How to Handle Cross-Border Data Transfers Under UAE PDPL


As digital businesses expand across borders, the handling of personal data becomes a crucial legal and operational challenge. The United Arab Emirates’ Federal Decree-Law №45 of 2021 on the Protection of Personal Data (PDPL) sets the foundation for how personal data of UAE residents can be transferred internationally. If you’re a business in or operating with the UAE, understanding and complying with these rules is essential to avoid penalties and ensure data privacy.


Understanding the PDPL and Its Scope

The PDPL came into effect on January 2, 2022, and provides an overarching framework for handling personal data across the UAE. Inspired by global data protection practices like the GDPR, the law emphasizes principles such as lawfulness, fairness, transparency, and clearly defined rights for data subjects, including the right to access, correct, delete, or restrict the processing of their personal data.


However, it’s critical to note that the PDPL does not apply to:

  • Government-held data
  • Data processed by security or judicial authorities
  • Personal health and financial data (regulated by separate laws)

Thus, when dealing with cross-border data transfers, businesses must also be mindful of sector-specific regulations.

Articles 22 and 23: The Heart of Cross-Border Transfers

Transfers to Adequate Jurisdictions

Article 22 of the PDPL allows international transfers of personal data if the destination country ensures an “adequate level of protection.” This means:


  • The country must have legislation with provisions that match the PDPL’s standards on privacy, confidentiality, and user rights.
  • There should be enforceable mechanisms to hold controllers and processors accountable.
  • Transfers can also be permitted if the UAE has signed bilateral or multilateral agreements with that country on personal data protection.

These “adequate jurisdictions” are expected to be listed by the UAE Data Office, a regulatory body established under Federal Decree Law №44 of 2021. The office is responsible for issuing guidelines, supervising compliance, and publishing approved jurisdictions.


Transfers to Non-Adequate Jurisdictions

When no adequacy decision exists, Article 23 provides several exceptions allowing data transfers:


  • Contractual Safeguards: Data exporters can sign agreements with foreign entities, ensuring that they follow PDPL standards and that regulatory enforcement mechanisms are in place.
  • Consent of the Data Subject: If users explicitly agree to the transfer, and it does not threaten national security or public interest, it may be permitted.
  • Legal Obligations: Transfers are allowed for purposes like fulfilling legal contracts, defending rights in court, or international judicial cooperation.
  • Public Interest: Transfers essential to public health, security, or government-approved purposes may also be justified.

Sector-Specific Data Transfer Restrictions

While the PDPL provides a unified framework, certain industries in the UAE are governed by stricter sectoral laws, especially when it comes to data transfers.


1. Health Sector

Under Article 13 of the ICT in Health Fields Law, personal health data cannot be transferred outside the UAE unless explicitly approved by the relevant emirate’s Health Authority, in coordination with the Federal Ministry of Health. Federal Ministerial Decision №51 of 2021 outlines exceptional cases when such transfers are permissible. These restrictions are particularly important for hospitals, telemedicine providers, and health insurers.

2. Financial Services

Article 10 of the Stored Value Facilities (SVF) Regulation mandates that customer identification and transaction records must be stored within the UAE. Businesses operating financial services, fintech apps, or digital wallets must host sensitive customer data locally.

3. Telecommunications

The TDRA Consumer Protection Regulations (v2.0, Article 24.9) require telecom providers to ensure that any third-party or affiliate accessing subscriber data does so securely and only for the intended services. Any cross-border data sharing must be backed by contracts obligating the foreign party to maintain the confidentiality and security of user data.

Additional Data Privacy Laws Influencing Transfers

While PDPL is central, UAE businesses must also comply with related federal laws:


  • UAE Constitution (1971): Recognizes the right to privacy.
  • Consumer Protection Law (№15 of 2020): Protects consumers’ data against unauthorized use.
  • Cybercrime Law (№34 of 2021): Criminalizes the misuse or unauthorized access of personal data.
  • Crimes and Penalties Law (№31 of 2021): Addresses data-related violations in family and private life contexts.


Preparing for Compliance: Practical Steps

To ensure lawful cross-border data transfers, businesses should:


  1. Audit Data Flows: Identify which personal data is being transferred, to which countries, and for what purposes.
  2. Check Jurisdiction Status: Await the UAE Data Office’s adequacy list and adjust data flows accordingly.
  3. Implement Contracts and SCCs: Draft Data Transfer Agreements incorporating UAE PDPL requirements for non-adequate jurisdictions.
  4. Obtain Explicit Consent Where Needed: Ensure your privacy policies clearly outline cross-border transfers and obtain explicit user consent.
  5. Monitor Regulatory Updates: The Implementing Regulations for PDPL are expected in 2024. Stay updated and be ready to modify internal practices within six months of their enactment.
  6. Sector-Specific Compliance: Ensure that health, telecom, and financial data follow the relevant vertical-specific UAE laws in addition to the PDPL.

Conclusion

Cross-border data transfers under the UAE PDPL demand strategic planning, legal awareness, and a commitment to privacy-by-design. While the framework introduces compliance complexities, it also brings clarity and international alignment, especially for companies expanding their digital footprint globally.


As the UAE Data Office releases implementing regulations and adequacy decisions, businesses should proactively build flexible data governance models that can adapt to both national and international data protection standards.
