Understanding Data Breaches and Cross-Border Data Transfers under UAE’s Personal Data Protection Law

The UAE’s Federal Decree-Law No. 45 of 2021 marks a significant stride in personal data protection, establishing a comprehensive and robust framework that largely harmonizes with international best practices like the GDPR. A cornerstone of the PDPL is its stringent approach to Data Breaches. Similarly, Cross-Border data transfers are tightly regulated, necessitating either an adequacy decision for the destination country or the implementation of robust contractual safeguards.
What is a Data Breach?
The UAE Federal Law on Personal Data Protection (PDP Law), Federal Decree-Law No. 45 of 2021, establishes a comprehensive framework for personal data protection, including detailed Data Breach Notification procedures.
Under Article 9(1) of the PDP Law, a Data Controller must notify the UAE Data Office immediately upon becoming aware of any breach that could harm privacy or data security. A Data Breach under UAE law can encompass unauthorized and illegal access to personal data, including its copying, sending, distributing, exchanging, transferring, circulating, processing, alteration, or destruction, resulting in its disclosure to third parties or otherwise compromising its integrity or availability. Such notifications must follow the timelines and forms to be specified in the upcoming Executive Regulations. It is important to note that as of July 2025, the Executive Regulations to Federal Decree-Law No. 45 of 2021 have not yet been fully issued.
Steps in Reporting a Data Breach
Critically, the Data Controller must accompany the Data Breach Report with:
(a) a description of the breach (nature, form, causes, number of records affected);
(b) the Data Protection Officer (DPO) contact details;
(c) potential effects of such Breach on the Data Subjects;
(d) corrective actions and measures proposed to be applied to address the Breach;
(e) any documentation of the breach and remediation; and
(f) any other information that the Data Office requires.
It is crucial to retain all relevant records related to the breach and remediation efforts.
In all cases, the Data Controller must also inform the affected Data Subjects “within the period and in accordance with the measures and requirements” of the Executive Regulations, explaining the breach and measures taken. This notification to Data Subjects is typically required if the breach is likely to result in a high risk to their rights and freedoms.
Data Processors have a complementary duty: if a Data Processor becomes aware of a personal data breach, it must “notify the Data Controller of such breach as soon as it becomes aware,” so the Data Controller can fulfill its notification obligations. This is analogous to the GDPR, which likewise requires Data Processors to notify Data Controllers. Unlike the GDPR’s strict 72-hour rule, the PDPL defers exact timeframes for notification to forthcoming regulations. However, in substance, the requirements are similar, emphasizing prompt action.
The Reporting steps shall be as follows:
- Notifying the Data Office: The Controller is bound to notify the UAE Data Office and submit a report in case of any Data Breaches they are aware of or informed about by Data Processors. The Report shall contain the description of the nature of such data breach and its evidence, details of the appointed Data Protection Officer, potential harms of such breach, measures taken to negate its impact, etc.
- Notifying the affected Person: The Data Subject whose data has been breached has to be notified in accordance with the procedures established by the Law and Executive Regulations.
- Investigation by the Office: The UAE Data Office shall then investigate the reasons for such a breach and shall review the security measures undertaken by the Controller.
Cross-Border Data Transfers
The PDP Law strictly governs transfers of personal data outside the UAE. Transfers may take place only under specific conditions. Article 22 of the PDP Law provides that Cross-Border Transfers are permitted if the Destination Country (the country that is to receive the Data) has an adequate Data Protection regime, as approved by the UAE Data Office. Concretely, the Data Office may authorize a transfer if (a) the Foreign country (or jurisdiction) has laws and measures protecting the Data Subjects’ privacy and an independent enforcement authority; or (b) if the UAE has a bilateral/multilateral Data Protection Agreement with that destination Country.
Thus, Personal data can be transferred outside the UAE with the approval of the UAE Data Office. However, for facilitating such cross-border transfer, the data-receiving State shall have an established comprehensive legal framework for Personal Data Protection. Cross-border transfers can also be made by effecting bilateral or multilateral agreements between the UAE and the data-receiving State.
Data may be transferred to a country without its own data protection laws only under the limited exceptions enumerated in Article 23 of the PDP Law:
- 23 (a) – the Data Controller/Processor imposes contractual obligations on the Recipient to adopt PDPL-equivalent safeguards (e.g., via well-drafted data transfer agreements or contracts);
- 23 (b) – the Data Subject has given explicit consent to the transfer, provided it does not conflict with UAE public security or interest; or
- 23 (c) to (f) – the transfer is necessary for specific purposes, including fulfilling a judicial obligation, performing a contract for the Data Subject, enabling international legal cooperation, or protecting a public interest.
In summary, PDPL transfer rules require a high level of assurance. In practice, UAE entities should either transfer only to “approved” countries or negotiate binding contractual safeguards (akin to GDPR’s Standard Contractual Clauses or Binding Corporate Rules) and keep explicit consent records where applicable. Since the law empowers the UAE Data Office to issue guidelines and require certain “controls” on transfers, organizations must monitor for the forthcoming Executive Regulations.
Conclusion
While organizations await the full issuance of the Executive Regulations for specific timelines and detailed guidance, the core principles and obligations are clear. Proactive compliance is paramount, not only to adhere to legal mandates but also to build and maintain trust with Data Subjects. This means appointing knowledgeable data privacy personnel (such as a DPO where mandated), conducting thorough risk assessments and Data Protection Impact Assessments (DPIAs), regularly training staff, and performing compliance audits. Entities must also be aware of the law’s broad scope, its specific exemptions (e.g., government entities and financial free zones like DIFC and ADGM), and the potential for significant administrative penalties for non-compliance, which can range from AED 50,000 to AED 5 million.
By systematically embedding these practices and remaining vigilant for further regulatory developments from the UAE Data Office, organizations can effectively navigate the UAE’s evolving data protection landscape, meet their legal requirements, and better safeguard individual privacy in line with international standards. We at ABS Partners could help you understand these nuances, their practical implications and thereby assist your business in achieving and maintaining full compliance with the PDPL and other relevant data protection regulations.