UAE PDPL

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data

Key Facts

Effective Date: January 2, 2022
Enacted: January 1, 2021
Enforcing Authority: UAE Data Office
Consent Model: Opt-in
Applies To: All entities processing personal data within the UAE (excluding DIFC and ADGM free zones, which have their own regimes)

Overview

The UAE PDPL is the country's first federal data protection law, enacted in 2021. It makes consent the default legal basis for processing personal data. The UAE uniquely operates a three-regime system where federal law, DIFC, and ADGM each maintain separate data protection frameworks. Executive Regulations remain pending as of 2026, creating uncertainty about detailed implementation requirements.

What This Means for Your Website

  • Consent is required before processing personal data of UAE visitors
  • The federal law does not apply within DIFC or ADGM free zones, which have their own rules
  • There is no ePrivacy equivalent, but cookies collecting personal data require consent under general processing rules
  • DPO appointment is required for large-scale sensitive data processing
  • Data subjects have rights to access, correct, delete, and port their data

Key Requirements

The UAE Data Office enforces the law with administrative penalties up to AED 5,000,000 per violation and criminal penalties including imprisonment up to 1 year. Consent must be freely given, specific, informed, and unambiguous. Other lawful bases include contractual necessity, legal obligation, and legitimate interest. Data minimization and purpose limitation principles apply.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for UAE visitors, supporting compliance with the federal PDPL and adapting to the unique three-regime environment.

Penalties

Administrative: AED 50,000-5,000,000. Criminal: AED 20,000+ and/or 1 year imprisonment.

Maximum Fine: AED 5,000,000 per violation

Key Requirements

  • Consent is the default legal basis (freely given, specific, informed, unambiguous)
  • Other lawful bases: contractual necessity, legal obligation, legitimate interest
  • Data minimization and purpose limitation required
  • DPO appointment required for large-scale sensitive data processing
  • Data subjects have rights of access, correction, deletion, and portability
  • Data breach notification requirements

Notable Provisions

  • UAE has THREE separate data protection regimes (Federal, DIFC, ADGM)
  • Executive Regulations still pending — creating enforcement uncertainty
  • UAE Data Office handles policy, standards, complaints, and guidelines
  • No ePrivacy equivalent for cookie-specific regulation

Other Middle East & North Africa Regulations

KSA PDPL (Kingdom of Saudi Arabia)
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
Israel PPL Amendment 13 (State of Israel)
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Egypt PDPL (Egypt)
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.
Algeria Law 18-07 (Algeria)
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Bahrain PDPL (Kingdom of Bahrain)
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.
Morocco Loi 09-08 (Morocco)
Among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP is an autonomous supervisory authority. All processing activities must be declared to the CNDP prior to implementation. The CNDP takes a graduated enforcement approach with warnings before fines or criminal referrals.

Frequently Asked Questions

Does the UAE PDPL apply in DIFC and ADGM?

No. DIFC and ADGM have their own separate data protection frameworks. The federal PDPL applies throughout the UAE except within these two financial free zones.

What are the penalties under the UAE PDPL?

Administrative fines range from AED 50,000 to AED 5,000,000. Criminal penalties include fines of AED 20,000+ and/or up to 1 year imprisonment.

Are Executive Regulations in effect?

As of 2026, the Executive Regulations for the UAE PDPL are still pending, creating uncertainty around detailed implementation and enforcement requirements.

Stay compliant with UAE PDPL

ConsentStack helps you implement opt-in consent for the United Arab Emirates (federal, excluding DIFC and ADGM free zones) automatically.