The Algorithm
Data Protection Regulation

UAE PDPL

The UAE Personal Data Protection Law is the UAE's federal data protection framework, enacted in 2021 and effective since 2022.

What You Need to Know

Federal Decree-Law No. 45 of 2021 — the UAE PDPL — establishes the UAE's first federal personal data protection framework. It applies to organizations that process personal data in the UAE, with extraterritorial scope for processing that affects UAE residents. The law establishes rights for data subjects, requires consent for most processing activities, and mandates data protection measures proportionate to the sensitivity of the data.

The UAE's regulatory landscape is more complex than a single federal law. DIFC (Dubai International Financial Centre) has its own Data Protection Law (DP Law 2020) — administered by the DIFC Commissioner of Data Protection — that applies to all entities registered in DIFC. ADGM (Abu Dhabi Global Market) has its own Data Protection Regulations. Organizations operating across these zones must navigate multiple overlapping frameworks simultaneously.

UAE PDPL data residency requirements limit cross-border transfers of personal data. Unlike GDPR's adequacy decision mechanism, UAE PDPL requires explicit approval from the UAE Data Office for transfers to countries without adequate protection — or the use of approved contractual mechanisms. Engineering teams building UAE-serving systems must architect data residency into their infrastructure from the start.

How We Handle It

We architect UAE PDPL compliance across all three layers — federal law, DIFC, and ADGM — depending on where clients operate. Our teams build data residency into the infrastructure configuration, implement consent management systems that meet UAE standards, and understand the cross-border transfer approval process for data that must flow outside the UAE.

Services
Compliance Infrastructure
Regulatory Intelligence
Data Engineering & Analytics

Related Frameworks
GDPR
NESA
ISO 27001

DECISION GUIDE

Compliance-Native Architecture Guide

Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.

Compliance built at the architecture level.

Deploy a team that knows your regulatory landscape before they write their first line of code.
