Personal Data Access Request (UAE)
PERSONAL DATA ACCESS REQUEST
Submitted under: Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), United Arab Emirates
Date: [Request Date]
From: [Requester Name], Emirates ID / Passport: [Requester ID]
Address: [Requester Address]
Email: [Requester Email] | Phone: [Requester Phone]
To: [Controller Name]
Address: [Controller Address]
DPO / Privacy Contact: [Controller Email]
1. LEGAL BASIS FOR THIS REQUEST
1.1 This request is made pursuant to Article 15 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) of the United Arab Emirates (the 'PDPL'), which grants data subjects the right to obtain from a data controller confirmation of whether personal data concerning them is being processed and, if so, access to that personal data together with the information prescribed by the PDPL.
1.2 As the data subject, I, [Requester Name], hereby exercise my right of access in accordance with the PDPL and request that [Controller Name] (the 'Controller') provide a copy of all personal data held about me.
2. SCOPE OF REQUEST
2.1 I request access to the following personal data: [Data Description].
2.2 Period: [Data Period].
2.3 Preferred delivery format: [Preferred Format].
2.4 Additional information sought: [Additional Notes].
3. CONTROLLER OBLIGATIONS AND RESPONSE DEADLINE
3.1 Under Article 15 of the PDPL, the Controller must respond to this request within 30 days of receipt. If the Controller is unable to respond within 30 days, it must notify me of the reason and the extended timeline, which may not exceed 45 days in total without the UAE Data Office's authorisation.
3.2 The Controller must provide, at minimum: (a) confirmation that personal data concerning me is or is not being processed; (b) a copy of the personal data in an intelligible format; (c) information about the purposes of processing, the categories of data, and the recipients to whom data has been disclosed; (d) information about the storage period; and (e) information about my rights to correction, deletion, and restriction of processing.
3.3 Fees: Under the PDPL, the Controller may charge a reasonable fee only if the request is manifestly unfounded or excessive. Otherwise, the response must be provided free of charge.
4. FURTHER ACTION
4.1 If the Controller fails to respond within the required period, or provides an inadequate response, I reserve the right to lodge a complaint with the UAE Data Office, file a complaint with the competent court, or pursue any other remedy available under the PDPL and UAE law.
4.2 This request is governed by the laws of the United Arab Emirates.
Signed: [Requester Name]
Date: [Request Date]
Data Subject
________________
Signature
What Is a Personal Data Access Request (UAE)?
A Personal Data Access Request in the United Arab Emirates is a formal written demand by which an individual — known as the 'data subject' under UAE privacy law — exercises their statutory right to obtain from an organisation confirmation of what personal data it holds about them, why it is being processed, and a complete copy of that data. The instrument derives its legal force from Article 15 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), commonly abbreviated as the PDPL, which came into force in January 2022 and is administered by the UAE Data Office established under the same decree.
The PDPL represents the UAE's first comprehensive federal data protection statute, bringing the country's legal framework into alignment with international standards such as the European General Data Protection Regulation (GDPR) and the OECD Privacy Guidelines. Before the PDPL, data subjects in the UAE had limited formal mechanisms for discovering what personal information companies held about them. The law changed this fundamentally: Article 1 defines personal data broadly to encompass 'any data — regardless of source or form — that leads to identifying a specific person or makes it possible to identify them', covering names, Emirates ID numbers, email addresses, location data, biometric data, financial records, health records, photographs, and online identifiers.
The right of access under Article 15 of the PDPL is a cornerstone right that supports all other data subject rights. Without knowing what data an organisation holds, a data subject cannot assess whether to request correction under Article 16, deletion under Article 17, or restriction of processing. The Personal Data Access Request therefore serves as the investigative first step in the full exercise of UAE privacy rights.
The UAE Data Office, which enforces the PDPL and has issued several guidance documents for both data controllers and data subjects, has made clear that any natural person — whether a UAE national, an expatriate resident, or a non-resident whose data is processed by a UAE-based organisation — may submit a data access request. Organisations that qualify as data controllers under the PDPL — a category that encompasses almost every company, government authority, healthcare provider, financial institution, educational establishment, and digital platform operating in the UAE — are obligated to respond. Free-zone entities registered with the Dubai International Financial Centre (DIFC) or the Abu Dhabi Global Market (ADGM) have their own data protection regimes — the DIFC Data Protection Law 2020 and the ADGM Data Protection Regulations 2021, respectively — but the right of access exists under all three frameworks.
For residents of Dubai, Abu Dhabi, Sharjah, and other UAE emirates, a Personal Data Access Request is the standard mechanism for auditing the personal information held by employers, banks, telecom operators, insurers, government portals, healthcare providers, and e-commerce platforms. The forms-legal.com UAE template is drafted to satisfy the PDPL's requirements and can be adapted for use across all emirates and free zones.
When Do You Need a Personal Data Access Request (UAE)?
A Personal Data Access Request in the United Arab Emirates becomes necessary or advisable in a range of everyday and exceptional circumstances where an individual needs to know what personal information an organisation holds about them.
Employment situations frequently trigger access requests. An employee who is dismissed, disciplined, or passed over for promotion may wish to understand what data their employer — whether a mainland UAE company regulated by the Ministry of Human Resources and Emiratisation (MOHRE) or a free-zone entity in Jebel Ali Free Zone (JAFZA), DMCC, or DIFC — holds about them in HR files, performance records, CCTV footage, and digital communications. Under the Labour Law (Federal Decree-Law No. 33 of 2021), employers in the UAE have significant recordkeeping obligations, and employees have a corresponding right under the PDPL to know what data is kept.
Financial and banking situations call for access requests when an individual believes incorrect data is affecting their credit profile with the Al Etihad Credit Bureau (AECB), the UAE's national credit bureau. Banks, finance companies, and credit providers licensed by the Central Bank of the UAE are data controllers under the PDPL, and an access request to such an entity can reveal what adverse data has been submitted to the AECB, enabling a correction or deletion request to follow.
Healthcare data disputes require access requests when a patient questions the accuracy or completeness of medical records held by hospitals, clinics, or health insurance companies licensed by the Dubai Health Authority (DHA), the Abu Dhabi Department of Health (DoH), or the Ministry of Health and Prevention (MoHAP). Medical data is among the most sensitive categories of personal data under the PDPL, and the patient's right of access ensures they can review, verify, and if necessary correct their health records.
Digital platforms and e-commerce operators that collect UAE residents' data — including addresses, purchase histories, behavioural profiles, and payment information — are subject to the PDPL. A consumer who wants to understand the scope of data collection by a UAE-licensed platform, or who suspects data has been shared with third-party advertisers without consent, should file a formal access request before escalating a complaint to the UAE Data Office or the Telecommunications and Digital Government Regulatory Authority (TDRA).
Legal proceedings and regulatory disputes often require an individual to obtain a full copy of their personal data before instructing a lawyer or filing a complaint with a government authority. The Dubai Courts, the Abu Dhabi Judicial Department, and the DIFC Courts all recognise PDPL data access requests as a legitimate pre-litigation investigative tool.
What to Include in Your Personal Data Access Request (UAE)
A Personal Data Access Request that complies with the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and meets the evidentiary standards expected by the UAE Data Office must contain the following key elements. The forms-legal.com UAE Personal Data Access Request template includes each of these.
Identification of the data subject: the requester's full legal name, Emirates ID number or passport number, and contact details. The PDPL requires a data controller to verify the identity of the person making a request before complying, to prevent third parties from obtaining another person's data. Providing an Emirates ID number or passport number assists this verification process without requiring the requester to attend in person.
Identification of the data controller: the full legal name, registered address, and contact details of the organisation to which the request is addressed. Where the organisation has appointed a Data Protection Officer (DPO), as recommended for controllers processing large volumes of personal data, the request should be directed to the DPO's email or postal address. Many UAE banks, telecom operators, and large employers publish DPO contact details on their websites in compliance with PDPL transparency requirements.
Statutory basis: an explicit reference to Article 15 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). Citing the specific statutory provision confirms to the recipient that this is a formal legal request and not an informal enquiry, and starts the 30-day response clock under the PDPL.
Description of data requested: a clear description of the categories and specific items of personal data the requester wishes to access. The more specific the request, the faster and more targeted the response. However, a broad request for 'all personal data held about me' is also valid under the PDPL.
Time period: if the request is limited to a specific period — for example, data collected during an employment relationship from a particular start date — stating this focuses the response and reduces the likelihood of delay.
Preferred delivery format: specifying electronic delivery (PDF or CSV) or printed copies. Under the PDPL, data must be provided in an intelligible, structured format where technically practicable.
Statement of controller's obligations: a reminder that under the PDPL, the controller must respond within 30 days, and that failure to do so gives the requester the right to complain to the UAE Data Office or seek judicial remedy before the competent court.
Signature and date: the requester's signature (wet-ink or electronic, both valid under the Electronic Transactions and Trust Services Law, Federal Decree-Law No. 46 of 2021) and the date of the request, which marks the start of the controller's response period.
How to Fill Out Your Personal Data Access Request (UAE)
Completing a Personal Data Access Request for use in the United Arab Emirates requires careful attention to detail to ensure the request is legally effective under the PDPL (Federal Decree-Law No. 45 of 2021) and to reduce the likelihood of the controller delaying or refusing on procedural grounds.
Step one: enter your full legal name exactly as it appears on your Emirates ID or passport. For UAE nationals and residents, the Emirates ID number (in the format 784-YYYY-XXXXXXX-X) is the most reliable identifier. For non-residents making a request about data held by a UAE organisation, a passport number and nationality should be provided. This identification information is not shared with third parties; it is used solely to enable the controller to locate and verify your records.
Step two: provide your current contact details — email address and phone number — so the controller can seek clarification or deliver the data. Use an email address you monitor regularly, as the controller's response is likely to be delivered electronically.
Step three: identify the organisation you are addressing. Enter its full legal name — for example, 'Emirates NBD Bank PJSC' rather than just 'Emirates NBD' — and its registered address. If the organisation has published a DPO email address on its privacy policy page, use that address rather than a general contact email, as this routes the request directly to the privacy compliance function.
Step four: enter the date of your request in DD/MM/YYYY format. The date is important because it starts the 30-day response clock under Article 15(3) of the PDPL. Keep a copy of the sent request with the date clearly recorded.
Step five: describe the personal data you are requesting. Be as specific as possible — for example, 'all personal data collected from me in connection with my current account ending 1234, including account opening documentation, transaction records, KYC files, and any data shared with the Al Etihad Credit Bureau (AECB)'. If you are uncertain what categories of data the organisation holds, a general request for 'all personal data concerning me in any form' is valid and requires the controller to provide a full disclosure.
Step six: specify the time period if relevant. If you left the organisation three years ago and want only data from your time as a customer or employee, state the start and end dates. This focuses the response and reduces processing time.
Step seven: select your preferred delivery format. UAE banks and healthcare providers typically offer secure email delivery or portal download. If you need printed copies for legal proceedings before the Dubai Courts or the Abu Dhabi Judicial Department, request those specifically.
Step eight: sign the form — electronically or by hand — and send it to the organisation. For banks and government authorities, registered post provides a delivery record. For digital companies, email to the DPO address is standard. Keep the email or posting record as evidence of submission.
Legal Requirements for Personal Data Access Request (UAE)
Personal data access rights in the United Arab Emirates are established and governed by the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), which is the primary federal statute on privacy and data protection. Article 15 of the PDPL grants every data subject the right to obtain from a data controller: (a) confirmation of whether their personal data is being processed; (b) a copy of the personal data; (c) information about the purposes of processing, the categories of data, and third-party recipients; (d) the retention period; and (e) information about the subject's rights to request correction, deletion, and restriction of processing.
The controller must respond within 30 days of receiving a verified request. If additional time is needed, the controller must notify the data subject within the initial 30-day period and may extend the deadline by up to 15 further days, for a maximum of 45 days from receipt. Any extension must be notified to the data subject with reasons. Failure to respond within the required period is an actionable breach under the PDPL, and the data subject may complain to the UAE Data Office or apply to the competent court for an order requiring the controller to comply.
The UAE Data Office, established by the PDPL and headquartered in Abu Dhabi, is the supervisory authority responsible for enforcing the PDPL. The Data Office investigates complaints, issues guidance, conducts audits, and imposes administrative penalties on controllers that breach the law. Penalties for failure to comply with data subject rights requests can include fines and, in serious cases, criminal referral.
For entities operating within the DIFC free zone, the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) applies instead of the federal PDPL, and data subject access requests to DIFC-registered organisations are governed by Article 18 of that law. The Commissioner of Data Protection within DIFC enforces compliance. Similarly, ADGM-registered organisations fall under the ADGM Data Protection Regulations 2021. In all three frameworks, the right of access is fundamental and the response timeline is comparable.
Note that if the organisation processes your data under an exemption — for example, for law enforcement, national security, or credit risk management purposes — it may decline to disclose certain categories of data while still acknowledging that data is held. The UAE Civil Code (Federal Law No. 5 of 1985), under Articles 282 onwards, also supports a civil claim for damages if failure to respond to a data access request causes a demonstrable loss.
Common Mistakes to Avoid in Your Personal Data Access Request (UAE)
Personal Data Access Requests in the United Arab Emirates frequently fail to achieve their purpose because of avoidable errors. Awareness of these mistakes ensures a faster, more complete response from the data controller.
The first and most common mistake is submitting the request to a general customer service email address rather than to the organisation's designated Data Protection Officer or privacy team. Many UAE banks, telecoms, and large employers publish a specific DPO email address in their PDPL privacy notice. Using the correct channel ensures the request is routed to the function responsible for PDPL compliance, rather than sitting in a general enquiries queue.
The second mistake is failing to provide adequate identification. Controllers under the PDPL are required to verify the requester's identity before disclosing personal data, to prevent fraudulent access requests. A request that does not include an Emirates ID number or passport number is likely to result in the controller requesting further verification, delaying the response and potentially extending the clock beyond the initial 30-day period.
The third mistake is making a vague or excessively broad request without any description of the data sought. While a broad request is legally valid, it increases processing time and may result in a massive data dump that is difficult to review. A focused request — for example, specifying particular data categories, systems, or time periods — leads to a more useful and timely response.
The fourth mistake is not keeping a record of when and how the request was submitted. The 30-day response clock under Article 15(3) of the PDPL runs from receipt of the request. Without proof of the submission date — a sent email timestamp, registered post receipt, or portal submission confirmation — it is difficult to enforce the timeline if the controller is slow to respond.
The fifth mistake is allowing the 30-day deadline to pass without following up. If a controller does not respond within 30 days, the data subject should send a formal chaser referencing the original request date and notifying the controller that a complaint to the UAE Data Office is being considered. This often produces a prompt response.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Personal Data Access Request (UAE) (United Arab Emirates) [Legal document template]. Forms Legal. https://forms-legal.com/uae/personal/legal-declarations/data-access-request-personal-uae
"Personal Data Access Request (UAE) (United Arab Emirates)." Forms Legal, 2026, https://forms-legal.com/uae/personal/legal-declarations/data-access-request-personal-uae.
@misc{formslegal-data-access-request-personal-uae,
author = {{Forms Legal}},
title = {Personal Data Access Request (UAE) (United Arab Emirates)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uae/personal/legal-declarations/data-access-request-personal-uae}},
note = {Free legal document template. Based on Personal Data Protection Law (Federal Decree-Law No. 45 of 2021)}
}
Frequently Asked Questions
Under Article 15(3) of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), a data controller in the United Arab Emirates must respond to a data subject access request within 30 days of receiving the request. If the controller needs more time due to the complexity or volume of the request, it must notify the data subject within the initial 30-day period of the reason for the delay. The controller may extend the response period by up to 15 additional days — bringing the maximum to 45 days from receipt — but only after notifying the data subject.
If the organisation fails to respond within the permitted period without a valid explanation, the data subject can file a complaint with the UAE Data Office, which has the authority to investigate the breach and impose administrative penalties on the controller. The data subject may also apply to the competent court — the Dubai Courts, the Abu Dhabi Judicial Department, or the DIFC Courts if the organisation is DIFC-registered — for an order compelling compliance and awarding damages if loss has been suffered.
UAE employers are data controllers under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and must generally comply with data access requests from current and former employees. However, the PDPL permits a controller to refuse or limit access in certain defined circumstances: for example, if providing the data would adversely affect the rights and freedoms of another person (such as another employee), if disclosure would prejudice an ongoing legal or regulatory investigation, or if a specific exemption — such as national security or law enforcement — applies.
A refusal must be in writing and must explain the reason for the refusal. The employer cannot simply ignore the request. If the employer refuses, the employee may complain to the UAE Data Office or, if the employer is a Ministry of Human Resources and Emiratisation (MOHRE)-regulated company, raise the matter with MOHRE's dispute resolution centres. For free-zone employees, the relevant free-zone authority's dispute committee may also have jurisdiction.
In practice, most UAE employers respond to employee data requests relating to HR records, performance reviews, and payroll data without difficulty. Requests for CCTV footage or digital communications records sometimes attract more pushback, but these are still personal data of the employee under the PDPL and must be disclosed unless a specific exemption applies.
Yes. Banks, finance companies, insurance providers, and other financial institutions licensed and regulated by the Central Bank of the UAE, the Securities and Commodities Authority (SCA), the Dubai Financial Services Authority (DFSA, for DIFC entities), and the Financial Services Regulatory Authority (FSRA, for ADGM entities) are all data controllers under the applicable data protection law. UAE-mainland financial institutions fall under the federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021); DIFC-registered financial institutions fall under the DIFC Data Protection Law 2020; and ADGM-registered institutions fall under the ADGM Data Protection Regulations 2021.
For consumer banking, a customer's right of access under the PDPL means they can request copies of account opening documentation, KYC records, transaction histories, credit bureau submissions to the Al Etihad Credit Bureau (AECB), and any profiling or scoring data. The Central Bank of the UAE's consumer protection regulations reinforce data subject rights in the banking context, and complaints about a bank's failure to respond can be directed both to the UAE Data Office and to the Central Bank's consumer protection function.
Under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), data controllers in the UAE must generally respond to data subject access requests free of charge. The PDPL does not require data subjects to pay a fee to exercise their rights. However, Article 15 of the PDPL permits a controller to charge a reasonable administrative fee if the request is 'manifestly unfounded or excessive', particularly if the data subject has made multiple requests within a short period.
In practice, a single, clearly formulated access request will almost always be responded to at no cost. If a controller attempts to charge a fee without justification, the data subject can query the basis for the fee and, if unsatisfied, complain to the UAE Data Office. The Data Office can review the controller's fee policy and order compliance with the PDPL if the fee is found to be unjustified.
Yes, in principle. The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies to government entities as data controllers, subject to certain exceptions for law enforcement, national security, and judicial functions. Many UAE government authorities — including the General Directorate of Residency and Foreigners Affairs (GDRFA) for immigration and residency data, the Ministry of Health and Prevention (MoHAP) for health records, and the Roads and Transport Authority (RTA) for transport and fine data — hold personal data about individuals and are subject to the PDPL.
However, some government data processing is exempt from the PDPL's access regime if the data is processed for national security, law enforcement, or other public interest purposes. In such cases, the exemption must be specifically applicable; a blanket refusal by a government authority citing 'public interest' without identifying the specific exemption is not a compliant response under the PDPL. The UAE Data Office has published guidance on government data processing and the applicable exemptions.
If a data controller responds to a Personal Data Access Request by confirming that it holds no personal data concerning the requester, this confirmation itself satisfies the controller's obligation under Article 15 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The data subject is entitled to receive this confirmation in writing.
If the data subject has reason to believe the denial is inaccurate (for example, because they have previously provided personal data to the organisation, received communications from it, or been subject to its services), they may request that the organisation explain how it reached this conclusion. A credible explanation showing that data was deleted in accordance with a retention policy, that the requester's records cannot be located using the identifiers provided, or that the individual is genuinely not in the organisation's records should satisfy the requester.
If the denial appears dishonest or evasive, the data subject may complain to the UAE Data Office. The Data Office can conduct an audit of the controller's data holdings and processing records to verify the accuracy of the response. Providing a false confirmation that no data is held, when data is in fact held, would constitute a breach of the PDPL and could attract administrative penalties.
A third party may submit a data access request on behalf of a data subject in the United Arab Emirates, but must provide documentary evidence of authority to act. The most common authorisation instruments are: a notarised Power of Attorney executed under UAE notary requirements (for a mainland UAE power, this would be notarised before a UAE Notary Public or attested by the Ministry of Justice); a legal guardianship order under Federal Decree-Law No. 41 of 2024 on Personal Status (for requests on behalf of a minor or incapacitated adult); or a written authorisation letter signed by the data subject.
Under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), a controller is entitled to request proof of authority before responding to a third-party request, to protect the data subject's privacy. This is a reasonable protection against fraudulent access attempts. For lawyers and legal representatives submitting requests on behalf of clients in connection with litigation before the Dubai Courts or the Abu Dhabi Judicial Department, a letter of engagement signed by the client typically suffices.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.