
Online Store Privacy Policy (UAE)

ONLINE STORE PRIVACY POLICY

Operated by: [Business Name] (Trade Licence: [Business Licence]), [Business Address]

Website: [Website URL] | Privacy contact: [Privacy Contact Email]

Effective date: [Effective Date]

This Privacy Policy (the "Policy") explains how [Business Name] collects, uses, shares, and protects personal data in connection with the online store at [Website URL]. The Policy is issued under the Personal Data Protection Law of the United Arab Emirates (Federal Decree-Law No. 45 of 2021) (the "PDPL"), administered by the UAE Data Office, and the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021). By using this store and placing an order, customers acknowledge this Policy.

1. DATA CONTROLLER

1.1 [Business Name], registered at [Business Address] under Trade Licence [Business Licence], is the data controller for personal data collected through [Website URL]. Customers may contact the data controller on privacy matters at [Privacy Contact Email].

1.2 [Business Name] operates in the United Arab Emirates and is subject to the PDPL and any implementing regulations issued by the UAE Data Office.

2. PERSONAL DATA COLLECTED

2.1 Categories of personal data collected: [Data Types Collected].

2.2 Collection may occur when a customer: creates an account, places an order, uses the website or app, contacts customer service, subscribes to marketing, or participates in a promotion.

2.3 [Business Name] does not knowingly collect personal data from individuals under 18 years of age without verifiable parental consent. Customers who are minors under UAE law must obtain guardian consent before providing personal data.

3. PURPOSES AND LEGAL BASES

3.1 Purposes of processing: [Processing Purposes].

3.2 Legal bases for processing: [Legal Bases].

3.3 Where processing is based on consent, customers have the right to withdraw consent at any time by contacting [Privacy Contact Email] or using the unsubscribe link in marketing communications. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

3.4 Where processing is necessary to comply with a legal obligation, examples include keeping VAT records as required by Federal Decree-Law No. 8 of 2017 and the Federal Tax Authority, and retaining commercial records under the Commercial Transactions Law (Federal Decree-Law No. 50 of 2022).

4. DATA SHARING

4.1 Third parties with which personal data is shared: [Third Party Sharing].

4.2 All third-party processors are required by contract to process personal data only on [Business Name]'s instructions and to apply security measures consistent with the PDPL.

4.3 [Business Name] may disclose personal data to UAE law enforcement, courts, or regulators — including the Consumer Protection Authority, the Federal Tax Authority, or the Ministry of Economy — where required by UAE law or a valid court order.

4.4 [Business Name] does not sell personal data to third parties.

5. INTERNATIONAL DATA TRANSFERS

5.1 Cross-border data transfers: [Cross-Border Transfer].

5.2 The PDPL restricts transfers of personal data outside the UAE except where the destination country is on the UAE Data Office's adequate protection list, or where appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules, or other mechanisms approved by the UAE Data Office.

6. RETENTION

6.1 Retention periods: [Retention Period].

6.2 When personal data is no longer needed, [Business Name] will securely delete or anonymise it. Data required for legal compliance (such as VAT records under the 5-year statutory retention period set by the Federal Tax Authority) will be retained for the legally required period even after account deletion.

7. DATA SUBJECT RIGHTS

7.1 Under the PDPL (Federal Decree-Law No. 45 of 2021), UAE residents have the right to: access their personal data; correct inaccurate data; request deletion of data no longer required; object to processing based on legitimate interest; restrict processing in certain circumstances; and withdraw consent where processing is consent-based.

7.2 How to exercise rights: [Rights Exercise Process].

7.3 If customers are dissatisfied with how a request is handled, they may lodge a complaint with the UAE Data Office.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Cookie and tracking technology use: [Cookie Policy].

8.2 Essential cookies necessary for the website to function are placed without consent. Analytics and marketing cookies require consent, which is obtained through the cookie preference centre on the first visit. The use of electronic tracking is subject to the PDPL and the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021).

9. SECURITY

9.1 [Business Name] applies technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, consistent with the security requirements of the PDPL. Payment card data is handled via PCI-DSS-compliant payment processors and is not stored in full by [Business Name].

9.2 In the event of a personal data breach that is likely to result in risk to the rights of individuals, [Business Name] will notify the UAE Data Office and affected customers in accordance with the notification obligations in the PDPL.

10. CONSUMER PROTECTION AND E-COMMERCE

10.1 This Policy operates alongside [Business Name]'s obligations under Consumer Protection Federal Decree-Law No. 15 of 2020 and Cabinet Decision No. 66 of 2023. Customers retain all statutory rights under UAE consumer protection law.

10.2 All transactions through [Website URL] are subject to the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021), which gives electronic records and electronic signatures the same legal effect as paper equivalents.

11. CHANGES AND GOVERNING LAW

11.1 [Business Name] may update this Policy from time to time. Material changes will be notified by email or by a prominent notice on [Website URL] at least 30 days before they take effect.

11.2 This Policy is governed by the laws of the United Arab Emirates. Disputes are subject to the jurisdiction of the competent UAE courts.

For any privacy enquiry, contact [Business Name] at [Privacy Contact Email].

Data Controller Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Online Store Privacy Policy (UAE)?

An Online Store Privacy Policy in the United Arab Emirates is a legally required document that informs customers how their personal data is collected, processed, shared, retained, and protected by the operator of an e-commerce store. The document fulfils the transparency and disclosure obligations of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the UAE's primary data protection statute administered by the UAE Data Office. Under the PDPL, any entity processing personal data in the UAE or about UAE residents must publish a Privacy Policy that identifies the data controller, describes the categories of data collected and the purposes of processing, discloses third parties with whom data is shared, sets out retention periods, and explains how data subjects may exercise their rights.

The UAE data protection framework has matured significantly in recent years. The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) represents a comprehensive federal data protection regime modelled on international standards, covering all private-sector entities outside the DIFC and ADGM free zones, which operate their own data protection regimes — the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021 respectively. UAE online stores must identify which regime applies to their operations and publish a Privacy Policy consistent with the applicable framework.

The Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) provides the statutory framework for digital commerce in the UAE, confirming that electronic contracts, digital records, and electronic signatures have the same legal effect as paper instruments. This law requires that the terms governing a digital transaction — including privacy terms — be disclosed to the consumer before the transaction is confirmed. A Privacy Policy that is accessible only after checkout fails this pre-purchase disclosure obligation.

Consumer Protection Federal Decree-Law No. 15 of 2020 reinforces the obligation to provide accurate, transparent information about how customer data is handled. Cabinet Decision No. 66 of 2023 sets implementing procedures for consumer transactions, including the minimum information that must be communicated before a purchase.

VAT under Federal Decree-Law No. 8 of 2017 requires online stores to retain VAT-related transaction records, including customer invoice details, for at least five years — a legal retention obligation that the Privacy Policy should acknowledge to explain why transaction data is not deleted on account closure. Anti-money laundering obligations under Federal Decree-Law No. 20 of 2018 impose additional retention and monitoring duties on certain categories of e-commerce transactions.

Payment data security involves separate obligations under the standards of the card schemes (PCI DSS) and the Central Bank of the UAE's regulations on payment services. UAE online stores typically use PCI-DSS-compliant payment gateways operated by providers such as Telr, Network International, PayFort (Amazon Payment Services), or Stripe, which prevents the store from storing raw card data. The Privacy Policy should acknowledge this arrangement and confirm that payment processing is handled by third-party processors.

The UAE Data Office may investigate complaints from consumers who believe their privacy rights have been violated and may impose fines and corrective orders on data controllers that fail to comply with the PDPL.

When Do You Need an Online Store Privacy Policy (UAE)?

An Online Store Privacy Policy in the UAE is needed by every business that operates an e-commerce website, app, or digital storefront through which UAE consumers purchase goods or services and provide personal data in the process. The requirement arises at the moment of launch, before the first transaction is completed.

Startup online retailers establishing a UAE e-commerce presence must publish a Privacy Policy before accepting the first order. The UAE Data Office may investigate new e-commerce businesses for PDPL compliance, and the absence of a Privacy Policy is a clear and easily identified violation. The Consumer Protection Authority may also flag the absence of a Privacy Policy during market surveillance of e-commerce websites.

Existing businesses adding an online sales channel to a physical retail presence must create an Online Store Privacy Policy even if they have an existing corporate privacy statement, because the online store context involves additional data collection activities — analytics, cookies, digital marketing, and delivery partner data sharing — not covered by a generic corporate policy.

International e-commerce businesses selling to UAE residents from an overseas platform must assess their PDPL obligations. The PDPL applies to the processing of personal data about UAE residents regardless of where the processing entity is established. An overseas online store with UAE customers must assess whether its Privacy Policy meets PDPL standards and whether the UAE Data Office has extraterritorial jurisdiction over its processing activities.

Free-zone online stores, including those established in the DMCC, DAFZA, or twofour54, that sell to UAE mainland consumers are subject to the federal PDPL for consumer-facing data processing, even if their internal corporate operations are governed by free-zone regulations. The Privacy Policy must reflect the federal PDPL framework for the consumer-facing elements.

Online stores using third-party platforms — Shopify, WooCommerce, Magento, or UAE-hosted equivalents — must ensure their Privacy Policy accurately reflects the data processing activities of those platforms and the data sharing that occurs between the store and the platform provider, as both are processors accessing the store's customer data.

Online stores that refresh their technology stack, add new analytics tools, engage new payment processors, or introduce loyalty or personalisation features must update their Privacy Policy to reflect the new processing activities before those activities begin.

What to Include in Your Online Store Privacy Policy (UAE)

A UAE Online Store Privacy Policy compliant with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) must contain the following elements. The forms-legal.com UAE Online Store Privacy Policy template covers each component.

Data controller identification must state the full legal name, trade licence number, registered address, and privacy contact email of the entity responsible for data processing. The UAE Data Office and consumers must be able to identify and contact the data controller. Where the store is operated by a company with a different trading name from its legal entity, both must be disclosed.

Categories of personal data collected must list all types of personal data the store collects: identity data (name, Emirates ID), contact data (email, phone, address), transaction data (orders, invoices, payment references), technical data (IP address, device, browser, cookies), behavioural data (browsing history, purchase preferences), and any sensitive data (health, biometric) collected for specific purposes.

Purposes of processing must describe why each category of data is collected: order fulfilment, customer service, fraud prevention, VAT compliance, marketing, website analytics, and any other purpose. The purposes must be specific and honest — a catch-all 'to improve our services' without further detail is insufficient.

Legal bases must identify the PDPL basis for each processing purpose: contract performance, legal obligation, consent, or legitimate interest. Consent-based processing must disclose how consent is obtained and how it may be withdrawn.

Third-party data sharing must list all third parties receiving customer data: payment processors, delivery couriers, analytics providers, marketing platforms, cloud hosting providers, and customer service software. The category and purpose of sharing must be described for each recipient.

International data transfers must identify whether data is transferred outside the UAE, to which countries or regions, and on what safeguards — adequacy list, standard contractual clauses, or other approved mechanisms under the PDPL.

Retention periods must state specific retention periods by data category, aligned with the legal minimum retention obligations under Federal Decree-Law No. 8 of 2017 for VAT records and Commercial Transactions Law requirements, together with shorter periods for marketing and analytics data.

Data subject rights must explain the rights available under the PDPL — access, correction, erasure, restriction, objection, and portability — and the process for exercising them, including the response timeframe and the right to complain to the UAE Data Office.

Cookies and tracking must describe the types of cookies used, their purpose, and how the consumer may manage cookie preferences.

Security must describe the technical and organisational measures applied to protect personal data, including the use of PCI-DSS-compliant payment processors.

Policy updates must describe how changes are communicated and the effective date mechanism.

How to Fill Out Your Online Store Privacy Policy (UAE)

Completing a UAE Online Store Privacy Policy requires an honest audit of data processing activities before drafting. Work through the template in order.

Enter the business name exactly as it appears on the UAE trade licence, the trade licence number, and the registered address. Enter the privacy contact email, ideally a dedicated address for privacy queries, which signals to the UAE Data Office and to customers that data protection queries are handled seriously.

Enter the online store URL. This is the primary digital presence whose data practices the policy governs.

Enter the effective date in DD/MM/YYYY format. Update this date whenever the policy is materially amended.

Describe the categories of personal data collected accurately. List every category the store actually collects. Do not include categories the store does not collect — inaccurate over-disclosure is itself a PDPL concern — but do not omit categories the store does collect.

Describe the processing purposes specifically. Map each data category to a purpose: name and address — order fulfilment; email — order confirmation and, with consent, marketing; IP address — fraud prevention and analytics.

Identify the legal basis for each purpose, consistent with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021): contract performance, legal obligation, consent, or legitimate interest.

List all third-party recipients. Check the store's actual technology stack: payment gateway, courier, warehouse, analytics, email marketing platform, customer service software, and cloud hosting. Name the categories of provider and the purpose of data sharing.

Describe cross-border transfer safeguards. Check whether the UAE Data Office has published an adequacy list covering the countries where data processors are located.

Set retention periods by data category. Align transaction record retention with the five-year VAT retention obligation under Federal Decree-Law No. 8 of 2017. Set shorter periods for marketing data and analytics.

Describe the rights exercise process: direct customers to the privacy contact email, state the response timeframe consistent with the PDPL, and note the right to complain to the UAE Data Office.

Publish the Privacy Policy on the website with a link accessible from every page footer and from the checkout flow.

Common Mistakes to Avoid in Your Online Store Privacy Policy (UAE)

UAE online stores frequently publish Privacy Policies that fail to meet PDPL requirements, creating UAE Data Office enforcement exposure and undermining consumer trust. The most common mistakes follow.

1. Generic template not adapted to UAE law. A Privacy Policy drafted for GDPR or US law and not updated for the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) will reference legal bases, data subject rights, and supervisory authorities that do not exist in UAE law. The policy must reference the PDPL and the UAE Data Office.

2. Missing lawful basis identification. A policy that states only 'we process your data to improve your experience' without identifying the PDPL lawful basis fails the transparency requirement. Each processing purpose must state its legal basis.

3. Third-party sharing not disclosed. Online stores routinely share customer data with payment processors, couriers, and analytics providers without disclosing this in the Privacy Policy. Undisclosed data sharing violates the PDPL's transparency principle and may also breach the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021).

4. Consent conflated with contract performance. Using a customer's order placement as consent for marketing emails conflates two distinct lawful bases. Marketing consent must be obtained separately and affirmatively, independently of the purchase transaction.

5. No cross-border transfer disclosure. Storing customer data on overseas cloud servers without disclosing the transfer and the safeguards applied violates the PDPL's data transfer restrictions. The destination countries and safeguards must be named.

6. No data breach notification process. Online stores without a breach notification procedure are unprepared to comply with the PDPL's breach notification obligations. An internal incident response process should be in place before the store launches.

7. Policy not accessible before checkout. A Privacy Policy linked only from the website footer or account settings page, with no link in the checkout flow, fails the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021) pre-purchase disclosure requirement.

Based on Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
