UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection + UAE AI Strategy 2031: AI Compliance Requirements
The UAE Personal Data Protection Law (PDPL/PDPA) is enforced by the UAE Data Office. It covers processing of personal data of individuals in the UAE regardless of where the organization is located. The UAE AI Strategy 2031 targets becoming a global AI hub and requires compliance with both PDPL and sectoral regulations. Financial services, healthcare, and government AI deployments face additional CBUAE, DoH, and TDRA requirements. Dubai DIFC and Abu Dhabi ADGM have separate data protection frameworks.
Key Facts
January 2, 2022
October 2, 2022
AED 20,000,000 (~$5.5M USD) administrative fines. Criminal fines up to AED 5,000,000 for data breaches.
What Your Business Must Do
4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
Establish Lawful Basis for AI Data Processing
Critical: UAE PDPL Article 4 requires a lawful basis for processing personal data: consent, contractual necessity, legal obligation, vital interests, or legitimate interests. AI systems processing UAE residents' data must document the lawful basis for each processing activity, with explicit consent for sensitive data categories.
Deadline: October 2, 2022
Data Subject Rights Implementation
Critical: UAE PDPL Articles 14-16 grant individuals rights of access, correction, deletion, restriction, and objection. AI systems must have mechanisms to honor these rights within 30 days. Profiling and automated decision-making must be disclosed.
Cross-Border Data Transfer Controls
High Priority: UAE PDPL Article 22 restricts transfer of UAE personal data outside the UAE to countries with adequate protection. AI cloud services, training data, and API calls that process UAE data internationally require adequacy determination or Standard Contractual Clauses approved by the UAE Data Office.
UAE AI Strategy 2031 Alignment
Medium Priority: Government and regulated-sector AI deployments must align with the UAE National AI Strategy 2031, which requires responsible AI governance, human oversight for consequential decisions, and bias auditing. CBUAE circular requires financial institutions to have an AI governance framework.
Frequently Asked Questions
Does UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection + UAE AI Strategy 2031 apply to my business?
The UAE Personal Data Protection Law (PDPL/PDPA) is enforced by the UAE Data Office. It covers processing of personal data of individuals in the UAE regardless of where the organization is located. The UAE AI Strategy 2031 targets becoming a global A. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
The maximum penalty under UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection + UAE AI Strategy 2031 is: AED 20,000,000 (~$5.5M USD) administrative fines. Criminal fines up to AED 5,000,000 for data breaches. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.
How do I comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection + UAE AI Strategy 2031?
The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.
Official Source
https://u.ae/en/information-and-services/justice-safety-and-the-law/handling-cybercrimes-and-other-offences/personal-data-protection
Last updated: 2026-04-14 — verify at source before relying on this information.