Companies' Obligations and Individuals' Rights Under UAE Data Law

Personal data has today become the lifeblood of the digital economy and one of the most sensitive sources of legal liability for organizations in the United Arab Emirates. Every name, phone number, email address, and transaction record is now governed by a federal legislative framework that obliges companies to protect what they collect and grants individuals genuine authority over their data. The UAE legislator established this framework through the Federal Personal Data Protection Law, which balances the free flow of information and business requirements on one hand with the fundamental rights of data subjects on the other. In this article we explain the key obligations of companies and the rights granted to individuals, while clarifying who is subject to the law and who is exempt.

What Are the Obligations of Companies and the Rights of Individuals Under the Personal Data Protection Law in the UAE?

The Legal Framework and the Supervisory Authority

The personal data protection system in the State rests on the Federal Personal Data Protection Law, which sets the general frameworks for collecting, processing, storing, and protecting personal data, along with the rights and duties of all parties. Oversight of its application lies with the UAE Data Office, established under a separate federal law, which is the competent regulatory body for issuing guidance, receiving complaints, and monitoring compliance. Several detailed procedural aspects — such as penalties, cross-border transfer controls, and the limits of exemption — are referred to the law's Executive Regulations.

Scope of Application: Who Is Subject to the Law?

The law applies to the processing of personal data, whether wholly or partly, by electronic or other means, and it has extraterritorial reach in specific cases. Its scope includes:

Data subject
Anyone residing in the State or having a place of business therein.
Controller / processor inside the State
Processes the data of subjects inside or outside the State.
Controller / processor outside the State
Processes the data of subjects residing in the State.

Entities and Cases Exempt From the Law

The law expressly defines cases to which its provisions do not apply — a crucial point for determining the legislation applicable to each entity:

Exempt cases
Government data and the government entities controlling or processing it; personal data held by security and judicial authorities; an individual's processing of their own data for personal purposes; health data that has its own special legislation regulating its protection; banking and credit data that has its own special legislation; and companies and establishments located in free zones that have their own personal data protection legislation.

Why are free zones independent? Under this exemption, entities operating in free zones that have their own systems — such as the Dubai International Financial Centre and Abu Dhabi Global Market — are subject to their independent legislation and their own regulator, not the federal law. The UAE Data Office may also exempt certain establishments that do not process large volumes of data from part of the requirements, in accordance with the controls of the Executive Regulations.

The State's Multi-Layered Protection System

Federal Law
The general framework for the mainland and most establishments, under the supervision of the UAE Data Office.
DIFC
An independent data protection law and a dedicated regulator for entities registered in the Dubai International Financial Centre.
ADGM
Independent data protection regulations specific to entities operating within the Abu Dhabi Global Market.

Personal Data Processing Principles

Fairness, Transparency & Lawfulness
Data is processed in a fair, transparent, and lawful manner.
Purpose Limitation
Collected for a specific, clear purpose and not later processed in a manner incompatible with it.
Adequacy & Minimization
Adequate and limited to what is necessary for the processing purpose.
Accuracy & Updating
Accurate and correct, and updated whenever required.
Security & Protection
Kept secure through appropriate technical and organizational measures against breach and tampering.
Storage Limitation
Not retained after the purpose is fulfilled, except by anonymizing the subject's identity.

Consent and Cases of Lawful Processing Without It

As a rule, processing personal data without the subject's consent is prohibited. The consent must be one the controller can prove; it must be clear, simple, unambiguous, and easily accessible; and it must include the right to withdraw it easily — without the withdrawal affecting the lawfulness of processing that preceded it. The law exempts from the consent requirement certain cases in which processing is lawful, including:

Protection of the public interest; data the subject has made available to all by their own act; establishing legal rights and claims, or judicial and security proceedings; occupational or preventive medicine and healthcare purposes; protection of public health; archival purposes and scientific, historical, and statistical studies; protection of the data subject's interests; employment and social security obligations; performance of a contract to which the data subject is a party; and fulfilling obligations laid down in other laws.

Obligations of Companies (Controller and Processor)

Controller obligations
Taking appropriate technical and organizational measures to secure the data and preserve its confidentiality and privacy; applying protection both when determining the means of processing and during it; setting default configurations to what is necessary for the purpose; keeping a special record of personal data; appointing a processor that offers sufficient guarantees; and providing the Office with what it requests under the law.
Processor obligations
Carrying out the processing in accordance with the controller's instructions and the contracts concluded; applying protection by design; adhering to the specified purpose and duration; erasing the data after processing ends or handing it over; not disclosing except in authorized cases; securing the processing operation; and keeping a special record. Where there are multiple processors without a contract defining roles, they are jointly liable.

Reporting a Data Breach

As soon as the controller becomes aware of any breach or infringement affecting the privacy, confidentiality, and security of data, it must notify the Office of the nature of the breach, its causes, its potential effects, and the measures taken, and must notify the data subject when the breach affects their data. The processor must notify the controller as soon as it becomes aware, so that the controller can notify the Office.

Appointing a Data Protection Officer (DPO)

A qualified data protection officer must be appointed in three cases: if the processing creates a high risk to data privacy due to new technologies or the volume of data; if it involves a systematic and comprehensive assessment of sensitive data, including profiling and automated processing; or if it is carried out on a large volume of sensitive data. The officer verifies compliance, receives requests and complaints, and acts as a liaison with the Office.

Individuals' Rights Over Their Personal Data

Access to Information
Knowing the types of one's data, the processing purposes, automated decisions, the parties it is shared with, and storage controls — free of charge.
Data Portability
Obtaining one's data in a structured, machine-readable format and transferring it to another controller where technically possible.
Correction & Erasure
Correcting inaccurate data and requesting its erasure in cases such as the purpose no longer existing or withdrawal of consent.
Restriction & Suspension
Compelling the controller to restrict processing when the subject disputes the accuracy of the data or contends that the processing breaches the stated purposes or the law.
Objection to Automated Processing
Objecting to decisions based on automated processing and profiling that have a legal or significant effect.
Communication & Complaint
Communicating directly with the data protection officer and submitting complaints to the UAE Data Office.

Cross-Border Data Transfer

Personal data may be transferred outside the State to a country or territory that provides an adequate level of protection, or in specific cases including: the explicit consent of the data subject in a manner not conflicting with the public and security interest; where the transfer is necessary to establish rights before judicial authorities; to conclude or perform a contract serving the data subject's interest; for a procedure related to international judicial cooperation; or to protect the public interest. The Executive Regulations set the controls for these cases.

Supervision, Complaints, and Penalties

The role of the UAE Data Office: the data subject may submit a complaint to the Office upon any breach of their rights, and the Office may verify the causes of breaches and impose administrative penalties on the controller or processor that violates the provisions of the law and the decisions issued in its implementation. The value of these administrative penalties and their procedures are determined under the law's Executive Regulations, in addition to the Office's power to issue guidance and follow up on compliance.

Legal References

Governing legislation: Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data, and Federal Decree-Law No. (44) of 2021 on the Establishment of the UAE Data Office.

Relevant articles: scope and exceptions (Article 2), exemption authority (Article 3), lawful processing without consent (Article 4), processing principles (Article 5), consent (Article 6), controller obligations (Article 7), processor obligations (Article 8), breach notification (Article 9), data protection officer (Articles 10–12), individuals' rights — access to information, portability, correction, erasure, and restriction (Articles 13–18), cross-border transfer (Articles 22–23), complaints and penalties (Articles 24–26).

For entities in free zones: DIFC Data Protection Law No. (5) of 2020, and the ADGM Data Protection Regulations.

“The first step for any organization is to precisely determine the legislation to which it is subject: federal law or free-zone legislation. Those who confuse the two systems may build non-compliant policies — compliance begins with understanding the scope of the law before its details.”

— Lawyer Awadh Almheiri

Do You Need Consultation on Data Protection and Compliance?

Our legal team helps organizations and individuals determine the applicable legislation, draft privacy policies and data processing agreements, set up breach response procedures, and exercise the prescribed rights.

AWADH ALMHEIRI LAW FIRM AND LEGAL CONSULTATIONS

Frequently Asked Questions

Does the federal law apply to companies in free zones?
The federal law does not apply to companies and establishments located in free zones that have their own personal data protection legislation, such as the Dubai International Financial Centre and Abu Dhabi Global Market, since these entities are subject to their independent legislation and their own regulator. All other establishments are subject to the federal law.
Does the law apply to a company outside the State?
Yes; the scope of the law extends to every controller or processor located outside the State that processes the personal data of data subjects residing in the State. What matters is the data subject's place of residence, not merely the company's location.
When must a data protection officer be appointed?
Appointment is required in three cases: if the processing creates a high risk to data privacy due to new technologies or the volume of data; if it involves a systematic and comprehensive assessment of sensitive data, including profiling and automated processing; or if it is carried out on a large volume of sensitive data.
What must be done when a data breach occurs?
As soon as the controller becomes aware of a breach affecting the privacy, confidentiality, and security of data, it must notify the UAE Data Office, stating the nature of the breach, its effects, and the measures taken, and must notify the data subject when the breach affects their data. The processor must notify the controller as soon as it becomes aware.
How does an individual exercise their rights or file a complaint?
An individual has the right to communicate directly with the entity's data protection officer to exercise their rights such as access, correction, erasure, restriction, and objection. If any of their rights is breached, they may submit a complaint to the UAE Data Office, which undertakes verification and takes the appropriate action.
To help you achieve compliance or exercise your rights, our team is at your service.
Legal Expertise That Protects Your Data and Your Business
Determining the applicable legislation and building compliance frameworks
Drafting privacy policies and data processing agreements
Breach response procedures and representing individuals in exercising their rights
We place our legal expertise at your service

Legal Disclaimer
This article was prepared for the purposes of spreading legal culture and community awareness, and does not constitute legal advice or a legal opinion on a specific matter. Legal treatment varies according to the circumstances of each case, so it is advisable to consult a specialized legal advisor before taking any action. Reviewing this content does not create an attorney–client relationship. In the event of any discrepancy between this translation and the original Arabic text, the Arabic version shall prevail.

Our Services in Dubai

AWADH ALMHEIRI LAW FIRM AND LEGAL CONSULTATIONS in Dubai provides services to organizations and individuals in matters of personal data protection and privacy compliance — from determining the applicable legislation, whether the federal law or free-zone legislation such as the Dubai International Financial Centre, and building governance frameworks and drafting privacy policies and processing agreements, through to managing individuals' requests, responding to data breach incidents, and dealing with the competent regulatory authorities.

Our Services Across the Other Emirates

Our services extend to our clients in Abu Dhabi, Sharjah, Ajman, Umm Al Quwain, Ras Al Khaimah, and Fujairah, where we support organizations and individuals in understanding their obligations and rights regarding personal data under the federal law, and provide practical consultations that help balance business requirements with the protection of individuals' privacy, with careful monitoring of any legislative developments affecting this vital field.