UAE Federal Personal Data Protection Law (PDPL): AI Compliance Requirements
UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") came into force January 2, 2022 and was strengthened by executive regulations in 2024. The UAE Data Office oversees enforcement. The law applies to any organization processing personal data of UAE residents, including foreign organizations that target UAE residents. AI-specific triggers: organizations using new technologies or conducting large-scale automated processing must appoint a Data Protection Officer, conduct Data Protection Impact Assessments, and notify the UAE Data Office of high-risk processing. The law is GDPR-influenced and treats automated decision-making with significant effects as requiring disclosure and human review options.
Key Facts
Came into force: January 2, 2022
Maximum penalty: Administrative fine up to AED 20,000,000 (~$5.4M USD); increased fines for sensitive data violations
What Your Business Must Do
3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.
Data Protection Impact Assessment for AI Systems
Critical: UAE PDPL requires a DPIA when AI processing involves: (1) New technologies or methods. (2) Large-scale processing of personal data. (3) Automated decision-making with significant effects. (4) Profiling of individuals. Conduct a DPIA before deploying any AI system touching UAE residents' personal data. Document: data flows, risks, mitigations, residual risk acceptance.
Data Protection Officer (DPO) Appointment
High Priority: A DPO is mandatory if your organization processes UAE residents' data using new technologies (including AI systems), performs large-scale processing, or systematically monitors individuals. The DPO must be registered with the UAE Data Office. Ensure the DPO is involved in all AI system deployment and vendor decisions.
Automated Decision Transparency & Consent
High Priority: AI systems making decisions with significant effects on UAE residents must: (1) Disclose the use of automated processing in privacy notices. (2) Provide individuals the right to request human review of significant automated decisions. (3) Allow individuals to object to automated profiling. Ensure your AI vendor agreements include appropriate data processing terms.
Frequently Asked Questions
Does UAE Federal Personal Data Protection Law (PDPL) apply to my business?
UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") came into force January 2, 2022 and was strengthened by executive regulations in 2024. The UAE Data Office oversees enforcement. The law applies to any organization. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.
What is the penalty for non-compliance?
The maximum penalty under UAE Federal Personal Data Protection Law (PDPL) is: Administrative fine up to AED 20,000,000 (~$5.4M USD); increased fines for sensitive data violations. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.
How do I comply with UAE Federal Personal Data Protection Law (PDPL)?
The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.
Official Source
https://ai.gov.ae/personal-data-protection-law/
Last updated: 2026-04-12. Verify at source before relying on this information.