ATB LEGAL
Dispute Resolution Employment Corporate & Commercial Personal Status Intellectual Property Regulatory & Compliance International Trade Insights People About Contact Us

Data Protection in the UAE: the Federal PDPL, DIFC and ADGM

The UAE has three parallel data-protection regimes, and which one applies turns on where an organisation is established and where it processes personal data. Onshore, the federal Personal Data Protection Law (PDPL)Federal Decree-Law No. 45 of 2021, supervised by the UAE Data Office – sets a GDPR-influenced framework whose long-awaited Executive Regulations – needed to operationalise full enforcement – have been repeatedly delayed and should be confirmed as in force before they are relied upon (a six-month compliance window runs from their issuance). The two financial free zones sit outside the federal law and run their own regimes: the DIFC Data Protection Law (DIFC Law No. 5 of 2020, substantially amended by Amendment Law No. 1 of 2025, which added a statutory right for individuals to sue, and a dedicated AI rule, Regulation 10), and the ADGM Data Protection Regulations 2021, each enforced by its own independent Commissioner. All three are broadly aligned to the EU GDPR. A group operating across onshore UAE, a free zone and abroad may have to comply with more than one regime at once. Because the federal framework is moving quickly, confirm the current Executive Regulations and compliance deadlines at the time of use.

How the UAE’s three data-protection regimes – federal, DIFC and ADGM – fit together, and which one applies to you.

At a glance

  • Three regimes: Federal PDPL (onshore) + DIFC + ADGM (free zones, carved out of the federal law)
  • Federal: Federal Decree-Law No. 45 of 2021; regulator the UAE Data Office (Federal Decree-Law No. 44 of 2021); Executive Regulations long-awaited – confirm whether yet in force; a six-month compliance window runs from issuance (verify)
  • DIFC: DIFC Law No. 5 of 2020, as amended by Amendment Law No. 1 of 2025 (in force 15 July 2025); independent Commissioner; statutory cause of action; Regulation 10 on AI/autonomous systems
  • ADGM: Data Protection Regulations 2021; independent Commissioner / Office of Data Protection; fines up to USD 28 million
  • Common architecture: all three are GDPR-aligned – lawful basis, data-subject rights, DPO where required, DPIAs, breach notification, and restrictions on cross-border transfers
  • The threshold question: which regime(s) apply turns on where the entity is incorporated and where it processes – a group can be caught by more than one

1. Three regimes, one country – the UAE data-protection map

The single most common mistake foreign businesses make about UAE data protection is to assume there is one law. There are three. Onshore – that is, in the UAE outside the financial free zones – the federal PDPL applies. Inside the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), each free zone has its own data-protection law, its own independent regulator, and its own courts; both sit outside the federal PDPL. The federal law expressly does not displace the free-zone regimes, and the free-zone regimes do not reach onshore processing.

The practical consequence is that the first question in any UAE data matter is a perimeter question: where is the controller or processor established, and where does the processing happen? A company incorporated onshore answers to the PDPL and the UAE Data Office; a DIFC entity answers to the DIFC Commissioner under DIFC Law No. 5 of 2020; an ADGM entity answers to the ADGM Commissioner under the 2021 Regulations. A group with entities in more than one of these places – common for financial-services and technology businesses – can be subject to two or three regimes simultaneously, and a data flow that crosses from a free zone to onshore (or abroad) engages transfer rules at each boundary. Alongside the three general regimes sit sectoral overlays – notably the federal health-data rules (Federal Law No. 2 of 2019 on ICT in health), the Cybercrimes Law (Federal Decree-Law No. 34 of 2021) and consumer-protection rules – which can apply on top of the general data-protection law.

2. The federal PDPL – the onshore regime

The Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, is the UAE’s first comprehensive federal data-protection statute. It came into effect on 2 January 2022 and is supervised by the UAE Data Office, the federal regulator established under Federal Decree-Law No. 44 of 2021 and affiliated with the Cabinet. The PDPL was drafted with a clear eye on international standards, and its architecture is broadly GDPR-influenced: it requires a lawful basis (generally consent, with defined exceptions) for processing personal data; grants data subjects rights of access, correction, erasure, restriction, portability and objection; imposes obligations of security, transparency and accountability; requires breach notification; contemplates the appointment of a Data Protection Officer in defined circumstances; and restricts cross-border transfers of personal data.

For several years the framework was incomplete, because the Executive Regulations needed to operationalise and enforce the PDPL had not been issued. Closing that gap depends on the Executive Regulations needed to operationalise and enforce the PDPL – which have been repeatedly delayed since the law took effect, and whose status has been reported inconsistently. Whether they are yet in force, and the compliance deadlines that follow (organisations are given a six-month window from issuance to comply), should be confirmed at the time of use rather than assumed. The direction of travel is clear – a maturing federal regime moving toward active enforcement under an increasingly empowered UAE Data Office – but the operative detail turns on the current instrument. Scope is broad: the PDPL applies to controllers and processors established in the UAE, and also reaches those outside the UAE that process the personal data of data subjects inside the UAE – an extraterritorial reach familiar from the GDPR. Importantly, the federal law does not apply to the DIFC and ADGM (which have their own regimes), to government data, or to categories governed by their own special laws (such as health and credit data).

3. The DIFC regime – Law No. 5 of 2020, as amended in 2025

The DIFC Data Protection Law (DIFC Law No. 5 of 2020), in force since 1 July 2020, is a mature, closely GDPR-aligned regime overseen by an independent Commissioner of Data Protection. It binds controllers and processors connected to the DIFC, and since the 2025 amendments its scope is clearer: it applies to controllers or processors incorporated in the DIFC regardless of where they process personal data, and to the processing of personal data in the DIFC as part of stable arrangements. A DIFC entity cannot escape the law simply by processing data elsewhere.

The substantive obligations track the familiar GDPR architecture: a lawful basis for processing; the full suite of data-subject rights; transparency, security and accountability (the controller must be able to demonstrate compliance, not merely assert it); data protection impact assessments for higher-risk processing; record-keeping; an annual assessment of whether a Data Protection Officer is required; notification of high-risk processing to the Commissioner; and breach notification. The most consequential recent development is Amendment Law No. 1 of 2025 (in force 15 July 2025), the most significant change since 2020. It introduced a statutory cause of action – a private right, modelled on the GDPR, for data subjects to claim directly in the DIFC Courts against a controller or processor that breaches the law, for financial and non-financial (for example, distress) damages, with the onus on the controller or processor to show it was not responsible. It also clarified the law’s extra-territorial scope and raised several administrative fines. Data protection in the DIFC is therefore no longer only a regulatory question; it carries a real litigation dimension, and a single incident can produce both Commissioner enforcement and a civil claim in parallel.

4. DIFC Regulation 10 – AI and autonomous systems

The DIFC was the first jurisdiction in the region to add a dedicated data-protection regime for artificial intelligence. Regulation 10 (“Processing Personal Data through Autonomous and Semi-Autonomous Systems”), in force since 1 September 2023, sits in the DIFC Data Protection Regulations and applies where AI systems process personal data. It introduces dedicated roles – a “Deployer” (treated as the controller) and an “Operator” (treated as the processor) – and turns on the concept of “High Risk Processing Activities” (such as large-scale processing, systematic evaluation or profiling, or novel technologies that heighten the risk to individuals). For high-risk activities it contemplates transparency duties, AI/processing registers, evidence and risk-control obligations, a certification pathway, and the appointment of an Autonomous Systems Officer (the AI equivalent of a DPO). Regulation 10 is in force now, but the Commissioner’s certification framework and further guidance are phasing in during 2026, with fuller enforcement expected as that guidance lands. Organisations deploying AI in the DIFC should map their systems against Regulation 10 now rather than wait.

5. The ADGM regime – Data Protection Regulations 2021

The Abu Dhabi Global Market runs its own regime under the Data Protection Regulations 2021, which came into force on 14 February 2021, replacing the earlier 2015 Regulations and bringing the ADGM into close alignment with the EU GDPR. Enforcement sits with an independent Office of Data Protection headed by a Commissioner of Data Protection. Like its DIFC counterpart, the ADGM regime requires a lawful basis for processing, grants data subjects the full set of rights, and imposes obligations of transparency, security, accountability, DPIAs for higher-risk processing, appointment of a DPO where required, and breach notification to the Commissioner without undue delay. ADGM controllers and processors must also register (notify) with the Commissioner and renew annually, and must apply appropriate safeguards to cross-border transfers. The Commissioner has a full enforcement toolkit, including the power to impose fines of up to USD 28 million for serious failures. As with the DIFC, the ADGM regime is separate from the federal PDPL: an ADGM entity answers to the ADGM Commissioner, not the UAE Data Office.

6. Common ground and key differences

For all their separateness, the three regimes share a common GDPR-derived spine – lawful-basis requirements, data-subject rights, accountability, DPIAs, breach notification and transfer restrictions – so an organisation with a mature GDPR programme starts well ahead. The differences that matter in practice are about regulator, remedies and detail. The DIFC and ADGM each have a dedicated, independent Commissioner and their own courts; the federal regime is supervised by the UAE Data Office. The DIFC now offers data subjects a statutory right to sue in the DIFC Courts – a private-litigation risk that is most developed there. The DIFC also has a dedicated AI regime (Regulation 10) that the others do not match. Consent and lawful-basis mechanics, DPO triggers, registration requirements (ADGM requires notification and annual renewal), and the precise transfer rules differ in their detail across the three. Mapping a group’s entities and data flows against the right regime – and not assuming that compliance with one satisfies another – is the core of getting UAE data protection right.

7. Cross-border transfers

Each regime restricts moving personal data out of its perimeter, and each uses the now-familiar adequacy / appropriate-safeguards structure. Under the DIFC law, personal data may be transferred out only where the destination ensures an adequate level of protection or appropriate safeguards are in place, and – since the 2025 amendments – the controller or processor must make a documented adequacy assessment of the recipient jurisdiction, with the Commissioner able to review and withdraw adequacy decisions; stricter rules govern disclosures to public authorities. The ADGM regime similarly permits transfers on the basis of adequacy or appropriate safeguards (such as standard contractual clauses or binding corporate rules), with defined derogations. The federal PDPL likewise restricts transfers to countries with an adequate level of protection or, failing that, subject to appropriate safeguards or specific exceptions, with the detail set by the Executive Regulations. A practical point for cross-border groups: a transfer from a free zone to onshore UAE, or from the UAE to a third country, is a transfer for these purposes and needs to be justified under the rules of the exporting regime – which is why a group-wide transfer map, rather than ad hoc assessment, is the safer approach.

8. The India–UAE dimension

For India-facing businesses the UAE regimes bite in several recurring ways. An Indian company that processes the personal data of individuals in the UAE – for example, a services or technology business with UAE customers – can be caught by the federal PDPL’s extraterritorial reach even without a UAE establishment. A UAE entity (onshore or in a free zone) that sends personal data to India – to a group company, a shared-services centre or an outsourced processor – must treat that as a cross-border transfer and assess India as a recipient jurisdiction under the applicable UAE regime. And a group spanning onshore UAE, a free zone and India has to operate a layered compliance map: the relevant UAE regime (or regimes) on one side and India’s own framework on the other. India’s data-protection law – the Digital Personal Data Protection Act 2023 – is developing in parallel and is dealt with on our separate India data-protection page; the cross-border task is to make the two sides consistent rather than to treat them in isolation.

Key points at a glance

TopicFederal (PDPL)DIFCADGM
LawFederal Decree-Law No. 45 of 2021DIFC Law No. 5 of 2020 (am. Law No. 1 of 2025)Data Protection Regulations 2021
RegulatorUAE Data OfficeCommissioner of Data ProtectionCommissioner of Data Protection
Applies toOnshore UAE; extraterritorial to UAE data subjectsDIFC-connected controllers/processorsADGM-connected controllers/processors
ModelGDPR-influencedClosely GDPR-alignedClosely GDPR-aligned
Private right to suePer the law/Regulations (verify)Yes – statutory cause of action (2025)Per the Regulations
AI-specific ruleRegulation 10 (autonomous systems)
StatusExecutive Regulations long-awaited – confirm status (six-month window from issuance)In force; amended 15 Jul 2025In force since 14 Feb 2021

Frequently asked questions

How many data-protection laws does the UAE have?

Effectively three general regimes: the federal PDPL (Federal Decree-Law No. 45 of 2021) onshore, the DIFC Data Protection Law (Law No. 5 of 2020, as amended in 2025), and the ADGM Data Protection Regulations 2021. The two free zones sit outside the federal law and have their own regulators and courts. Sectoral laws (for example on health data) can apply on top.

Which regime applies to my business?

It depends on where you are established and where you process. An onshore company answers to the PDPL and the UAE Data Office; a DIFC entity to the DIFC Commissioner; an ADGM entity to the ADGM Commissioner. A group with entities in more than one of these can be subject to more than one regime at the same time.

Is the federal PDPL actually being enforced now?

The PDPL has been in effect since 2 January 2022, but full enforcement requires its Executive Regulations, which have been long delayed and reported on inconsistently. Whether they are yet in force – and the compliance deadlines that follow (a six-month window runs from issuance) – should be confirmed before relying on them; the regime is clearly moving toward active enforcement under the UAE Data Office.

Who regulates data protection onshore?

The UAE Data Office, the federal regulator established under Federal Decree-Law No. 44 of 2021 and affiliated with the Cabinet. It is separate from the DIFC and ADGM Commissioners, who regulate their respective free zones.

Can individuals sue for a data-protection breach in the UAE?

In the DIFC, yes – Amendment Law No. 1 of 2025 introduced a statutory cause of action allowing data subjects to claim in the DIFC Courts for financial and non-financial damages. Rights to compensation under the federal PDPL and the ADGM Regulations should be assessed under those instruments; the most developed private-litigation route is currently the DIFC’s.

What changed in the DIFC in 2025?

Amendment Law No. 1 of 2025 (in force 15 July 2025) introduced the statutory cause of action, clarified the law’s extra-territorial scope and the liability of controllers and processors (including non-financial damages), tightened cross-border-transfer assessments, and raised several administrative fines.

Does the UAE have AI-specific data-protection rules?

The DIFC does: Regulation 10, in force since 1 September 2023, governs personal data processed through autonomous and semi-autonomous systems, introducing “Deployer” and “Operator” roles, a High Risk Processing concept, certification and an Autonomous Systems Officer. Its certification framework is phasing in during 2026. The federal and ADGM regimes do not yet have an equivalent dedicated AI rule.

What are the rules on transferring personal data out of the UAE?

Each regime restricts transfers to jurisdictions offering an adequate level of protection or, failing that, subject to appropriate safeguards or defined exceptions. The DIFC additionally requires a documented adequacy assessment. A transfer from a free zone to onshore, or from the UAE abroad, is a transfer for these purposes and must be justified under the exporting regime’s rules.

How large are the fines?

They vary by regime. The ADGM Commissioner can impose fines up to USD 28 million for serious failures; the DIFC raised several administrative fines in 2025 and can impose larger penalties for serious contraventions; federal PDPL penalties are set under the law and its Executive Regulations. Exact figures should be confirmed against the current instruments.

We are in a free zone – does the federal PDPL apply to us?

No. The DIFC and ADGM are carved out of the federal PDPL and are governed by their own laws and Commissioners. But a group with both free-zone and onshore entities, or data flows between them, can be subject to both the free-zone regime and the federal regime at the relevant points.

Do we need a Data Protection Officer?

Each regime sets its own trigger. The DIFC requires an annual assessment of whether a DPO is needed (and an Autonomous Systems Officer for high-risk AI under Regulation 10); the ADGM and federal regimes require a DPO in defined circumstances based on the nature and risk of the processing. The assessment should be documented.

How does this interact with India’s data-protection law?

An Indian business processing the data of people in the UAE can be caught by the PDPL’s extraterritorial reach, and a UAE entity sending data to India must treat that as a cross-border transfer. India’s Digital Personal Data Protection Act 2023 is covered on our separate India data-protection page; cross-border groups need the UAE and India positions to be consistent.