UAE - Federal
Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law')
Regulator: UAE Data Office (not yet operational)
Summary: On 28 November 2021, the UAE Cabinet announced that it had enacted the Law regarding the protection of personal data, as issued on 20 September 2021. The Law covers the processing of personal data belonging to data subjects within the UAE, regardless of the location of the data controller or data processor. In addition, the Law outlines the conditions for consent, several data subject rights, as well as comprehensive requirements for controllers and processors, such as mandatory breach notification, the appointment of data protection officers, and the implementation of technical and organisational measures to support data security.
The Law entered into effect on 2 January 2022 and the Executive Regulations are expected within six months from the Law's date of issuance (March 2022). Notably, companies must comply with the Law six months from the publication of the Executive Regulations. However, the Law does not apply to public entities or free zones in the UAE with their own data protection legislation (notably the DIFC and ADGM), nor does it apply to health or credit data governed by existing sectoral legislation. Furthermore, it repeals all laws which conflict with its provisions.