IT Acceptable Use Policy (UAE)
IT ACCEPTABLE USE POLICY
[Company Name]
[Policy Version] | Effective: [Effective Date]
This IT Acceptable Use Policy governs the use of all information technology assets belonging to or administered by [Company Name]. It is issued under Federal Decree-Law No. 33 of 2021 on Regulation of Labour Relations (the UAE Labour Law), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime (the UAE Cybercrime Law).
1. PURPOSE AND SCOPE
1.1 Purpose: This policy protects [Company Name]'s information technology assets, business data, and digital infrastructure from misuse, unauthorised access, data breaches, and cyber threats. The policy also defines the boundaries of acceptable personal use and ensures compliance with the UAE Cybercrime Law under Federal Decree-Law No. 34 of 2021 and the Personal Data Protection Law under Federal Decree-Law No. 45 of 2021.
1.2 Scope: This policy applies to all employees, contractors, temporary staff, and any other person who accesses or uses [Company Name]'s IT assets. The IT assets covered include: [IT Assets Covered]. This policy applies regardless of the employee's location, including when working remotely under the Company's Remote Work Policy.
1.3 Personal Use: [Personal Use Rule]. Even where personal use is permitted, employees must never use Company IT assets to access, create, transmit, or store content that is illegal under UAE law, including any content criminalised under Federal Decree-Law No. 34 of 2021 (the Cybercrime Law), Federal Decree-Law No. 45 of 2021, or Federal Decree-Law No. 31 of 2021 on Issuance of the Crimes and Penalties Law.
2. ACCEPTABLE USE
2.1 General Use: Employees may use Company IT assets for the performance of their job duties and, where permitted, for incidental personal use. Use must be professional, responsible, and consistent with UAE law. Employees must not use Company systems in a way that creates legal liability for the Company, damages the Company's reputation, or interferes with other employees' work.
2.2 Email and Communications: Company email accounts are the primary channel for official business communication. Employees must use Company email — not personal accounts — for all work-related correspondence. Emails sent from a Company account carry the Company's identity and may create contractual obligations under the UAE Civil Code (Federal Law No. 5 of 1985). Employees must not use Company email to send unsolicited commercial communications, to harass colleagues, or to transmit any content prohibited under Sections 3 and 4 below.
2.3 Internet Use: Access to the internet via Company systems is provided for business purposes. Employees may visit personal websites during breaks if this is permitted under Section 1.3. Websites hosting gambling, adult content, torrents, or any content that is blocked by the UAE Telecommunications and Digital Government Regulatory Authority (TDRA) must not be accessed on Company devices at any time.
2.4 Cloud and Storage: Business data must be stored in Company-approved cloud platforms and storage systems only. Employees must not upload, transfer, or store Company data — including customer personal data regulated under Federal Decree-Law No. 45 of 2021 — on personal cloud accounts (personal Google Drive, iCloud, Dropbox, or similar). Approved platforms are determined by the IT Department. Contact [IT Email] for the current approved list.
3. PROHIBITED USES
The following uses of Company IT assets are strictly prohibited under this policy and may constitute criminal offences under UAE law:
(a) Unauthorised access to computer systems, networks, or data belonging to any third party — criminalised by Article 2 of Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime;
(b) Publishing, sharing, or distributing content that insults, defames, or causes public panic — criminalised under Articles 20–26 of Federal Decree-Law No. 34 of 2021;
(c) Processing personal data of customers, employees, or third parties in breach of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL);
(d) Installing unauthorised software, including cracked or pirated applications, which may violate Federal Law No. 38 of 2021 on Intellectual Property Rights;
(e) Using the Company's IT infrastructure to conduct personal commercial activities, including freelance work, without the employer's written consent;
(f) Attempting to bypass, disable, or circumvent any security control, firewall, content filter, or monitoring system on Company devices;
(g) Sharing user credentials (passwords, access tokens) with any other person, including colleagues;
(h) Connecting unauthorised storage devices (USB drives, external hard disks) to Company systems without IT Department approval.
4. DATA PROTECTION AND CONFIDENTIALITY
4.1 PDPL Compliance: All processing of personal data through Company IT systems must comply with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. Employees must not collect, process, transfer, or store personal data beyond what is authorised by their role. Any suspected data breach or unauthorised access must be reported to the IT Department immediately at [IT Email]. The UAE Data Office may impose administrative penalties of up to AED 5 million for PDPL violations.
4.2 Confidentiality: All business information accessed through Company IT systems — including financial data, client information, HR records, and strategic plans — is confidential and subject to the confidentiality obligations in the employee's employment contract. Confidential information must not be transmitted outside the Company's secure systems without the written approval of the employee's line manager.
4.3 Password Security: Every employee must maintain a strong password for each Company system, change passwords when prompted by the IT Department, and never share passwords. Password-sharing is prohibited under Section 3(g) and is a disciplinary matter. Employees who suspect their credentials have been compromised must notify [IT Email] immediately.
5. MONITORING AND ENFORCEMENT
5.1 Monitoring: [Monitoring Disclosure]. Any monitoring is conducted in compliance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and is proportionate to the legitimate business purposes of protecting the Company's IT assets, ensuring regulatory compliance, and investigating suspected misconduct. Employees are not entitled to privacy in respect of content created, transmitted, or stored on Company-owned IT assets using Company-provided access.
5.2 Investigations: Where a breach of this policy is suspected, the Company may conduct a forensic review of the relevant IT assets. Such a review will be conducted by an authorised person, typically the IT Manager [IT Contact] or an external specialist, and will be governed by the applicable provisions of Federal Decree-Law No. 45 of 2021 and the UAE Civil Code (Federal Law No. 5 of 1985).
5.3 Disciplinary Action: Breaches of this policy are misconduct and are addressed through the progressive disciplinary tariff under Article 60 of Federal Decree-Law No. 33 of 2021 (UAE Labour Law). Serious breaches — including deliberate data breaches, intentional unauthorised access to third-party systems, and use of Company assets for criminal purposes — may be treated as gross misconduct under Article 44, permitting summary dismissal without notice. Criminal conduct will be reported to the relevant UAE authority.
5.4 Policy Questions: Questions about this policy should be directed to [IT Contact] at [IT Email] for IT-specific queries, or to [HR Email] for employment-related questions. This policy may be amended by [Company Name] at any time with reasonable advance notice.
6. DEVICE RETURN ON EXIT
On resignation, termination, or any other end of employment, all Company IT assets — including laptops, mobile phones, access cards, and any other device issued during employment — must be returned in good working condition on the last working day. The IT Department will conduct an exit review of returned devices. Any data removed or destroyed without authorisation prior to return will be investigated and may result in criminal referral under Federal Decree-Law No. 34 of 2021 (Cybercrime Law). The employer will process the employee's final entitlements under Article 53 of Federal Decree-Law No. 33 of 2021 within 14 days of the last working day, subject to the return of all IT assets.
ACKNOWLEDGMENT
By signing below, I confirm that I have received, read, and understood the [Company Name] IT Acceptable Use Policy ([Policy Version]) and agree to comply with its provisions. I understand that breaches may result in disciplinary action, including summary dismissal, and may constitute criminal offences under UAE law.
Employee Name: ___________________________ Employee ID: _______________
Signature: _______________________________ Date: _______________
Authorised by [Company Name]: _______________ Date: _______________
What Is an IT Acceptable Use Policy (UAE)?
An IT Acceptable Use Policy in the United Arab Emirates is a formal employer document that defines the boundaries of permissible and prohibited use of the organisation's information technology assets — computers, mobile devices, email systems, cloud platforms, and network infrastructure — by employees, contractors, and any other authorised users. The policy operates at the intersection of three major UAE legal frameworks: Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime (the UAE Cybercrime Law), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and Federal Decree-Law No. 33 of 2021 on Regulation of Labour Relations (the UAE Labour Law).
Federal Decree-Law No. 34 of 2021 is among the most relevant statutes for any UAE IT Acceptable Use Policy. Enacted in October 2021 as a consolidated replacement for earlier cybercrime legislation, the law criminalises a wide range of digital acts, including: unauthorised access to IT systems (Article 2), disruption or damage to data and networks (Articles 3–4), online fraud (Article 11), defamation and publication of false information (Articles 20–26), and incitement of public disorder through digital channels (Article 29). Penalties range from fines starting at AED 100,000 to imprisonment. An IT Acceptable Use Policy that explicitly prohibits these acts by employees serves as both a compliance tool and a notice document: by signing the policy, the employee acknowledges awareness of the criminal prohibitions and cannot subsequently claim ignorance.
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) applies to every employer in the UAE that processes personal data — which includes storing, accessing, transferring, or using information that identifies a natural person. Employee IT use is a major conduit for personal-data processing: customer records accessed through a CRM, HR data stored on a shared drive, and financial information transmitted by email all involve personal data processing subject to the PDPL. The IT Acceptable Use Policy imposes employee-level data-protection obligations — mandatory use of approved storage, prohibition of personal cloud accounts, password security — that are essential to the employer's ability to demonstrate PDPL compliance to the UAE Data Office.
From the employment-law perspective under Federal Decree-Law No. 33 of 2021, the IT Acceptable Use Policy is a workplace policy document that employees are required to acknowledge at onboarding. Article 60 of the Labour Law makes the existence of a communicated disciplinary system a prerequisite for any disciplinary sanction. A signed IT Acceptable Use Policy is essential evidence when an employer needs to take action for IT misconduct — whether for a minor breach such as accessing prohibited websites, or a serious breach such as deliberately exfiltrating confidential data.
The UAE's digital regulatory landscape also involves the Telecommunications and Digital Government Regulatory Authority (TDRA), which maintains a content-filtering regime that blocks gambling, adult, and certain VoIP-related websites throughout the UAE. The IT Acceptable Use Policy must confirm that employees may not use Company devices to attempt to circumvent TDRA filtering, and must note that attempting to bypass lawful restrictions using unauthorised VPN applications may constitute an offence under Federal Decree-Law No. 34 of 2021.
For employers operating across multiple jurisdictions — mainland UAE under MOHRE, the Dubai International Financial Centre (DIFC), and the Abu Dhabi Global Market (ADGM) — the IT Acceptable Use Policy provides consistent minimum standards for all users, while noting that the applicable employment discipline framework (Article 60 of Federal Decree-Law No. 33 of 2021 for MOHRE employees, DIFC Employment Law No. 2 of 2019, or ADGM Employment Regulations 2019) will govern enforcement.
The forms-legal.com UAE IT Acceptable Use Policy template covers all required elements: purpose and scope, acceptable use, prohibited uses with specific UAE statutory references, data protection obligations aligned with Federal Decree-Law No. 45 of 2021, monitoring disclosures, disciplinary consequences, device-return obligations on exit, and a signed acknowledgment block.
When Do You Need an IT Acceptable Use Policy (UAE)?
An IT Acceptable Use Policy is needed in the UAE at multiple points in the employee and IT asset lifecycle.
At onboarding, when issuing Company IT assets for the first time, the employer must ensure the employee understands the rules governing use before they access any system containing personal data or confidential business information. Without a signed policy issued at Day 1, the employer cannot rely on IT-conduct rules in any subsequent disciplinary or legal proceeding.
When a data breach occurs, MOHRE mediators, Federal Labour Courts, and the UAE Data Office will ask whether the relevant employees were on notice of their data-protection obligations. A signed IT Acceptable Use Policy that specifically references Federal Decree-Law No. 45 of 2021 and prohibits the use of personal cloud storage is the most direct evidence that notice was given.
When implementing or updating monitoring tools, the PDPL requires prior disclosure to employees. A monitoring-disclosure clause in the IT Acceptable Use Policy or a supplementary notice satisfies this requirement. Without disclosure, monitoring may breach the PDPL and render any evidence collected through monitoring inadmissible in disciplinary proceedings.
When an employee is terminated or resigns, the IT Acceptable Use Policy's device-return section provides the legal basis for the employer to demand immediate return of all IT assets and to suspend access to Company systems. This prevents post-employment data exfiltration, which is a growing source of data breaches and litigation in the UAE.
When the Company is subject to a MOHRE establishment inspection or a Federal Tax Authority review, the IT Acceptable Use Policy demonstrates that the employer has appropriate internal controls in place and reduces the risk of adverse findings relating to data security and employee-conduct standards.
When adopting remote work, the IT Acceptable Use Policy must be in place before employees access Company systems from outside the office, to ensure PDPL compliance for data accessed in home environments and to define the VPN and secure-access obligations applicable to remote workers.
What to Include in Your IT Acceptable Use Policy (UAE)
A UAE IT Acceptable Use Policy compliant with Federal Decree-Law No. 34 of 2021, Federal Decree-Law No. 45 of 2021, and Federal Decree-Law No. 33 of 2021 must include the following elements. The forms-legal.com UAE IT Acceptable Use Policy template covers each one.
Purpose and scope must identify the Company, the specific IT assets covered, all categories of user (employees, contractors, temporary staff), and the employment jurisdictions applicable (MOHRE mainland, DIFC, ADGM). The scope clause must be broad enough to cover BYOD scenarios if the Company allows personal devices for work.
Acceptable use must describe permitted use with sufficient clarity that employees understand what is allowed, including the incidental personal use position and the time-of-use restrictions.
Prohibited use must list each category of prohibited conduct with an explicit UAE statutory reference: unauthorised access under Federal Decree-Law No. 34 of 2021 Article 2, PDPL breaches under Federal Decree-Law No. 45 of 2021, pirated software under Federal Law No. 38 of 2021 on Intellectual Property Rights. Named statutory references turn the policy from a general conduct standard into a legally specific notice.
Data protection and PDPL compliance must prohibit personal cloud storage for business data, require approved storage tools, mandate password security, and set out the data-breach notification obligation to the IT Department. The UAE Data Office is the regulator under Federal Decree-Law No. 45 of 2021, with authority to impose penalties of up to AED 5 million.
Monitoring disclosure must state clearly and specifically what the Company monitors — email content, browsing history, keystroke logging, or only aggregate usage data — and must confirm that use of Company assets constitutes consent to monitoring for the stated purposes, consistent with the PDPL.
Disciplinary consequences must reference Article 60 of Federal Decree-Law No. 33 of 2021 for the progressive tariff and Article 44 for summary dismissal, and must state that criminal conduct will be reported to UAE authorities.
Device return must set the timeline and process for returning IT assets on exit, and confirm that failure to return assets or deliberate data destruction prior to return may constitute a criminal offence under Federal Decree-Law No. 34 of 2021.
Acknowledgment block must include employee name, ID, signature, and date.
How to Fill Out Your IT Acceptable Use Policy (UAE)
Completing the UAE IT Acceptable Use Policy template requires the employer to align the policy with the actual IT environment and risk profile of the business.
Begin with Company Information. Enter the legal company name as it appears on the trade licence. Choose the effective date and version number. The version number is important: if the policy is updated — for example, when a new monitoring tool is deployed or a new category of device is issued — the updated version should carry a new number and a fresh acknowledgment page.
In the IT Assets section, define the covered assets specifically. A broad definition ('all devices and systems') gives maximum coverage but may require disclosure of monitoring tools that have not yet been deployed. A specific definition ('Company-issued Dell laptops and Samsung mobile phones, Microsoft 365 email, SharePoint, and VPN access') is more accurate and easier to enforce, but must be updated whenever new assets are added. If BYOD is permitted, state this explicitly and note that the policy applies to the work data partition on personal devices.
Choose the personal-use position carefully. A blanket 'business use only' rule is the simplest from a compliance perspective but is often ignored in practice. A 'permitted incidental personal use' rule is more realistic but requires a clear boundary between incidental and excessive personal use. Whichever option is chosen, state the position clearly so that employees cannot claim ambiguity.
Choose the monitoring disclosure option that accurately reflects your current IT controls. Disclosing monitoring that does not actually occur creates a risk that employees will claim their privacy was violated by monitoring they did not expect; disclosing monitoring that does occur, on the other hand, is a PDPL obligation. Work with your IT Manager and legal counsel to determine what is actually monitored and disclose it accurately.
Fill in the IT contact and HR contact details accurately. These are the people employees will contact when they have questions, suspect a security incident, or need to report a breach. Outdated contact details in a signed policy weaken the employer's position in any subsequent disciplinary or legal proceeding.
Distribute the policy to all employees, contractors, and authorised system users at the time they are first given access to Company IT assets. Collect a signed acknowledgment and store it in the personnel file or contractor record. Update the policy and re-collect acknowledgments whenever a material change is made.
Legal Requirements for IT Acceptable Use Policy (UAE)
Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime is the primary criminal statute. Article 2 criminalises unauthorised access to IT systems. Articles 3–4 cover data corruption and network disruption. Articles 20–26 cover online defamation, false information, and incitement. Employers are not criminally liable for employee acts committed on Company systems, but may face regulatory scrutiny and civil liability if they failed to take reasonable steps — including a clear policy — to prevent such acts.
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) requires data controllers to implement appropriate technical and organisational measures to protect personal data. An IT Acceptable Use Policy is an organisational measure that contributes to PDPL compliance. The UAE Data Office can impose penalties of up to AED 5 million and, for repeated or intentional violations, up to AED 20 million.
Federal Decree-Law No. 33 of 2021 (UAE Labour Law) provides the employment framework. Article 60 requires a written disciplinary system for any sanction to be valid. Article 44 permits summary dismissal for deliberate misconduct causing serious harm to the employer, including data breaches. Article 53 requires settlement of final entitlements within 14 days of the last working day, subject to return of Company property.
Federal Law No. 38 of 2021 on Intellectual Property Rights applies to software installed on Company devices without a valid licence. Employees who install pirated software may expose the employer to civil and criminal liability under the IP law.
Federal Law No. 5 of 1985 (UAE Civil Code) provides the contractual basis for seeking damages from an employee whose IT misconduct causes financial loss to the employer.
For DIFC employees: DIFC Employment Law No. 2 of 2019 and DIFC Courts apply. For ADGM employees: ADGM Employment Regulations 2019 and ADGM Courts apply. Federal Decree-Law No. 34 of 2021 and Federal Decree-Law No. 45 of 2021 apply throughout the UAE including free zones.
Common Mistakes to Avoid in Your IT Acceptable Use Policy (UAE)
UAE IT Acceptable Use Policy — Common Mistakes That Create Security and Legal Exposure.
1. Not collecting a signed acknowledgment. An IT Acceptable Use Policy that employees have not signed is difficult to rely on in disciplinary proceedings. The Article 60 tariff requires the employer to show the employee was on notice of the rule. Always collect a signed acknowledgment at onboarding and when the policy is substantially updated.
2. Failing to reference UAE statutory provisions. A policy that prohibits 'hacking' without referencing Federal Decree-Law No. 34 of 2021 misses an opportunity to communicate the serious criminal consequences of digital misconduct. Named statutory references make the policy more credible and serve as a stronger deterrent.
3. Not disclosing monitoring in advance. Monitoring employee communications without prior disclosure may breach Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. The IT Acceptable Use Policy must state specifically what is monitored and on what legal basis. 'We may monitor' is insufficient; 'we monitor email metadata and browsing activity on Company devices for security purposes' is specific enough to satisfy the PDPL's transparency requirement.
4. Allowing BYOD without a policy. Personal devices used for work introduce data-protection risk that the employer bears under Federal Decree-Law No. 45 of 2021. A simple note that 'employees may use personal devices' without any security requirements or MDM solution leaves the employer exposed. Either prohibit BYOD or implement a managed BYOD framework with a clear policy supplement.
5. Omitting the device-return obligation. Employees who leave with Company IT assets — or who destroy data on those assets before returning them — may commit criminal offences under Federal Decree-Law No. 34 of 2021. The policy must state the device-return obligation and the criminal consequences of non-compliance.
6. Not updating the policy after law changes. Federal Decree-Law No. 34 of 2021 replaced the earlier UAE Cybercrime Law, and Federal Decree-Law No. 45 of 2021 introduced the PDPL as a complete data-protection framework for the first time. Any IT Acceptable Use Policy drafted before 2022 must be updated to reflect these statutes and the new UAE Data Office regulatory structure.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). IT Acceptable Use Policy (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/employment/hr-forms/it-acceptable-use-policy-uae
Frequently Asked Questions
Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime is the primary UAE statute governing digital offences. Article 2 criminalises unauthorised access to any computer, electronic information system, website, or information network. The penalty for basic unauthorised access is imprisonment of not less than one year and a fine between AED 100,000 and AED 300,000. Where the access results in deletion, alteration, corruption, disclosure, or copying of data, the penalties increase substantially.
For employers, the IT Acceptable Use Policy is the key tool for making clear to employees where the boundaries of authorised access lie. An employee who accesses a colleague's files without permission, uses another person's credentials to log into a system, or attempts to bypass security controls may face criminal liability under Federal Decree-Law No. 34 of 2021 in addition to the disciplinary consequences under the employment contract and Article 60 of Federal Decree-Law No. 33 of 2021.
From a practical standpoint, the Policy should specify which systems and data each category of employee is authorised to access in the course of their duties. This creates a clear documented baseline: any access beyond that baseline is potentially unauthorised and may expose the employee to criminal liability. Employers who suffer a data breach caused by an employee's criminal conduct may also need to notify the UAE Data Office under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and the signed IT Acceptable Use Policy helps establish that the employee was on notice of the prohibition.
The use of VPNs in the UAE is a legally nuanced area. The UAE Telecommunications and Digital Government Regulatory Authority (TDRA) — formerly the Telecommunications Regulatory Authority (TRA) — blocks certain categories of content, including gambling, adult material, and VoIP services that compete with licensed providers. Using a VPN to circumvent TDRA content filters on content that is blocked for legal reasons is prohibited under Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime and may attract criminal penalties.
Legitimate VPN use — such as connecting to the employer's corporate network securely from a remote location — is permitted and is in fact commonly required by UAE companies' IT security policies. The key distinction is purpose: a VPN used to access the Company's systems securely is a legitimate business tool; a VPN used to access content that is blocked under UAE law is potentially a criminal act under Federal Decree-Law No. 34 of 2021.
An IT Acceptable Use Policy should explicitly address VPN use: state that employees may only use VPNs approved and issued by the IT Department for the purpose of accessing Company systems, and must not use personal VPN applications to bypass TDRA content filters on Company devices. Employees who use personal VPNs on Company-issued devices to circumvent lawful content restrictions expose the employer to regulatory risk and violate the IT Acceptable Use Policy, triggering the disciplinary process under Article 60 of Federal Decree-Law No. 33 of 2021.
Yes. Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) applies to the processing of any personal data, including the personal data of employees. 'Processing' includes collecting, storing, using, and disclosing data. Monitoring employee communications, keystrokes, browsing history, and location data through Company IT systems involves the processing of personal data and is subject to PDPL requirements.
The PDPL requires employers to have a lawful basis for processing employee data. The most applicable basis for workplace monitoring is the legitimate-interest basis (Article 8 of the PDPL): the employer has a legitimate interest in protecting its IT assets, ensuring regulatory compliance, and investigating suspected misconduct, and this interest outweighs the employee's reasonable expectation of privacy in Company-issued systems used for work purposes. However, the processing must be necessary, proportionate, and disclosed in advance.
The disclosure requirement is met by a clear monitoring notice in the IT Acceptable Use Policy or the employment contract, stating what is monitored, how the data is used, and who has access. Covert monitoring — installing spyware without employee knowledge — is problematic under the PDPL even on Company devices. The UAE Data Office can impose administrative penalties of up to AED 5 million for PDPL violations, so employers should ensure their monitoring practices are disclosed, documented, and proportionate to the legitimate business need. The IT Acceptable Use Policy and its acknowledgment page are the primary tools for meeting the disclosure requirement.
Bring-your-own-device (BYOD) arrangements create three main categories of legal risk for UAE employers. The first is data-protection risk under Federal Decree-Law No. 45 of 2021. When an employee accesses or stores Company or customer personal data on their personal device, the employer as data controller is responsible for ensuring that data is adequately protected. If the personal device lacks encryption, is lost or stolen, or is accessed by a family member, a data breach may occur for which the employer bears regulatory responsibility. The UAE Data Office may impose penalties regardless of whether the employer issued the device.
The second risk is data recovery on exit. When an employee with a personal device leaves the Company, the employer has no automatic right to remotely wipe the device (which may contain the employee's own personal data), and cannot simply require return of the device. Without a Mobile Device Management (MDM) solution that creates a segregated work container, Company data on a personal device may be difficult or impossible to recover securely after the employment ends.
The third risk is the cybercrime exposure under Federal Decree-Law No. 34 of 2021. If an employee uses their personal device to access a colleague's data without authorisation, or to transmit confidential Company information to a competitor, prosecuting the cybercrime offence is more complex when the device is personally owned. An IT Acceptable Use Policy that clearly extends to personal devices used for work, combined with an MDM work container and a BYOD addendum to the employment contract, substantially reduces all three categories of risk.
When an employee causes a data breach through misuse of Company IT systems — whether through negligence (emailing a spreadsheet to the wrong recipient), wilful misconduct (selling customer data to a competitor), or a security incident attributable to policy violation (installing malware through an unauthorised USB device) — the employer faces obligations on two parallel tracks: regulatory and employment.
On the regulatory track, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data requires the data controller (the employer) to notify the UAE Data Office of a data breach within 72 hours of becoming aware of it if the breach is likely to result in harm to the affected data subjects. The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken to address the breach. Failure to notify within the required period may result in administrative penalties.
On the employment track, the employer should immediately preserve the IT evidence (forensic copy of the relevant device or log files), suspend access to Company systems, conduct a fair investigation under Article 60 of Federal Decree-Law No. 33 of 2021, notify the employee of the allegation and give them an opportunity to respond, and then determine the appropriate disciplinary sanction — up to and including summary dismissal under Article 44 for deliberate or seriously negligent conduct. The employer may also seek civil recovery of losses caused by the breach under the UAE Civil Code (Federal Law No. 5 of 1985), and may file a criminal complaint under Federal Decree-Law No. 34 of 2021 for deliberate cybercrime acts. The signed IT Acceptable Use Policy is essential evidence in all of these proceedings.
Yes. An employer has the right to restrict employee use of social media platforms on Company-issued devices during working hours, and to prohibit any social media use that involves Company confidential information, negative commentary about the employer or its clients, or content that is prohibited under UAE law. These restrictions are enforceable through the IT Acceptable Use Policy and, where necessary, through technical controls (website blocking via content filter).
The UAE legal framework supports such restrictions on two grounds. First, Article 60 of Federal Decree-Law No. 33 of 2021 permits the employer to impose disciplinary sanctions for breach of internal workplace policies, including IT policies. Second, Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime criminalises the online publication of content that damages national unity, incites sectarianism, insults state institutions, or defames individuals. These prohibitions apply to employees' use of Company systems as much as to their personal use.
A well-drafted IT Acceptable Use Policy should state clearly whether personal social media access is prohibited on Company devices entirely, permitted during designated break times only, or permitted incidentally. The policy should cross-reference the Social Media Policy (where one exists) for more detailed guidance on what employees may and may not post about the Company, its staff, and its clients. The combination of an IT Acceptable Use Policy and a Social Media Policy gives the employer comprehensive coverage of the digital-conduct risks that are most commonly the source of disciplinary issues in UAE workplaces.
The IT Acceptable Use Policy applies to all employees accessing Company IT systems, regardless of whether they are employed on mainland UAE contracts registered with MOHRE or on free-zone contracts under the DIFC Employment Law No. 2 of 2019 or the ADGM Employment Regulations 2019. The criminal prohibitions in Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrime and the data-protection obligations under Federal Decree-Law No. 45 of 2021 (PDPL) are federal statutes that apply throughout the UAE, including within free zones.
The disciplinary consequences for IT policy breaches differ between jurisdictions. For mainland MOHRE employees, the Article 60 graduated tariff and Article 44 summary-dismissal provisions of Federal Decree-Law No. 33 of 2021 apply. For DIFC employees, the DIFC Employment Law No. 2 of 2019 provides the disciplinary framework and the DIFC Courts have jurisdiction over employment disputes. For ADGM employees, the ADGM Employment Regulations 2019 and ADGM Courts apply.
From a practical standpoint, the IT Acceptable Use Policy should contain a scope clause identifying that it applies to all Company employees and authorised IT system users regardless of employment jurisdiction, while noting that disciplinary consequences for breaches will be determined by the applicable employment framework for each employee's contract. This approach ensures consistent data-security standards across a group employer with staff in multiple zones, while accurately reflecting the different dispute-resolution mechanisms available in each jurisdiction.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.