🇦🇪
UAE Mainland

Material Applicability Factors

The UAE Federal PDPL sets out several material applicability factors. In this jurisdiction (UAE Mainland), the key factors include:

  • Automated Means Criterion
  • Government and Public Agency Exemption
  • Personal and Domestic Use Exemption
  • Sectoral Exceptions Regulated by Other Laws
  • Central Bank and Financial Institutions Exclusion
  • Location of Individual who Processes Data
  • National Security and Law Enforcement Exemption
  • Judicial Proceedings and Court Records Exemption

Automated Means Criterion

Brief Introduction

This factor addresses whether the law applies to personal data processed through automated methods, such as electronic or digital systems.

Relevant Provisions

Federal PDPL Art.2(1):

"1. The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by: a. any Data Subject who resides or has a place of business in the State. b. any Controller or Processor located in the State who carries out the activities of Processing Personal Data of Data Subjects inside or outside the State. c. any Controller or Processor located outside the State who carries out the activities of Processing Personal Data of Data Subjects inside the State."

Original (Arabic):

(1. تسري أحكام هذا المرسوم بقانون على معالجة البيانات الشخصية سواء كلها أو جزء منها عن طريق وسائل الأنظمة الإلكترونية التي تعمل بشكل تلقائي وآلي، أو غيرها من الوسائل الأخرى...)

Analysis

When personal data is processed in whole or in part by automated means, the Federal PDPL applies. The phrase "automatically operated electronic systems" captures a broad range of technology-driven data processing.

Implications

  • Nearly all forms of computer-based processing come under the PDPL.
  • Entities using electronic or digital tools must ensure compliance with data protection requirements.

Government and Public Agency Exemption

Brief Introduction

Certain government entities and data fall outside the PDPL’s scope of application.

Relevant Provisions

Federal PDPL Art.2(2)(b):

"2. The provisions of this Decree Law shall not apply to the following: b. government authorities that control or process Personal Data."

Original (Arabic):

(2. لا تسري أحكام هذا المرسوم بقانون على ما يلي: ب. الجهات الحكومية التي تتحكم أو تعالج البيانات الشخصية.)

Analysis

Article 2(2)(b) exempts government authorities from the PDPL. Simultaneously, Article 2(2)(a) excludes government data itself from the law’s scope. Thus, personal data used by public agencies generally lies outside the Federal PDPL.

Implications

  • No PDPL obligations for purely governmental data processing.
  • Public-private data processing collaborations may need careful review to determine whether the exemption applies.

Personal and Domestic Use Exemption

Brief Introduction

Individuals processing their own data for personal, non-commercial purposes benefit from an exemption.

Relevant Provisions

Federal PDPL Art.2(2)(d):

"2. The provisions of this Decree Law shall not apply to the following: d. a Data Subject who processes his/her data for personal purposes."

Original (Arabic):

(2. لا تسري أحكام هذا المرسوم بقانون على ما يأتي: د. صاحب البيانات الذي يعالج بياناته لأغراض شخصية.)

Analysis

The exemption applies only where an individual is acting in a personal or household capacity. If there is any commercial or professional context, the exemption may no longer apply.

Implications

  • Private, family, or household uses of personal data remain outside the PDPL.
  • Businesses cannot rely on this exemption even when processing employees’ personal data.

Sectoral Exceptions Regulated by Other Laws

Brief Introduction

Certain sectors are excluded to avoid regulatory overlap when industry-specific data protection rules already exist.

Relevant Provisions

Federal PDPL Art.2(2)(e) and (f):

"2. The provisions of this Decree Law shall not apply to the following: e. health personal data that is subject to legislation regulating the protection and Processing thereof. f. banking and credit personal data and information that is subject to legislation regulating the protection and Processing thereof."

Original (Arabic):

(2. لا تسري أحكام هذا المرسوم بقانون على ما يلي: ه. البيانات الشخصية الصحية الخاضعة للتشريعات التي تنظم حمايتها ومعالجتها. و. البيانات والمعلومات الشخصية المتعلقة بالبنوك والائتمان والخاضعة للتشريعات المنظمة لحمايتها ومعالجتها.)

Analysis

Article 2(2)(e) and (f) exclude data processing in the healthcare or financial sectors if covered by other laws. This ensures these sectors adhere to their own specialized frameworks without duplicative requirements.

Implications

  • Health and finance organizations remain primarily regulated by industry legislation.
  • They must still confirm whether any data processing activities fall outside their specialized laws, in which case the PDPL could apply.

Central Bank and Financial Institutions Exclusion

Brief Introduction

This factor is closely linked to the preceding sectoral exception but highlights the unique position of banks and credit data.

Relevant Provisions

Federal PDPL Art.2(2)(f):

"2. The provisions of this Decree Law shall not apply to the following: f. banking and credit personal data and information that is subject to legislation regulating the protection and Processing thereof."

Analysis

Financial institutions remain outside the PDPL for this category of data if covered by other applicable legislation. The focus is on ensuring data processing in the banking sector aligns with specialized financial regulations.

Implications

  • Banks avoid parallel compliance burdens for data specifically governed by banking regulations.
  • Institutions must assess whether some of their data still falls within PDPL scope if not comprehensively regulated by other laws.

Location of Individual who Processes Data

Brief Introduction

This factor considers whether individuals who are physically present in UAE Mainland trigger the law’s applicability when processing personal data.

Relevant Provisions

Federal PDPL Art.2(1)(a):

"1. The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by: a. any Data Subject who resides or has a place of business in the State."

Analysis

By referencing data subjects who live or have a business in the UAE, the law centers on presence or residence. There is no explicit separate clause targeting individuals temporarily in the UAE if they do not meet the residency or business criterion.

Implications

  • Individuals ordinarily resident in the UAE or conducting business there remain subject to the PDPL when processing personal data.
  • The law does not address short-term physical presence alone.

National Security and Law Enforcement Exemption

Brief Introduction

Data held by security authorities is exempt from the PDPL for reasons of public or state interest.

Relevant Provisions

Federal PDPL Art.2(2)(c):

"2. The provisions of this Decree Law shall not apply to the following: c. Personal Data held with security and judicial authorities."

Original (Arabic):

(2. لا تسري أحكام هذا المرسوم بقانون على ما يأتي: ج. البيانات الشخصية المحفوظة لدى الجهات الأمنية والقضائية.)

Analysis

Security authorities can process personal data without adhering to the PDPL rules. This aligns with common international practice.

Implications

  • When private entities hand data over to these authorities, the PDPL’s obligations do not continue to apply to the transferred data.
  • The scope of “held with security authorities” could create uncertainties if data only partly resides with law enforcement.

Judicial Proceedings and Court Records Exemption

Brief Introduction

Judicial authorities and courts do not need to comply with the PDPL when handling personal data.

Relevant Provisions

Federal PDPL Art.2(2)(c):

"2. The provisions of this Decree Law shall not apply to the following: c. Personal Data held with security and judicial authorities."

Analysis

Court-related data remains outside the Federal PDPL. This exemption acknowledges the judicial system’s independence and prevents legal conflicts between trial procedures and data protection obligations.

Implications

  • Compliance obligations differ significantly for data used in litigation or other judicial processes.
  • Businesses involved in court proceedings should note that data transferred to the court no longer falls under the PDPL.


