Skill

uae-pdp-law

Guides implementation of UAE PDP Law (Federal Decree-Law 45/2021) compliance, covering controller/processor obligations, data subject rights, cross-border transfers, sensitive data processing, and UAE Data Office enforcement.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDP Law) was issued on 20 September 2021 and entered into force on 2 January 2022, with a compliance grace period. The Executive Regulations were issued by Cabinet Decision No. 111 of 2023, published in the Official Gazette on 23 October 2023, and companies were given until 1 January 2025 to achieve compliance. The UA...

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 16, 2026

Actions

View Source View Plugin View on GitHub View README

UAE Personal Data Protection Law Compliance

Overview

The UAE PDP Law is the first comprehensive federal data protection law in the UAE. It is important to note that the UAE also has separate data protection regimes in the financial free zones: the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. These free zone laws operate independently of the federal law.

Key Definitions

UAE PDP Law Term	GDPR Equivalent	Definition
Personal Data	Personal data	Any data related to an identified or identifiable natural person (Article 1)
Sensitive Personal Data	Special category data	Data revealing racial or ethnic origin, political opinion, religious beliefs, criminal records, biometric data, health data, genetic data (Article 1)
Controller	Controller	Any person who determines the purposes and means of personal data processing (Article 1)
Processor	Processor	Any person who processes personal data on behalf of the controller (Article 1)
Data Subject	Data subject	The natural person to whom personal data relates (Article 1)

Lawful Bases for Processing (Article 5)

The controller may process personal data only where:

Consent of the data subject — must be clear, specific, informed, unambiguous, easy to withdraw
Necessary for performance or initiation of a contract with the data subject
Necessary for compliance with legal obligations of the controller
Necessary to protect the vital interests of the data subject or another person
Processing concerns data made public by the data subject
Necessary for legal proceedings — establishment, exercise, or defence of legal claims
Necessary for medical purposes — preventive or occupational medicine, by a medical professional
Necessary for public interest — archiving, statistical analysis, scientific research
Necessary for the legitimate interests of the controller, provided data subject rights do not override

Sensitive Personal Data (Article 7)

Processing of sensitive personal data is prohibited except where:

The data subject has given explicit consent
Processing is necessary for the performance of obligations under employment, social security, or social protection law
Processing is necessary to protect vital interests where the data subject is incapable of giving consent
Processing relates to data manifestly made public by the data subject
Processing is necessary for legal claims
Processing is necessary for public interest, public health, or scientific research

Data Subject Rights (Articles 13-18)

Right to be informed — notification of processing at the time of collection (Article 13)
Right of access — obtain confirmation and a copy of personal data (Article 14)
Right to rectification — correct inaccurate data (Article 15)
Right to erasure — request deletion when data is no longer necessary (Article 15)
Right to restrict processing — limit processing in specified circumstances (Article 16)
Right to data portability — receive data in a structured, commonly used format (Article 17)
Right to object — object to processing, including for direct marketing (Article 17)
Right related to automated decisions — not be subject to solely automated decisions producing legal effects (Article 18)

Cross-Border Transfers (Article 22)

Transfer of personal data outside the UAE is permitted where:

The recipient country or territory provides an adequate level of protection as determined by the UAE Data Office
The controller provides appropriate safeguards including standard contractual clauses, binding corporate rules, or approved certification mechanisms
The data subject has given explicit consent after being informed of the risks
Transfer is necessary for contract performance, legal claims, vital interests, or public interest

The Executive Regulations specify the criteria for adequacy assessment and the process for approving standard contractual clauses.

Controller and Processor Obligations

Controller Obligations

Maintain records of processing activities (Article 8)
Conduct Data Protection Impact Assessments for high-risk processing (Article 9)
Appoint a Data Protection Officer where required (Article 10)
Implement appropriate technical and organisational measures (Article 11)
Notify the UAE Data Office and data subjects of breaches (Article 12)

Processor Obligations

Process data only on documented instructions of the controller
Ensure persons processing data are bound by confidentiality
Implement appropriate security measures
Assist the controller with data subject requests and breach notification
Formal written agreement required between controller and processor

Enforcement and Penalties

The UAE Data Office may:

Issue warnings and corrective orders
Impose administrative fines (amounts to be specified in implementing regulations)
Order suspension of data processing
Refer criminal violations to the public prosecutor

Key Exemptions

The UAE PDP Law does not apply to:

Government data or data processed by government security and judicial entities
Health data governed by specific health data legislation
Banking and credit data subject to specific financial sector regulation
Personal data processed by individuals for purely personal or family purposes
Data processed by media entities in accordance with applicable media regulation

Free Zone Data Protection Regimes

DIFC Data Protection Law No. 5 of 2020

Independent supervisory authority: Commissioner of Data Protection
Closely aligned with GDPR
Applies to entities registered in the DIFC processing personal data

ADGM Data Protection Regulations 2021

Independent regulator: Office of Data Protection
Based on international best practices
Applies to entities registered in the ADGM processing personal data

Integration Points

cross-border transfers: Article 22 transfer mechanisms and adequacy assessment
vendor-privacy-due-diligence: Controller-processor agreement requirements under the Executive Regulations
breach-72h-notification: UAE PDP Law breach notification obligations (timeframe specified in Executive Regulations)
data-inventory-mapping: Article 8 records of processing activities