https://www.agn-avocats.com/blog/agn-network/understanding-the-pdpl/

Understanding the UAE PDPL: key obligations, international transfers and the role of the DPO


The UAE’s Personal Data Protection Law (PDPL) is the cornerstone of federal privacy regulation. While aligned with global standards (including the GDPR), it preserves local specificities organisations must address. Drawing on “Breaking Down the UAE’s Data Protection Law” (HNS Legal, 2025), this practical guide covers scope, lawful bases (with a focus on consent), sensitive data and DPO, international transfers, the Cybercrime Law interface and a compliance roadmap.

Scope: who is in?

PDPL applies to personal data processing conducted in the UAE and, extraterritorially, to controllers/processors targeting individuals in the UAE. Both controllers and processors are covered and must map their data flows (intragroup, vendors, hosting) to determine obligations.

Lawful bases and consent

Processing is lawful where a valid basis exists: consent, contract, legal obligation, public interest, or where the data subject has made the data public. Consent must be specific, unambiguous, separate from other terms and easily withdrawable. Organisations should be able to evidence how consent was obtained and must act on opt-outs promptly.

Sensitive data and DPO requirement

Sensitive data (health, biometrics, financial/criminal data, political/religious beliefs, etc.) attracts enhanced protection. High-risk processing (large volumes, profiling, or use of AI, ML or blockchain) may trigger a DPO appointment. In the absence of numerical thresholds, document the risk assessment (volume, categories, duration, geography) used to decide whether to appoint a DPO.

International data transfers

Outbound transfers are permitted to adequate countries or under agreements. Otherwise, organisations must rely on appropriate safeguards (approved contractual clauses) or narrow derogations (explicit consent, contract performance, public interest, judicial cooperation). A destination risk assessment (local laws, government access, security posture) and robust technical measures (encryption, pseudonymisation) are best practice.

Security and the Cybercrime Law

PDPL sits alongside the UAE Cybercrime Law (Federal Law No. 34/2021), which criminalises unlawful access and disclosure. Privacy compliance and cybersecurity are mutually reinforcing; both rely on access control, MFA, encryption, logging, penetration testing and an incident response plan that includes notifying the regulator and, where relevant, affected individuals.

Data subject rights and accountability

    • Transparency: clear notices (purposes, bases, recipients, transfers, retention, rights).
    • Rights: access, rectification, erasure, portability and restriction/objection within PDPL parameters.
    • Record keeping: inventory of processing, processors, transfers and risk analyses (DPIAs where needed).
    • Contracts: data processing clauses with vendors (security, audit, sub-processing).

A pragmatic compliance roadmap

  1. Map data (sources, purposes, systems, transfers) and determine lawful bases.
  2. Assess risks (DPIAs for sensitive or large-scale processing) and determine whether a DPO is required.
  3. Contract: DPAs, transfer clauses, security and audit obligations.
  4. Implement policies (retention, rights, BYOD, incidents) and an incident playbook.
  5. Secure: encryption at rest/in transit, segmentation, MFA, access reviews.
  6. Train teams (marketing, HR, IT, sales) and track actions (KPIs, remediation plans).

Use cases

E-commerce: cookie/SDK consent, personalisation, fraud controls; limited retention.

  • Cookie/SDK consent: prior, clear and documented collection, possibility of refusal or withdrawal.
  • Personalisation: limited use of data, based on consent or legitimate interest, transparent information.
  • Fraud prevention: proportionate and secure processing to detect fraudulent payments.
  • Limited retention: retention period defined according to the purpose of processing.

HR

  • Surveillance: proportionate measures and prior notification of employees.
  • International transfers: governed by clauses or BCRs for global HRIS.
  • Health: restricted access and enhanced protection of medical data.

B2B / Cloud

  • Defined roles: specify which party acts as controller and which as processor.
  • Audits: right of inspection and compliance reports (ISO, SOC).
  • Sub-processing chain: clear list of sub-processors, notification of changes, same level of protection throughout.

PDPL is a modern, demanding framework built on accountability, transparency and security. Organisations that invest in data governance (mapping, DPO, contracts, security and training) reduce legal exposure and build customer trust.

Our lawyers are available to answer all your questions and provide advice. We offer face-to-face meetings or videoconferencing. You can book an appointment directly online at https://www.agn-avocats.fr/.

AGN AVOCATS – Business Law Division
contact@agn-avocats.fr
09 72 34 24 72