The UAE Personal Data Protection Law and your AI.
Federal Decree-Law No. 45 of 2021 governs personal data across onshore UAE — and AI systems are some of the most intensive personal-data processors your organisation runs.
The federal baseline for every AI that touches personal data.
The PDPL is the UAE's first federal data protection law, broadly aligned with international norms: lawful basis for processing, purpose limitation, individual rights, cross-border transfer conditions and breach notification. For AI, the implications are direct — training data, inference inputs and model outputs are all processing under the law, and decisions made by automated means engage individuals' rights. Executive regulations will add operational detail, which makes building adaptable controls now the prudent path.
Who is in scope
- Onshore UAE entities processing personal data with or through AI
- Organisations training or fine-tuning models on customer or employee data
- Businesses using AI vendors that process UAE personal data abroad
- Groups centralising data into AI platforms across borders
At a glance
Where the PDPL bites on AI.
Lawful basis for AI processing
Training and running models on personal data needs a defensible legal basis — consent obtained for one purpose doesn't stretch to model training by default.
Purpose limitation & minimisation
"We might need it for the model later" is not a purpose. Data fed to AI must be limited to what the stated purpose requires.
Automated decision-making
Individuals have rights in relation to decisions made by automated processing — AI-driven outcomes need human review and contest routes.
Cross-border transfers
AI pipelines that move UAE personal data to overseas clouds or vendors must satisfy the PDPL's transfer conditions.
Security & breach notification
AI systems holding personal data are in scope for security obligations and breach reporting to the UAE Data Office.
Records & accountability
Processing records must cover AI systems too — what data goes in, why, and where it flows.
PDPL compliance that understands AI.
AI-focused PDPL gap analysis
Your AI systems mapped against PDPL obligations — lawful basis, transfers, rights and records.
Transfer & vendor assessment
Cross-border AI data flows documented and assessed, with contractual safeguards where needed.
Future-proofed controls
Control design that anticipates the executive regulations rather than waiting for them.
This page summarises the UAE PDPL for general information — it is not legal advice. Verify obligations against the current law and any executive regulations issued under it.
UAE Government — data protectionMake your AI defensible under the PDPL.
Start with the systems that process the most personal data — we'll map the obligations and the gaps.
Book a consultation