
Data Confidentiality Addendum (UAE)


DATA CONFIDENTIALITY ADDENDUM

Dated: [Addendum Date]

This Addendum is made between:

Data Controller: [Controller Name] (Trade Licence: [Controller Licence]), of [Controller Address] (the "Controller");

Data Processor: [Processor Name] (Trade Licence / Permit: [Processor Licence]), of [Processor Address] (the "Processor").

This Addendum supplements and is incorporated into the [Main Agreement Title] (the "Main Agreement").

1. PURPOSE

1.1 This Addendum sets out the terms on which the Processor may process personal data on behalf of the Controller in connection with services performed under the Main Agreement, in compliance with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) (the "PDPL") and its implementing resolutions.

2. DETAILS OF PROCESSING

2.1 Subject matter and purpose of processing: [Processing Purpose].

2.2 Categories of personal data: [Data Categories].

2.3 Categories of data subjects: [Data Subjects].

2.4 Retention period: [Retention Period]. At the end of the retention period, or earlier on the Controller's written request, the Processor shall return all personal data to the Controller or delete it, at the Controller's election.

3. PROCESSOR OBLIGATIONS

3.1 The Processor shall: (a) process personal data only on the documented instructions of the Controller and only for the Purpose; (b) implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure, consistent with Articles 12 and 16 of the PDPL; (c) ensure that persons authorised to process personal data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality; (d) not engage any sub-processor without prior written consent of the Controller; (e) assist the Controller in responding to data subject rights requests, including access, correction, deletion, and objection, in accordance with Chapter 3 of the PDPL; (f) assist the Controller in meeting its obligations under Article 16 of the PDPL in relation to the security of processing; and (g) promptly notify the Controller of any actual or suspected personal data breach.

3.2 The Processor shall maintain a record of processing activities as required under the PDPL and provide the Controller with a copy on request.

3.3 The Processor shall not use the personal data for its own purposes, including building proprietary databases, training machine learning models, or any purpose other than performing the services under the Main Agreement.

4. CONFIDENTIALITY OF PERSONAL DATA

4.1 The Processor shall treat all personal data processed under this Addendum as confidential information of the Controller and shall apply the same standard of care to it as the Processor applies to its own most sensitive commercial information, in no case less than reasonable care, consistent with Article 246 of the UAE Civil Code (Federal Law No. 5 of 1985).

4.2 The Processor shall not disclose personal data to any third party other than authorised sub-processors approved by the Controller or as required by a competent UAE court, the UAE Data Office, or another regulator.

5. DATA BREACH NOTIFICATION

5.1 The Processor shall notify the Controller without undue delay, and in any case within 24 hours, after becoming aware of a personal data breach. The notification shall include all information necessary for the Controller to fulfil its own notification obligations to the UAE Data Office under Article 17 of the PDPL.

6. AUDIT RIGHTS

6.1 The Controller may, on reasonable notice, audit the Processor's compliance with this Addendum or request a copy of the most recent relevant security audit or certification. The Processor shall cooperate fully with such audits.

7. REMEDIES

7.1 Breach of this Addendum by the Processor shall entitle the Controller to seek compensation under Articles 282 and 389 of the UAE Civil Code (Federal Law No. 5 of 1985), injunctive and precautionary measures, and any available remedy under the PDPL including reporting the breach to the UAE Data Office.

8. GENERAL

8.1 This Addendum is governed by the laws of the United Arab Emirates, including the PDPL. The Parties submit to the exclusive jurisdiction of the [Governing Forum].

8.2 In the event of conflict between this Addendum and the Main Agreement on data protection matters, this Addendum prevails.

8.3 This Addendum may be amended only in writing signed by both Parties.

Signed for and on behalf of the Controller: [Controller Name]

Signed for and on behalf of the Processor: [Processor Name]

Data Controller

________________

Signature

Data Processor

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is a Data Confidentiality Addendum (UAE)?

A Data Confidentiality Addendum in the United Arab Emirates is a supplementary agreement attached to or incorporated into an existing commercial contract — such as a service agreement, consultancy agreement, or SaaS subscription agreement — that sets out the specific legal terms governing how a data processor may handle personal data on behalf of a data controller, in compliance with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The PDPL, administered by the UAE Data Office, is the UAE's comprehensive federal data protection statute, and it requires that any processing of personal data by a third party on behalf of another organisation must be governed by a written contract imposing the required data protection obligations on the processor.

The addendum structure is commercially practical because it allows the parties to supplement an existing commercial agreement without redrafting the entire contract. The main commercial agreement governs the service scope, fees, warranties, and remedies; the Data Confidentiality Addendum governs the data protection layer. In the event of any conflict between the two instruments on data protection matters, the addendum prevails. This hierarchy ensures that the PDPL-compliant data terms are not overridden by less specific general provisions in the main agreement.

The PDPL draws a fundamental distinction between data controllers and data processors. The data controller is the organisation that determines the purposes and means of processing personal data — the retailer who decides to analyse customer purchase data for loyalty rewards, the hospital that manages patient records, or the fintech platform that processes user transaction data. The data processor is the organisation that processes the personal data solely on the controller's instructions, without independently determining why or how the data is processed — the analytics vendor, the cloud hosting company, the marketing automation platform, or the payroll outsourcing firm.

The PDPL requires that this controller-processor relationship be documented in a written agreement containing at minimum: a description of the personal data and the processing purpose; the processor's obligation to act only on the controller's instructions; security measures appropriate to the risk of the processing; restrictions on engaging sub-processors without controller consent; obligations to assist the controller in responding to data subject rights requests; a data breach notification obligation; and cross-border transfer restrictions under Article 22 of the PDPL.

The UAE Data Office, established to administer the PDPL, has enforcement powers that include investigation, binding remedial orders, and administrative penalties for non-compliance. Data subjects whose personal data is mishandled also have the right to seek compensation under the PDPL, which may be pursued against the controller, who may in turn look to the data processing agreement for indemnification from the processor.

For DIFC entities, the DIFC Data Protection Law (DIFC Law No. 5 of 2020) applies a parallel regime administered by the DIFC Commissioner of Data Protection. For ADGM entities, the ADGM Data Protection Regulations 2021 impose equivalent requirements. All three frameworks require a written controller-processor agreement, making the Data Confidentiality Addendum a commercially essential document across all UAE regulatory contexts. The Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) validates electronic execution of the addendum.

When Do You Need a Data Confidentiality Addendum (UAE)?

A Data Confidentiality Addendum in the United Arab Emirates is needed whenever a UAE company engages a third party to process personal data on its behalf as part of a commercial service.

Cloud and SaaS services are the most common trigger. When a UAE retailer, bank, healthcare provider, or government-adjacent entity subscribes to a cloud-based CRM, HR system, accounting platform, or marketing automation tool, the SaaS provider processes personal data of the client's customers or employees as a data processor. The PDPL requires a written data processing agreement governing this relationship before any personal data is shared. A Data Confidentiality Addendum supplements the SaaS subscription agreement to satisfy this requirement.

Marketing and analytics agencies in the UAE that process customer databases, behavioural data, or transaction records on behalf of retail and e-commerce clients are acting as data processors. The agency's access to and use of the client's personal data must be governed by a Data Confidentiality Addendum to the marketing services agreement, specifying the permitted processing purpose and the security and confidentiality obligations the agency must maintain.

Payroll and HR outsourcing providers process significant volumes of sensitive employee personal data — salaries, bank details, leave records, Emirates IDs, and health insurance information — on behalf of UAE companies. This processing must be governed by a compliant data processing agreement. A Data Confidentiality Addendum to the payroll services agreement provides this governance framework in a targeted document without disrupting the commercial terms of the payroll arrangement.

Technology development and integration services in the UAE frequently require the development partner to have access to the client's production database, customer records, or operational data to build, test, and configure the system. A Data Confidentiality Addendum governs this access, restricting the developer to the permitted purpose of system development and requiring deletion or return of personal data at the end of the engagement.

Healthcare and life sciences organisations that outsource clinical data analysis, medical billing, or health records management to specialist vendors must ensure those vendors are bound by PDPL-compliant data processing obligations. The Ministry of Health and Prevention applies its own healthcare-specific data protection requirements in parallel with the PDPL, making a complete Data Confidentiality Addendum essential in any healthcare data outsourcing arrangement.

What to Include in Your Data Confidentiality Addendum (UAE)

A Data Confidentiality Addendum for the United Arab Emirates compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) must contain the following elements. The forms-legal.com UAE data confidentiality addendum template addresses each component.

Reference to the main agreement must identify the commercial contract that the addendum supplements, so that the data protection obligations are clearly incorporated into the overall contractual framework between the parties.

Party identification must distinguish the data controller from the data processor with their full legal names, trade licence numbers, and registered addresses, consistent with the Commercial Companies Law (Federal Decree-Law No. 32 of 2021).

Details of processing must set out: the subject matter and purpose of the processing — what personal data is being processed and for what commercial aim; the categories of personal data — names, contact details, transaction records, health data, financial data; the categories of data subjects — customers, employees, service users; and the retention period — how long the processor may hold the data before deleting or returning it.

Processor obligations must require the processor to: process personal data only on the controller's documented instructions; implement appropriate technical and organisational security measures under Articles 12 and 16 of the PDPL; bind all authorised personnel to confidentiality; not engage sub-processors without controller consent; assist the controller in responding to data subject rights requests under Chapter 3 of the PDPL (access, correction, deletion, objection); and notify the controller promptly of any data breach.

Prohibition on self-interested use must prevent the processor from using the personal data for its own independent purposes — building proprietary datasets, training AI models, or commercial profiling — outside the service.

Cross-border transfer restrictions must address whether the processor may transfer personal data outside the UAE, and if so, to which countries and on what legal basis under Article 22 of the PDPL. Any transfer must be to an adequate-protection country or covered by approved safeguards.

Data breach notification must specify a maximum notification period — typically 24 hours — within which the processor must inform the controller after becoming aware of a breach, so the controller can meet its own notification obligation to the UAE Data Office under Article 17 of the PDPL.

Audit rights must permit the controller to audit the processor's compliance or request evidence of security certifications.

Governing law and forum must identify UAE law, the PDPL, and the appropriate dispute resolution forum.

How to Fill Out Your Data Confidentiality Addendum (UAE)

Completing a Data Confidentiality Addendum for use in the United Arab Emirates is straightforward when the commercial context is clear. The addendum should be executed at the same time as, or before, the main service agreement, and before any personal data is shared with the processor.

Enter the data controller's full legal name as it appears on the trade licence from the relevant DED or free-zone authority — for example, a DED Dubai licence for a mainland LLC, or a DMCC registration for a DMCC entity. Add the licence number and registered address. Enter the same information for the data processor. Confirm that the person signing on behalf of each party holds board authorisation or a power of attorney under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021).

Enter the date of the addendum in DD/MM/YYYY format and identify the main agreement that this addendum supplements — for example, "Master Services Agreement dated 01/01/2026" or "SaaS Subscription Agreement dated 15/03/2026". The reference to the main agreement incorporates the addendum into the overall contractual framework.

Describe the categories of personal data precisely. For a retail analytics engagement, this might be: "customer names, UAE mobile phone numbers, email addresses, purchase transaction records, and loyalty programme identifiers". For an HR outsourcing engagement: "employee full names, Emirates ID numbers, bank account details, salary information, and leave records". Specificity here determines the scope of the processor's obligations.

Describe the processing purpose with commercial precision, for example: "analytics and personalised marketing campaigns for the Controller's retail customers in the UAE via the Controller's CRM platform".

Identify the categories of data subjects — for example, "the Controller's retail customers in the UAE" or "the Controller's employees based in Dubai and Abu Dhabi".

Set the retention period. A retention period tied to the contract duration — for example, "no longer than 30 days after termination of the Main Agreement" — provides a clear deletion obligation.

Indicate whether personal data will be transferred outside the UAE. If yes, identify the destination country and the legal basis — adequacy determination or specific safeguards. Select the governing courts appropriate to the controller's establishment. Both parties should sign; electronic signatures are valid under the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021).

Common Mistakes to Avoid in Your Data Confidentiality Addendum (UAE)

Data Confidentiality Addenda are frequently drafted inadequately, creating PDPL compliance gaps and regulatory exposure. The following errors are most common.

1. No written data processing agreement at all. Many UAE service contracts contain only a general confidentiality clause, which does not satisfy the PDPL's requirement for a written data processing agreement governing the controller-processor relationship. The absence of a compliant addendum is itself a PDPL violation.

2. Failing to describe the personal data and purpose specifically. A vague addendum that covers 'any personal data processed in connection with the services' without specifying categories, purposes, and data subjects does not define the processor's obligations with the precision the PDPL requires and makes enforcement ambiguous.

3. No instruction-only processing obligation. Without an express clause restricting the processor to processing only on the controller's instructions, the processor may argue it had authority to use the data for its own purposes — for example, to train machine learning models with the controller's customer data.

4. No breach notification obligation. The PDPL requires the controller to notify the UAE Data Office of a personal data breach promptly, within the period set by the PDPL and its executive regulations. Without a short notification obligation on the processor (the template uses 24 hours), the controller cannot meet its own regulatory deadline, and the resulting regulatory penalties fall on the controller.

5. Ignoring cross-border transfers. If the processor stores or processes data in a country outside the UAE — including cloud data centres in Europe or North America — without addressing this in the addendum and without meeting the Article 22 PDPL transfer requirements, both parties are in breach of the PDPL's transfer restriction.

6. No sub-processor restriction. Without a clause requiring controller consent before the processor engages sub-processors, the processor may delegate personal data handling to unauthorised third parties, creating uncontrolled downstream risk.

7. Not distinguishing the DIFC/ADGM regimes from the mainland PDPL. For arrangements that span a free zone and the mainland, the applicable data protection law depends on where each party is established and where the processing takes place. Applying the wrong regime to a DIFC processor creates regulatory gaps that the DIFC Commissioner of Data Protection may identify on investigation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Confidentiality Addendum (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/business/contracts/data-confidentiality-addendum-uae

MLA

"Data Confidentiality Addendum (UAE) (United Arab Emirates)." Forms Legal, 2026, https://forms-legal.com/uae/business/contracts/data-confidentiality-addendum-uae.

BibTeX
@misc{formslegal-data-confidentiality-addendum-uae,
  author       = {{Forms Legal}},
  title        = {Data Confidentiality Addendum (UAE) (United Arab Emirates)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/uae/business/contracts/data-confidentiality-addendum-uae}},
  note         = {Free legal document template. Based on Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)}
}


Based on Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Data Processing Agreement (UAE)

A data processing agreement for the UAE governing how a data processor handles personal data on behalf of a data controller, fully compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) administered by the UAE Data Office.

Online Store Privacy Policy (UAE)

A UAE online store privacy policy compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021), and Consumer Protection Law No. 15 of 2020. Covers data collection, processing, sharing, retention, and data subject rights.

Employee Confidentiality Agreement (UAE)

A standalone confidentiality agreement binding an employee to protect the employer's proprietary information during and after employment in the United Arab Emirates. Compliant with the Labour Law (Federal Decree-Law No. 33 of 2021), UAE Civil Code, and Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

SaaS Subscription Agreement (UAE)

A SaaS subscription agreement for the UAE governing cloud software access, service levels, data protection, and subscription fees, compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and Copyright Federal Decree-Law No. 38 of 2021.

Cloud Services Agreement (UAE)

A cloud services agreement for the UAE governing IaaS, PaaS, or managed cloud services, uptime SLAs, data residency under the PDPL Federal Decree-Law No. 45 of 2021, security obligations, and VAT under Federal Decree-Law No. 8 of 2017.