Personal Data Deletion Request (UAE)

A Personal Data Deletion Request in the United Arab Emirates — also known as a 'right to erasure' or 'right to be forgotten' request — is a formal written instrument by which a data subject demands that an organisation permanently destroy all personal data it holds about them. The right derives from Article 17 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the UAE's primary federal privacy statute, administered by the UAE Data Office. This right represents one of the most powerful tools available to individuals under UAE data protection law, giving them active control over the lifecycle of their personal information held by companies, government portals, digital platforms, and service providers.

The Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) defines personal data broadly in Article 1 to include any information that identifies or may identify a natural person — names, Emirates ID numbers, contact details, financial records, health data, biometric data, photographs, location data, online identifiers, IP addresses, and any profile data derived from these. All of this data is subject to the deletion right under Article 17. The data controller — the organisation that determines the purposes and means of processing — bears the obligation to delete the data upon receiving a valid request, unless a specific ground for retention applies.

The right to erasure under the UAE PDPL arises in specific circumstances: when the data is no longer necessary for the purpose for which it was collected or processed; when the data subject withdraws the consent on which processing was based and there is no other lawful basis; when the data has been processed unlawfully; when the data subject objects to processing and there is no overriding legitimate interest; or when the data must be erased to comply with a legal obligation under UAE or international law. A data subject does not need to prove harm to assert the right; the existence of one of these grounds is sufficient.

The UAE Data Office, which enforces the PDPL and has issued guidance on data subject rights, has confirmed that the deletion right applies to all forms of personal data held in any medium — digital records, paper files, backup tapes, cloud storage, and archived emails — not merely to live production databases. Organisations may not avoid the deletion obligation by claiming that data exists only in a backup; the PDPL requires all copies to be erased.

In practice, individuals in Dubai, Abu Dhabi, and across the UAE most frequently use deletion requests to remove data from ex-employers after the employment relationship ends, from digital platforms after account closure, from data brokers and credit reference agencies after resolving a dispute, from healthcare providers after treatment has concluded, and from marketing databases after withdrawing consent to receive marketing communications. The forms-legal.com UAE Data Deletion Request template is drafted in accordance with Article 17 of the PDPL and the UAE Data Office's published guidance on the exercise of data subject rights.

A Personal Data Deletion Request in the United Arab Emirates is appropriate in any situation where an individual wishes to permanently remove their personal information from an organisation's records and one of the legal grounds for deletion under Article 17 of the PDPL applies.

Digital account closures are among the most common triggers. When a UAE resident closes an account with a digital platform — an e-commerce site, a social media service, a food delivery app, a ride-hailing service, or a subscription platform — the organisation may retain the customer's profile data, purchase history, device data, and behavioural analytics for its own commercial purposes even after the account is closed. A deletion request compels the organisation to purge all of this data rather than merely deactivating the account.

Marketing database removal is a frequent use case. UAE residents who have subscribed to marketing communications and later withdraw their consent under the PDPL have the right not just to stop receiving marketing (which is addressed by an opt-out mechanism) but to have their marketing profile and associated data deleted entirely. This is particularly relevant for contacts on direct marketing lists held by UAE-based companies regulated by the Telecommunications and Digital Government Regulatory Authority (TDRA) and subject to the anti-spam provisions of the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021).

Post-employment data removal is a significant use case for the UAE's large expatriate workforce. When an employment contract ends — whether by resignation, termination, or end of contract — the former employee may want their personal data deleted from the employer's HR systems, internal directories, and digital platforms, particularly biometric attendance data and photographs. Under the Labour Law (Federal Decree-Law No. 33 of 2021), employers have certain mandatory record retention periods, but data not required by law must be deleted upon request.

Credit bureau and financial data disputes generate deletion requests when an individual disputes a negative entry on their Al Etihad Credit Bureau (AECB) record and seeks to have erroneous or outdated data removed. The AECB is subject to the PDPL as a data controller, and the Central Bank of the UAE's consumer credit framework also supports data subject rights in the credit reporting context.

Healthcare data removal is sought by patients who no longer wish a particular clinic, pharmacy, or health insurance provider to retain their medical records after treatment has concluded and the mandatory retention period under Dubai Health Authority (DHA) or Ministry of Health and Prevention (MoHAP) regulations has expired.

Reputation and online content involve deletion requests sent to news websites, online forums, and social media platforms registered in the UAE, seeking removal of old articles, posts, or comments that contain personal data the subject wishes to have erased under the right to be forgotten. The UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) supports this right by criminalising the publication of personal data without consent.

A Personal Data Deletion Request that complies with Article 17 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and will be treated as a formal legal notice by a UAE data controller must contain all of the following elements. The forms-legal.com UAE Data Deletion Request template is structured to include each of these.

Identification of the data subject: the requester's full legal name, Emirates ID or passport number, and contact details. Controllers under the PDPL are entitled to verify identity before processing a deletion request to prevent fraudulent demands. Providing an Emirates ID number (in the standard UAE format 784-YYYY-XXXXXXX-X) is the most effective form of identification for UAE-based controllers.

Identification of the data controller: the full legal name of the organisation — not a trade name abbreviation — its registered address, and, where available, the contact details of its Data Protection Officer. The UAE Data Office encourages all organisations processing significant volumes of personal data to appoint a DPO and to publish DPO contact details in their privacy notice.

Statutory basis: an explicit reference to Article 17 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where relevant, the Cybercrime Law (Federal Decree-Law No. 34 of 2021) if the data was published online. Citing the statute signals to the recipient that the request is a formal legal notice with defined response obligations, not merely an informal request.

Ground for deletion: identification of which of the Article 17 grounds applies. This is important because the controller's obligation varies depending on the ground. For example, if deletion is sought on the basis that the data is inaccurate and cannot be corrected, the controller must confirm whether inaccuracy is accepted; if deletion is sought on the basis that consent has been withdrawn, the controller must confirm that no other processing ground exists.

Description of data to be deleted: a clear description of the specific data categories, files, records, or accounts to be erased. The more specific the description, the more targeted and verifiable the response will be.

Third-party notification request: a request that the controller notify all third-party processors, sub-processors, joint controllers, and other organisations to whom the data has been disclosed of the deletion obligation. Under the PDPL, a controller that has disclosed personal data to third parties must notify them of a deletion request unless this is impossible or involves disproportionate effort.

Response deadline: a reference to the 30-day response period under Article 17 of the PDPL, and a request for written confirmation of completed deletion.

Consequences of non-compliance: a clear statement that failure to comply will result in a complaint to the UAE Data Office and, where appropriate, civil proceedings before the competent court. This signals that the requester is aware of their enforcement options and is prepared to use them.

Completing a Personal Data Deletion Request for use in the United Arab Emirates under the PDPL (Federal Decree-Law No. 45 of 2021) involves the following steps.

Step one: enter your full legal name as it appears on your Emirates ID or passport, and your Emirates ID or passport number. This identification information enables the data controller to locate your records and verify your identity before processing the deletion. The UAE Data Office has confirmed that identity verification is a permitted precondition for processing data subject rights requests.

Step two: enter your current contact email address and phone number. The controller's response — either confirming deletion or explaining why certain data must be retained — will typically be sent by email. Use an address you monitor regularly.

Step three: enter the date of the request in DD/MM/YYYY format. The date is the reference point for the 30-day response deadline under Article 17 of the PDPL. Retain a copy of the submitted request with the date clearly recorded.

Step four: identify the organisation holding your data. Enter its full legal name, registered address, and the DPO or privacy team email if available. For companies registered on the UAE mainland, the Department of Economic Development (DED) registration records are publicly searchable and can help confirm the legal name. For free-zone companies in DMCC, JAFZA, Dubai Internet City, or Media City, the relevant free-zone authority's company registry can also be consulted.

Step five: describe the personal data you want deleted. Be specific: list data categories, account types, and systems where you know or believe your data exists. For example: 'My registered account profile, email address, phone number, delivery addresses, order history from 2020 to date, payment method tokens, and any marketing or behavioural profile derived from my browsing or purchase activity on your platform.' Specificity reduces the risk of the controller claiming it cannot identify the data.

Step six: select the legal ground for deletion. This is the reason why the PDPL requires the data to be deleted. The most common grounds for consumer and employment contexts are: withdrawal of consent (when the data was originally collected based on consent and that consent has now been withdrawn); data no longer necessary for its original purpose (for example, an account that has been closed); or unlawful processing (for example, data collected without a valid legal basis).

Step seven: decide whether to request third-party notification. If you know or believe the organisation has shared your data with marketing partners, analytics providers, credit bureaus, or other third parties, selecting 'Yes' requires the controller to notify those parties of the deletion obligation. This is particularly important for marketing databases and for data shared with the Al Etihad Credit Bureau (AECB).

Step eight: sign the form electronically or by hand. Electronic signatures are valid under the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021). Send the request to the organisation's DPO by email or recorded post, and retain proof of delivery.

The right to erasure of personal data in the United Arab Emirates is enshrined in Article 17 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). The PDPL is the primary federal data protection statute and applies to all data controllers established in the UAE or processing the personal data of UAE residents, regardless of whether the controller is located in the UAE.

Article 17 of the PDPL requires a data controller to erase personal data upon request from the data subject where one or more of the following grounds applies: the data is no longer necessary for the purpose for which it was collected; consent has been withdrawn and no other processing ground applies; the data subject objects to processing and there is no overriding legitimate interest; the processing is unlawful; or erasure is required to comply with a legal obligation.

The controller must respond within 30 days of receiving a valid deletion request. If the controller identifies a legal obligation requiring retention of certain data — for example, under the Commercial Transactions Law (Federal Decree-Law No. 50 of 2022), which requires commercial records to be retained for 5 years, or the VAT law (Federal Decree-Law No. 8 of 2017), which requires tax records to be retained for 5 years — the controller must erase all data not covered by the retention obligation and explain in writing which data is being retained and on what legal basis.

The UAE Data Office, established under the PDPL, is the enforcement authority. The Data Office can investigate complaints about data controllers that fail to comply with deletion requests, impose administrative penalties, and refer serious cases for criminal prosecution. Penalties under the PDPL for unauthorised processing can reach AED 5,000,000 for first violations.

For DIFC-registered organisations, the relevant instrument is Article 19 of the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), enforced by the DIFC Commissioner of Data Protection. For ADGM-registered organisations, it is Part 4 of the ADGM Data Protection Regulations 2021, enforced by the ADGM Registration Authority. The right exists under all three frameworks.

The UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) is also relevant where personal data has been published online without consent. Article 44 of the Cybercrime Law can compel removal of online content, and Article 21 addresses the unauthorised disclosure of personal data more broadly.

Deletion requests in the United Arab Emirates frequently encounter obstacles because of avoidable errors. Understanding these pitfalls maximises the chance of a prompt and complete deletion response.

The first mistake is not citing the correct statutory basis. A request that simply says 'please delete my data' without citing Article 17 of the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the applicable ground for deletion may be treated by the organisation as an informal preference rather than a legal obligation. Controllers are more likely to comply quickly — and to route the request to their PDPL compliance function — when the statute is explicitly referenced.

The second mistake is failing to specify a deletion ground. Controllers are permitted by Article 17 of the PDPL to refuse a deletion request where no recognised legal ground applies — for example, where the data is still necessary for the performance of a contract or is required for legal proceedings. Including the specific ground for deletion in the request forces the controller to either accept it or rebut it in writing, and a written rebuttal can itself be the basis for a UAE Data Office complaint if the ground stated is wrong.

The third mistake is not requesting confirmation of deletion. Without a confirmation request, controllers may delete data without informing the data subject, leaving uncertainty. The request should explicitly ask for written confirmation that all data — including backups — has been erased, and should specify a deadline for that confirmation.

The fourth mistake is ignoring retention obligations when framing the request. If data is subject to a mandatory retention period under UAE law — for example, employee records under the Labour Law (Federal Decree-Law No. 33 of 2021) — a blanket 'delete everything' request may be refused in part. Framing the request to exclude data subject to legal retention obligations, while requiring deletion of all other data, shows legal awareness and is more likely to succeed.

The fifth mistake is not following up if the controller does not respond within 30 days. The PDPL's response deadline is not self-enforcing; the data subject must actively pursue a complaint with the UAE Data Office if the deadline is missed.