UAE Personal Data Protection Law: Key Rights of Data Subjects and Scope of Compliance

In the modern digital landscape, where almost every aspect of a person’s life is transacted online, the effective protection of personal data is crucial. For a major business hub like the UAE, data protection holds the utmost significance.
Amid the substantial increase in data breaches in recent years, the United Arab Emirates, in September 2021, enacted a comprehensive Personal Data Protection Law – Federal Law No. 45 of 2021 (the “Law”) – aiming to establish stringent standards for data privacy, data protection and legal compliance. Companies and other entities operating in the UAE that fail to comply with this Law may face penalties, operational inefficiencies, and constant interventions from the regulators, resulting in permanent loss of consumer trust.
Scope of Application of the Law
The UAE Data Protection Law applies to the personal data processed using automated electronic systems or other means, covering the following scenarios:
- A Data Subject residing or conducting business in the UAE;
- A Data Controller or Processor residing in the UAE and carrying out personal data processing activities of Data Subjects residing inside or outside of the UAE;
- A Data Controller or Processor not residing in the UAE but processing personal data of data subjects residing in the UAE.
However, the Law also sets out certain exemptions, stating that it shall not apply to:
- Processing of any government data,
- Government entities controlling or processing personal data,
- Personal data held with security and judicial authorities,
- Individuals processing their data for their personal usage,
- Banking and credit personal data subject to specific legislation,
- Personal health data subject to specific legislation, and
- Entities located in Free Zones that are subject to specific legislation.
For the purposes of the Article, the following definitions shall be applicable:
- Data Controller: An establishment or natural person who possesses personal data and, based on the nature of their activity, determines the method, criteria, and purpose of processing such personal data, either individually or jointly with others.
- Data Processor: An establishment or natural person who processes personal data on behalf of the Controller, as per the Controller’s instructions.
Who are Data Subjects? What are their Rights under the Law?
Under the UAE Data Protection Law, a Data Subject is a natural person who is the subject of personal data or to whom the personal data relates.
The Law grants Data Subjects a range of rights, ensuring the highest standard of information security and data protection.
Right to Receive Information and Access One’s Personal Data (Article 13)
Each Data Subject has the right to receive information regarding the type of personal data being processed, its purposes, the duration for which the data will be stored, the entities inside and outside the UAE with whom such personal data will be shared, the security measures ensured in cross border data processing, the procedure to submit complaints, etc.
A Data Subject can obtain such information by submitting a request to the Controller, at no cost.
However, the Data Controller shall reject such a request if it conflicts with judicial procedures, poses a threat to information security, or has the potential to affect the confidentiality of personal data of third parties.
Right to Request Transfer of Personal Data (Article 14)
In cases where the transfer of personal data from one Data Controller to another is technically feasible, the Data Subject shall have the right to enable transfer of such personal data.
Right to Correction of Personal Data (Article 15)
The Data Subject has the right to request correction or completion of their inaccurate and incomplete personal data, ensuring up-to-date data records and thereby facilitating precise and error-free data processing.
Right to Erasure of Personal Data
The Data Subject shall have the right to request erasure of his/her personal data in cases where:
- the personal data of such Data Subject is no longer necessary for the purpose for which it was collected, and/or
- there are no legitimate reasons for processing the data, and/or
- the Data Subject has withdrawn consent for the processing, or
- such data processing is in contravention of the applicable Data Protection Laws.
However, such requests shall be denied if personal data is related to public health in private facilities and/or if such data erasure affects or contradicts any investigation procedures or any other applicable laws.
Right to Restrict or Stop Processing (Article 16)
A Data Subject can request the Data Controller to restrict and stop the processing of their data in cases where there exists an objection to the accuracy of his/her personal data, or when such processing is in violation of the agreed-upon purposes or any of the applicable Laws.
A Data Subject can also request the Data Controller to continue storing such data after the completion of the Processing purposes if it is deemed necessary for claiming or defending any rights or legal proceedings.
When the processing of data is conducted for any direct marketing purposes, Profiling, statistical surveys, etc., the Data Subject shall have the right to stop the processing of his/her data.
Right to Processing and Automated Processing (Article 18)
The Data Subject shall have the right to object to any decisions resulting from automated processing (including any Profiling) which may have a legal impact or other adverse effects on the Data Subject.
Right to Complain (Article 24)
The Law also provides the Data Subject with the right to withdraw consent for the processing of their personal data.
If the Data Subject has reason to believe that a violation of any provision of the Law has occurred, or that the Controller or Processor is processing any data in violation of any rules, then he/she shall have the right to complain to the Data Protection Authority or the UAE Data Office.
Ensure Compliance with the UAE Data Protection Law
The UAE’s Federal Law No. 45 of 2021 sets a benchmark for personal data protection by recognizing the rights of individuals and establishing clear compliance obligations for entities handling personal data. In today’s data-driven world, ensuring personal data protection is not merely a regulatory requirement—it is a business imperative.
To ensure compliance, organizations must take proactive steps such as conducting thorough data audits, implementing robust technical and organizational safeguards (including encryption and pseudonymization), appointing a Data Protection Officer where necessary, and formulating clear policies on data processing, storage, and sharing.
Protecting personal data is no longer optional—it is essential to upholding consumer trust and achieving long-term business success in the UAE. The regulatory procedures for data protection and the related laws may seem technical and complex. This can be addressed by seeking the assistance of an expert or a legal professional for a unified approach.