Data Processing Agreement (UAE)
DATA PROCESSING AGREEMENT
Dated: [Agreement Date]
Data Controller: [Controller Name] (Trade Licence: [Controller Licence]), of [Controller Address] (the "Controller");
Data Processor: [Processor Name] (Trade Licence: [Processor Licence]), of [Processor Address] (the "Processor").
BACKGROUND
This Data Processing Agreement ('DPA') supplements the main services agreement between the Controller and the Processor and governs the processing of personal data by the Processor on behalf of the Controller, in compliance with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its executive regulations.
1. DEFINITIONS
1.1 'PDPL' means the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) of the United Arab Emirates, as amended, and its executive regulations issued by Cabinet.
1.2 'Personal Data' means any data relating to an identified or identifiable natural person, as defined in Article 1 of the PDPL.
1.3 'Processing' has the meaning given in Article 1 of the PDPL and includes any operation performed on Personal Data, whether or not by automated means.
1.4 'UAE Data Office' means the UAE Personal Data Protection Office established under the PDPL to supervise compliance.
2. PROCESSING SCOPE AND INSTRUCTIONS
2.1 The Processor shall process Personal Data only for the following purpose: [Processing Purpose].
2.2 Categories of Personal Data: [Personal Data Categories].
2.3 Categories of Data Subjects: [Data Subject Categories].
2.4 Duration of processing: [Processing Duration].
2.5 The Processor shall process Personal Data only on documented instructions from the Controller. If the Processor is required by UAE law to process Personal Data beyond those instructions, it shall notify the Controller before such processing unless prohibited by law.
3. PROCESSOR OBLIGATIONS
3.1 Security measures. The Processor shall implement appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, consistent with the PDPL and any executive regulations issued thereunder.
3.2 Confidentiality. The Processor shall ensure that persons authorised to process the Personal Data are under an appropriate duty of confidentiality.
3.3 Data subject rights. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to data subject requests under Articles 7 to 14 of the PDPL (access, rectification, deletion, objection, and restriction of processing).
3.4 Data breach notification. The Processor shall notify the Controller without undue delay — and in no case later than 72 hours — upon becoming aware of a personal data breach affecting Personal Data processed under this DPA, providing sufficient information for the Controller to assess its notification obligations to the UAE Data Office under Article 17 of the PDPL.
3.5 Return or deletion. Upon termination of the main services agreement or written request by the Controller, the Processor shall return all Personal Data to the Controller or delete it, and shall certify deletion in writing within 30 days, unless retention is required by UAE law.
3.6 Audit cooperation. The Processor shall provide the Controller with all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or a qualified third-party auditor at reasonable notice.
4. SUB-PROCESSORS
4.1 The Processor shall not engage any sub-processor to carry out processing activities under this DPA without the prior written consent of the Controller.
4.2 Where the Controller consents to a sub-processor, the Processor shall impose data protection obligations on the sub-processor equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor.
5. CROSS-BORDER DATA TRANSFERS
5.1 Personal Data shall be hosted and processed [Data Hosting Location].
5.2 Any transfer of Personal Data outside the UAE shall be made only in accordance with Chapter 7 of the PDPL (Federal Decree-Law No. 45 of 2021) — either to a country providing an adequate level of protection as determined by the UAE Data Office, pursuant to standard contractual clauses approved by the UAE Data Office, or on another lawful basis recognised under the PDPL.
5.3 The Processor shall maintain a record of all cross-border transfers and make this available to the Controller on request.
6. GENERAL
6.1 This Agreement is governed by the laws of the United Arab Emirates. The parties submit to the exclusive jurisdiction of the [Governing Forum].
6.2 This DPA supplements and forms part of the main services agreement between the parties. In the event of conflict on data protection matters, this DPA prevails.
6.3 This DPA may be amended only by written agreement of both parties.
Signed for and on behalf of the Data Controller: [Controller Name]
Signed for and on behalf of the Data Processor: [Processor Name]
Data Controller
________________
Signature
Data Processor
________________
Signature
What Is a Data Processing Agreement (UAE)?
A Data Processing Agreement (DPA) in the United Arab Emirates is a legally binding contract between a data controller and a data processor that governs how the processor may handle personal data on behalf of the controller, in compliance with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The PDPL — the UAE's primary data protection statute, administered by the UAE Data Office — was enacted in November 2021 and applies to the processing of personal data by any person or entity subject to UAE law, including mainland UAE companies, government entities, and businesses in most UAE free zones. The DIFC and the ADGM maintain their own data protection regimes — the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021 — which are broadly aligned with the EU's General Data Protection Regulation (GDPR) and impose similar processor agreement requirements for entities established in those financial free zones.
Personal data under Article 1 of the PDPL means any data relating to an identified or identifiable natural person. This definition is broad and captures names, Emirates ID numbers, passport numbers, email addresses, phone numbers, financial data, health records, IP addresses, location data, and any other data that can be linked to a natural person. Processing means any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, combination, and deletion.
The PDPL distinguishes between the data controller — the person who determines the purposes and means of processing — and the data processor — the person who processes data on behalf of and under the instructions of the controller. The controller bears primary regulatory responsibility to the UAE Data Office and to data subjects. The processor, however, is not merely a passive tool: the PDPL imposes direct obligations on processors in relation to security, breach notification, sub-processing, and cross-border data transfers. Article 18 of the PDPL makes the controller liable for a processor's violations unless the controller demonstrates it took reasonable steps to select a compliant processor and monitor its performance. A well-drafted DPA is the primary mechanism by which the controller exercises that oversight and allocates compliance responsibility appropriately.
UAE enterprises that process personal data through third-party service providers — including SaaS platforms, cloud infrastructure, payroll bureaux, call centres, marketing analytics firms, IT service providers, and logistics companies — are required by the PDPL to execute a DPA with each service provider that acts as a processor. A DPA supplements the main services agreement and prevails over it on data protection matters. The UAE Data Office has powers to request DPAs from regulated entities during investigations and to impose penalties on controllers that engage processors without an adequate written agreement.
The PDPL's cross-border transfer regime in Chapter 7 adds a further dimension to UAE data processing agreements. Where a processor processes data outside the UAE — for example, through a cloud platform hosted in Europe, the United States, or Asia — the DPA must document the transfer mechanism: adequacy (for countries assessed by the UAE Data Office as providing equivalent protection), standard contractual clauses approved by the UAE Data Office, binding corporate rules for intra-group transfers, or another recognised basis. The Federal Tax Authority's five-year record retention requirement under Federal Decree-Law No. 8 of 2017 creates a regulatory minimum that interacts with the PDPL's data minimisation principle, requiring DPAs to address retention periods for tax-relevant personal data carefully.
When Do You Need a Data Processing Agreement (UAE)?
A Data Processing Agreement in the UAE is required under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) whenever a data controller engages a data processor to process personal data on its behalf.
Cloud and SaaS services are the most common trigger. Any UAE business that uses a third-party cloud platform — whether for HR management, payroll (with MOHRE Wage Protection System compliance), customer relationship management, email hosting, accounting, document storage, or business intelligence — and that platform processes personal data of UAE residents, requires a DPA with the cloud or SaaS provider. The UAE Data Office has published guidance confirming that a DPA must be in place before processing begins.
Outsourced HR and payroll processing involves the processing of employee personal data including Emirates ID numbers, bank account details, salary information, and leave records. Payroll bureaux and HR outsourcing firms operating in the UAE are data processors under the PDPL and must have a signed DPA with each client employer.
Marketing analytics and customer data services involve the processing of customer personal data by advertising technology companies, data brokers, and analytics firms. Retailers, banks, and telecom operators that share customer data with analytics partners require a DPA governing the analytics firm's use of that data.
Call centre and contact centre outsourcing involves processing customer personal data by a third-party call centre. UAE businesses operating across the telecommunications, banking, insurance, and e-commerce sectors that outsource customer contact operations to a UAE or international call centre require a DPA.
IT managed services and security operations centres (SOCs) that access production systems containing personal data as part of their monitoring and management services act as processors under the PDPL. Banks and government entities regulated by the Central Bank of the UAE or the Abu Dhabi Judicial Department that outsource IT services require DPAs as part of their vendor management frameworks.
Healthcare data processing by third-party software providers, laboratories, telehealth platforms, and insurance claims processors involves sensitive personal data under Article 4 of the PDPL, which heightens the DPA requirements.
What to Include in Your Data Processing Agreement (UAE)
A UAE Data Processing Agreement compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) must contain the following elements. The forms-legal.com UAE DPA template addresses each component required by the UAE Data Office and the PDPL's executive regulations.
Party identification must record the full legal name, trade licence number, and address of the data controller and data processor. The roles of controller and processor must be explicitly stated, because the PDPL's obligations are role-specific.
Processing scope must specify: the purpose and nature of processing; the categories of personal data processed (ordinary and sensitive); the categories of data subjects; the duration of processing; and any specific processing activities that are permitted or prohibited.
Instruction clause must confirm that the processor will only process personal data on the controller's documented instructions and will notify the controller if it believes an instruction violates the PDPL.
Security obligations must require the processor to implement appropriate technical and organisational security measures, aligned with the risk to data subjects. The PDPL and the UAE Data Office's guidance specify security standards that must be addressed.
Confidentiality must require authorised personnel to be bound by confidentiality duties.
Data subject rights assistance must require the processor to assist the controller in responding to data subject requests under Articles 7 to 14 of the PDPL, including access, rectification, erasure, and restriction requests.
Data breach notification must require the processor to notify the controller without undue delay — and within 72 hours where possible — upon discovering a personal data breach, with sufficient detail for the controller to meet its PDPL notification obligations to the UAE Data Office under Article 17.
Sub-processor provisions must require the controller's prior written consent for sub-processor engagement and impose equivalent obligations on sub-processors. The processor remains fully responsible for sub-processor compliance.
Cross-border transfer rules must state where the data will be processed and confirm that any transfer outside the UAE complies with Chapter 7 of the PDPL, through adequacy, standard contractual clauses, binding corporate rules, or another lawful basis.
Return or deletion must require the processor to return or delete all personal data within 30 days of termination and certify deletion in writing.
Audit rights must allow the controller to verify compliance through information requests and third-party audits at reasonable notice.
Governing law and forum must identify UAE law and the competent court — the Dubai Courts, Abu Dhabi Judicial Department, DIFC Courts, or ADGM Courts — or an arbitral institution such as the Dubai International Arbitration Centre (DIAC) under the Federal Arbitration Law (Federal Law No. 6 of 2018).
How to Fill Out Your Data Processing Agreement (UAE)
Completing a UAE Data Processing Agreement under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) requires the parties to map the personal data flows between them and agree the processing parameters. Follow these steps.
Begin with the parties. Enter the data controller's full legal name, trade licence number, and registered address. The controller is the business that owns the personal data and determines why it is processed. Enter the data processor's full legal name and trade licence. The processor is the service provider that will act on the controller's instructions. Confirm that both signatories hold board authorisation or a power of attorney under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021).
Enter the date in DD/MM/YYYY format.
Describe the processing purpose precisely. A vague purpose such as 'providing IT services' does not satisfy the PDPL's specificity requirement. Write the purpose in terms of the concrete processing operation: for example, 'providing cloud-based payroll processing services to the Controller, including calculating monthly salaries, generating WPS transfer files for the Ministry of Human Resources and Emiratisation, and archiving payroll records for tax purposes.'
List all categories of personal data. Separate ordinary personal data from sensitive personal data as defined in Article 4 of the PDPL. If health, biometric, or financial data is included, note that and confirm the legal basis under which the controller authorises processing of sensitive data.
State the categories of data subjects clearly: for example, 'employees and former employees of the Controller, and their dependants.'
Set the processing duration. Link this to the term of the main services agreement and add any required regulatory tail period for record-keeping purposes under the Federal Tax Authority's five-year records retention requirement.
Choose the data hosting location. UAE-only hosting is the simplest PDPL-compliant option. Cross-border hosting requires identification of the applicable transfer mechanism, which should be documented in a Cross-Border Transfer Schedule attached to the DPA.
Select the governing forum. For enterprise DPAs where the processor is a DIFC or ADGM entity, the DIFC Courts or ADGM Courts are common choices. For purely mainland arrangements, the Dubai Courts or Abu Dhabi Judicial Department are the standard forums.
Legal Requirements for Data Processing Agreement (UAE)
A UAE Data Processing Agreement must satisfy the requirements of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its executive regulations issued by the UAE Cabinet, enforced by the UAE Data Office.
Article 18 of the PDPL requires that a controller only engage a processor that provides sufficient guarantees about implementing appropriate technical and organisational measures to ensure processing complies with the PDPL. The controller must document these guarantees in a written DPA.
The DPA must be in writing and must specify the subject matter, duration, nature, and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.
The processor must process personal data only on the controller's documented instructions under Article 18(4) of the PDPL. Processing beyond those instructions, unless required by UAE law, constitutes a violation.
Security measures must be implemented under Article 16 of the PDPL and the UAE Data Office's technical security guidance. Measures must be appropriate to the risk, taking into account the nature of the data and the likelihood and severity of harm to data subjects.
Data breach notification must follow the timeline and content requirements of Article 17 of the PDPL. The controller must notify the UAE Data Office of breaches affecting data subjects' rights and interests within 72 hours of becoming aware, and must notify affected data subjects where the breach is likely to result in high risk to them.
Cross-border transfers must comply with Chapter 7 of the PDPL. The UAE Data Office's list of adequate countries must be checked, and standard contractual clauses or binding corporate rules must be in place for transfers to non-adequate countries.
Retention and deletion obligations must reflect both the PDPL's data minimisation principle and any UAE sector-specific retention requirements, including the Federal Tax Authority's five-year record-keeping obligation under Federal Decree-Law No. 8 of 2017 and the Labour Law (Federal Decree-Law No. 33 of 2021) requirements for employment records.
For DIFC and ADGM entities, the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021 apply instead of the federal PDPL and impose equivalent DPA requirements.
Common Mistakes to Avoid in Your Data Processing Agreement (UAE)
UAE Data Processing Agreements frequently fail to protect the parties or comply with the PDPL because of the following errors.
1. No DPA in place at all. The most serious error is engaging a data processor without any written agreement, in direct violation of Article 18 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The UAE Data Office may impose penalties on the controller and the processor. Execute a DPA before processing begins.
2. Vague processing purpose. A DPA stating 'IT services' or 'data management' as the processing purpose fails the PDPL's specificity requirement. Define the purpose in concrete operational terms aligned with the services agreement.
3. Missing sensitive data provisions. Where the processor handles health, biometric, or financial personal data, the DPA must identify the sensitive data categories and confirm the legal basis. An agreement silent on sensitive data creates regulatory and liability exposure under Article 4 of the PDPL.
4. No sub-processor controls. Allowing the processor to engage sub-processors without the controller's prior written consent undermines the controller's ability to maintain oversight of its data. Require written consent and equivalent DPA obligations for every sub-processor.
5. No data breach notification timeline. A DPA without a specific breach notification obligation — requiring the processor to notify the controller within 72 hours of discovering a breach — prevents the controller from meeting its own notification obligations to the UAE Data Office under Article 17 of the PDPL.
6. Vague cross-border transfer provisions. A DPA that permits transfer 'to our global infrastructure' without specifying the countries, the data categories transferred, and the applicable transfer mechanism violates the PDPL's Chapter 7 requirements and may expose both parties to penalties.
7. No deletion certification obligation. A DPA without a requirement to certify deletion of personal data within a defined period after termination leaves the controller unable to demonstrate PDPL compliance in an audit, and leaves residual personal data in the processor's systems beyond the lawful retention period.
8. Applying GDPR templates without UAE-specific adaptation. Many UAE businesses use GDPR-based DPA templates without adapting them to the PDPL framework. While the PDPL and GDPR are broadly aligned, they differ on transfer mechanisms, the UAE Data Office's role, specific penalty provisions, and enforcement procedures. A GDPR-only DPA may not satisfy a UAE Data Office audit.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/business/intellectual-property/data-processing-agreement-uae
"Data Processing Agreement (UAE) (United Arab Emirates)." Forms Legal, 2026, https://forms-legal.com/uae/business/intellectual-property/data-processing-agreement-uae.
@misc{formslegal-data-processing-agreement-uae,
author = {{Forms Legal}},
title = {Data Processing Agreement (UAE) (United Arab Emirates)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uae/business/intellectual-property/data-processing-agreement-uae}},
note = {Free legal document template. Based on Personal Data Protection Law — Federal Decree-Law No. 45 of 2021}
}
Frequently Asked Questions
A Data Processing Agreement is required under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) whenever a data controller engages a data processor to process personal data on its behalf. A controller is the person or entity that determines the purpose and means of processing personal data. A processor is any person or entity that processes personal data on behalf of the controller, under the controller's instructions, for a purpose determined by the controller rather than the processor's own purposes.
Common UAE scenarios requiring a DPA include: a company (controller) engaging a payroll bureau (processor) to process employee salary data; a retailer (controller) using a SaaS CRM platform (processor) to store and manage customer data; a hospital (controller) using an IT service provider (processor) to manage patient records on cloud infrastructure; and a bank (controller) engaging a marketing analytics firm (processor) to analyse customer transaction data. In each case, the PDPL requires that the processing be governed by a written agreement between the controller and the processor, covering the scope and purpose of processing, security measures, data subject rights assistance, breach notification, sub-processing restrictions, cross-border transfer rules, and return or deletion obligations.
The UAE Data Office, established under the PDPL, supervises compliance and has powers to investigate, issue corrective orders, and impose administrative penalties on both controllers and processors that fail to comply with the DPA requirement. Financial penalties under the PDPL can be significant, and the controller retains primary liability for the processor's actions under Article 18 of the Decree-Law.
Under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), a data processor in the UAE has the following key obligations.
Processing on instructions only: the processor must process personal data only on the documented instructions of the controller and must not process the data for its own purposes or for the benefit of third parties.
Confidentiality: persons authorised to process the personal data must be subject to an appropriate duty of confidentiality, whether under a contractual clause or a statutory obligation.
Security measures: the processor must implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, loss, or destruction. The PDPL and its executive regulations specify categories of security measures, and the UAE Data Office may issue guidance on minimum standards.
Sub-processing: the processor must not engage sub-processors without the controller's prior authorisation and must impose equivalent data protection obligations on any sub-processor.
Data subject rights assistance: the processor must assist the controller in fulfilling its obligations to respond to data subject requests — including requests for access, rectification, erasure, restriction, and objection — under Articles 7 to 14 of the PDPL.
Data breach notification: on becoming aware of a personal data breach, the processor must notify the controller without undue delay, providing sufficient information for the controller to assess and, where required, report the breach to the UAE Data Office and affected data subjects under Article 17 of the PDPL.
Return or deletion: on termination of the processing relationship or at the controller's request, the processor must return or delete all personal data and certify compliance in writing.
Audit and demonstrability: the processor must provide the controller with all information necessary to demonstrate compliance, and must support and contribute to audits by the controller or its authorised auditor.
Cross-border transfer of personal data outside the United Arab Emirates is permitted under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) only in specific circumstances regulated under Chapter 7 of the Decree-Law, supervised by the UAE Data Office.
Transfer to a country that provides an adequate level of personal data protection, as assessed and published by the UAE Data Office, is permitted without specific additional conditions. The UAE Data Office maintains a list of adequate countries, analogous to the EU adequacy decisions under the GDPR. The list is updated periodically and should be checked before any international transfer.
Where the destination country is not deemed adequate, transfer is permitted on the basis of appropriate safeguards, which under PDPL implementing regulations include standard contractual clauses approved by the UAE Data Office, binding corporate rules approved for intra-group transfers, or an approved code of conduct. The standard contractual clauses are the most commonly used mechanism in UAE commercial practice.
Transfer is also permitted under specific derogations including the data subject's explicit, informed consent; necessity for the performance of a contract with the data subject; necessity for the establishment, exercise, or defence of legal claims; and overriding public interest considerations.
UAE free-zone entities in the DIFC and the ADGM are subject to their own data protection regimes (DIFC Data Protection Law, DIFC Law No. 5 of 2020, and the ADGM Data Protection Regulations 2021), which are broadly GDPR-aligned. Data transfers between the DIFC or ADGM and EU/EEA countries may be subject to separate adequacy assessments, and UAE businesses with operations in both onshore and free-zone entities should map their data flows carefully to determine which regime applies to each transfer.
The distinction between a data controller and a data processor under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) determines the legal obligations and liabilities of each party in a data processing arrangement.
A data controller is the person or entity that, alone or jointly with others, determines the purposes and means of processing personal data. The controller decides what data is collected, for what purpose, and how it is used. Examples of UAE controllers include: a UAE company collecting customer data for its loyalty programme, an employer collecting employee HR data for payroll, a hospital collecting patient health records, and an e-commerce platform collecting user purchase histories. The controller bears primary regulatory responsibility under the PDPL and is the party to whom the UAE Data Office directs investigations and enforcement actions.
A data processor is the person or entity that processes personal data on behalf of and under the instructions of the controller. The processor does not determine the purpose of processing and acts solely on the controller's instructions. Examples of UAE processors include: a payroll bureau processing employee salary data for a company, a cloud provider hosting customer data on behalf of a retailer, a marketing analytics firm analysing customer data for an e-commerce business, and a call centre handling customer data for a telecommunications provider.
The same entity can be a controller in one relationship and a processor in another. A payroll bureau that receives employee data from its client (making it a processor) may itself use a cloud infrastructure provider (making the bureau a controller with respect to the cloud provider, which is a sub-processor). Correctly identifying the roles in each data flow is the first step in structuring a PDPL-compliant data processing agreement.
The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) establishes a tiered penalty regime administered by the UAE Data Office for violations of the Decree-Law and its executive regulations.
Administrative penalties are the primary enforcement tool. The UAE Data Office may issue corrective orders requiring a controller or processor to bring processing into compliance within a specified period. Failure to comply with a corrective order, or serious violations of the PDPL, may result in administrative fines. The Cabinet of the UAE, through executive regulations issued under the PDPL, sets the specific fine amounts applicable to each type of violation. The fine levels are commensurate with the severity of the breach, the number of data subjects affected, and whether the violation was deliberate or negligent.
Criminal sanctions apply to particularly serious violations, including unlawful processing of sensitive personal data (such as health, biometric, or financial data) without a legal basis, deliberate cross-border transfer in violation of the PDPL, and processing of personal data of minors without appropriate safeguards. Criminal penalties may include fines and in extreme cases imprisonment, and are imposed by the competent criminal courts.
Civil liability for damage caused by PDPL violations is available under the UAE Civil Code (Federal Law No. 5 of 1985). Data subjects who suffer actual damage — whether material or non-material — as a result of unlawful processing may claim compensation before the Dubai Courts, the Abu Dhabi Judicial Department, or the DIFC Courts. The controller retains primary liability even where the breach was caused by a sub-processor, unless the controller can demonstrate it took all reasonable steps to ensure compliance. Early execution of a well-drafted data processing agreement reduces both regulatory and civil liability exposure.
The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) distinguishes between ordinary personal data and sensitive personal data, which attracts heightened obligations. Article 1 of the PDPL defines sensitive personal data as data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal record, or biometric data, or any data relating to the person's health, including physical, psychological, mental, genetic or sexual condition and the health care services provided to them. This list is not the GDPR's: trade union membership is not named, and financial data is not sensitive personal data under the PDPL unless it reveals one of the listed characteristics.
The PDPL does not impose a standalone prohibition on processing sensitive personal data. Processing requires the data subject's consent unless one of the exceptions in Article 4 applies, such as processing necessary for medical care or public health by persons bound by professional secrecy, to establish or defend legal claims, to comply with a legal obligation, or to perform a contract with the data subject. The PDPL also attaches heightened duties where sensitive data is processed at scale, including a data protection impact assessment and the appointment of a data protection officer. The processor's obligation to process only on the controller's instructions is therefore particularly important for sensitive data: the controller must establish its own legal basis before instructing the processor, and the processor should not accept instructions to process sensitive data without written confirmation of that basis.
A UAE data processing agreement that covers sensitive personal data should include: a specific schedule identifying the sensitive data categories; confirmation of the legal basis relied on by the controller; enhanced security measures appropriate to the sensitivity (encryption at rest and in transit, role-based access controls, pseudonymisation); and agreement on which sub-processors, if any, may access the sensitive data and in which jurisdictions they may store it. Health data in particular is also governed by the ICT in Health Fields Law (Federal Law No. 2 of 2019), which restricts storing or transferring health information outside the UAE, and by the Department of Health in Abu Dhabi and the Dubai Health Authority frameworks; where applicable, these requirements, and any sector-specific guidance issued by the UAE Data Office, should be incorporated by reference.
The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) requires that personal data not be retained for longer than is necessary to achieve the purpose for which it was collected, consistent with the data minimisation principle. The PDPL does not prescribe fixed universal retention periods but requires controllers to establish retention schedules aligned with their processing purposes and applicable sector regulations, and to delete or anonymise data when the purpose is achieved.
Several UAE sector-specific regulations impose minimum retention periods that interact with the PDPL's storage limitation principle. The tax legislation administered by the Federal Tax Authority, including the Value Added Tax Law (Federal Decree-Law No. 8 of 2017) and the Tax Procedures Law, requires retention of tax-related accounting records, including records containing personal data, for at least five years after the end of the relevant tax period, and longer for some categories of record. The Labour Law (Federal Decree-Law No. 33 of 2021) and Cabinet Resolution No. 1 of 2022 require retention of employment records for specified periods after employment ends. The Anti-Money Laundering Law (Federal Decree-Law No. 20 of 2018) and the Central Bank of the UAE's implementing regulations require financial institutions to retain customer due diligence and transaction records for at least five years after the business relationship ends or the transaction is completed. Healthcare providers in the UAE are subject to retention requirements set by the Department of Health in Abu Dhabi and the Dubai Health Authority.
A data processing agreement should specify the agreed retention period for each category of personal data, cross-referencing any applicable regulatory minimum period. The processor must not retain data beyond the agreed period without a new instruction or legal basis, and must provide the controller with written certification of deletion or return at the end of the retention period, covering backups and sub-processors as well as live systems. Where data must be retained for a regulatory minimum period that exceeds the commercial processing purpose, the agreement should restrict the processor to storing the data in a secure archive during the regulatory retention tail, with access limited to what is needed to respond to the regulator or a legal claim and no other active processing.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.