Federal Decree-Law No. 45 of 2021 (UAE PDPL) came into force in January 2022, with its Executive Regulation published in November 2022. The law has been consistently described in international press as "GDPR-equivalent" — a comparison that leads engineering teams to assume that systems built for GDPR compliance are automatically PDPL-compliant. They are not.
The PDPL and GDPR share a conceptual foundation: data subject rights, lawful basis for processing, controller and processor relationships, breach notification obligations. The differences are in the details — and in regulated-industry contexts, the details are where compliance failures occur.
Consent and Lawful Basis Differences
GDPR provides six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. UAE PDPL is more restrictive: the law provides consent and contractual necessity as the primary lawful bases, with a more limited legitimate interests provision that requires specific conditions to be met. The practical impact: processing activities that rely on GDPR's legitimate interests basis (behavioral analytics, fraud detection, direct marketing) may not have a valid lawful basis under PDPL without explicit consent.
GDPR consent requires a freely given, specific, informed, and unambiguous indication of the data subject's agreement. PDPL consent is similar in principle but differs in the specific disclosures that must accompany it: the PDPL's Executive Regulation sets out the information that must be presented to obtain valid consent, and that list does not match the transparency information required by GDPR Articles 13 and 14.
The PDPL's consent requirements include disclosure of the identity and address of the Data Controller, the purposes and means of processing, the types of personal data to be processed, the data retention period, and the data subject's rights. GDPR requires substantially the same information, but the PDPL adds a requirement to disclose whether personal data will be processed outside the UAE — a disclosure that GDPR covers under its international transfer provisions but doesn't require as a specific consent element.
Data Localisation Under PDPL
UAE PDPL includes cross-border transfer restrictions that have no direct equivalent in GDPR. Article 22 of the PDPL permits transfer of personal data to countries that the UAE Data Office determines provide an adequate level of protection; Article 23 permits transfers in the absence of adequacy on the basis of contractual clauses approved by the UAE Data Office, or with the data subject's explicit consent. The UAE Data Office has not yet published an adequacy list equivalent to the EU's, so in practice most cross-border transfers out of the UAE currently rely on either approved contractual clauses or consent.
For organizations operating multi-jurisdiction data infrastructure, this creates an architecture challenge because each direction is governed by the exporting jurisdiction's law. Data flowing from the UAE to the EU needs a PDPL mechanism (approved clauses or consent, since no UAE adequacy determination covers EU member states). Data flowing from the EU to the UAE needs a GDPR Chapter V mechanism, typically Standard Contractual Clauses, because the European Commission has issued no adequacy decision for the UAE. The same customer record therefore needs two different transfer mechanisms documented depending on which way it moves, and the data flow map and transfer mechanism map for a dual-jurisdiction architecture are more complex than for either jurisdiction alone.
Breach Notification Windows
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. UAE PDPL requires notification to the UAE Data Office "without undue delay" — the Executive Regulation specifies a 72-hour window for notification to the authority, but requires notification to data subjects "without undue delay" when the breach is likely to result in harm. The notification content requirements differ: PDPL requires the notification to include the categories and approximate number of data subjects affected and the measures taken or proposed — similar to GDPR but with different specific fields required.
The Architecture for Dual-Jurisdiction Compliance
- Map your processing activities against both GDPR lawful bases and PDPL lawful bases — they don't map 1:1
- Implement consent capture and storage that records the specific disclosures made at time of consent — GDPR and PDPL require different disclosures
- Build data flow maps that distinguish UAE-origin data from EU-origin data — they may have different transfer constraints
- Implement transfer mechanism documentation for UAE-to-EU and EU-to-UAE flows separately
- Build breach notification workflows that support both 72-hour authority notification and subject notification with different triggers
- Localize privacy notices per jurisdiction — a single unified privacy notice is unlikely to satisfy both frameworks' disclosure requirements
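A concrete form of the data flow map and transfer mechanism documentation described in the list above, as an added example that is not code from the original article or from any vendor: each flow records its origin jurisdiction and destination, and a check applies the exporting jurisdiction's rules, including the PDPL-specific requirement that a consent used as a transfer basis disclosed processing outside the UAE. The jurisdiction codes "EU" and "UAE", the mechanism names, the disclosure identifier and the country sets are assumptions; the adequacy tables are partial, illustrative placeholders that a compliance team would maintain from the authorities' own publications.

```python
"""Transfer-constraint check for a dual-jurisdiction data flow map.

Added example for this article, not code from the original page. The
jurisdiction codes ("EU", "UAE"), mechanism names, disclosure identifier and
country sets are assumptions; the adequacy sets are partial, illustrative
tables to be maintained from the authorities' own publications.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy tables (assumptions, not authoritative lists).
EEA = {"AT", "DE", "FR", "IE", "NL", "ES", "IT", "NO", "IS", "LI"}    # partial
EU_ADEQUATE = {"CH", "GB", "JP", "KR", "CA", "NZ", "IL", "AR", "UY"}  # partial
# The UAE Data Office has published no adequacy list, so every UAE-origin
# transfer out of the country needs a fallback mechanism.
UAE_ADEQUATE: set[str] = set()

# PDPL-specific consent element: the subject must be told that personal data
# will be processed outside the UAE. Identifier is hypothetical.
PDPL_CROSS_BORDER_DISCLOSURE = "processed_outside_uae"


@dataclass
class ConsentRecord:
    # Disclosure identifiers actually shown at capture time, stored with the consent.
    disclosures: frozenset[str]


@dataclass
class DataFlow:
    name: str
    origin: str                      # "EU" or "UAE" (hypothetical codes)
    destination: str                 # ISO 3166-1 alpha-2 country code
    mechanism: Optional[str] = None  # "SCC", "BCR", "UAE_APPROVED_CLAUSES", "CONSENT"
    consent: Optional[ConsentRecord] = None


def assess(flow: DataFlow) -> list[str]:
    """Return findings for one flow; an empty list means the flow is documented
    with a mechanism acceptable under the exporting jurisdiction's rules."""
    if flow.origin == "EU":
        return _assess_gdpr_export(flow)
    if flow.origin == "UAE":
        return _assess_pdpl_export(flow)
    return [f"{flow.name}: unknown origin jurisdiction {flow.origin!r}"]


def _assess_gdpr_export(flow: DataFlow) -> list[str]:
    if flow.destination in EEA or flow.destination in EU_ADEQUATE:
        return []  # intra-EEA or adequacy decision: no Article 46 mechanism needed
    if flow.mechanism in {"SCC", "BCR"}:
        return []
    if flow.mechanism == "CONSENT":
        # Article 49(1)(a) consent is a derogation for occasional transfers,
        # not a basis for a systematic data flow.
        return [f"{flow.name}: GDPR consent derogation used for a systematic transfer to {flow.destination}"]
    return [f"{flow.name}: GDPR transfer to {flow.destination} has no Chapter V mechanism (SCC/BCR)"]


def _assess_pdpl_export(flow: DataFlow) -> list[str]:
    if flow.destination == "AE" or flow.destination in UAE_ADEQUATE:
        return []  # domestic processing, or (one day) an adequacy determination
    if flow.mechanism == "UAE_APPROVED_CLAUSES":
        return []
    if flow.mechanism == "CONSENT":
        if flow.consent is None:
            return [f"{flow.name}: PDPL consent mechanism claimed but no consent record stored"]
        if PDPL_CROSS_BORDER_DISCLOSURE not in flow.consent.disclosures:
            return [f"{flow.name}: PDPL consent did not disclose processing outside the UAE"]
        return []
    return [f"{flow.name}: PDPL transfer to {flow.destination} has no approved clauses or consent"]


def assess_map(flows: list[DataFlow]) -> dict[str, list[str]]:
    """Assess every flow in a data flow map; keys are flow names."""
    return {f.name: assess(f) for f in flows}


# Constructed sample map: the same customer record moving in both directions.
SAMPLE_FLOWS = [
    DataFlow("crm-eu-to-uae", "EU", "AE", mechanism="SCC"),
    DataFlow("crm-eu-to-uae-undocumented", "EU", "AE"),
    DataFlow("analytics-uae-to-eu-consent", "UAE", "DE", mechanism="CONSENT",
             consent=ConsentRecord(frozenset({"controller_identity", "purposes",
                                              "retention_period",
                                              PDPL_CROSS_BORDER_DISCLOSURE}))),
    DataFlow("analytics-uae-to-eu-bad-consent", "UAE", "DE", mechanism="CONSENT",
             consent=ConsentRecord(frozenset({"controller_identity", "purposes"}))),
    DataFlow("intra-eea", "EU", "FR"),
]

if __name__ == "__main__":
    for name, findings in assess_map(SAMPLE_FLOWS).items():
        print(name, "OK" if not findings else findings)
```

The point of keeping the consent record on the flow, rather than a boolean "consent obtained", is that the check can confirm which disclosures were actually shown at capture time; a consent captured under a GDPR-only notice fails the PDPL cross-border element even though it is a perfectly valid GDPR consent.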
Our compliance infrastructure and regulatory intelligence practices support organizations operating in both UAE and EU markets. Our UAE-Gulf market practice includes PDPL compliance architecture alongside the DIFC and ADGM regulatory frameworks relevant to financial services and technology companies in the region.
The engineering behind this article is available as a service.
We have done this work — not advised on it, not reviewed documentation about it. If the problem in this article is your problem, the first call is with a senior engineer who has solved it.