🇦🇪 Live Privacy & Data Protection

UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021)

Regulates the collection, processing, and storage of personal data in the United Arab Emirates, establishing data subject rights, controller and processor obligations, and rules for cross-border data transfers. Applies to entities processing personal data within the UAE or of UAE residents.

View official source document

Rules extracted

Obligations decomposed

3.9x

Avg obligations per rule

🇦🇪 United Arab Emirates

Jurisdiction

About this regulation

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) was issued in September 2021 and came into effect on 2 January 2022. Executive Regulations were issued in March 2023. The law establishes comprehensive data protection requirements including lawful bases for processing, consent requirements, data subject rights, controller and processor obligations, cross-border transfer restrictions, breach notification, and enforcement by the UAE Data Office. It applies to the processing of personal data by controllers and processors located in the UAE or processing data of UAE residents. Government entities, free zone entities with their own data protection laws, health data under special legislation, and banking/credit data are exempted.

What AuditDSS covers

Source

Regulation

Extracted

Rules

Decomposed

Obligations

3.9x

Decomposition ratio

Each rule is decomposed into an average of 3.9 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 31 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in Federal Decree-Law 45/2021 is scored across independent risk dimensions:

Obligation Weight

How critical within the regulatory framework

Violation Likelihood

How often breached in practice

Enforcement Evidence

Regulator enforcement history and penalties

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title: UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021)
Regulatory body: UAE Data Office
Jurisdiction: 🇦🇪 United Arab Emirates
Document type: law
Effective date: January 2, 2022
Issuing authority: UAE Federal Government
Industry: Privacy & Data Protection
Official source: View source document ↗

Who this applies to

data controllersdata processorsestablishments processing personal data in the UAE

Key requirements

consent-based processing with enumerated exceptions
data subject rights (access, portability, rectification, erasure, restriction)
controller and processor obligations
data protection officer designation
data breach notification
data protection impact assessment
cross-border transfer restrictions
administrative sanctions

Frequently asked questions about Federal Decree-Law 45/2021

What is Federal Decree-Law 45/2021?

Who does Federal Decree-Law 45/2021 apply to?

Federal Decree-Law 45/2021 applies to data controllers, data processors, establishments processing personal data in the UAE.

How many obligations does Federal Decree-Law 45/2021 contain?

AuditDSS has decomposed Federal Decree-Law 45/2021 into 31 atomic obligations from 8 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of Federal Decree-Law 45/2021?

The key requirements include: consent-based processing with enumerated exceptions, data subject rights (access, portability, rectification, erasure, restriction), controller and processor obligations, data protection officer designation, data breach notification, data protection impact assessment, cross-border transfer restrictions, administrative sanctions.

How can I assess my Federal Decree-Law 45/2021 compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 31 Federal Decree-Law 45/2021 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces Federal Decree-Law 45/2021?

Federal Decree-Law 45/2021 is enforced in United Arab Emirates by UAE Data Office.

When did Federal Decree-Law 45/2021 come into effect?

Federal Decree-Law 45/2021 became effective on January 2, 2022.

What industry does Federal Decree-Law 45/2021 apply to?

Federal Decree-Law 45/2021 is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a Federal Decree-Law 45/2021 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for Federal Decree-Law 45/2021 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering Federal Decree-Law 45/2021 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine Federal Decree-Law 45/2021 with other regulations into a single unified compliance pack for your business.

Build Federal Decree-Law 45/2021 compliance pack

Already have a policy? Assess it against Federal Decree-Law 45/2021

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

AI maps against 31 obligations

Your document is scored against every obligation in Federal Decree-Law 45/2021. Each claim is mapped to the obligation tree and evaluated for coverage.

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.