 2, 2022: Law came into effect
  • March 2022: Establishment of the UAE Data Office
  • September 2022: End of grace period for compliance

How Rakshan Helps

Automated DPIA Process

Rakshan streamlines the Data Protection Impact Assessment process for AI systems, helping organizations identify and mitigate risks to data subjects in compliance with UAE PDPL requirements.

Cross-Border Transfer Management

Our platform helps organizations manage and document cross-border transfers of personal data, ensuring compliance with the UAE PDPL's requirements for international data flows.

AI Governance Framework

Rakshan provides a comprehensive AI governance framework that helps organizations ensure their AI systems comply with the UAE PDPL's requirements for automated decision-making and transparency.
