UAE Personal Data Protection Law: What Businesses Need to Know

The UAE's Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data represents a landmark shift in how businesses operating in the UAE must handle personal information.

Coming into force following a transitional period, the law establishes comprehensive obligations for data controllers and processors across all sectors. Key Compliance Obligations: 1. Lawful Basis for Processing — All data processing must be based on a valid legal ground, including consent, contractual necessity, legal obligation, or legitimate interest as defined under the law. 2. Data Subject Rights — Individuals now have rights to access, correct, and erase their personal data, as well as the right to object to processing and request data portability. 3. Data Protection Impact Assessments — High-risk processing activities require a formal DPIA prior to commencement. 4. Cross-Border Data Transfers — Personal data may only be transferred to jurisdictions offering adequate protection, or where appropriate safeguards are in place. 5. Data Breach Notification — Controllers must notify the UAE Data Office of qualifying breaches within defined timeframes. Regulatory Authority: The UAE Data Office is the supervisory authority responsible for enforcement. Non-compliance can result in significant financial penalties and reputational consequences. Actionable Steps for UAE Businesses: — Conduct a data mapping exercise to understand all personal data flows — Review and update privacy policies and consent mechanisms — Implement appropriate technical and organisational security measures — Establish a data breach response protocol — Appoint a Data Protection Officer where required Libra Legal Consultancy advises clients across all sectors on achieving and maintaining compliance with the UAE Personal Data Protection Law.