UAE Personal Data Protection Law: General Obligations of the Data Controllers and Processors under the Law

The UAE’s Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, or “PDPL”) establishes a broad data protection framework largely aligned with international standards such as the EU GDPR. The PDPL applies to any entity (inside or outside the UAE) that processes the personal data of individuals in the UAE. It lays down a number of key obligations with which Data Controllers and Data Processors must comply. These obligations aim to secure a high standard of data protection and data security.
Under Article 1 (Definitions) of the PDPL, a Data Controller is defined as an establishment or natural person who has Personal Data and who, given the nature of his/her activity, specifies the method, criteria and purpose of Processing such Personal Data, whether individually or jointly with other persons or establishments.
A Data Processor, on the other hand, is an establishment or natural person who processes Personal Data on behalf of the Controller, as directed and instructed by the Controller.
These definitions mirror the GDPR’s own definitions and in both jurisdictions, the Controller has decision-making authority over data purposes and means, while the Processor acts at the controller’s direction.
Data Controllers and their Obligations
A Data Controller can be a natural person or an establishment that has personal data and determines the method for processing such data and the purposes for doing so.
General Obligations:
Under Article 7 of the PDPL, a Controller’s obligations include:
- Taking all necessary technical and organizational measures to maintain the privacy and confidentiality of the data and to protect it from breach, destruction or alteration.
- Applying mechanisms such as pseudonymisation when processing data, and ensuring compliance with the Data Protection Law.
- Restricting the processing of personal data only to the intended purposes.
- Maintaining a data record, which shall include the details of the Controller, the Data Protection Officer, the categories of personal data, details of persons or individuals having access to such data, and all the other necessary information as specified by the law.
- When appointing a Processor, ensuring that it is able to carry out lawful and secure data processing.
- Providing the Data Office with all necessary information pursuant to a request from a competent judicial authority.
Lawfulness and Purpose Limitation:
Per Article 5, all personal data processing must be fair, transparent and lawful. Controllers may collect data only for “a specific and clear purpose”, and may not process the data later in a manner incompatible with that purpose. The data collected must be limited to what is strictly necessary for the purpose (“data minimization”), and must be accurate and kept up-to-date. Personal data must not be retained beyond the period necessary for the purpose; if retained longer, the data subject’s identity must be anonymized. These provisions echo GDPR principles of purpose limitation, data minimization, accuracy and storage limitation. The PDPL makes clear that if any processing is based on consent, the controller must be able to demonstrate that consent was freely given, specific, informed and unambiguous. Consent under the PDPL must be clear and easily accessible, and the data subject has a right to withdraw consent at any time. These requirements are very similar to the GDPR’s standards for valid consent.
Record-Keeping:
Controllers must maintain detailed processing records. Article 7(4) mandates that the controller keep a “special record” of all personal data activities, including the controller’s own details, the appointed Data Protection Officer (if any), categories of data processed, categories of data subjects, processing operations and purposes, retention schedules, data recipients, cross-border transfer details, and the technical/organizational security measures in place. This record must be made available to the Data Office on request. In effect, controllers must document their processing in a format similar to the “records of processing activities” required by GDPR.
Notification and Cooperation with Data Protection Office:
Article 9 requires a controller to notify the Data Office of a personal data breach “at the time it becomes aware” of any breach likely to prejudice data security or privacy. The notification must include detailed information about the incident (nature, cause, affected records, DPO details, etc.). Controllers must also notify affected data subjects when a breach poses a risk to their privacy, informing them of the measures taken. After notification, the Data Office will verify the adequacy of the corrective measures and may impose penalties if PDPL obligations were violated.
Data Processors and their Obligations
General Obligations (Article 8):
A Data Processor can be a natural person or an establishment that processes personal data on behalf of, and under the supervision of, the Controller. The Data Processor’s general obligations include:
- Adhering to all the instructions of the Controller and fulfilling all the contractual obligations between them while processing the data.
- Implementing adequate and appropriate technical and organizational measures when processing, taking into account the cost of such measures and the nature, scope and purposes of the processing.
- Limiting the processing to the specified purpose and time frame. If the processing would exceed the stipulated period, the Processor must inform the Controller, which decides whether it may continue.
- Erasing the data, or returning it to the Controller, once the processing period ends.
- Not disclosing personal data or the results of its processing, thereby preserving its confidentiality.
- Maintaining a data record of the personal data processed on behalf of the Controller, including all the necessary information as specified by the law.
- Where the processing involves multiple processors, concluding a written agreement that clearly defines their respective obligations, roles and responsibilities.
Compliance with Controller Instructions:
A Processor’s primary duty is to act only on the controller’s documented instructions. Article 8(1) states that the Data Processor shall carry out the processing in accordance with the instructions of the Controller and the contracts and agreements concluded between them. This means a Data Processor cannot process data beyond the Controller’s directive. It also implies that the controller-processor contract must clearly specify the processing details (scope, nature, category of data, etc.). If a Data Processor subcontracts processing, all sub-processors must be bound by the same obligations, and multiple processors must have a written agreement delineating responsibilities [Article 8(10)]. In the absence of such agreement, all co-processors are jointly liable for PDPL obligations.
Technical and Organizational Measures:
Like Controllers, Data Processors must implement appropriate safeguards. Article 8(2) obliges processors to apply the appropriate technical and organizational procedures and measures to protect Personal Data at the design stage and throughout processing. This means Data Processors should build in security by design, evaluating risk and cost to deploy protective measures (encryption, access controls, etc.) commensurate with the processing activity.
Purpose and Period of Processing:
Article 8(3) and (4) govern data retention. A Processor must “carry out the processing according to the purpose and the period specified for it”, and if the processing would exceed the agreed period, the Processor must notify the Controller. Upon expiry of the processing term, or at the Controller’s direction, the Processor must erase or return all personal data. This parallels the GDPR’s storage limitation principle: personal data must not be kept longer than necessary.
Confidentiality:
Data Processors must not disclose or use personal data improperly. Article 8(5) explicitly requires Data Processors to maintain confidentiality (e.g. through employee confidentiality agreements) and report unauthorized disclosures to the Data Controller. The Controller remains liable for any misuse by the Processor, so Processors must be able to demonstrate that only authorized personnel have access.
Records and Accountability:
Article 8(7) imposes on Processors a requirement very similar to the controller’s record-keeping. Data Processors must maintain a special record of Personal Data which is processed on behalf of the Controller, including details of the Controller, the processor, the DPO (if any), data categories, authorized personnel, processing times, purposes, retention/erasure mechanisms, cross-border transfer details, and security measures.