UAE PDPL Compliance for Apps and Websites — What Dubai Businesses Need to Know in 2026
The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, known as PDPL) came into full effect and has real consequences for any business operating an app or website in the UAE that collects personal data. Fines of up to AED 5,000,000 apply for serious violations. Yet the majority of Dubai SMEs operating apps and websites have taken no meaningful steps toward compliance.
This guide explains what PDPL requires from your app or website, what you need to do to comply, and how The Codx builds PDPL-compliant software for UAE clients.
What is UAE PDPL?
The UAE Personal Data Protection Law is the UAE's comprehensive data privacy regulation — similar in concept to GDPR in Europe but with UAE-specific provisions. It governs how businesses collect, process, store, and transfer personal data about individuals in the UAE.
It applies to any organisation that processes personal data of UAE residents — regardless of where the organisation is based. If your app or website collects data from UAE users, PDPL applies to you.
What Counts as Personal Data Under PDPL?
Personal data under PDPL is broadly defined and includes:
- Name, email address, phone number
- Emirates ID number, passport number
- Location data (GPS coordinates, IP address)
- Financial information (bank account, card details)
- Health and medical information
- Biometric data (fingerprints, facial recognition)
- Behavioural data (browsing history, app usage patterns)
- Device identifiers (IDFA, GAID, device fingerprint)
If your app collects any of the above — and virtually every app does — PDPL applies.
Key PDPL Requirements for Apps and Websites
1. Lawful Basis for Processing
You must have a legal basis for every type of personal data you collect. The main bases are:
- Consent — User explicitly agrees to data collection for a specific purpose
- Contract performance — Data necessary to deliver the service the user signed up for
- Legal obligation — Required by UAE law
- Legitimate interests — Balanced against user privacy rights
2. Privacy Notice Requirements
Your app or website must have a clear privacy policy that explains in plain language (Arabic and English):
- What personal data you collect
- Why you collect it (purpose)
- How long you keep it (retention periods)
- Who you share it with (third parties, processors)
- User rights and how to exercise them
- How to contact you about privacy concerns
3. Consent Mechanisms
For data collected on a consent basis:
- Consent must be freely given, specific, informed, and unambiguous
- Pre-ticked boxes are not valid consent
- Users must be able to withdraw consent as easily as they gave it
- Consent for marketing must be separate from consent for core service
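As an added illustration (not code from The Codx or from the page), here is a minimal consent ledger in Python that encodes the four rules above: nothing is consented by default, so the equivalent of a pre-ticked box cannot exist; each purpose is recorded on its own, so marketing consent never rides on the consent given for the core service; withdrawal is a single call, the same as granting; and every decision is kept with its time, source screen and the privacy notice version shown, which is the evidence you need when a regulator or a user asks. The purpose names, user IDs and notice versions are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purposes are tracked separately so that one tick never covers two of them
# (hypothetical purpose names; use your own processing register).
PURPOSES = {"core_service", "analytics", "marketing"}


@dataclass
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    source: str            # where the choice was made, e.g. "signup_screen"
    notice_version: str    # privacy notice version shown at that moment


class ConsentLedger:
    """Append-only record of consent decisions. Absence of a record means no consent."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _record(self, user_id: str, purpose: str, granted: bool,
                source: str, notice_version: str, at: Optional[datetime]) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._events.append(ConsentEvent(
            user_id, purpose, granted,
            at or datetime.now(timezone.utc), source, notice_version))

    def grant(self, user_id: str, purpose: str, source: str,
              notice_version: str, at: Optional[datetime] = None) -> None:
        self._record(user_id, purpose, True, source, notice_version, at)

    def withdraw(self, user_id: str, purpose: str, source: str,
                 notice_version: str, at: Optional[datetime] = None) -> None:
        # Withdrawal is the same one-step operation as granting.
        self._record(user_id, purpose, False, source, notice_version, at)

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        # The latest event for this user and purpose decides; no event at all
        # is treated as "not consented", never as a default opt-in.
        latest = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def history(self, user_id: str) -> list[ConsentEvent]:
        # Full trail for the user, e.g. to answer an access request or audit.
        return [ev for ev in self._events if ev.user_id == user_id]


def demo() -> ConsentLedger:
    # Constructed sample: a user signs up, opts in to marketing, then withdraws it.
    ledger = ConsentLedger()
    ledger.grant("u-1001", "core_service", "signup_screen", "2026-01")
    ledger.grant("u-1001", "marketing", "marketing_toggle", "2026-01")
    ledger.withdraw("u-1001", "marketing", "settings_screen", "2026-01")
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for purpose in sorted(PURPOSES):
        print(purpose, "permitted" if ledger.is_permitted("u-1001", purpose) else "not permitted")
```

Before any marketing send or analytics event, the calling code asks `is_permitted(user_id, purpose)` rather than reading a single "accepted terms" flag; that is what makes the separation of purposes enforceable rather than just stated in the policy.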
4. Data Subject Rights
UAE PDPL gives individuals the following rights that your app or website must support:
- Right to access — Users can request a copy of their data
- Right to correction — Users can request correction of inaccurate data
- Right to deletion — Users can request deletion of their data (with some exceptions)
- Right to data portability — Users can request their data in a portable format
- Right to object — Users can object to certain types of processing
Your app needs a mechanism for users to exercise these rights — typically an in-app request form or a dedicated email address.
5. Data Security Requirements
PDPL requires appropriate technical and organisational measures to protect personal data including:
- Encryption of data in transit (HTTPS) and at rest
- Access controls limiting who can see personal data
- Audit logs of who accessed what data and when
- Incident response plan for data breaches
- Data breach notification within 72 hours to the UAE Data Office
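The data subject rights in section 4 and the access controls and audit logs in section 5 end up in the same piece of code: the component that holds personal data. The following added example (not The Codx's code, and not from the page) shows a small Python store where every read is gated by role and written to an audit trail, where an access request produces a machine-readable export, and where a deletion request honours the exception the text mentions by keeping records that are under a legal retention hold until that hold lapses. Role names, categories and the five-year hold are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Optional
import json

# Which roles may read which data categories (hypothetical role/category names).
ROLE_CAN_READ = {
    "support": {"profile"},
    "finance": {"profile", "payments"},
}


@dataclass
class AuditEntry:
    at: datetime
    actor: str       # staff member or service account performing the action
    action: str      # "read", "denied", "export" or "erase"
    user_id: str     # data subject concerned
    detail: str


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: dict[str, dict[str, dict]] = {}  # user_id -> category -> record
        self.audit: list[AuditEntry] = []

    def _log(self, actor: str, action: str, user_id: str, detail: str) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc), actor, action, user_id, detail))

    def put(self, user_id: str, category: str, data: dict,
            legal_hold_until: Optional[datetime] = None) -> None:
        # legal_hold_until marks data the business is obliged to keep (e.g. payment records).
        self._records.setdefault(user_id, {})[category] = {
            "data": data, "legal_hold_until": legal_hold_until}

    def read(self, actor: str, role: str, user_id: str, category: str) -> dict:
        # Access control: deny and log anything outside the role's allowed categories.
        if category not in ROLE_CAN_READ.get(role, set()):
            self._log(actor, "denied", user_id, f"{role} may not read {category}")
            raise PermissionError(f"{role} may not read {category}")
        self._log(actor, "read", user_id, category)
        return self._records[user_id][category]["data"]

    def export(self, actor: str, user_id: str) -> str:
        # Right to access / portability: everything held, as JSON.
        self._log(actor, "export", user_id, "full export")
        held = self._records.get(user_id, {})
        return json.dumps({cat: rec["data"] for cat, rec in held.items()}, sort_keys=True)

    def erase(self, actor: str, user_id: str, now: Optional[datetime] = None) -> dict:
        # Right to deletion, with the legal-obligation exception: records still
        # under hold are retained and the outcome is reported back to the user.
        now = now or datetime.now(timezone.utc)
        erased, retained = [], []
        for cat, rec in list(self._records.get(user_id, {}).items()):
            hold = rec["legal_hold_until"]
            if hold is not None and hold > now:
                retained.append(cat)
            else:
                del self._records[user_id][cat]
                erased.append(cat)
        self._log(actor, "erase", user_id, f"erased={erased} retained={retained}")
        return {"erased": erased, "retained": retained}


def demo() -> tuple:
    # Constructed sample data; the five-year hold on payments is a placeholder period.
    store = PersonalDataStore()
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    store.put("u-1001", "profile", {"name": "Sample User", "email": "sample@example.com"})
    store.put("u-1001", "payments", {"last4": "4242"},
              legal_hold_until=now + timedelta(days=365 * 5))
    return store, now


if __name__ == "__main__":
    store, now = demo()
    print(store.export("agent-7", "u-1001"))
    print(store.erase("agent-7", "u-1001", now=now))
    for entry in store.audit:
        print(entry.at.isoformat(), entry.actor, entry.action, entry.user_id, entry.detail)
```

The audit list here is in memory; in production it goes to append-only storage that application accounts cannot modify, since an audit log that the same credentials can edit is no evidence of who accessed what.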
6. Data Transfer Outside UAE
Transferring personal data of UAE residents to servers outside the UAE requires one of the following:
- The receiving country provides equivalent data protection
- Appropriate safeguards are in place (standard contractual clauses)
- Explicit user consent for the specific transfer
This has practical implications for UAE apps using AWS US-East, Google Cloud US, or other non-UAE infrastructure for storing personal data.
PDPL Violations and Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Processing without legal basis | AED 5,000,000 |
| Unlawful data transfer outside UAE | AED 5,000,000 |
| Failure to implement security measures | AED 3,000,000 |
| Failure to notify data breach | AED 2,000,000 |
| Failure to respond to data subject rights | AED 1,000,000 |
How The Codx Builds PDPL-Compliant Software
PDPL compliance is built into The Codx's development process for all UAE projects:
- Privacy by design — data minimisation and purpose limitation built into architecture from day one
- Consent management system — granular consent capture and withdrawal mechanism
- Data subject rights dashboard — in-app access, correction, and deletion request handling
- Encryption at rest and in transit as standard for all UAE builds
- UAE data residency — we recommend and configure UAE-based hosting (Azure UAE North, AWS Bahrain) for sensitive personal data
- Privacy policy generation — bilingual Arabic/English, PDPL-compliant, updated to reflect your specific data practices
PDPL Compliance Checklist for UAE Apps and Websites
- Privacy policy published in Arabic and English, covering all PDPL requirements
- Cookie consent banner with granular options (analytics, marketing, functional)
- Marketing consent separate from service consent
- Data subject rights request mechanism in-app or on website
- HTTPS enabled on all pages (no exceptions)
- Personal data encrypted at rest
- Third-party data processors documented and contractually bound
- Data retention policy defined and technically enforced
- Data breach response plan documented
- UAE-based data storage for sensitive personal data categories
Frequently Asked Questions
Does UAE PDPL apply to my app if my company is not based in UAE?
Yes. PDPL applies to any organisation that processes personal data of UAE residents, regardless of where the organisation is established. If your app has UAE users, PDPL applies.
What is the difference between UAE PDPL and GDPR?
Both are comprehensive data protection laws with similar core principles. Key differences: PDPL has UAE-specific data residency requirements, different legitimate interest provisions, and compliance oversight by the UAE Data Office rather than EU supervisory authorities. If you are GDPR compliant, you are close to PDPL compliant but not automatically there.
How much does PDPL compliance cost for a UAE app?
For apps built from scratch by PDPL-aware agencies like The Codx, compliance is built in during development at no significant additional cost. Retrofitting PDPL compliance to an existing non-compliant app typically costs AED 15,000–50,000 depending on the complexity of the data flows involved.
Do UAE apps need a Data Protection Officer (DPO)?
PDPL requires appointment of a Data Protection Officer for organisations that process personal data at scale or handle sensitive data categories (health, financial, biometric). Most UAE SME apps do not require a dedicated DPO but should designate a responsible person internally.