PDPL in the UAE in simple terms: what businesses need to know today
The UAE has long ceased to be just a financial hub for the Middle East. It is a jurisdiction where international IT companies, start-ups, logistics, e-commerce and global services are concentrated. Since 2021 it has also had its own comprehensive data protection law, the PDPL, which radically changes the approach to working with personal information. A company that works with customers, users or partners in the Emirates, or processes data of people who are physically located in the UAE, can no longer ignore personal data protection in the UAE.
Who exactly does the PDPL apply to and where does it work?
The PDPL has a wide scope and is not limited to companies within the country. It covers businesses that directly or indirectly work with people located in the Emirates. It applies to:
- organisations registered in the UAE that process personal data;
- companies outside the UAE if they work with data of individuals in the country;
- data processing in electronic or structured storage systems;
- businesses operating in Dubai, including start-ups and international companies.
At the same time, there are exceptions where the PDPL does not apply. These include government agencies, domestic use of data, and certain free economic zones such as DIFC and ADGM.
What data is considered personal and on what basis can it be processed?
The PDPL clearly explains what is considered personal data, and it interprets the term much more broadly than just contact information. Personal data includes:
- name, address, telephone number, email address;
- identification numbers and online identifiers;
- geolocation, financial information and employment data;
- biometric indicators and health data as a sensitive category.
Such data may only be processed on a clear legal basis defined by law. Under the PDPL, consent must be informed, voluntary and revocable at any time.
Company responsibilities and individual rights
The PDPL gives individuals the right to access, correct and delete their data, to restrict its processing, and to withdraw consent. Companies must respond to such requests within the specified time limits. Businesses are required to implement technical and organisational security measures, keep records of processing, appoint a DPO where necessary, and report incidents. Cross-border data transfers are only permitted with safeguards or the consent of the individual. This is why personal data protection in the UAE is becoming a practical risk management issue for companies.