Advoke International

Personal Data Protection Law (PDPL), UAE

The UAE Personal Data Protection Law (PDPL), Federal Decree-Law No. 45 of 2021, is the UAE’s first comprehensive data protection law. It regulates personal data processing, ensuring consent, purpose limitation, and individual rights. The UAE Data Office oversees enforcement, with penalties for non-compliance. Free zones like DIFC and ADGM have separate laws.


The UAE’s Personal Data Protection Law (PDPL), established under Federal Decree-Law No. 45 of 2021, marks a pivotal step in safeguarding personal data in the digital age. It came into effect on 2nd January 2022 and has since drawn the attention of all organisations and entities processing personal data. Designed to align with international standards such as the GDPR, the PDPL provides a robust framework for the collection, processing, and storage of personal data, ensuring individuals’ privacy while promoting a secure digital economy.

Key Features

  • Individual Rights: Grants individuals the right to access, rectify, and delete their personal data.
  • Consent-Driven: Requires explicit consent from individuals before processing their data.
  • Roles and Responsibilities: Defines clear obligations for data controllers and processors.
  • Cross-Border Data Transfers: Establishes stringent safeguards for transferring data outside the UAE.
  • Compliance Framework: Mandates the appointment of Data Protection Officers (DPOs) for certain organizations to ensure adherence to the law.

This legislation applies to all entities that process personal data of individuals within the UAE, excluding government entities. However, free zones like the DIFC and ADGM adhere to their own data protection laws.

Penalties for Non-Compliance

  • Fines: The PDPL allows for fines of up to AED 5 million (approximately USD 1,360,000) for non-compliance, depending on the severity of the violation. The Council of Ministers has the authority to impose administrative fines following a complaint from a data subject.
  • Imprisonment: Unauthorized use of technology to infringe on privacy could result in a minimum of six months in detention.
  • Seizure of Funds: Courts may seize funds linked to violations.

Factors Influencing the Penalty

  • Repeat Offences: Multiple violations may lead to fines up to twice the maximum amount.
  • Violation Severity: The nature of the breach, such as the disclosure of sensitive data, may influence the level of the penalty.

Adhering to the PDPL is essential for businesses in the UAE, as it builds customer trust, reduces the risk of financial penalties and operational disruptions, and ensures alignment with global best practices, providing a competitive edge.

PDPL Solutions

Advoke International provides comprehensive solutions tailored to support your organization in achieving full compliance with the PDPL.

  • PDPL Gap Analysis
  • Privacy Framework Implementation
  • PDPL Readiness Assessment
  • Complete PDPL Compliance Review

Frequently Asked Questions

Who does the PDPL apply to? 

The PDPL applies to all organizations that process personal data of individuals in the UAE, excluding government entities. Certain free zones, like DIFC and ADGM, may follow their own specific regulations, but the law generally applies to all private sector businesses.

What are the penalties for not complying with the PDPL? 

Non-compliance with the PDPL can result in fines ranging from AED 50,000 to AED 5 million, imprisonment for privacy breaches, and the seizure of funds obtained through violations. Repeat offenses can lead to even higher fines.

Can personal data be transferred outside the UAE under the PDPL? 

Yes, but the PDPL imposes strict conditions for cross-border data transfers. Organizations must ensure that data is transferred to countries with adequate data protection laws or implement additional safeguards to protect the privacy of the data.

What happens if my personal data is breached in the UAE? 

If a personal data breach occurs, individuals have the right to be informed, and the responsible organization must take immediate steps to address the breach. Non-compliance or mishandling of such breaches can result in severe penalties, including fines and operational restrictions.

Can I file a complaint if my personal data is mishandled? 

Yes, individuals have the right to file complaints with the relevant authorities in the UAE if they believe their personal data has been mishandled. The PDPL provides a formal process for addressing grievances and seeking redress.

Global solutions for privacy, information security and technology compliances

Advoke International
Sheikh Rashid Tower, 1703 Sheikh Zayed Rd, Trade Centre 2, World Trade Centre, Dubai, United Arab Emirates


© 2025 Advoke International. All rights reserved.

