The UAE passed the Federal Decree-Law No.

45 of 2021- Personal Data

Protection Law (PDPL) on 28th November 2021, and it came into force on 2nd
January 2022. The PDPL is said to be influenced by the EU's General Data
Protection Law (GDPR), and several comparisons can be drawn between the
GDPR and the PDPL. The two laws share noticeable differences along with many
similarities.

The PDPL applies to any company registered in the UAE that gathers or processes
data about UAE residents. This rule also applies to any corporation that is not
registered in the UAE but processes data of data subjects inside the UAE. In
contrast, the GDPR simplifies the scope and who is required to comply with it.
According to the GDPR, any company that collects data on EU nationals must
adhere to the legislation's rules, whether inside or outside the EU. Additionally, the
GDPR contains rules requiring you to comply with the GDPR if your product is
sold or accessible to consumers in the EU.

Another difference between the GDPR and the PDPL is their approach to breach of
law and the penalties set in place for non–compliance. The GDPR is extremely
strict when penalising firms and websites that violate any of the GDPR's
provisions. In contrast, the PDPL has not set any standardised penalties to date.

Cross Border Data Transfers or transfers of data outside the UAE's jurisdiction are
permitted if the receiving country provides an "adequate level of protection." As
transfers are permitted only to approved countries, there is no process for using
contracts to establish data transfers to countries that have not been approved. As a
result, this could be restricting. In the UAE, companies and firms are supposed to
inform the UAE data office of breaches immediately. Unlike the PDPL, the GDPR
requires businesses to report a breach without undue delay and within 72 hours of
becoming aware of it.

Consent is one of several legal bases under GDPR; however, it is not stated as the
valid primary basis. Nevertheless, the PDPL prohibits the processing of personal
data without the individual's consent. According to the PDPL, consent must be
definite and informed and clearly indicated the data subject's agreement to the
processing of personal data, whether expressed in writing or electronically.

Although the GDPR and the PDPL vary in some ways, they are similar in giving
all users a variety of data privacy rights. There are also similar terminologies
between the two, like - "controller", "processor", "consent", etc. The PDPL
includes a general criterion for lawfulness, fairness, transparency and data quality,
retention, and security, roughly like the GDPR's principles.

The UAE federal data protection law clarifies what is permissible regarding
personal data collection, processing, review, and transfer in the UAE. It
strengthens data subjects' privacy rights. As a result, the responsibility of those
reviewing and transferring personal data and how businesses in the UAE deal with
personal data is fundamentally altered.