SCCs + BCRs (International Data Transfer) â UAE (Federal PDPL 2021) ðĶðŠ
Federal Decree-Law No. 45 of 2021 · UAE Data Office
UAE (Federal PDPL 2021) is regulated by UAE Data Office under Federal Decree-Law No. 45 of 2021 â breach notification within 72 hours.
Certifications: CIPP/E, CIPP/A, CIPM, CIPT (IAPP), ISO/IEC 27001 Lead Auditor, ISO/IEC 27701 Lead Implementer, FIP.
UAE (Federal PDPL 2021) legal regime: Federal Decree-Law No. 45 of 2021 â enforced by UAE Data Office with max fines of AED 5M. DIFC + ADGM have separate free-zone privacy laws + EU adequacy pending.
Breach notification: 72 hours â 24/7 incident hotline available.
End-to-end: SCCs + BCRs (International Data Transfer) â mapping â control implementation â UAE Data Office registration (where applicable) â ongoing audit.
72-hour breach response SLA â 38 incidents handled in 2024-2025 (ransomware, vendor breach, insider) â every case notified PDPC/DPA/customer within window.
Coverage
How it works
- 1
Map Federal Decree-Law No. 45 of 2021
Compliance plan aligned with UAE Data Office.
- 2
Prepare SCCs + BCRs (International Data Transfer)
21-60 working days at 85,000-285,000 āļāļēāļ.
- 3
Transfer mechanism
SCC + BCR + TIA + adequacy assessment as required.
- 4
Local representative
Local DPO or representative per destination law.
- 5
DPA registration
Notification/filing with UAE Data Office where required.
- 6
Ongoing monitoring
Quarterly review + annual audit + breach drill + DSAR queue monitoring.
Frequently asked questions
Which law applies in UAE (Federal PDPL 2021)?
Federal Decree-Law No. 45 of 2021
Supervisory authority?
UAE Data Office
Maximum fine?
AED 5M
Breach window?
Within 72 hours.
Market-specific caution?
DIFC + ADGM have separate free-zone privacy laws + EU adequacy pending.
Local representative required?
Depends on scope of processing.
Cross-border transfer requirements?
SCC + TIA + (for CN/RU) data localisation + government security assessment.