These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
UAE Data Protection Compliance Checklist
Comprehensive compliance guide for UAE Personal Data Protection Law (PDPL) and DIFC Law No. 5 of 2020
UAE Personal Data Protection Law (PDPL)
Key Provisions
Territorial Scope
a) Applies to processing of personal data in the UAE. b) Covers controllers/processors inside the UAE (processing data anywhere). c) Covers controllers/processors outside the UAE processing data of UAE residents. d) Excludes government data, judicial/security authorities, personal use, health/banking data (sector-specific), and free zones with their own laws.
Data Controller (DC) Definition
Establishment/person deciding how/why data is processed.
Consent Requirements
Where consent is the basis for processing: a) The controller must be able to prove that it obtained the data subject's consent. b) The consent request must be clear, simple, and easily accessible, whether written or electronic. c) The request must clearly inform the data subject of the right to withdraw consent easily. The data subject may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it.
Data Controller Key Obligations
a) Ensure data security through technical and organizational measures (to be detailed in the executive regulations). b) Maintain records of processing. c) Engage only processors that can demonstrate compliance, and notify the data subject and the Data Office. d) Be able to prove consent where consent is the basis for processing. e) Report any personal data breach to the Data Office; the time limit will be set in the executive regulations.
Data Processor (DP) Definition
Processes personal data on behalf of a controller.
Data Processor Key Obligations
a) Follow the controller's instructions and ensure data security. b) Keep a record of processing. c) Erase data once the processing period expires; retention requirements are expected to be set out in the upcoming executive regulations. d) Apply appropriate technical measures. e) Notify the controller of any data breach.
Data Storage
Data must be stored securely (encryption, pseudonymization, etc.). Erase or anonymize personal data once purpose is fulfilled. Controllers/processors must adopt best practices to ensure continuous data confidentiality and availability.
Data Transfer
a) Cross-border transfers are allowed where the recipient country ensures adequate protection or under bilateral agreements. b) Absent adequate protection, transfers may still proceed on the basis of consent, contractual necessity, public interest, or legal obligation. Data Office approval or controls may apply where these standards are not met.
Breach Protocols
Controllers must report breaches to the Data Office immediately, describing the breach, the Data Protection Officer's contact details, corrective actions taken, and so on. Affected individuals must be notified where the breach poses a risk to their privacy. Processors must inform controllers promptly of any breach. The reporting time limit will be set in the upcoming executive regulations.
Regulatory Authority: UAE Data Office
a) Oversees enforcement, investigates breaches, issues regulations. b) Can exempt small data handlers. c) Administrative penalties for non-compliance. d) Issues Executive Regulations.
Data Protection Officer (DPO) Requirements
a) Required for high-risk processing (e.g., sensitive data, large-scale profiling). b) DPO can be internal or external. c) Oversees compliance, handles complaints, advises on risk, liaises with the Data Office.
PDPL Compliance Checklist
Data Mapping & Inventory
a) Identify all personal data collected, processed, stored, and transferred. b) Map data flows: sources, storage locations, and third-party access (including cross-border transfers). c) Maintain a personal data register to support compliance reviews.
Lawful Basis for Processing
a) Document the lawful basis for each processing activity (e.g., consent, contract, legal obligation, public interest). b) Ensure consent is obtained where required and clearly recorded. c) Verify exceptions permitted by the law are properly applied.
Consent Mechanism & Policies
a) Develop clear, simple, and unambiguous consent forms specifying processing purposes. b) Provide a straightforward mechanism for withdrawal of consent. c) Update privacy policies to reflect consent procedures and processing details.
Privacy Notices & Information Provision
a) Publish a comprehensive privacy notice stating:
- What personal data is collected
- Processing purposes
- Data sharing details (including cross-border transfers)
- Data retention periods
- Data subject rights
b) Provide the notice to data subjects at the time of collection or before processing begins.
Data Protection Impact Assessment (DPIA)
a) Conduct DPIAs for high-risk processing activities (e.g., systematic profiling, large-scale sensitive data processing). b) Document the processing operations, necessity, risks, and mitigation measures. c) Review and update DPIAs regularly.
Appointment of a Data Protection Officer (DPO)
a) Assess if high risk, systematic, or large volume processing requires a DPO. b) Appoint a qualified DPO (internal or external) and record their contact details. c) Ensure the DPO is involved in all data protection matters and provided with sufficient resources.
Data Security Measures
a) Implement technical controls: encryption, pseudonymization, secure access, and timely data retrieval. b) Adopt organizational measures (e.g., regular security audits, staff training, risk assessments). c) Update security protocols periodically to address emerging threats.
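Pseudonymization is listed above, and under Data Storage earlier on the page, as a baseline technical control. The point a practitioner needs is that hashing an identifier without a secret is not pseudonymization: national phone numbers, ID numbers and e-mails from a known domain live in search spaces small enough to enumerate, so anyone can reverse the token. The following Python is an added example, not code from the page or from any regulator; the key, the sample phone number, the candidate range and the dataset labels are constructed for illustration. It contrasts an unkeyed SHA-256 token with an HMAC-SHA256 token whose key is held apart from the data, and shows domain separation so that two exports cannot be joined on the token without the key.

```python
"""Keyed pseudonymisation (HMAC-SHA256, secret key held apart from the data)
versus an unkeyed hash that an attacker reverses by enumerating candidates.
Added example with constructed inputs; not from the page."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def unkeyed_pseudonym(value: str) -> str:
    # Looks like pseudonymisation but is not: anyone can recompute it.
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes, dataset: str) -> str:
    """HMAC over (dataset label, value). The label gives domain separation:
    the same person gets unrelated tokens in different datasets, so two
    exports cannot be joined on the token by anyone without the key."""
    msg = dataset.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def enumerate_match(token: str, candidates: Iterable[str],
                    fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack (or, for the key holder, a lookup): recompute fn over
    every candidate until one reproduces the token."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


def demo() -> dict:
    # Constructed key: in production it comes from a KMS/HSM and is never
    # stored in the same system as the pseudonymised records.
    key = secrets.token_bytes(32)
    phone = "+971501234567"  # constructed sample identifier
    # Constructed search space: a thousand numbers around the target. Real
    # identifier spaces (a country's mobile numbers, e-mails at one domain)
    # are small enough to enumerate in full.
    candidates = [f"+97150{n:07d}" for n in range(1234000, 1235000)]

    t_unkeyed = unkeyed_pseudonym(phone)
    t_crm = keyed_pseudonym(phone, key, "crm-2024q1")
    t_support = keyed_pseudonym(phone, key, "support-2024q1")

    return {
        # an attacker with no secret reverses the unkeyed hash outright
        "unkeyed_reversed":
            enumerate_match(t_unkeyed, candidates, unkeyed_pseudonym) == phone,
        # the same attack with a guessed key finds nothing
        "keyed_reversed": enumerate_match(
            t_crm, candidates,
            lambda v: keyed_pseudonym(v, b"guess", "crm-2024q1")) is not None,
        # tokens stay stable within a dataset, so record linkage still works...
        "stable_within_dataset":
            keyed_pseudonym(phone, key, "crm-2024q1") == t_crm,
        # ...but differ across datasets, so exports cannot be joined on them
        "differs_across_datasets": t_crm != t_support,
        # only the key holder can go from a known person to their records
        # (e.g. to locate everything about a subject for a DSAR)
        "key_holder_can_match": enumerate_match(
            t_crm, candidates,
            lambda v: keyed_pseudonym(v, key, "crm-2024q1")) == phone,
    }
```

Rotating the key, or using a different key per dataset, changes every token; plan for that before pseudonymised data is shared, because tokens issued under an old key can no longer be linked to new ones.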
Record of Processing Activities
a) Maintain detailed records including:
- Categories of personal data processed
- Processing purposes
- Data subject categories
- Retention periods
- Details of cross-border transfers
b) Ensure records are available for inspection by the Data Office on request.
Cross Border Data Transfer Obligations
a) Verify that transfers go only to jurisdictions with adequate protection. b) Where they do not, implement safeguards such as standard contractual clauses, or obtain explicit consent. c) Document every transfer mechanism and obtain Data Office approval where necessary.
Data Breach Notification & Response
a) Develop a robust breach response plan with clear steps to:
- Detect and assess breaches
- Mitigate breach impacts
- Notify the UAE Data Office immediately, including the nature and cause of the breach, the approximate number of affected records, DPO contact details, and corrective measures taken
b) Ensure processors notify controllers immediately if a breach occurs.
Third Party (Processor) Management
a) Conduct due diligence on all processors and sub-processors handling personal data. b) Ensure contracts include data protection obligations, breach notification, and restrictions on sub-processing. c) Monitor third party compliance with periodic audits.
Complaint Handling Mechanism
a) Establish clear, accessible channels for data subjects to file complaints, so that issues can be resolved before subjects escalate to the Data Office. b) Develop an internal process to handle, investigate, and resolve complaints.
DIFC Data Protection Law No. 5 of 2020
Key Provisions
Legislative authority
This clarifies that the power to enact this law resides with the Ruler of Dubai, establishing the legal basis for the legislation.
Purpose of this Law
This article outlines the core reasons for the law: to establish standards for how personal data should be handled within the DIFC, and to safeguard individuals' privacy rights, especially in the context of evolving technology.
Application of the Law
This is crucial for determining who must comply. The law applies:
• Within the DIFC jurisdiction.
• To the processing of personal data by automated means and in structured filing systems.
• To Controllers and Processors established in the DIFC.
It does not apply to personal or household use of data.
General requirements
This article lays out the fundamental principles of data processing:
• Lawfulness, fairness, and transparency: Data must be processed legally, honestly, and with clear information provided to individuals.
• Purpose limitation: Data can only be collected and used for specific, explicitly stated purposes.
• Data minimization: Only the minimum amount of data necessary should be collected.
• Accuracy: Data must be accurate and kept up to date.
• Storage limitation: Data should not be kept longer than necessary.
• Integrity and confidentiality (security): Data must be protected against unauthorized access, loss, or damage.
• Accountability: Organizations are responsible for complying with these principles and must be able to demonstrate their compliance.
Lawfulness of Processing
This article details the legal grounds required for processing personal data. You must have one of these reasons:
• Consent: The individual has given explicit permission.
• Contract: Processing is necessary to fulfill a contract with the individual.
• Legal obligation: Processing is required by law.
• Vital interests: Processing is necessary to protect someone's life.
• Public task: Processing is necessary for a task carried out in the public interest.
• Legitimate interests: Processing is necessary for the organization's legitimate interests, provided those interests are not overridden by the individual's rights and freedoms.
Processing of Special Categories of Personal Data
This article imposes stricter rules for "special categories" of sensitive data, which include information about:
• Race or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Health data
• A natural person's sex life or sexual orientation
Processing this type of data generally requires explicit consent or must be necessary for specific purposes such as employment, protecting vital interests, or public health.
Consent
If relying on consent as the legal basis for processing, this article sets out conditions:
• Consent must be freely given, specific, informed, and unambiguous.
• It cannot be a precondition to a service unless the processing is necessary for that service.
• Organizations must be able to demonstrate that consent was obtained.
• If processing is for multiple purposes, consent must be separate for each.
• Consent must be clear and easy to understand.
• Individuals have the right to withdraw consent at any time, and it must be as easy to withdraw as to give.
• Organizations must manage and record consent and withdrawals effectively.
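The consent conditions above, together with the PDPL points earlier on the page that a controller must be able to prove consent and that withdrawal does not invalidate processing carried out before it, are easiest to satisfy with a record that is kept per purpose and is append-only. The following Python is an added example, not code from the page or from any regulator or vendor; the class and field names, the hash chain and the sample timeline are assumptions chosen for illustration. It answers the question an auditor or DSAR handler actually asks, "was consent for this purpose in force when this processing ran?", and keeps a tamper-evident trail that can be produced as proof.

```python
"""Append-only, per-purpose consent ledger with a point-in-time check and a
hash chain for tamper evidence. Added example with constructed data."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one purpose per event: consent is specific, never bundled
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # timezone-aware timestamp of the subject's action
    evidence: str     # what the subject saw and did (notice version, control, channel)

    def canonical(self) -> str:
        # Stable serialisation so the hash chain is reproducible.
        return json.dumps([self.subject_id, self.purpose, self.granted,
                           self.at.isoformat(), self.evidence],
                          separators=(",", ":"))


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._digests: List[str] = []

    def _digest(self, prev: str, ev: ConsentEvent) -> str:
        return hashlib.sha256((prev + ev.canonical()).encode()).hexdigest()

    def record(self, ev: ConsentEvent) -> str:
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if self._events and ev.at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        prev = self._digests[-1] if self._digests else self.GENESIS
        self._events.append(ev)
        self._digests.append(self._digest(prev, ev))
        return self._digests[-1]

    def grant(self, subject_id: str, purpose: str, at: datetime, evidence: str) -> str:
        return self.record(ConsentEvent(subject_id, purpose, True, at, evidence))

    def withdraw(self, subject_id: str, purpose: str, at: datetime, evidence: str) -> str:
        # Withdrawal is a new event, never a deletion: the grant stays on record
        # as proof that earlier processing was lawful.
        return self.record(ConsentEvent(subject_id, purpose, False, at, evidence))

    def in_force(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was consent for this purpose in force at instant `at`? The latest
        event at or before `at` wins; no grant at all means no consent."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                state = ev.granted
        return state

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The evidence trail to hand to a regulator or to the data subject."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]

    def verify(self) -> bool:
        """Recompute the chain; False if any stored record was altered."""
        prev = self.GENESIS
        for ev, d in zip(self._events, self._digests):
            if self._digest(prev, ev) != d:
                return False
            prev = d
        return True


def demo() -> dict:
    """Constructed timeline: consent granted for marketing, used, then withdrawn."""
    def ts(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.grant("subj-1", "marketing", ts("2024-03-01T09:00:00"),
                 "privacy notice v3, marketing checkbox ticked (web)")
    ledger.withdraw("subj-1", "marketing", ts("2024-03-10T17:30:00"),
                    "one-click unsubscribe link in e-mail")
    return {
        "lawful_on_5_march": ledger.in_force("subj-1", "marketing", ts("2024-03-05T12:00:00")),
        "lawful_on_12_march": ledger.in_force("subj-1", "marketing", ts("2024-03-12T12:00:00")),
        "analytics_ever": ledger.in_force("subj-1", "analytics", ts("2024-03-05T12:00:00")),
        "chain_intact": ledger.verify(),
        "events": len(ledger.history("subj-1", "marketing")),
    }


def tamper_demo() -> bool:
    """Alter a stored record after the fact and show verify() catches it."""
    ledger = ConsentLedger()
    at = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("subj-1", "marketing", at, "checkbox ticked by the subject")
    ledger._events[0] = ConsentEvent("subj-1", "marketing", True, at, "checkbox pre-ticked")
    return ledger.verify()
```

In production the evidence field should hold enough to reconstruct what the subject saw (notice version, wording of the request, channel) rather than just a boolean, because that is what proving consent amounts to.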
DIFC Compliance Checklist
Article 5: Purpose of this Law
Align data processing with the law's stated purposes: setting standards for personal data handling and safeguarding privacy rights in evolving technological contexts.
Article 9: General Requirements
Adhere to the core processing principles: lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability.
Article 10: Lawfulness of Processing
Ensure a valid legal basis for processing: consent, contract fulfillment, legal obligation, vital interests, public task, or legitimate interests.
Article 11: Processing of Special Categories of Personal Data
Apply stricter safeguards for sensitive data (e.g., health, biometrics, ethnicity), which requires explicit consent or a specific legal justification.
Article 12: Consent
Obtain and manage valid consent: it must be freely given, specific, informed, and unambiguous, and withdrawal must be as easy as giving it.
Article 15: Records of Processing Activities
Maintain detailed processing records covering purposes, data categories, retention periods, security measures, and cross-border transfers.
Article 16: Designation of the DPO
Appoint a Data Protection Officer where the law mandates one for high-risk processing activities.
Article 20: Data Protection Impact Assessment
Perform DPIAs for processing that poses a high risk to individuals' rights.
Article 26: Transfers Out of the DIFC: Adequate Level of Protection
Verify adequacy before international transfers: this article covers transfers to jurisdictions with an adequate level of protection; transfers elsewhere need appropriate safeguards or another ground the law permits.
Article 29: Providing Information Where Personal Data Is Obtained from the Data Subject
Provide transparency when collecting data directly: disclose purposes, legal basis, retention periods, and data subject rights.
Need a fact-specific view?
Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.