النسخة العربية: موقع كامل باللغة العربية بتخطيط من اليمين إلى اليسار، بنفس البنية والتصميم. تُستكمل النصوص العربية في مرحلة البناء.
Compliance UAE PDPL Notice
How we approach UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Last updated: 6 July 2026
1. Our compliance posture
UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") came into force in January 2022. Its Executive Regulations are still being finalised by the UAE Data Office at the time of writing. As a result, no UAE business can credibly claim a final "PDPL certification" today.
Our position is that we are PDPL-aware: every engagement we design applies the core principles of PDPL, and we update our practices as the Executive Regulations and any future amendments are published.
2. Principles we apply
- Lawfulness, fairness, transparency: we process personal data only on a clearly identified lawful basis.
- Purpose limitation: we collect personal data for specified purposes and do not use it for incompatible purposes.
- Data minimisation: we collect only what is necessary for the stated purpose.
- Accuracy: we take reasonable steps to keep personal data accurate and up to date.
- Storage limitation: we retain personal data only as long as needed.
- Integrity and confidentiality: appropriate technical and organisational security controls.
- Accountability: documented policies, controls, and records of processing activities.
3. Data subject rights
Subject to PDPL's conditions and limitations, data subjects whose personal data we control have the following rights:
- Right to information about the processing of their data.
- Right to access their data and obtain a copy.
- Right to rectification of inaccurate data.
- Right to erasure, subject to our legal and contractual retention obligations.
- Right to restriction of processing in defined circumstances.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent where processing is based on consent.
- Right to complain to the UAE Data Office once its mechanism is operational.
5. Categories of personal data we process
As a service provider, we encounter two broad categories of personal data:
- Our own controller-data: data of website visitors, prospects, suppliers, and employees. We are the controller.
- Client data (processor role): personal data that flows through systems we manage on behalf of nonprofit clients. The client remains the controller; we act as processor under our engagement letter.
6. Sub-processors and cross-border transfers
We rely on a limited set of reputable sub-processors (e.g. Microsoft for cloud productivity, Hostinger for website hosting) under written terms aligned with PDPL. Where personal data is transferred outside the UAE, we rely on appropriate safeguards including jurisdiction-equivalence assessments and contractual data-protection commitments.
For clients handling data subject to UAE Federal Law No. 2 of 2019 (health data localisation), we design storage and backup architecture so that the regulated category of data remains within the UAE.
7. Breach notification
We maintain an incident-response procedure that includes:
- Triage and containment within hours of detection.
- Notification to affected clients (where we are processor) without undue delay and in line with our engagement letters.
- Notification to the UAE Data Office and affected data subjects as required by PDPL, once the mechanism is operational.
8. Updates to this Notice
This Notice will be updated as the PDPL Executive Regulations, UAE Data Office guidance, or our practices change. Material changes will be reflected in the "Last updated" date above.