Companies' Obligations and Individuals' Rights Under UAE Data Law
Personal data has today become the lifeblood of the digital economy and one of the most sensitive sources of legal liability for organizations in the United Arab Emirates. Every name, phone number, email address, and transaction record is now governed by a federal legislative framework that obliges companies to protect what they collect and grants individuals genuine authority over their data. The UAE legislator established this framework through the Federal Personal Data Protection Law, which balances the free flow of information and business requirements on one hand with the fundamental rights of data subjects on the other. In this article we explain the key obligations of companies and the rights granted to individuals, while clarifying who is subject to the law and who is exempt.
What Are the Obligations of Companies and the Rights of Individuals Under the Personal Data Protection Law in the UAE?
The Legal Framework and the Supervisory Authority
The personal data protection system in the State rests on the Federal Personal Data Protection Law, which sets the general frameworks for collecting, processing, storing, and protecting personal data, along with the rights and duties of all parties. Oversight of its application lies with the UAE Data Office, established under a separate federal law, which is the competent regulatory body for issuing guidance, receiving complaints, and monitoring compliance. Several detailed procedural aspects — such as penalties, cross-border transfer controls, and the limits of exemption — are referred to the law's Executive Regulations.
Scope of Application: Who Is Subject to the Law?
The law applies to the processing of personal data, whether wholly or partly, by electronic or other means, and it has extraterritorial reach in specific cases. Its scope includes:
| Party | Scope of application |
| --- | --- |
| Data subject | Anyone residing in the State or having a place of business therein. |
| Controller / processor inside the State | Processes the data of subjects inside or outside the State. |
| Controller / processor outside the State | Processes the data of subjects residing in the State. |
Entities and Cases Exempt From the Law
The law expressly defines cases to which its provisions do not apply — a crucial point for determining the legislation applicable to each entity:
Why are free zones independent? Under this exemption, entities operating in free zones that have their own systems — such as the Dubai International Financial Centre and Abu Dhabi Global Market — are subject to their independent legislation and their own regulator, not the federal law. The UAE Data Office may also exempt certain establishments that do not process large volumes of data from part of the requirements, in accordance with the controls of the Executive Regulations.
The State's Multi-Layered Protection System
Personal Data Processing Principles
Consent and Cases of Lawful Processing Without It
As a rule, processing personal data without the subject's consent is prohibited. The consent must be one the controller can prove; it must be clear, simple, unambiguous, and easily accessible; and it must include the right to withdraw it easily — without the withdrawal affecting the lawfulness of processing that preceded it. The law exempts from the consent requirement certain cases in which processing is lawful, including:
Obligations of Companies (Controller and Processor)
Reporting a Data Breach
As soon as the controller becomes aware of any breach or infringement affecting the privacy, confidentiality, and security of data, it must notify the Office of the nature of the breach, its causes, its potential effects, and the measures taken, and must notify the data subject when the breach affects their data. The processor must notify the controller as soon as it becomes aware, so that the controller can notify the Office.
Appointing a Data Protection Officer (DPO)
A qualified data protection officer must be appointed in three cases: if the processing creates a high risk to data privacy due to new technologies or the volume of data; if it involves a systematic and comprehensive assessment of sensitive data, including profiling and automated processing; or if it is carried out on a large volume of sensitive data. The officer verifies compliance, receives requests and complaints, and acts as a liaison with the Office.
Individuals' Rights Over Their Personal Data
Cross-Border Data Transfer
Personal data may be transferred outside the State to a country or territory that provides an adequate level of protection, or in specific cases including: the explicit consent of the data subject in a manner not conflicting with the public and security interest; where the transfer is necessary to establish rights before judicial authorities; to conclude or perform a contract serving the data subject's interest; for a procedure related to international judicial cooperation; or to protect the public interest. The Executive Regulations set the controls for these cases.
Supervision, Complaints, and Penalties
The role of the UAE Data Office: a data subject may submit a complaint to the Office upon any breach of their rights, and the Office may investigate the causes of breaches and impose administrative penalties on any controller or processor that violates the provisions of the law or the decisions issued in its implementation. The amounts of these administrative penalties and the procedures for imposing them are determined under the law's Executive Regulations, in addition to the Office's power to issue guidance and follow up on compliance.
Legal References
Governing legislation: Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data, and Federal Decree-Law No. (44) of 2021 on the Establishment of the UAE Data Office.
Relevant articles: scope and exceptions (Article 2), exemption authority (Article 3), lawful processing without consent (Article 4), processing principles (Article 5), consent (Article 6), controller obligations (Article 7), processor obligations (Article 8), breach notification (Article 9), data protection officer (Articles 10–12), individuals' rights — access to information, portability, correction, erasure, and restriction (Articles 13–18), cross-border transfer (Articles 22–23), complaints and penalties (Articles 24–26).
For entities in free zones: DIFC Data Protection Law No. (5) of 2020, and the ADGM Data Protection Regulations.
“The first step for any organization is to precisely determine the legislation to which it is subject: federal law or free-zone legislation. Those who confuse the two systems may build non-compliant policies — compliance begins with understanding the scope of the law before its details.”
Frequently Asked Questions
AWADH ALMHEIRI LAW FIRM AND LEGAL CONSULTATIONS in Dubai provides services to organizations and individuals in matters of personal data protection and privacy compliance — from determining the applicable legislation, whether the federal law or free-zone legislation such as the Dubai International Financial Centre, and building governance frameworks and drafting privacy policies and processing agreements, through to managing individuals' requests, responding to data breach incidents, and dealing with the competent regulatory authorities.
Our services extend to our clients in Abu Dhabi, Sharjah, Ajman, Umm Al Quwain, Ras Al Khaimah, and Fujairah, where we support organizations and individuals in understanding their obligations and rights regarding personal data under the federal law, and provide practical consultations that help balance business requirements with the protection of individuals' privacy, with careful monitoring of any legislative developments affecting this vital field.