UAE PDPL Data Subject Rights — Access, Erasure, and the Executive-Regulations Gap — UAE
Sourced from UAE federal decrees, laws, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
The UAE Personal Data Protection Law (PDPL), Federal Decree-Law No. 45 of 2021, gives data subjects in the UAE the rights of access, correction, erasure / right to be forgotten, restriction, data portability, and objection — the GDPR-style data-subject toolkit, applied to any data controller or processor either located in the UAE or processing the personal data of UAE residents (Article 2).
The implementation layer is still developing: an initial set of Executive Regulations was issued in 2024, but further Implementing Regulations clarifying key provisions have not all been published, and the UAE Data Office (established by FDL 44/2021) is not yet fully empowered as the enforcement regulator. Some PDPL rights are practically enforceable today; others remain in transition. The situation continues to develop through 2026.
If you live or work within a DIFC- or ADGM-licensed entity's data ecosystem, those free-zone regimes have working DSAR / erasure mechanisms today: DIFC's Data Protection Law, DIFC Law No. 5 of 2020 (Commissioner of Data Protection), and ADGM's Data Protection Regulations 2021 (Office of Data Protection).
When does it apply?
- You are a UAE resident or have personal data processed by a UAE-located controller or processor (Article 2).
- You want to access, correct, or delete personal data held about you by a UAE business or government body.
- You are within a DIFC-licensed entity's data ecosystem — use DIFC DP Law 5/2020 instead (Commissioner of Data Protection, working regime).
- You are within an ADGM-licensed entity's data ecosystem — use ADGM DPR 2021 instead (Office of Data Protection, working regime).
Exercising PDPL Data Subject Rights in the UAE
- Identify the controller and use its privacy contact. Most UAE businesses publish a Data Protection Officer or privacy team contact in the privacy notice. Submit the request in writing, identify yourself, and state which PDPL right you are exercising (Article 13 for access, Article 14 for correction, Article 15 for erasure, Article 16 for restriction, Article 17 for portability, Article 18 for objection).
- For DIFC entities, use the DIFC Commissioner of Data Protection. DIFC's framework is fully operational — file the request with the controller; if refused, complain to the Commissioner (dp.difc.ae). DIFC enforcement is active.
- For ADGM entities, use the ADGM Office of Data Protection. ADGM's framework is fully operational — file with the controller; complaints go to the ADGM Office of Data Protection (adgm.com).
- For a UAE-mainland controller that refuses or ignores the request, document everything. While further Implementing Regulations and the UAE Data Office's enforcement powers are still being built out, formal escalation routes are limited compared to GDPR / UK GDPR. Many large controllers voluntarily comply because they also fall under DIFC / ADGM or under foreign laws like GDPR (extra-territorial scope).
- For employer data, consider the labour-side route. If the controller is your employer and the data dispute is mixed with a labour-rights issue, MoHRE's complaint route may be available alongside.
- For health data, check the sector-specific Federal Law on ICT in Healthcare (Federal Law No. 2 of 2019), which has its own data-protection rules and is enforced by the Ministry of Health & Prevention.
What should you NOT do?
- Don't assume PDPL enforcement looks like GDPR enforcement. The PDPL is a GDPR-style framework on paper, but the operational enforcement layer is materially behind GDPR/UK GDPR as of 2025. Set expectations honestly.
- Don't pay services that 'guarantee' deletion under PDPL. Until the UAE Data Office is fully empowered with enforcement powers, no service can credibly guarantee enforced PDPL deletion.
- Don't conflate PDPL with the DIFC or ADGM regimes. They are separate. A DIFC-based fintech is governed by DIFC DP Law 5/2020, not (primarily) the federal PDPL.
- Don't ignore the criminal-side defamation / privacy offences under FDL 34/2021. If your data has been weaponised against you (doxxing, blackmail, harassment), the FDL 34/2021 criminal route via eCrime / MoI is materially more active than civil PDPL enforcement today.
Common Questions
Is the UAE PDPL actually enforced?
The PDPL is in force as of 2 January 2022. An initial set of Executive Regulations was issued in 2024 but further Implementing Regulations clarifying key provisions have not all been published, and the UAE Data Office is not yet fully empowered as the enforcement regulator (as of 2026). Practical enforcement varies by provision. The DIFC and ADGM free-zone regimes are fully operational with their own active regulators.
What's the difference between the federal PDPL and DIFC / ADGM regimes?
The federal PDPL applies to UAE-mainland entities and to processing of UAE residents' personal data. DIFC and ADGM are separate financial free-zones with their own data-protection laws enforced by their own regulators (Commissioner of Data Protection for DIFC; Office of Data Protection for ADGM). If you work in a DIFC- or ADGM-licensed entity, those regimes — fully operational today — apply to your data.
Does the PDPL have extra-territorial scope?
Yes. Article 2 of the PDPL applies to any data controller or processor located in the UAE processing the personal data of data subjects residing or working within or outside the UAE, AND to any data controller or processor established outside the UAE processing the personal data of UAE data subjects. Practical enforcement of the extra-territorial scope depends on the UAE Data Office's evolving enforcement capabilities.
Are there sector-specific privacy laws in the UAE?
Yes. Federal Law No. 2 of 2019 governs the use of Information and Communications Technology in Healthcare; Central Bank of the UAE Consumer Protection Standards govern banking-customer data. Telecoms data is regulated by the TDRA. Each sector has its own regulator that may act faster than the federal PDPL framework while the UAE Data Office's enforcement layer is still building up.