Data Protection Policy (UAE)
DATA PROTECTION POLICY
[Company Name]
[Emirate], United Arab Emirates
Effective date: [Effective Date]
1. PURPOSE AND SCOPE
[Company Name] (the 'Company') is committed to protecting the privacy and personal data of its employees, customers, suppliers, and other individuals whose data it processes. This Data Protection Policy sets out the Company's obligations and standards for the collection, use, storage, transfer, and disposal of personal data in compliance with the Personal Data Protection Law of the United Arab Emirates, Federal Decree-Law No. 45 of 2021 (the 'PDPL'), and the implementing Cabinet Decisions issued thereunder.
This Policy applies to all employees, contractors, and agents of the Company and to all personal data processed by or on behalf of the Company, regardless of the medium in which the data is held or whether the processing is carried out by the Company or by a data processor acting on its instructions. Personal data processed includes: [Data Categories].
2. DATA PROTECTION PRINCIPLES
The Company processes personal data in accordance with the following principles, which reflect the requirements of the PDPL, Federal Decree-Law No. 45 of 2021:
(a) Lawfulness, fairness, and transparency: Personal data is processed only on a lawful basis — including consent, contract performance, legal obligation, vital interests, public task, or legitimate interests — and data subjects are informed of how their data is used.
(b) Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes.
(c) Data minimisation: The Company collects only personal data that is adequate, relevant, and limited to what is necessary for the purpose of processing.
(d) Accuracy: Reasonable steps are taken to ensure that personal data is accurate and, where necessary, kept up to date.
(e) Storage limitation: Personal data is retained for no longer than is necessary for the processing purpose. The default retention period under this Policy is [Retention Period], subject to longer periods required by UAE law — including the Commercial Transactions Law, Federal Decree-Law No. 50 of 2022, and tax record retention requirements under the Value Added Tax Law, Federal Decree-Law No. 8 of 2017.
(f) Integrity and confidentiality: Personal data is processed with appropriate technical and organisational security measures to protect against unauthorised access, loss, or destruction.
3. DATA SUBJECT RIGHTS
Under the PDPL, Federal Decree-Law No. 45 of 2021, individuals whose personal data the Company processes have the right to: access their personal data; correct inaccurate data; request erasure where retention is no longer justified; restrict or object to processing in certain circumstances; data portability in machine-readable format; and to withdraw consent at any time without affecting the lawfulness of prior processing.
Requests may be submitted to the Data Protection Officer at [DPO Email]. The Company will respond to requests within the timeframe specified by the UAE Data Office — the regulatory authority established under the PDPL — and will verify the identity of the requestor before responding. In appropriate cases, requests may be declined on grounds permitted by the PDPL, including where processing is required for legal compliance.
4. DATA SECURITY AND BREACH RESPONSE
The Company implements technical and organisational measures appropriate to the risk of processing, including access controls, encryption of sensitive data in transit and at rest, and regular security assessments. All employees who handle personal data receive training on data protection obligations under the PDPL and this Policy.
In the event of a personal data breach, the Data Protection Officer at [DPO Email] will assess the breach and, where required by the PDPL, notify the UAE Data Office within the prescribed period and inform affected data subjects without undue delay. Breach records are maintained in the Company's data breach register.
5. DATA PROTECTION OFFICER AND REVIEW
The Company has designated [Data Protection Officer] as the Data Protection Officer, responsible for overseeing compliance with the PDPL, Federal Decree-Law No. 45 of 2021, maintaining the Company's record of processing activities, conducting data protection impact assessments for high-risk processing, and liaising with the UAE Data Office. This Policy will be reviewed [Review Period] and updated to reflect changes in UAE law, business activities, or identified risks.
General Manager / Chief Executive Officer
________________
Signature
Data Protection Officer
________________
Signature
What Is a Data Protection Policy (UAE)?
A Data Protection Policy in the United Arab Emirates is a formal corporate document that sets out how an organisation collects, uses, stores, transfers, and protects personal data in compliance with the Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 (PDPL). The PDPL is the UAE's first comprehensive federal data protection statute, establishing rights for individuals over their personal data and obligations for organisations that process it.
The PDPL applies to any person or entity processing personal data within the UAE, or processing data relating to UAE-resident individuals, regardless of where the organisation is based. The law covers all forms of processing — automated and manual — and addresses the full lifecycle of personal data from collection through deletion. Key definitions include: 'personal data' — any information that identifies or can identify a natural person, such as a name, Emirates ID number, email address, location data, or biometric data; 'sensitive personal data' — a higher-risk category including health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data used for unique identification, and data about criminal convictions; 'controller' — the entity that determines the purposes and means of processing; and 'processor' — an entity that processes data on behalf of the controller.
The UAE Data Office, established under the PDPL by Cabinet Decision, is the federal supervisory authority responsible for overseeing implementation, issuing guidance, receiving complaints, conducting investigations, and imposing administrative fines of up to AED 5 million. The Ministry of Economy retains oversight of certain aspects of implementation, and sector-specific regulators — including the Central Bank of the UAE for financial institutions, the Securities and Commodities Authority for listed companies, and the Ministry of Health and Prevention for health data — may impose additional data protection requirements.
Free zones in the UAE apply their own data protection frameworks. The Dubai International Financial Centre applies the DIFC Data Protection Law 2020, which is closely modelled on the EU General Data Protection Regulation and enforced by the DIFC Commissioner of Data Protection. The Abu Dhabi Global Market applies the ADGM Data Protection Regulations 2021. Organisations based in these zones must comply with both their zone framework and, where applicable, the federal PDPL.
A well-drafted Data Protection Policy demonstrates the organisation's commitment to PDPL compliance, builds trust with employees, customers, and partners, and provides a framework for consistent data handling across the business. The forms-legal.com Data Protection Policy (UAE) template covers all key obligations under Federal Decree-Law No. 45 of 2021, available in PDF and Word for immediate adoption.
When Do You Need a Data Protection Policy (UAE)?
A Data Protection Policy is needed in the UAE for any organisation that collects, uses, or stores personal data about identifiable individuals — which includes virtually every registered business, free zone entity, and branch office operating in the country.
Organisations subject to mandatory compliance under the PDPL include those that process personal data on a large scale, process sensitive personal data as a core activity, or are required by sector-specific regulation to have data protection frameworks. Financial institutions supervised by the Central Bank of the UAE — including banks, finance companies, exchange houses, and insurance companies — must have data governance policies meeting Central Bank AML-CFT and governance standards. Healthcare providers regulated by the Ministry of Health and Prevention, the Dubai Health Authority, or the Abu Dhabi Department of Health must comply with health-data-specific requirements in addition to the PDPL.
Companies operating e-commerce platforms, mobile applications, or digital services collect customer personal data through their platforms and must comply with the PDPL's requirements for consent, privacy notices, data subject rights, and secure processing. The UAE's National Programme for Cybersecurity, overseen by the Cybersecurity Council, and the National Information Assurance Standard (NIAS) set out technical security standards for organisations handling personal data, with which a Data Protection Policy must align.
Employers in the UAE must also comply with the PDPL in relation to employee data — including payroll records, health information collected for mandatory medical insurance under UAE Labour Law Federal Decree-Law No. 33 of 2021, and Emirates ID numbers. A Data Protection Policy covering employee data collection and processing is a foundational HR compliance document.
Any UAE company that shares data with international partners, group companies, or service providers outside the UAE must address cross-border transfer restrictions under the PDPL, which requires an adequacy assessment or appropriate safeguards before transferring personal data to other countries.
What to Include in Your Data Protection Policy (UAE)
A complete UAE Data Protection Policy must include the following elements to meet the requirements of the PDPL, Federal Decree-Law No. 45 of 2021, and best practice standards.
Scope and purpose: A clear statement of the document's covered entities, categories of personal data, and the legal framework — the PDPL and any applicable free zone law such as the DIFC Data Protection Law 2020 or ADGM Data Protection Regulations 2021.
Data protection principles: The six core principles under the PDPL — lawfulness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. The policy must commit the organisation to processing data in compliance with each principle.
Lawful bases for processing: Identification of the lawful bases the organisation relies on — consent, contract, legal obligation, vital interests, public task, or legitimate interests — for each category of personal data and processing activity. The policy should explain how consent is obtained and how it can be withdrawn.
Data subject rights: A clear explanation of individuals' rights under the PDPL — access, correction, erasure, restriction, portability, and objection — and the process for submitting and responding to requests, including the DPO contact at the organisation's designated privacy email address.
Cross-border transfers: Where personal data is transferred outside the UAE, the mechanism relied upon — adequacy decision, standard contractual clauses, or other approved safeguard — and the countries involved.
Security measures: Technical and organisational measures to protect personal data — access controls, encryption, pseudonymisation, regular testing, staff training — and the breach response procedure including notification to the UAE Data Office.
Data Protection Officer: The DPO's name or title, contact email, and responsibilities. The forms-legal.com Data Protection Policy (UAE) template includes all mandatory elements and the DPO designation required for regulated organisations.
Retention: Specific retention periods for each data category, aligned with UAE legal requirements under the Commercial Transactions Law, Federal Decree-Law No. 50 of 2022, and VAT record-keeping obligations.
How to Fill Out Your Data Protection Policy (UAE)
Completing the UAE Data Protection Policy begins with entering the company's full registered name exactly as it appears on the trade licence or free zone registration certificate, the emirate or jurisdiction, and the policy effective date — typically the board approval date.
Appoint the Data Protection Officer. Enter the name and title of the person responsible for PDPL compliance. For organisations not legally required to appoint a formal DPO, the general manager or head of legal typically acts as privacy lead. Enter the DPO's dedicated email address — this address should be monitored, accessible to data subjects making requests, and published in the company's privacy notice on its website.
Select the default personal data retention period. Choose the period that reflects the primary data categories processed and applicable legal requirements. UAE VAT records must be kept for five years under Federal Decree-Law No. 8 of 2017; employment records should be retained for the duration of employment plus the minimum period under UAE Labour Law Federal Decree-Law No. 33 of 2021; corporate financial records must be retained for a minimum of five years under the Commercial Companies Law Federal Decree-Law No. 32 of 2021. Where different categories have different retention periods, supplement the policy with a detailed retention schedule.
Select the categories of personal data processed. Choosing the category that most accurately describes the company's processing activities ensures that the policy is accurate and useful. If sensitive personal data — health data, biometric data, or data revealing racial or ethnic origin — is processed, additional controls and, potentially, a data protection impact assessment are required under the PDPL.
Indicate whether the company transfers personal data outside the UAE. If yes, the cross-border transfer section is included in the policy and should be completed with specific details of the destination countries, the transfer mechanism, and any data processor contracts in place. Obtain legal advice before transferring personal data to countries that have not been assessed by the UAE Data Office for adequacy.
After completing the wizard, arrange for the policy to be approved and signed by the general manager and DPO, and distribute it to all employees. Publish a public privacy notice on the company's website summarising the key elements of the policy. Review and update the policy whenever processing activities change or the UAE Data Office issues new guidance.
Legal Requirements for Data Protection Policy (UAE)
Legal requirements for a UAE Data Protection Policy arise primarily from the Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, and its implementing Cabinet Decisions and regulations.
The PDPL requires controllers to: process personal data only on a lawful basis; inform data subjects of their processing activities through a clear privacy notice before or at the time of collection; implement appropriate technical and organisational security measures; report personal data breaches to the UAE Data Office within the required timeframe; maintain records of processing activities; appoint a DPO where required; and conduct data protection impact assessments for high-risk processing.
For sensitive personal data — including health data, biometric data used for unique identification, genetic data, data about racial or ethnic origin, political opinions, religious beliefs, and data about criminal convictions — the PDPL imposes stricter requirements including explicit consent from the data subject (unless a specific exemption applies), enhanced security measures, and restrictions on sharing with third parties.
The Commercial Companies Law, Federal Decree-Law No. 32 of 2021, imposes confidentiality obligations on directors and officers in relation to company information, including customer and employee data. The UAE Cybersecurity Law — Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime — imposes criminal liability for unauthorised access to and disclosure of personal data stored electronically.
Sector-specific requirements add further layers of obligation. The Central Bank of the UAE's Consumer Protection Regulation requires financial institutions to protect customer data and maintain confidentiality. The Ministry of Health and Prevention's Health Data Law and Health Facilities Laws impose specific requirements for the protection of patient health records. The Securities and Commodities Authority corporate governance code requires listed companies to have data governance policies.
For companies based in the DIFC, the DIFC Data Protection Law 2020 and its implementing Commissioner's Directions are mandatory. ADGM entities must comply with the ADGM Data Protection Regulations 2021. Both frameworks align closely with the EU GDPR and impose 72-hour breach notification requirements, formal DPO appointment obligations for qualifying entities, and complete data subject rights.
Common Mistakes to Avoid in Your Data Protection Policy (UAE)
Common mistakes in drafting and implementing a UAE Data Protection Policy include the following.
Failing to update the policy when processing activities change is one of the most frequent errors. A policy adopted at incorporation that describes only the original processing activities quickly becomes inaccurate as the company launches new products, onboards new suppliers, or expands to new emirates or free zones. Under the PDPL, Federal Decree-Law No. 45 of 2021, a controller's privacy notice must accurately reflect current processing, and an outdated policy is both a compliance gap and a practical problem when responding to data subject requests.
Treating consent as the only lawful basis for processing is a mistake that leads to over-reliance on consent for processing that could be justified on other grounds — contract performance, legal obligation, or legitimate interests — and creates unnecessary administrative burdens. Under the PDPL, consent must be freely given, specific, informed, and capable of being withdrawn at any time; relying on consent for processing that is actually required by law or necessary for contract performance means that withdrawal of consent would wrongly block lawful processing.
Omitting cross-border transfer controls despite transferring data outside the UAE regularly — for example to cloud service providers in Europe or the United States — is a serious compliance gap. The PDPL requires an adequacy assessment or approved safeguard before international transfers; companies that have not checked whether their cloud or SaaS providers process data outside the UAE, or have not put in place appropriate contractual protections, face regulatory exposure.
Naming a DPO with no practical data protection knowledge or responsibilities creates a policy that is non-functional. The DPO must have genuine operational responsibility for data protection compliance — maintaining processing records, handling data subject requests within prescribed timelines, and managing breach response. Designating the DPO role on paper without adequate resources or authority is an indicator of non-compliance that the UAE Data Office is likely to identify during an investigation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/business/policies/data-protection-policy-uae
"Data Protection Policy (UAE) (United Arab Emirates)." Forms Legal, 2026, https://forms-legal.com/uae/business/policies/data-protection-policy-uae.
@misc{formslegal-data-protection-policy-uae,
author = {{Forms Legal}},
title = {Data Protection Policy (UAE) (United Arab Emirates)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uae/business/policies/data-protection-policy-uae}},
note = {Free legal document template. Based on Personal Data Protection Law — Federal Decree-Law No. 45 of 2021}
}
Frequently Asked Questions
The UAE Personal Data Protection Law — Federal Decree-Law No. 45 of 2021 (PDPL) — is the UAE's first comprehensive federal data protection law. Issued on 26 September 2021 and brought into force progressively, the PDPL applies to any person or entity that processes personal data within the UAE, or processes data relating to individuals located in the UAE, regardless of where the processing organisation is established. The law covers both automated and manual processing of personal data. Key obligations include: having a lawful basis for processing (consent, contract, legal obligation, vital interests, or legitimate interests); informing data subjects of processing activities through a privacy notice; respecting data subject rights including access, correction, erasure, and portability; implementing technical and organisational security measures; notifying the UAE Data Office and affected individuals in the event of a breach; conducting data protection impact assessments for high-risk processing; and appointing a Data Protection Officer where required. The UAE Data Office, established under the PDPL, is the supervisory authority responsible for enforcement and can impose fines of up to AED 5 million for serious violations. Free zones such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) apply their own data protection frameworks — the DIFC Data Protection Law 2020 and the ADGM Data Protection Regulations 2021 respectively — which may apply to entities based in those zones in addition to or instead of the federal PDPL.
Under the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, certain organisations are required to appoint a Data Protection Officer (DPO). The PDPL and its implementing Cabinet Decisions specify categories of controller and processor that must designate a DPO, generally including: organisations that process personal data on a large scale as their core activity; organisations that process sensitive personal data (such as health data, biometric data, or data revealing racial or ethnic origin) as a core activity; and certain government or public sector entities. Even where formal DPO appointment is not legally required, best practice for UAE companies is to designate a privacy lead — whether the general manager, head of legal, or compliance officer — who is responsible for overseeing PDPL compliance, maintaining the record of processing activities, handling data subject requests, managing breach response, and liaising with the UAE Data Office. For companies subject to the DIFC Data Protection Law 2020 or the ADGM Data Protection Regulations 2021, the requirements for DPO appointment are broadly similar to GDPR requirements, and these frameworks are more prescriptive than the federal PDPL on the circumstances requiring formal DPO appointment.
Cross-border transfers of personal data from the UAE are regulated under the Personal Data Protection Law, Federal Decree-Law No. 45 of 2021. The PDPL permits transfers to countries or international organisations that the UAE Data Office has determined provide an adequate level of data protection — an adequacy determination similar to the GDPR adequacy mechanism. Where no adequacy determination exists, transfers may proceed subject to appropriate safeguards including: standard contractual clauses approved by the UAE Data Office; binding corporate rules for intra-group transfers; specific derogations such as the data subject's explicit consent, contract performance, vital interests, or important reasons of public interest. Organisations that regularly transfer data internationally should maintain a transfer impact assessment for each destination and ensure that data processors outside the UAE are bound by contractual clauses that reflect the PDPL requirements. Companies operating from the DIFC are subject to the DIFC Data Protection Law 2020, which has similar transfer restrictions and requires that transfers be to adequate countries or subject to approved safeguards, applying DIFC Commissioner of Data Protection oversight. ADGM entities are subject to the ADGM Data Protection Regulations 2021, which similarly restrict transfers and require the ADGM Commissioner of Data Protection's approval for transfers to inadequate destinations without safeguards.
The UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, requires organisations to notify the UAE Data Office of a personal data breach where the breach is likely to result in harm to the data subjects concerned. The notification must be made within the timeframe specified by the UAE Data Office in its guidance, and must include: a description of the nature of the breach; the categories and approximate number of individuals affected; the categories and approximate volume of personal data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach. Where the breach is likely to result in significant harm to the affected individuals — such as financial loss, identity theft, discrimination, or other serious detriment — the organisation must also notify the affected data subjects directly, without undue delay. Organisations must maintain a record of all data breaches regardless of whether notification is required, including details of the breach, its effects, and remedial actions taken. This record must be available for inspection by the UAE Data Office. Companies operating from the DIFC are subject to the DIFC Data Protection Law 2020 notification requirements, which require notification to the DIFC Commissioner of Data Protection within 72 hours of discovering a breach that is likely to result in a risk to data subjects' rights and freedoms — a stricter timeline than the federal PDPL.
Under the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, individuals (data subjects) have the following rights in relation to their personal data: the right of access — to obtain confirmation of whether the organisation holds their personal data and to receive a copy; the right to correction — to have inaccurate or incomplete data corrected; the right to erasure — to have data deleted where it is no longer necessary for its original purpose, where consent has been withdrawn and there is no other lawful basis, or where the data has been unlawfully processed; the right to restriction of processing — in certain circumstances while a dispute about accuracy or lawfulness is resolved; the right to data portability — to receive data in a structured, machine-readable format and to transmit it to another controller; the right to object — to processing based on legitimate interests or direct marketing; and the right not to be subject to automated decision-making, including profiling, that produces significant legal effects, except on defined lawful bases. Organisations must respond to data subject requests within the period specified by the UAE Data Office and may charge a reasonable fee for manifestly unfounded or excessive requests. Where a request is refused, the organisation must inform the data subject of the reason and of their right to complain to the UAE Data Office.
Non-compliance with the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, can result in significant penalties. The UAE Data Office — the supervisory authority established under the PDPL — has powers to investigate complaints, conduct audits, issue warnings and reprimands, order processing to be suspended or restricted, and impose administrative fines. Fines under the PDPL can reach AED 5 million for serious violations, including unlawful processing of sensitive personal data, failure to implement adequate security measures, and failure to notify the UAE Data Office of a breach within the required timeframe. Repeat or aggravated violations may attract higher penalties. Beyond administrative fines, non-compliance can expose organisations to civil claims from affected data subjects, reputational damage, and regulatory scrutiny from other UAE authorities whose licensing and governance requirements include data protection compliance — including the Central Bank of the UAE for financial institutions, the Insurance Authority, and sector-specific regulators. Companies based in the DIFC or ADGM are subject to the enforcement powers of those zones' data protection commissioners, which include fines under the DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021 respectively, in addition to any applicable federal PDPL obligations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Online Store Privacy Policy (UAE)
A UAE online store privacy policy compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the E-Commerce Law (Federal Decree-Law No. 46 of 2021), and Consumer Protection Law No. 15 of 2020. Covers data collection, processing, sharing, retention, and data subject rights.
Data Processing Agreement (UAE)
A data processing agreement for the UAE governing how a data processor handles personal data on behalf of a data controller, fully compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) administered by the UAE Data Office.
Employee Handbook (UAE)
A comprehensive Employee Handbook for UAE private-sector employers, structured under Federal Decree-Law No. 33 of 2021 and Cabinet Resolution No. 1 of 2022. Covers employment basics, pay, WPS, leave, conduct, discipline, grievances, and exit procedures.
Cybersecurity Services Agreement (UAE)
A cybersecurity services agreement for the UAE governing SOC monitoring, penetration testing, incident response, and data protection obligations under the PDPL Federal Decree-Law No. 45 of 2021 and Cybercrime Law Federal Decree-Law No. 34 of 2021.
Website Terms and Conditions (UAE)
Website Terms and Conditions set out the contract between a UAE website operator and its users, covering services, payment, acceptable use, liability, and data protection. They align with the Consumer Protection Law (Federal Law No. 15 of 2020), the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), and UAE electronic commerce rules.