Data Privacy & Digital Lawyers in Dubai

Data is the most valuable asset in the digital economy, and in 2025, it is also one of the most heavily regulated. The UAE has built one of the most sophisticated multi-layered data protection systems in the Middle East and Africa region: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) as the federal cornerstone, Cabinet Decision No. 83 of 2022 as the Executive Regulations clarifying compliance obligations, DIFC Data Protection Law No. 5 of 2020 as significantly amended by DIFC Amendment Law No. 1 of 2025 (effective 15 July 2025) in the DIFC, and ADGM Data Protection Regulations 2021 in Abu Dhabi. In 2025, two landmark new instruments have expanded the digital compliance landscape further: Federal Decree-Law No. 26 of 2025 on Child Digital Safety, imposing mandatory age verification and content filtering obligations on digital platforms, and the UAE's announcement that an AI system will serve as an advisory Cabinet member from January 2026.

 

For businesses operating in Dubai (technology companies, e-commerce operators, financial institutions, healthcare providers, SaaS vendors, and any organisation that collects or processes the personal data of UAE residents), digital and data law compliance is no longer a future priority. It is an immediate operational necessity. At Al Adl Legal Consultants, listed in Forbes and headquartered in Dubai's Business Bay, our digital and data lawyers advise businesses of all sizes on the full spectrum of UAE digital and data law, from PDPL compliance programmes and DPO appointments through technology contract drafting and cybersecurity incident response to data breach litigation and cybercrime defence before UAE courts. Your first consultation is free and confidential.


UAE Digital & Data Law Regulations 2025 - The Complete Regulatory Picture

 

The UAE data protection system is a layered, multi-jurisdictional regulation. Understanding which laws apply to your organisation and in which combination is the essential first step in any digital compliance strategy.

 

Federal Decree-Law No. 45/2021 (PDPL) - UAE's National Data Privacy Law

 

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) is the UAE's first comprehensive federal data privacy law, in force since 2 January 2022. Modelled substantially on the GDPR, the PDPL establishes a national system for the collection, processing, storage, and transfer of personal data, and creates the UAE Data Office (Emirates Data Office) as the federal supervisory authority.

 

     Territorial scope: applies to any controller or processor in the UAE AND to entities outside the UAE processing personal data of individuals residing inside the UAE (extra-territorial reach)

     Exemptions: government data, public entities, health data (covered by separate legislation), banking and credit data (covered by CBUAE regulations), personal data processed for personal use, and entities in DIFC and ADGM (covered by their own regimes)

     Lawful basis for processing: consent is the primary basis, supplemented by public interest, contract performance, legal obligations, and vital interests, narrower bases than the GDPR

     Data subject rights: access, rectification, erasure, restriction, portability, and objection to processing, broadly aligned with GDPR Articles 15-22

     Mandatory DPO appointment: required for organisations engaged in systematic and large-scale processing of sensitive personal data

     Mandatory Data Protection Impact Assessments (DPIA): required for high-risk processing, particularly automated decision-making and profiling

     Mandatory data breach notification: to the UAE Data Office and affected data subjects, with timelines specified in the Executive Regulations

     Cross-border transfers: permitted to countries with adequate protection or through safeguard mechanisms. Cabinet Decision No. 83 of 2022 specifies contractual clauses and adequacy lists

 

Cabinet Decision No. 83/2022 - The PDPL Executive Regulations


KEY: Cabinet Decision No. 83 of 2022 sets out the PDPL Executive Regulations, providing detailed compliance requirements that are binding on UAE businesses. These include: data subject rights procedures, cross-border data transfer mechanisms (contractual clauses, adequacy determinations), and data breach notification obligations. Any PDPL compliance programme must be built on both the PDPL and Cabinet Decision 83/2022.

 

Cabinet Decision No. 83 of 2022 clarified the following key PDPL obligations:

 

     Cross-border data transfers: permitted where the receiving country has adequate data protection laws; or through standard contractual clauses approved by the UAE Data Office; or where the UAE Data Office has issued an adequacy decision for the destination country

     Data subject rights: controllers must respond to data subject requests within the timelines specified; failure to respond is a violation

     Record of Processing Activities (ROPA): controllers and processors must maintain detailed records of all data processing activities

     Data breach notification: controllers must notify the UAE Data Office and affected data subjects within prescribed timeframes. The specific timelines and thresholds are set out in the Executive Regulations

     Data Processing Agreements: controllers must enter into formal data processing agreements with processors specifying security obligations, sub-processor rules, and liability

 

DIFC Data Protection Law - Amended July 2025


2025 UPDATE: DIFC Amendment Law No. 1 of 2025 (effective 15 July 2025) introduced significant amendments to the DIFC Data Protection Law No. 5 of 2020. Key changes include higher administrative fines (up to USD 50,000 per violation for failures such as not conducting mandatory DPIAs or failing to notify the DIFC Commissioner of data breaches), enhanced enforcement mechanisms, and alignment with evolving GDPR principles on AI and automated decision-making.

 

The DIFC Data Protection Law applies to any controller or processor that processes personal data in the DIFC as part of stable arrangements, regardless of where the entity is incorporated. For DIFC-regulated entities, the DIFC Commissioner of Data Protection (not the UAE Data Office) is the supervisory authority. Key features that differ from the federal PDPL:

 

     Legitimate interests as a legal basis: unlike the federal PDPL, the DIFC DPL permits 'legitimate interests' as a lawful basis for processing, offering broader operational flexibility

     Higher administrative fines: up to USD 50,000 per violation under the 2025 amendments, significantly higher than previously

     Commissioner enforcement: the DIFC Commissioner has active enforcement powers, including directions to cease processing, data erasure orders, and administrative fines

     AI and automated decision-making: the 2025 amendments expand provisions on automated processing and profiling directly relevant to fintech, AI-powered services, and digital platforms

     Cookies and tracking: where cookies collect personal data, they are subject to the DIFC DPL requirements; there is no standalone cookie law, but general data protection principles apply

 

ADGM Data Protection Regulations 2021

 

The ADGM Data Protection Regulations 2021 apply to ADGM-registered entities processing personal data. Broadly aligned with GDPR principles, the ADGM regime is supervised by the ADGM Office of Data Protection. Administrative fines can reach USD 28 million for serious violations, significantly higher than the federal PDPL. Legitimate interests are also available as a legal basis, similar to DIFC. Al Adl advises entities registered in ADGM on full ADGM Data Protection Regulations compliance.

 

2025 New Laws: Child Digital Safety & UAE AI Governance


LATEST 2025: Federal Decree-Law No. 26 of 2025 on Child Digital Safety: mandatory age verification, active content filtering systems, parental controls, and prohibition on behavioural profiling of minors for marketing. Applies to internet service providers and digital platforms. Penalties for violations involving minors are notably elevated. UAE announced AI as an advisory Cabinet member from January 2026, the most significant signal yet of the UAE's commitment to leading global AI governance.

 

Federal Decree-Law No. 26 of 2025 on Child Digital Safety creates new compliance obligations for digital platforms, e-commerce operators, and internet service providers in the UAE. Key requirements:

 

     Mandatory age verification: platforms must implement systems to verify user ages and enforce restrictions for users under 18

     Mandatory content filtering: internet service providers must activate content filtering systems for supervised access for children

     Parental controls: operators must provide parental control mechanisms and compliance support tools

     Prohibition on behavioural profiling: behavioural profiling of children for marketing purposes is strictly prohibited

     Elevated penalties: fines for violations involving minors under this law are substantially higher than standard PDPL violations

     PDPL interaction: the Child Digital Safety Law operates alongside and supplements the PDPL; organisations must comply with both

 

UAE Data Protection System - Key Jurisdictions Compared

 

Identifying which UAE data protection regime applies to your organisation is the essential starting point. Many businesses in Dubai are subject to multiple overlapping regimes simultaneously.

 

| Regime | Applies To | Supervisory Authority & Penalties |
| --- | --- | --- |
| UAE Federal PDPL (Federal Decree-Law 45/2021 + Cabinet Decision 83/2022) | All private sector businesses in the UAE mainland (except those covered by DIFC/ADGM regimes or specific sector exemptions). Extra-territorial reach for non-UAE entities processing UAE residents' data. | UAE Data Office (Emirates Data Office) is still solidifying its enforcement role. Administrative penalties set by Cabinet decision. Criminal penalties under the Cybercrime Law: fines up to AED 5,000,000. |
| DIFC Data Protection Law No. 5/2020 (as amended by Amendment Law 1/2025) | Any controller or processor in DIFC as part of stable arrangements, regardless of the place of incorporation. | DIFC Commissioner of Data Protection. Fines up to USD 50,000 per violation (post-2025 amendments). Active enforcement record. |
| ADGM Data Protection Regulations 2021 | ADGM-registered entities processing personal data. | ADGM Office of Data Protection. Fines up to USD 28 million for serious violations, the highest penalty tier in the UAE. |
| Federal Decree-Law No. 26/2025, Child Digital Safety | Internet service providers and digital platforms operating in the UAE. Cross-sector. | TDRA + relevant sectoral regulators. Elevated fines for violations involving minors. |
| UAE Cybercrime Law (Federal Decree-Law 34/2021) | All entities and individuals in the UAE. Criminalises unauthorised access, data misuse, phishing, impersonation, and electronic fraud. | Public Prosecution + UAE courts. Criminal fines up to AED 5,000,000 + imprisonment for serious violations. |
| Sector-Specific Regimes | Healthcare data (Federal Law 2/2019), banking/financial data (CBUAE regulations), telecommunications (Federal Law 3/2003). | Respective sectoral regulators: MOHAP, CBUAE, TDRA. |

 

Our Digital & Data Legal Services in Dubai

 

Al Adl Legal provides comprehensive digital and data law advisory and litigation services for businesses operating in Dubai and across the UAE. Our digital lawyers are UAE Ministry of Justice licensed advocates, meaning we provide legally binding opinions, advise on UAE court proceedings for data breaches and cybercrime, and represent clients in regulatory proceedings before the UAE Data Office and DIFC Commissioner.

 

UAE PDPL Compliance Programmes & Gap Analysis

With the UAE Data Office establishing its enforcement role and the DIFC Commissioner actively enforcing the DIFC Data Protection Law, proactive PDPL compliance is now a genuine business risk management priority, not just a future obligation. Al Adl designs and implements end-to-end UAE PDPL compliance programmes from initial gap analysis through to ongoing monitoring and regulatory update management.

     PDPL gap analysis: Reviewing existing data processing activities, policies, and procedures against PDPL and Cabinet Decision 83/2022 requirements

     Data mapping and Record of Processing Activities (ROPA): Identifying all personal data flows, storage locations, processors, and cross-border transfers

     Privacy notice and consent management: Drafting PDPL-compliant privacy policies, consent mechanisms, and data subject rights procedures

     Data Processing Agreements (DPAs): Drafting and reviewing UAE-law compliant agreements with processors and sub-processors

     Compliance training: Educating staff on UAE PDPL obligations, data subject rights handling, and breach recognition

     Ongoing compliance monitoring: Regulatory update tracking (PDPL Executive Regulations, UAE Data Office guidance, DIFC amendments)

     DIFC Data Protection Law compliance: Separate compliance programme for DIFC-regulated entities under the 2025 amended regulation.

 

Data Protection Officer (DPO) Appointment & Support

The UAE PDPL mandates the appointment of a Data Protection Officer for organisations engaged in systematic and large-scale processing of sensitive personal data. The DIFC Data Protection Law has its own DPO requirements. Al Adl advises on whether your organisation requires a DPO under UAE law, assists with DPO appointment, and provides outsourced DPO support services where Al Adl's lawyers serve as the organisation's DPO on a retained basis.

     DPO obligation assessment: determining whether PDPL, DIFC DPL, or ADGM regulations require a DPO appointment for your organisation

     DPO appointment support: advising on DPO qualifications, responsibilities, and independence requirements

     Outsourced DPO services: Al Adl serves as external DPO, managing regulatory engagement, monitoring compliance, and advising the board

     DPO notification: managing DPO registration requirements with the UAE Data Office, DIFC Commissioner, and ADGM ODP as applicable

     DPO advisory support: providing ongoing legal guidance to in-house DPOs on complex processing activities and data subject requests

 

Data Breach Response & Notification

A data breach, whether from a cyberattack, accidental disclosure, or insider threat, triggers mandatory notification obligations under the UAE PDPL, DIFC DPL, and ADGM regulations. The notification timelines are strict, the content requirements are specific, and a poorly handled breach response can significantly increase regulatory and legal exposure. Al Adl provides immediate breach response legal support, managing both the regulatory notification process and any related legal proceedings.

     Breach assessment: immediate legal assessment of whether a notifiable breach has occurred under applicable UAE data protection laws

     UAE Data Office notification: drafting and filing breach notifications with the UAE Data Office within the required system

     DIFC Commissioner notification: managing DIFC breach notifications under the 2025 amended requirements

     Data subject notification: drafting individual notifications to affected data subjects where required by law

     Regulatory liaison: managing ongoing communication with UAE Data Office, DIFC Commissioner, and TDRA following a breach

     Litigation and insurance: managing civil claims arising from data breaches and coordinating with cyber insurance policies

     Post-breach remediation: advising on technical and organisational measures to prevent recurrence and demonstrate regulatory accountability

 

Technology Contracts, SaaS & Cloud Agreements

Technology contracts, whether a SaaS subscription agreement, cloud services contract, software development agreement, technology transfer agreement, or outsourcing contract, carry significant data protection, intellectual property, and commercial risk under UAE law. Al Adl drafts, reviews, and negotiates technology contracts for businesses on both the supplier and customer side, ensuring UAE law compliance and commercially appropriate risk allocation.

     SaaS agreements: subscription terms, data processing clauses, service levels, and data portability for UAE-law-governed SaaS products

     Cloud services contracts: data residency requirements, security obligations, breach notification, and audit rights for UAE cloud deployments

     Software development agreements: IP ownership, escrow arrangements, warranty, and liability clauses under UAE law

     Technology transfer and licensing: licensing structures, royalty arrangements, and IP protection for technology transfers into the UAE

     Outsourcing and IT service agreements: data protection, confidentiality, BCP/DR, and termination for IT service providers

     API and data sharing agreements: governing data exchange arrangements with third parties, access controls, liability, and compliance obligations

     Digital commerce agreements: terms and conditions for online platforms, marketplace operator agreements, and digital service contracts

 

Cybersecurity Legal Advisory & Incident Response

The UAE's Cybercrime Law (Federal Decree-Law No. 34 of 2021) provides one of the most comprehensive criminal regulations for addressing cybercrime in the region, with fines of up to AED 5,000,000 and criminal prosecution for serious violations. Al Adl advises businesses on cybersecurity legal obligations, assists with cybersecurity policy and contract system, and represents both victims of cybercrime and businesses defending against cybercrime allegations.

     Cybersecurity policy review: assessing existing cybersecurity policies against UAE legal requirements and TDRA Internet Access Management (IAM) standards

     Cybersecurity contract drafting: vendor security obligations, penetration testing authorisations, and security incident response procedures

     Cybercrime complaint management: filing criminal complaints with UAE Police cybercrime units and Public Prosecution under Federal Decree-Law No. 34/2021

     Cybercrime defence: representing businesses and individuals facing cybercrime allegations, including phishing, fraud, impersonation, and data theft

     Regulatory cybersecurity notifications: managing mandatory cybersecurity incident notifications to TDRA and sectoral regulators

     Cyber insurance legal support: reviewing cyber insurance policies and managing legal aspects of cyber insurance claims

 

E-commerce, Digital Commerce & Consumer Protection

E-commerce businesses in the UAE operate in one of the most active digital commerce markets in the Middle East and face compliance obligations under multiple simultaneous regulations: PDPL, Federal Decree-Law No. 14/2023 on Trading by Modern Technological Means (Digital Commerce Law), Federal Law No. 15/2020 on Consumer Protection, and now Federal Decree-Law No. 26/2025 on Child Digital Safety for platforms with minor users. Al Adl advises e-commerce operators on the complete UAE digital commerce compliance system.

     E-commerce terms and conditions: drafting UAE-law compliant T&Cs, refund policies, and delivery terms

     Digital Commerce Law compliance: Federal Decree-Law No. 14/2023 obligations for online traders, electronic contracts, and digital marketplace operators

     Consumer protection compliance: Federal Law No. 15/2020 obligations include accurate product descriptions, data use restrictions, and dispute resolution requirements

     Child Digital Safety compliance: Federal Decree-Law No. 26/2025 age verification, content filtering, and parental controls for platforms serving minors

     Electronic contracting: validity and enforceability of digital signatures and electronic contracts under UAE law

     Cross-border e-commerce: advising on UAE import regulations, customs compliance, and consumer protection in cross-border online transactions

     Social media and influencer marketing: permits required for social media advertisers and influencers to comply with UAE advertising standards

 

AI Governance, Automated Decision-Making & Emerging Technology

The UAE is the most AI-forward jurisdiction in the world, with an AI National Strategy 2031, the world's first AI-enabled Regulatory Intelligence Office (April 2025), an AI advisory Cabinet system from January 2026, and the Dubai Autonomous Vehicles Regulation (Law No. 9/2023). For businesses deploying AI in the UAE, the intersection of AI with PDPL automated processing obligations, DIFC DPL (as amended 2025), and sector-specific AI requirements creates complex compliance challenges. Al Adl advises on the emerging UAE AI governance landscape.

     AI + PDPL compliance: automated processing and profiling obligations under UAE PDPL, including lawful basis, transparency, and data minimisation requirements

     DIFC DPL 2025 automated decision-making: expanded provisions under Amendment Law No. 1 of 2025 affecting AI-powered services in DIFC

     AI contract structuring: AI development agreements, AI output ownership, indemnity for AI errors, and limitation of liability in AI deployments

     Regulatory monitoring: tracking UAE AI Strategy 2031 developments, Ministry of AI guidance, and sector-specific AI regulations

     AI governance regulation: board-level AI risk governance, algorithmic audit trail requirements, and AI ethics policy advisory

     Autonomous vehicles: Dubai Law No. 9/2023 compliance for AV operators and technology providers

 

Cross-Border Data Transfers & International Compliance

Moving personal data across UAE borders to cloud providers, group companies, or third-party processors in other countries requires careful compliance with the PDPL, Cabinet Decision No. 83/2022, and (for DIFC entities) the DIFC DPL. International businesses processing UAE residents' data from outside the UAE must also comply with the PDPL's extra-territorial provisions. Al Adl advises on the legal mechanisms for lawful cross-border data transfers and multi-jurisdictional data compliance strategies.

     Transfer mechanism analysis: determining whether the recipient country has adequate protection or whether contractual safeguards are required

     Standard contractual clauses: drafting UAE Data Office-aligned contractual clauses for cross-border data transfers

     GDPR-UAE interaction: advising businesses that must comply with both GDPR (EU operations/EU data) and UAE PDPL simultaneously

     Group data sharing agreements: intra-group data transfer agreements and data governance regulation for multinational groups

     Cloud provider data residency: advising on UAE data localisation requirements for banking, healthcare, and government-linked sectors

     Multi-jurisdictional compliance: coordinating UAE PDPL compliance with KSA PDPL, Kuwait data law, Bahrain PDPL, and Qatar PDPL for GCC-wide operations

 

Why Choose Al Adl Legal as Your Digital & Data Lawyers in Dubai

The UAE's digital and data law landscape changes faster than any other practice area. Al Adl's digital lawyers are current on every development and can litigate any dispute that arises.

 

UAE Ministry of Justice Licensed Advocates: Al Adl's digital lawyers are licensed UAE advocates. We prosecute cybercrime complaints in UAE courts, represent clients before the UAE Data Office, and litigate data breach damages claims, capabilities that compliance consultants cannot provide.

2025 Law Current: Al Adl's digital practice reflects the latest UAE developments: DIFC Amendment Law No. 1/2025 (July 2025), Federal Decree-Law No. 26/2025 on Child Digital Safety, UAE AI Cabinet announcement (June 2025), and Cabinet Decision No. 83/2022 Executive Regulations, unlike many competitors who still describe the 2021 PDPL without these updates.

Multi-Regime Expertise: Federal PDPL, Cabinet Decision 83/2022, DIFC Data Protection Law (as amended 2025), ADGM Data Protection Regulations, UAE Cybercrime Law, Digital Commerce Law, Child Digital Safety Law 2025. One firm for your entire UAE digital compliance portfolio.

AI & Emerging Technology Capability: Al Adl advises on AI governance, automated decision-making compliance, autonomous vehicles regulation, and digital commerce obligations, the fastest-growing areas of UAE digital law.

E-Commerce Specialists: From digital platform terms and conditions through PDPL-compliant privacy policies to Child Digital Safety Law compliance for platforms with minor users, Al Adl covers the complete e-commerce legal risk spectrum.

Forbes-Listed Law Firm: Al Adl Legal's Forbes recognition provides institutional credibility when dealing with large technology vendors, international cloud providers, or regulatory bodies in UAE digital law matters.

Legal Professional Privilege: All digital and data law matters involve highly commercially sensitive information. Al Adl's communications are protected by absolute legal professional privilege; your data flows, security vulnerabilities, and compliance gaps cannot be disclosed.

GCC-Wide Digital Law Capability: Al Adl advises on UAE PDPL alongside KSA PDPL, Kuwait, Bahrain, and Qatar data laws, ideal for regional multinationals needing a single firm for GCC digital compliance.

Business Bay, Dubai: Centrally located near DIFC, ADGM's regional hub, and Dubai's main technology and e-commerce business districts.

Free First Consultation: Understand your UAE digital and data law compliance position and the specific legal risks your business faces before committing to any advisory programme.

Mr. MD Azaan Salahuddin
Mr. MD Eldaly Ahmad Ismail Hassan
Mr. Mohamed Lotfy Khalaf Ahmed

Digital and Data - Frequently Asked Questions

What is the UAE data protection law (PDPL) and who does it apply to?

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) is the UAE's first comprehensive federal data privacy law, in force since 2 January 2022. It applies to any controller or processor located in the UAE that processes personal data — and extends extra-territorially to organisations outside the UAE that process the personal data of individuals residing inside the UAE. Exemptions include: government data, public entities, health data (covered by Federal Law No. 2/2019), banking and credit data (covered by CBUAE regulations), personal data for personal use, and entities in DIFC and ADGM (which have their own data protection regimes). The PDPL is implemented alongside Cabinet Decision No. 83 of 2022 (Executive Regulations), which specifies cross-border transfer mechanisms, data subject rights procedures, and breach notification requirements.

Is GDPR applicable in the UAE?

GDPR does not directly apply as UAE law. However, organisations in the UAE that process the personal data of EU data subjects (for example, EU-based customers, employees, or users) must comply with GDPR regardless of where the processing takes place — GDPR has its own extra-territorial reach. Many UAE-based multinationals therefore comply with both GDPR (for EU data) and UAE PDPL (for UAE-resident data) simultaneously. The UAE PDPL was modelled substantially on the GDPR, sharing core principles (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability) — so organisations already compliant with GDPR have a strong foundation for PDPL compliance. Key differences include: PDPL relies more heavily on consent as the lawful basis; the PDPL enforcement structure is still developing (unlike GDPR's active enforcement); and GDPR fines are significantly higher (up to 4% of global turnover vs PDPL's Cabinet-determined penalties).

Who needs to appoint a Data Protection Officer (DPO) in the UAE?

Under the UAE PDPL, a DPO appointment is mandatory when the controller or processor is engaged in systematic and large-scale processing of sensitive personal data. Sensitive personal data includes information revealing family origins, ethnic background, political or religious beliefs, criminal records, biometric data, health data, genetic data, and sexual life or orientation. Cabinet Decision No. 83/2022 provides further guidance on the circumstances requiring DPO appointment. Under the DIFC Data Protection Law (as amended by Amendment Law No. 1 of 2025), DIFC-regulated entities have their own DPO requirements. Al Adl assesses DPO obligation status for each client's specific processing activities and, where required, provides outsourced DPO services through senior qualified legal professionals.

What are the penalties for PDPL violations in UAE?

The UAE PDPL does not specify fixed penalty amounts in the law itself; penalties will be determined by the Cabinet upon the UAE Data Office General Manager's proposal. However, for unauthorised disclosure of personal data, criminal penalties under the UAE Cybercrime Law (Federal Decree-Law No. 34/2021) can apply: fines up to AED 5,000,000 and criminal prosecution. For DIFC entities, DIFC Amendment Law No. 1 of 2025 (effective 15 July 2025) significantly increased DIFC Commissioner fines to up to USD 50,000 per violation. For ADGM entities, the ADGM Office of Data Protection can impose fines up to USD 28 million. For Child Digital Safety Law violations (Federal Decree-Law No. 26/2025), elevated penalties apply, particularly for violations involving minors.

What is the DIFC Data Protection Law and how was it changed in 2025?

The DIFC Data Protection Law No. 5 of 2020 governs data protection within the Dubai International Financial Centre. It applies to any controller or processor processing personal data in the DIFC as part of stable arrangements, regardless of where the entity is incorporated. DIFC Amendment Law No. 1 of 2025 (effective 15 July 2025) introduced significant changes: substantially higher administrative fines (up to USD 50,000 per violation for failures such as not conducting mandatory DPIAs or failing to notify the DIFC Commissioner of breaches), enhanced enforcement mechanisms, and expanded provisions on AI and automated decision-making. The DIFC DPL uses legitimate interests as an additional lawful basis for processing, offering more flexibility than the federal PDPL, which relies primarily on consent. The DIFC Commissioner of Data Protection actively enforces the DIFC DPL.

What does the UAE Child Digital Safety Law require, and when does it apply?

Federal Decree-Law No. 26 of 2025 on Child Digital Safety imposes new obligations on internet service providers and digital platforms in the UAE. Key requirements include: mandatory age verification systems to identify and restrict access for users under 18; mandatory content filtering (internet service providers must activate content filtering for children); parental control mechanisms and compliance support tools; strict prohibition on behavioural profiling of minors for marketing purposes; and significantly elevated penalties for violations involving minors. The law works alongside the PDPL; organisations must comply with both. Al Adl advises e-commerce platforms, social media operators, gaming companies, educational technology providers, and any digital business with UAE minor users on full compliance with Federal Decree-Law No. 26 of 2025.

Does UAE data law apply to my company if we are based outside the UAE?

Yes, if your company is based outside the UAE but processes the personal data of individuals residing inside the UAE, the PDPL applies to you. This extra-territorial reach mirrors the GDPR's approach and affects: e-commerce companies selling to UAE residents; SaaS providers with UAE-based subscribers; technology companies with UAE users; marketing platforms targeting UAE audiences; and any organisation that processes UAE residents' personal data in the course of its business. The practical compliance requirements include: having a UAE-law compliant privacy notice; establishing a mechanism for UAE data subject rights requests; complying with cross-border data transfer rules when exporting UAE resident data abroad; and appointing a DPO where required. Al Adl advises international companies on UAE PDPL extra-territorial compliance, including gap analysis, documentation, and ongoing monitoring.

Why Choose Al Adl?

Expertise

Our team of highly-skilled and experienced lawyers specialize in a variety of areas of practice. With a comprehensive knowledge of UAE legislation, we are well-equipped to provide strategic counsel and effective solutions.

Client-Centric

We prioritise our clients' interests and strive to deliver personalised legal solutions. We take the time to thoroughly understand your unique situation, objectives, and concerns. By developing a close working relationship with you, we can provide sound advice and guidance.

Excellence

Our dedication to excellence sets us apart. We are committed to delivering exceptional legal services, consistently meeting and exceeding our clients' expectations. With meticulous attention to detail, thorough research, and diligent case preparation, we leave no stone unturned.

Integrity

We uphold the highest standards of integrity and professionalism in all our interactions. We understand the sensitive nature of legal matters and the importance of confidentiality. Rest assured that your information will be handled with the utmost discretion and respect.

Al Adl Legal In Numbers

400+ Clients
50M+ AED Recovered
38+ Countries
85% Success Rate
