Vendor Code of Conduct (UAE)
VENDOR CODE OF CONDUCT
Issued by: [Company Name], [Company Address]
Effective Date: [Effective Date]
Compliance Contact: [Compliance Contact]
This Vendor Code of Conduct (the "Code") sets out the ethical, legal, and operational standards that [Company Name] (the "Company") requires of every vendor, supplier, contractor, and service provider (each a "Vendor") that supplies goods or services to the Company. The Code applies from the date on which the Vendor is registered on the Company's approved-supplier list or first receives a purchase order from the Company, whichever is earlier.
1. BUSINESS ETHICS AND ANTI-CORRUPTION
1.1 Each Vendor must conduct its business with integrity and in full compliance with the UAE Penal Code (Federal Decree-Law No. 31 of 2021), the UAE Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector, and any applicable anti-bribery laws in the jurisdictions in which the Vendor operates.
1.2 Vendors must not offer, give, promise, or receive any bribe, kickback, facilitation payment, or improper benefit — whether in cash, gift, hospitality, or in kind — to or from any employee, officer, agent, or representative of the Company, or any public official. Any gift or hospitality offered to or received from Company personnel must comply with the Company's gift and hospitality policy.
1.3 Vendors must not engage in fraudulent misrepresentation in quotations, invoices, certificates of origin, quality certifications, or any other documents submitted to the Company.
1.4 Vendors must avoid conflicts of interest and must disclose to the Company any relationship — financial, familial, or otherwise — that may create an actual or perceived conflict of interest with the Company's personnel involved in procurement decisions.
2. LEGAL COMPLIANCE
2.1 Each Vendor must hold and maintain a valid trade licence from the relevant UAE Department of Economic Development or free-zone authority, and must comply with all UAE laws applicable to its business activities, including the Commercial Transactions Law (Federal Decree-Law No. 50 of 2022) and the UAE Civil Code (Federal Law No. 5 of 1985).
2.2 Vendors must comply with the UAE Labour Law (Federal Decree-Law No. 33 of 2021) in respect of all workers engaged in performing the Vendor's supply obligations. Vendors must not use forced, bonded, or child labour. Wages must be paid through the Wages Protection System (WPS) where required, and workers must not be charged recruitment fees as a condition of employment.
2.3 Vendors must comply with the UAE Federal Decree-Law No. 6 of 2019 concerning People of Determination (disability), and must not discriminate in their workforce on the grounds of nationality, gender, religion, or disability.
2.4 Vendors must comply with the VAT Law (Federal Decree-Law No. 8 of 2017) and issue compliant tax invoices, including the Tax Registration Number (TRN) from the Federal Tax Authority (FTA), for every supply to the Company.
2.5 Where the Vendor handles personal data of the Company or its employees, it must comply with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and must process data only for the purpose for which it is provided.
3. ENVIRONMENT AND SUSTAINABILITY
3.1 Vendors must comply with all applicable UAE environmental laws and regulations, including the Environment Protection and Development Law (Federal Law No. 24 of 1999) and any emirate-level environmental regulations issued by the Environment Agency — Abu Dhabi (EAD), the Dubai Municipality, or the Sharjah Environment and Protected Areas Authority.
3.2 Vendors are encouraged to adopt environmentally sustainable practices, reduce waste, minimise energy consumption, and support the UAE's National Net Zero by 2050 Strategy.
3.3 Vendors that supply chemical products must comply with applicable UAE customs and chemical import regulations and must provide safety data sheets on request.
4. HEALTH AND SAFETY
4.1 Vendors must maintain safe working conditions for all personnel engaged in delivering goods or services to the Company, in compliance with applicable UAE occupational health and safety requirements and any site-specific rules communicated by the Company.
4.2 Vendors performing services at Company premises must comply with the Company's health and safety policy and must ensure that their personnel hold any required training, certification, or personal protective equipment.
5. CONFIDENTIALITY AND DATA PROTECTION
5.1 Vendors must keep confidential all non-public information of the Company — including pricing, business processes, personnel data, customer information, and technical specifications — obtained in the course of the supply relationship, and must not use it for any purpose other than performing the supply obligation.
5.2 Vendors that process personal data under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) must implement appropriate technical and organisational security measures and must notify the Company immediately of any personal data breach.
6. REPORTING AND CONSEQUENCES
6.1 Vendors must report any suspected breach of this Code — including bribery, fraud, forced labour, environmental violation, or data breach — to the Company's reporting channel: [Reporting Channel]. Reports may be made anonymously.
6.2 Consequence of breach: [Consequence of Breach].
6.3 The Company reserves the right to audit a Vendor's compliance with this Code on reasonable notice. Vendors must cooperate fully with such audits.
By signing below, [Vendor Name] (Trade Licence: [Vendor Licence]), of [Vendor Address], acknowledges receipt of this Vendor Code of Conduct and confirms that it will comply with all requirements set out herein.
Acknowledged by: [Vendor Name]
For and on behalf of: [Company Name]
Vendor Representative
________________
Signature
Company Procurement
________________
Signature
What Is a Vendor Code of Conduct (UAE)?
A Vendor Code of Conduct in the United Arab Emirates is the policy document through which a buying organisation sets out the ethical, legal, and operational standards it requires every vendor, supplier, contractor, and service provider in its supply chain to uphold. The Code translates the company's own compliance obligations — anti-bribery, labour rights, environmental protection, data privacy, and commercial integrity — into binding requirements for the vendor, backed by contractual consequences including suspension or removal from the approved-supplier list.
The legal obligations that drive UAE vendor codes of conduct are numerous and significant. Anti-bribery and anti-corruption duties arise from the UAE Penal Code (Federal Decree-Law No. 31 of 2021), which criminalises active and passive bribery in both public and private sectors, and from the Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector, which applies specifically to dealings with UAE public officials and government-linked entities. The Central Anti-Corruption Authority of the UAE oversees compliance across the public sector and increasingly publishes guidance relevant to the private sector. Companies that supply international clients or operate with foreign parent entities also face extraterritorial anti-bribery laws such as the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (FCPA), both of which extend to UAE supply-chain conduct.
Labour rights obligations flow from the UAE Labour Law (Federal Decree-Law No. 33 of 2021) and Cabinet Resolution No. 1 of 2022, enforced by the Ministry of Human Resources and Emiratisation (MOHRE) through the Wages Protection System (WPS), labour inspections, and the TASHEEL and AMER service centres. The ILO Forced Labour Convention and the ILO Child Labour Conventions, to which the UAE is committed, prohibit bonded labour, passport confiscation, and child labour — practices that a robust vendor code must expressly prohibit.
Data protection obligations under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), administered by the UAE Data Office, require both controllers and processors to protect personal data. The DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021 apply in those free zones. Environmental obligations arise from the Environment Protection and Development Law (Federal Law No. 24 of 1999) and emirate-level agencies including the Environment Agency — Abu Dhabi (EAD) and Dubai Municipality's Environment Department. The UAE's National Net Zero by 2050 Strategy, announced by President His Highness Sheikh Mohamed bin Zayed Al Nahyan, motivates sustainability requirements in corporate supply chains.
When Do You Need a Vendor Code of Conduct (UAE)?
A Vendor Code of Conduct in the United Arab Emirates is needed whenever a buying organisation wants to set enforceable ethical and compliance standards for its vendor base, rather than relying solely on UAE law to govern vendor conduct. The code is particularly important in several distinct procurement and governance contexts.
Regulated industries require vendor codes as part of their compliance frameworks. Banks and financial institutions regulated by the Central Bank of the UAE must manage third-party risk under the Central Bank's outsourcing and third-party risk management standards, which include supply-chain integrity. Insurance companies regulated by the Insurance Authority and investment managers regulated by the Securities and Commodities Authority (SCA) face similar third-party governance obligations. Healthcare facilities licensed by the Dubai Health Authority (DHA) or the Department of Health — Abu Dhabi (DoH) require their medical device and pharmaceutical vendors to meet quality, safety, and integrity standards documented in a code or equivalent instrument.
Multinational companies with UAE operations are required by their parent-company compliance programmes to impose code-of-conduct obligations on suppliers in every jurisdiction. UK parent companies subject to the UK Bribery Act 2010 must have 'adequate procedures' in place across their supply chains. US parent companies subject to the FCPA must conduct supply-chain due diligence. German parent companies subject to the German Supply Chain Due Diligence Act (LkSG) must audit UAE suppliers for forced labour and environmental violations. A UAE vendor code of conduct is the primary contractual mechanism through which these parent-company obligations are passed to UAE vendors.
ISO 9001:2015 certified organisations must evaluate and monitor external providers, including their compliance with quality and legal requirements. An ISO 14001 certified company must extend its environmental management system requirements to significant suppliers. A vendor code of conduct documents the company's supply-chain standards and provides the basis for supplier audits, which are required evidence for ISO certification renewal.
Government-linked entities and companies that supply federal or emirate government entities must meet the integrity standards of the UAE Government Procurement Law (Federal Decree-Law No. 26 of 2021) and the Abu Dhabi Accountability Authority's procurement framework. Maintaining a vendor code of conduct and requiring vendors to sign it demonstrates procurement integrity and supports the buying organisation's own compliance in its dealings with government customers.
What to Include in Your Vendor Code of Conduct (UAE)
A UAE Vendor Code of Conduct that achieves its compliance objectives and is enforceable before the Dubai Courts, the Abu Dhabi Judicial Department, or the free-zone tribunals must contain the following elements. The forms-legal.com UAE vendor code of conduct template addresses each component in a structure aligned with leading practice across the Gulf region.
Company identification must record the full legal name of the issuing organisation, its address, the compliance contact for the code, and the effective date, so that vendors know who has issued the code and when their obligations begin.
Vendor identification must record the vendor's full legal name, trade licence number, and address, and must require the vendor's authorised representative to sign the code as a condition of registration on the approved-supplier list.
Business ethics and anti-corruption must prohibit bribery in all forms — cash, gifts, hospitality, and facilitation payments — in compliance with the UAE Penal Code (Federal Decree-Law No. 31 of 2021) and the Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector. The section should require conflict-of-interest disclosure and prohibit fraudulent documentation.
Legal compliance must require the vendor to hold a valid trade licence, to comply with the Commercial Transactions Law (Federal Decree-Law No. 50 of 2022) and the UAE Civil Code (Federal Law No. 5 of 1985), and to issue VAT-compliant tax invoices under the VAT Law (Federal Decree-Law No. 8 of 2017) with a valid Tax Registration Number (TRN) from the Federal Tax Authority (FTA).
Labour standards must prohibit forced labour, bonded labour, passport confiscation, and child labour, and must require compliance with the UAE Labour Law (Federal Decree-Law No. 33 of 2021), the Wages Protection System (WPS) administered by MOHRE, and ILO core labour standards.
Environmental obligations must require compliance with the Environment Protection and Development Law (Federal Law No. 24 of 1999) and relevant emirate-level regulations from the Environment Agency — Abu Dhabi (EAD), Dubai Municipality, or the Sharjah Environment and Protected Areas Authority.
Health and safety must require safe working conditions for personnel delivering at Company premises, consistent with UAE occupational health and safety requirements.
Data protection must require compliance with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), with separate provisions for DIFC Data Protection Law (DIFC Law No. 5 of 2020) and ADGM Data Protection Regulations 2021 where relevant.
Reporting and consequences must provide a confidential reporting channel for suspected breaches and must specify the consequences of breach — suspension, removal from the approved list, or immediate contract termination — as a contractual obligation enforceable by the Company under Article 272 of the UAE Civil Code (Federal Law No. 5 of 1985).
How to Fill Out Your Vendor Code of Conduct (UAE)
Completing a Vendor Code of Conduct for the United Arab Emirates requires the issuing organisation to have its compliance contact details, reporting channel, and consequence-of-breach policy confirmed before circulating the document to vendors.
Start with company identification. Enter the full legal name of the issuing organisation exactly as it appears on its trade licence from the relevant Department of Economic Development or free-zone authority, the registered address, the compliance contact email, and the effective date in DD/MM/YYYY format. The effective date is typically the date from which the code applies to all new vendor onboardings; existing vendors may be given a transition period.
Enter the vendor's full legal name, trade licence number, and registered address. This information is verified against the supplier registration documents collected during onboarding, ensuring that the code is signed by the entity with which the Company is contracting rather than a related but different legal person.
Set the reporting channel. This must be an accessible, confidential channel — an email address monitored by the compliance function, a third-party ethics hotline, or an online reporting portal. The reporting channel must be independent of the procurement team so that vendors reporting bribery or misconduct by procurement employees are not exposed. The Company's whistleblower policy should protect reporters from retaliation consistent with the UAE Whistleblower Protection provisions in the Federal Decree-Law No. 6 of 2016.
Choose the consequence-of-breach option that reflects the Company's risk appetite: suspension followed by permanent removal for most organisations, immediate termination for those operating in highly regulated industries or with international anti-bribery programme requirements. The consequence should be the same regardless of which provision of the code is breached, to avoid arguments about whether a particular breach is severe enough to trigger removal.
Obtain signature from an authorised representative of the vendor — a director or manager with authority under the Commercial Companies Law (Federal Decree-Law No. 32 of 2021) — and from the Company's procurement or compliance officer. Electronic signatures are valid under the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021). File the signed code in the vendor's qualification record alongside the onboarding agreement. Review and reissue the code whenever the Company's compliance obligations change, requiring existing vendors to re-acknowledge.
Legal Requirements for Vendor Code of Conduct (UAE)
A Vendor Code of Conduct in the United Arab Emirates is a contractual compliance instrument governed by the UAE Civil Code (Federal Law No. 5 of 1985), which makes the contract the law of the parties under Article 257 and supports termination for material breach under Article 272. The code's substantive requirements track numerous UAE laws that impose direct obligations on vendors.
Anti-bribery: the UAE Penal Code (Federal Decree-Law No. 31 of 2021) criminalises bribery in public and private sectors, and the Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector applies to dealings with government entities. The Central Anti-Corruption Authority of the UAE has enforcement powers. Multinational vendors also face the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (FCPA) on an extraterritorial basis.
Labour: the UAE Labour Law (Federal Decree-Law No. 33 of 2021) and Cabinet Resolution No. 1 of 2022 require compliant employment contracts, minimum wages, WPS compliance, and end-of-service gratuity. The Ministry of Human Resources and Emiratisation (MOHRE) enforces the Labour Law through inspections and the AMER service centre. Passport confiscation is a criminal offence under the UAE Penal Code (Federal Decree-Law No. 31 of 2021). Child labour is prohibited.
Data protection: the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), administered by the UAE Data Office, applies to onshore data processing. The DIFC Data Protection Law (DIFC Law No. 5 of 2020) and ADGM Data Protection Regulations 2021 apply in those free zones. Vendors that process personal data must implement security measures and report breaches.
Environment: the Environment Protection and Development Law (Federal Law No. 24 of 1999) sets national environmental standards, supplemented by emirate-level regulations from the Environment Agency — Abu Dhabi (EAD), Dubai Municipality, and the Sharjah Environment and Protected Areas Authority.
VAT: the VAT Law (Federal Decree-Law No. 8 of 2017) requires registered vendors to issue compliant tax invoices with their TRN from the Federal Tax Authority (FTA).
Common Mistakes to Avoid in Your Vendor Code of Conduct (UAE)
A UAE Vendor Code of Conduct achieves its compliance objectives only when it is complete, specific, and contractually binding. The following errors undermine its effectiveness.
1. Not making the code contractually binding. A code of conduct distributed as a policy document without being incorporated into the vendor agreement or onboarding agreement has no enforceable weight. The code must be signed by the vendor and referenced in the contract to create a binding obligation enforceable under Article 257 of the UAE Civil Code (Federal Law No. 5 of 1985).
2. Vague anti-bribery provisions. A code that prohibits 'improper payments' without defining what is prohibited — kickbacks, facilitation payments, gifts above a threshold — is unenforceable in practice. Specify the prohibited conduct, including the gift and hospitality threshold, in clear language consistent with the UAE Penal Code (Federal Decree-Law No. 31 of 2021).
3. Omitting labour rights. Failing to address forced labour, passport confiscation, and WPS compliance leaves a significant gap in supply-chain ethics coverage. Passport confiscation is a UAE criminal offence; WPS non-compliance is a Ministry of Human Resources and Emiratisation (MOHRE) enforcement priority. Both must be expressly prohibited.
4. No data protection clause. Omitting a data protection requirement from the code means vendors handling the company's employee or customer data are not contractually bound to protect it, creating exposure under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
5. No reporting channel. A code without a confidential reporting channel cannot be self-enforced. Vendors and their employees will not report misconduct if there is no mechanism or if they fear retaliation.
6. No audit right. A code without the right to audit compliance allows vendors to sign the code and disregard it. Include an audit right and exercise it periodically for critical suppliers.
7. Stale code not updated. A code that was last issued in 2022 and not updated since does not reflect the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) enacted in that year, the revised Labour Law (Federal Decree-Law No. 33 of 2021), or the updated Penal Code (Federal Decree-Law No. 31 of 2021). Review and reissue the code at least every two years.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Vendor Code of Conduct (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/business/policies/vendor-code-of-conduct-uae
"Vendor Code of Conduct (UAE) (United Arab Emirates)." Forms Legal, 2026, https://forms-legal.com/uae/business/policies/vendor-code-of-conduct-uae.
@misc{formslegal-vendor-code-of-conduct-uae,
author = {{Forms Legal}},
title = {Vendor Code of Conduct (UAE) (United Arab Emirates)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uae/business/policies/vendor-code-of-conduct-uae}},
note = {Free legal document template. Based on UAE Penal Code (Federal Decree-Law No. 31 of 2021)}
}Frequently Asked Questions
A Vendor Code of Conduct in the United Arab Emirates serves as the company's primary tool for extending its ethical and legal compliance requirements to the vendors and suppliers in its procurement chain. Companies operating in the UAE face a growing body of obligations that extend beyond their own operations to the conduct of their suppliers: anti-bribery and anti-corruption requirements under the UAE Penal Code (Federal Decree-Law No. 31 of 2021) and the Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector; labour rights requirements under the UAE Labour Law (Federal Decree-Law No. 33 of 2021) and the Wages Protection System (WPS) administered by the Ministry of Human Resources and Emiratisation (MOHRE); data protection obligations under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021); and environmental obligations under the Environment Protection and Development Law (Federal Law No. 24 of 1999).
Multinational companies with UAE operations are additionally required by their parent-company compliance frameworks — including the UK Bribery Act 2010, the US Foreign Corrupt Practices Act (FCPA), and the EU Corporate Sustainability Due Diligence Directive — to conduct due diligence on their supply chains and to impose ethical standards on vendors through contractual instruments such as a code of conduct.
The Dubai Chamber of Commerce and Industry, the Abu Dhabi Chamber of Commerce, and the UAE Ministry of Economy have all promoted corporate governance standards that include supply-chain ethics as a component. Large UAE developers, hotel groups, healthcare providers, and government-linked companies increasingly require vendors to sign a code of conduct as part of the supplier onboarding process, and the code forms part of the contractual basis on which the supply relationship rests. A vendor that breaches the code — through bribery, use of forced labour, or fraudulent invoicing — can be removed from the approved-supplier list and terminated from active contracts.
Anti-bribery obligations for vendors in the United Arab Emirates arise from the UAE Penal Code (Federal Decree-Law No. 31 of 2021), which criminalises active bribery (the giving of a bribe), passive bribery (the receiving of a bribe), and facilitation payments regardless of their value or the seniority of the recipient. The Federal Decree-Law No. 6 of 2016 on Anti-Corruption in the Public Sector extends these obligations to dealings involving UAE public officials and employees of public entities, semi-governmental companies, and free-zone authorities.
For vendors supplying private-sector companies, the UAE Penal Code (Federal Decree-Law No. 31 of 2021) applies to bribery in commercial contexts. A vendor that offers a kickback or an improper benefit to a buyer's procurement employee to influence an award decision commits an offence under UAE criminal law, punishable by imprisonment and a fine. The buyer company may also face liability for failing to prevent bribery in its supply chain if it has not taken reasonable preventive measures, consistent with the approach of anti-corruption frameworks in major trading partner jurisdictions such as the UK and Germany.
In practice, anti-bribery compliance for vendors in the UAE requires: a clear internal policy prohibiting bribery in all forms; a gifts and hospitality policy with a de minimis threshold (commonly AED 200 to AED 500) and a mandatory register; due diligence on procurement relationships, particularly where employees of the vendor interact with the buyer's procurement personnel; and a confidential reporting channel through which employees can report suspected bribery without fear of retaliation. The vendor code of conduct formalises these requirements and provides documentary evidence of the company's anti-bribery programme, which is increasingly reviewed by banks regulated by the Central Bank of the UAE as part of their own AML/CFT and reputational due diligence on corporate customers.
Vendors operating in the United Arab Emirates must comply with the UAE Labour Law (Federal Decree-Law No. 33 of 2021) and its implementing Cabinet Resolution No. 1 of 2022, which set the minimum standards for employment contracts, working hours, leave entitlements, end-of-service gratuity, and termination procedures. The Ministry of Human Resources and Emiratisation (MOHRE) administers and enforces the Labour Law and operates the Wages Protection System (WPS), which requires all employers to pay wages electronically through a registered payment agent and to report wage payments to MOHRE on a monthly basis.
Key labour standards that vendors must meet include the following. All workers must be employed under a written contract that complies with the Labour Law, with clear terms on wages, working hours, leave, and end-of-service gratuity calculated at 21 days' basic pay per year for the first five years and 30 days per year thereafter. Workers must not be charged recruitment fees or made to pay for their own immigration or work-permit costs as a condition of employment — a practice that amounts to debt bondage and is a form of forced labour prohibited by the Labour Law and the UAE's commitments under the ILO Forced Labour Convention.
Working hours must comply with Article 17 of the Labour Law: a maximum of eight hours per day or 48 hours per week in ordinary conditions, with paid overtime for additional hours. During Ramadan, working hours are reduced. Workers must receive weekly rest days.
Child labour is prohibited under UAE law: the minimum working age is 15, with restrictions on sectors and working hours for workers between 15 and 18. Vendors must verify the age of all workers. Workers must not have their passports confiscated, which is a criminal offence under the UAE Penal Code (Federal Decree-Law No. 31 of 2021). Housing provided by the employer must meet the standards set by MOHRE. Vendors that supply goods manufactured outside the UAE should also assess their international supply chains for forced labour and child labour risks.
The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies to vendors in the United Arab Emirates whenever they process personal data — defined as any data relating to an identified or identifiable natural person — in the course of supplying goods or services. Processing includes collecting, storing, using, disclosing, and transferring personal data. A vendor that receives employee records from a buyer for the purpose of providing HR software or payroll services, that processes customer data as part of a customer-relationship management implementation, or that accesses building-occupant data as part of a facilities management contract, is a data processor under the PDPL.
The PDPL requires data processors — vendors in this context — to process personal data only on the documented instructions of the data controller (the buyer), to implement appropriate technical and organisational security measures to protect the data, to notify the controller immediately of any personal data breach, to delete or return data at the end of the engagement, and to assist the controller in responding to data subject access requests. The UAE Data Office administers the PDPL and has the power to investigate complaints, conduct audits, and impose administrative penalties on both controllers and processors.
For vendors established in or supplying to entities in the DIFC, the DIFC Data Protection Law (DIFC Law No. 5 of 2020) applies, and the DIFC Commissioner of Data Protection has independent enforcement powers. For ADGM entities, the ADGM Data Protection Regulations 2021 apply, administered by the ADGM Registration Authority. Vendors that transfer personal data outside the UAE must comply with the cross-border transfer requirements of the relevant law: the PDPL permits transfers only to jurisdictions that provide adequate protection or under approved transfer mechanisms.
A vendor code of conduct should include a data protection clause that requires the vendor to comply with the applicable UAE data protection law, to process data only for the agreed purpose, to implement security measures, to notify data breaches, and to accept audit rights in relation to data processing activities.
A vendor can be removed from an approved-supplier list for a breach of the Vendor Code of Conduct in the United Arab Emirates, and the removal will be enforceable provided the code has been incorporated into the supplier onboarding agreement or vendor agreement as a contractual obligation and the removal process follows the procedure set out in those documents.
Under the UAE Civil Code (Federal Law No. 5 of 1985), Article 257 makes the contract the law of the parties. Where the vendor agreement or onboarding agreement expressly states that a breach of the code is a material breach entitling the company to terminate the agreement and remove the vendor from the approved list, this right will be upheld by the Dubai Courts, the Abu Dhabi Judicial Department, the DIFC Courts, and the ADGM Courts. The right of rescission in Article 272 of the Civil Code supports termination for material breach.
The process for removal should follow the procedure set out in the onboarding agreement or vendor agreement: where the breach is serious — confirmed bribery, use of forced labour, fraud, or a major data breach — immediate suspension pending investigation is appropriate, followed by permanent removal on confirmation of the breach. For less serious breaches, a notice of deficiency and a reasonable cure period is more defensible. The company should document the breach, the investigation, and the decision to remove, to provide an audit trail that can be relied on in any challenge brought by the removed vendor.
A vendor that disputes its removal from an approved list may bring a claim for wrongful termination before the relevant UAE court. The company's ability to defend such a claim depends on the precision of the code, the quality of the evidence of the breach, and the procedural fairness of the removal process. A well-drafted vendor code of conduct, incorporated as a contractual obligation and applied consistently, provides the foundation for a defensible removal decision.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Vendor Agreement (UAE)
A comprehensive vendor agreement for the UAE governing the supply of goods or services, including scope, deliverables, fees, VAT, performance standards, compliance, and termination, under the UAE Civil Code (Federal Law No. 5 of 1985) and Commercial Transactions Law (Federal Decree-Law No. 50 of 2022).
Supplier Onboarding Agreement (UAE)
A UAE supplier onboarding agreement covering registration documents, qualification criteria, performance obligations, VAT invoicing, audit rights, and approved-supplier list governance under the UAE Civil Code (Federal Law No. 5 of 1985) and the Commercial Transactions Law (Federal Decree-Law No. 50 of 2022).
Anti-Bribery Policy (UAE)
An Anti-Bribery Policy for UAE companies establishes zero tolerance for bribery and corruption, in compliance with the UAE Penal Code, Federal Decree-Law No. 31 of 2021, and the Anti-Money Laundering Law, Federal Decree-Law No. 20 of 2018. Covers government officials, private sector bribery, gifts, facilitation payments, and third-party due diligence.
Employee Code of Conduct (UAE)
A comprehensive Employee Code of Conduct for UAE private-sector employers, aligned with Federal Decree-Law No. 33 of 2021 and Cabinet Resolution No. 1 of 2022. Covers professional standards, integrity, data protection, and the disciplinary procedure.
Whistleblower Policy (UAE)
A Whistleblower Policy for UAE companies provides a confidential, protected channel for reporting suspected wrongdoing, including bribery, fraud, and regulatory violations. Consistent with the Securities and Commodities Authority's corporate governance code and the Anti-Money Laundering Law, Federal Decree-Law No. 20 of 2018.