UAE Enacts New Federal Personal ...
UAE Enacts New Federal Personal Data Pro...

UAE Enacts New Federal Personal Data Protection Law

First comprehensive federal data protection law in the UAE will enter into effect on January 2, 2022

clock4 Min Read

Featured Image

A new comprehensive personal data protection law was enacted in the UAE on November 29, 2021. The Law is the UAE’s first-ever federal privacy law and is part of a broad federal reform package in the UAE which has seen over 40 other laws amended or enacted. The Law will enter into effect on January 2, 2022, and will be enforceable 12 months later in January 2023.​ It is also understood that executive regulations are to be published within six months from the date of publication of the Law, and organizations that fall under the Law’s scope will be expected to comply within one year from the publication date.

The Federal Personal Data Protection Law will introduce new data subject rights, as well as requirements around breach notification, risk assessments, data processing records, and consent, among other things.

Will the UAE Federal Personal Data Protection Law Apply to Me?

The Law will apply to processing of personal data by automated, partly automated, or any other means. It will also apply to every data controller or data processor in the UAE that processes the personal data of data subjects regardless of the subject’s geographic location. Furthermore, the Law will apply to data controllers or data processors that are established outside of the UAE that process the personal data of data subjects in the UAE.

There are several exemptions from the scope of the new law which will not apply to public entities, health data governed by existing legislation, credit data governed by existing legislation, and financial free zones with their own data protection legislation (e.g. DIFC, ADGM). Organizations operating in financial free zones will continue to be bound by the existing data protection legislation in these areas.

Key Areas of the Law to Consider

Consent Requirements

The Law highlights that the processing of personal data cannot take place without the consent of the data subject. However, there are several exceptions including:

  • when processing is necessary to protect the public interest;
  • when processing is related to personal data that has become available and known to all by an act of the data owner; or
  • when the processing is necessary to carry out any legal procedures and rights.

Data Subject Rights

The Law defines a new set of rights for data subjects in the UAE giving data subjects greater control of their use of their personal data. The law includes the following data subject rights:

  • The right to access
  • The right to correction
  • The right to restrict processing
  • The right to stop processing

Other Key Features of the Law

The Law also sets out obligations for data controllers such as impact assessments, breach notification requirements, data protection officer appointment, and cross-border transfers. Data controllers will also have to maintain records of data processing.

Data processors will also need to comply with several new requirements including in relation to relationships with data controllers.

Who Will Enforce the law?

The Law will establish the UAE Data Office that will be responsible for proposing policies, developing data protection legislation, and issuing guidance on the implementation of data protection law.

What’s Next?

The Federal Data Protection Law in the UAE will enter into effect on January 2, 2022, and the Law will become enforceable in January 2023. Executive regulations will be made public six months after the Law’s publication on July 2, 2022. The UAE Data Office will also need to be established before the January 2023 entry into force.

Further reading on the new federal data protection law in the UAE:

Follow OneTrust on LinkedInTwitter, or YouTube for the latest privacy developments from around the world.

You Might Also Be Interested In

SEPTEMBER 20, 2022

Ojas Rege

SEPTEMBER 20, 2022

Anne Kenyon


Kelly Maxwell


Julie Yamamoto

AUGUST 31, 2022

Julie Yamamoto

AUGUST 30, 2022

Jason Koestenblatt

AUGUST 29, 2022

Kelly Maxwell

AUGUST 29, 2022

Ashlea Cartee

Onetrust All Rights Reserved