Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL) is the UAE's federal-level personal data protection law adopted on 26 September 2021 + published in the Official Gazette on 28 November 2021 + entered into force on 2 January 2022 (six months after publication). The Law applies to: any natural person whose data is processed; any controller / processor located in the UAE; any controller / processor located OUTSIDE the UAE that processes the personal data of data subjects within the UAE (extraterritorial scope). The Law is administered by the UAE DATA OFFICE which is operational since 2022 + has the authority to issue executive regulations + guidance + handle complaints + investigate breaches + impose administrative penalties. EXCLUSIONS: the Law does NOT apply within the financial free zones - the Dubai International Financial Centre (DIFC) maintains its own sectoral data protection law (DIFC Data Protection Law No. 5 of 2020) + the Abu Dhabi Global Market (ADGM) maintains its own (ADGM Data Protection Regulations 2021). Sectoral data protection laws also exist (Federal Law No. 2 of 2019 on Health Data + cybersecurity-sectoral regulations). KEY PROVISIONS: lawful basis for processing (Article 4); consent (Article 5); sensitive personal data + biometrics (Article 6); children's data (Article 7); data subject rights (Articles 11-16 - access + correction + erasure + restriction + portability + objection + opt-out for automated decision-making); controller + processor obligations (Articles 8-10, 18-21 - records + security + breach notification + DPO + DPIA); cross-border transfers (Articles 22-24 - adequacy / appropriate safeguards / derogations); UAE Data Office establishment + powers (Articles 25-29). The Law incorporates GDPR-aligned protections + applies to data processed in the UAE OR for UAE-resident data subjects from abroad. Executive Regulations + Data Office guidance continue to evolve.