The UAE has three parallel data protection regimes, each with different rules for transferring personal data abroad. Federal law applies to mainland companies and to free zones that have no data protection legislation of their own. DIFC and ADGM have their own frameworks for entities licensed in those two financial free zones. The problem is that these regimes do not fully align, and at federal level the key implementing regulations still have not been issued.

This creates genuine compliance uncertainty for businesses that need to move data across borders. Here's what the law actually requires and what you can do about it.

The Three Regimes

Federal PDPL (Mainland UAE)

Federal Decree-Law No. 45 of 2021 governs personal data processing for mainland entities. The law came into force in January 2022, but the Executive Regulations that are meant to detail transfer procedures remain unpublished. The UAE Data Office, the authority that is meant to oversee compliance, is not yet fully operational.

Full compliance is required by 1 January 2027.

The PDPL excludes certain data categories that have their own sectoral rules: health data (governed by Federal Law No. 2 of 2019), banking and credit data (Central Bank regulations), and government data.

DIFC Data Protection Law

DIFC-licensed entities follow DIFC Data Protection Law No. 5 of 2020. This framework is mature and closely aligned with GDPR. Amendment Law No. 1 of 2025, effective 15 July 2025, introduced significant changes: mandatory documented adequacy assessments for transfers, a private right of action allowing data subjects to sue in DIFC Courts, and increased administrative fines (USD 25,000-50,000 for specific failures).

ADGM Data Protection Regulations

ADGM Data Protection Regulations 2021 apply to ADGM-registered entities. The framework mirrors EU GDPR and includes standard contractual clauses, binding corporate rules, and an adequacy list that follows European Commission decisions.

Transfer Mechanisms: What's Actually Available

Federal PDPL

Articles 22-23 of the PDPL set out the framework for cross-border transfers:

Transfers to "adequate" jurisdictions are permitted where the UAE Data Office determines that the recipient country has an equivalent level of data protection. The catch: no adequacy list has been published, and no standard contractual clauses have been issued, so in practice this route is not yet usable.

Transfers without adequacy are permitted if:

  • A contract requires the recipient to implement PDPL protections
  • The data subject gives express consent (not conflicting with UAE public interest)
  • The transfer is necessary for contract performance, legal claims, judicial cooperation, or protecting vital interests

In practice, businesses transferring data from mainland UAE are operating without official guidance. The prudent approach is to use contractual safeguards modelled on international standards and document your legal basis for each transfer.

DIFC

DIFC provides clear transfer mechanisms:

Adequacy: Transfers to jurisdictions on the DIFC adequacy list (Appendix 3 of the Regulations) can proceed without additional safeguards. The list includes EU/EEA states, UK, Switzerland, Japan, South Korea, and others. California was added in August 2023 following a CCPA adequacy decision.

Standard Contractual Clauses: DIFC has published its own SCCs, based on EU Model Clauses and UK IDTA. Abbreviated SCCs are also available for simpler transfers. These are available from the DIFC Commissioner's website.

Binding Corporate Rules: Available for intragroup transfers.

Post-July 2025 Requirement: Controllers must now conduct a documented assessment of whether data subjects will have adequate protections and remedies in the recipient jurisdiction. This applies even for transfers using SCCs.

ADGM

ADGM follows the same structure:

Adequacy: ADGM recognises all jurisdictions deemed adequate by the European Commission, plus DIFC.

Standard Contractual Clauses: ADGM has its own SCCs. Entities already using EU SCCs can apply the ADGM Addendum instead.

Binding Corporate Rules: Available for multinational groups.

The Intra-UAE Transfer Problem

Here's what catches many businesses off guard: UAE mainland is not on the DIFC or ADGM adequacy lists.

This means:

  • Transfers from DIFC to mainland UAE require appropriate safeguards (SCCs or BCRs)
  • Transfers from ADGM to mainland UAE require the same
  • Groups with entities in both free zones and mainland need internal data transfer agreements

A Dubai mainland parent company sharing employee data with its DIFC subsidiary, or the subsidiary sharing it back, must treat the exchange as a cross-border transfer requiring contractual protections, even though no data leaves the UAE.

Sector-Specific Rules

Healthcare

Federal Law No. 2 of 2019 imposes strict requirements on health data:

Localization: Electronic health data must be stored in the UAE.

Transfer Restriction: Cross-border transfers of patient data are generally prohibited unless approved by the relevant emirate health authority.

Exceptions (Ministerial Resolution 51/2021): Ten categories can be approved case-by-case:

  • Patient treatment overseas
  • Pharmacovigilance reporting
  • Insurance claims administration
  • Clinical trials and research
  • Telemedicine
  • Wearable device monitoring
  • Medical diagnostic testing
  • Government cooperation
  • Personal use
  • Other approved purposes

Abu Dhabi: The Healthcare Information and Cyber Security Standard (ADHICS 2.0) requires full localization of health data as the end state. Exemptions can be granted for up to one year, renewable, but companies must demonstrate progress toward localization at each renewal. Exemption requests are submitted through the AAMEN portal.

Retention: Health data must be retained for minimum 25 years from the last procedure.

For healthcare businesses planning UAE operations, data architecture decisions should be made early. Retrofitting localization is expensive.

Financial Services

The Central Bank's Consumer Protection Standards (2021) require licensed financial institutions to store customer and transaction data within the UAE. Cross-border transfers require Central Bank approval and customer consent.

The Retail Payment Services and Card Schemes Regulation (2021) requires personal and payment data to be stored and maintained in the UAE.

These requirements layer on top of PDPL obligations. Fintech companies and payment service providers face the strictest data localization rules.

Penalties

DIFC and ADGM have demonstrated willingness to enforce. Federal enforcement under the PDPL has been limited pending the Data Office becoming fully operational, but the Cybercrime Law (Federal Decree-Law No. 34 of 2021) already provides criminal penalties for unlawful disclosure of personal data, and prosecutors do not need to wait for the PDPL's Executive Regulations to use it.

Practical Compliance Steps

1. Map Your Data Flows

Document what personal data you collect, where it's processed, where it's stored, and where it transfers. Identify which regime applies to each flow.

2. Assess Each Transfer

For each cross-border transfer:

  • Is the recipient jurisdiction adequate under the applicable regime?
  • If not, what transfer mechanism applies?
  • What's your legal basis?

3. Implement Transfer Mechanisms

  • For DIFC/ADGM: Execute the applicable SCCs (DIFC or ADGM clauses, or the ADGM Addendum to EU SCCs) or establish BCRs
  • For mainland UAE: Use contractual safeguards modelled on published international clauses (for example the DIFC, ADGM or EU SCCs), since no federal SCCs exist yet
  • For all: Conduct and document transfer impact assessments, noting the recipient jurisdiction's legal protections and remedies

4. Address Intra-UAE Transfers

If you have entities in both free zones and mainland, put internal data transfer agreements in place.

5. Sector-Specific Compliance

  • Healthcare: Verify localization, obtain emirate approvals, develop localization roadmap
  • Financial services: Obtain Central Bank approvals, document customer consents

6. Document Everything

Maintain records of processing activities, transfer assessments, consent records, and contractual agreements. When enforcement increases, documentation is your defence.

FAQs

Has the UAE published an adequacy list?

No. The UAE Data Office has not published a list of adequate jurisdictions under the federal PDPL. DIFC and ADGM have their own lists based on EU adequacy decisions.

Can I transfer data from DIFC to mainland Dubai without safeguards?

No. UAE mainland is not on DIFC's adequacy list. You need SCCs, BCRs, or a valid derogation.

When will the PDPL Executive Regulations be issued?

Unknown. They were due within six months of the law's publication (by July 2022). As of February 2026, they remain unpublished.

What should I do while waiting for Executive Regulations?

Implement compliance measures based on the PDPL text and international best practices. Use contractual safeguards for transfers. Document your approach. When regulations are issued, you'll have six months to adjust.

Do healthcare data rules apply to telemedicine?

Yes. Telemedicine is one of the exception categories that can be approved for cross-border transfer, but approval must be obtained from the relevant emirate health authority.

Which regime applies to my business?

  • Mainland UAE entity → Federal PDPL (plus sectoral rules)
  • DIFC entity → DIFC Data Protection Law
  • ADGM entity → ADGM Data Protection Regulations
  • Multiple jurisdictions → All applicable regimes
