mea
United Arab Emirates
The UAE federal data protection law adds a national privacy layer that should be distinguished from major free-zone regimes such as DIFC and ADGM.
Editorial caveat
Structured values summarize official materials for research and planning. They are reviewed by humans before publication and should not be treated as legal advice.
medium confidence, Federal UAE should eventually be modeled distinctly from major free-zone regimes such as DIFC and ADGM.
Breach
- Breach deadline (hours)
- 0
- Breach notification required
- Yes
Marketing
- Cookie consent rule
- Online tracking analysis is shaped by consent, transparency, and emerging UAE digital regulation practice.
Transfers
- Cross-border transfer restricted
- Yes
- Data localization required
- No
Governance
- DPO required
- Yes
- Impact assessment required
- Yes
- Records of processing required
- Yes
Identity
- Effective date
- 2022-01-02
- Effective status
- in-force
- Last amended
- 2021-09-20
- Law status
- active
Scope
- Extraterritorial application
- Yes
- Private sector coverage
- Applies broadly to private-sector controllers and processors, except in exempt free zones with separate regimes.
- Public sector coverage
- Government entities may be excluded or subject to separate rules depending on the context.
- Territorial scope
- Applies to controllers and processors in the UAE and outside the UAE processing personal data of individuals in the UAE, subject to exclusions.
Legal Basis
- Legal bases
- consent, contract, legal obligation, public interest, legitimate interests
- Requires legal basis
- Yes
Enforcement
- Maximum fine
- Penalties are expected through implementing regulations and enforcement practice rather than a single headline figure in the core law.
- Private right of action
- No
- Regulator or enforcement authority summary
- Federal UAE regulator structure distinct from DIFC and ADGM
Definitions
- Personal data definition
- Personal data means any data relating to a specific natural person or a natural person who can be identified.
- Sensitive data recognized
- Yes
Rights
- Right of access
- Yes
- Right to appeal
- Yes
- Right to deletion
- Yes
- Right to erasure or delete summary
- Erasure / deletion rights
- Right to object
- Yes
- Right to portability
- Yes
- Right to rectification or correction summary
- Rectification right
Official sources
- UAE Data Office guidanceSecondary official material • en • html
- UAE PDPL textPrimary official law • en • html