KSA PDPL | UAE PDPL | DIFC | ADGM Compliance Checker:
Saudi Arabia - Personal Data Protection Law (Royal Decree No. M/19 of 2021) - KSA PDPL
UAE (Federal) - Federal Decree-Law No. 45 of 2021 - UAE PDPL
UAE (DIFC) - DIFC Law No. 5 of 2020 - DIFC DP Law
UAE (ADGM) - ADGM Data Protection Regulations 2021 - ADGM DP Regs
Qatar - Law No. 13 of 2016 (Personal Data Privacy Protection) - Qatar PDP Law
Bahrain - Law No. 30 of 2018 (Personal Data Protection Law) - Bahrain PDPL
Kuwait - Law No. 20 of 2014 (Electronic Transactions - Privacy Provisions) - Kuwait Privacy Law
Oman - Law No. 6 of 2022 (Personal Data Protection Law) - Oman PDPL
Jordan - Law No. 24 of 2023 (Personal Data Protection Law) - Jordan PDPL
Egypt - Law No. 151 of 2020 (Personal Data Protection Law) - Egypt PDPL
Created by: Ankit Bhargava.
If you have customers located in the Middle East, including Saudi Arabia and/or the UAE, this compliance checker can help you identify what data privacy rules apply to you and what steps you need to take next. It's free, easy, and simple. No email or sign up required.
When your users/customers are located in: Saudi Arabia, UAE & Middle East.
Your Takeaway:
Your customers are in the Middle East, specifically the United Arab Emirates. That means you need to comply with the UAE's Federal Decree-Law No. 45 of 2021, also known as the UAE Personal Data Protection Law (PDPL). This law is relatively new – it came into full effect in 2023 – and it's heavily inspired by the EU's GDPR, but with some important local differences. For example, the UAE requires many businesses to register with the UAE Data Office, something that doesn't exist in Europe. The law applies to you even if your company is outside the UAE, as long as you process personal data of UAE residents. The UAE also has separate data protection laws for free zones like DIFC and ADGM – but the PDPL is the main federal law.
Your Privacy Best Practices:
– Get a copy of the UAE PDPL from the UAE Data Office website. Read the summary guidance – the full law is dense, but the office has published helpful overviews in English and Arabic.
– Check if you need to register with the UAE Data Office. Under PDPL, any business that processes personal data of UAE residents may need to register – there are thresholds, but they're not clearly defined yet. Don't assume you're exempt.
– If you're in a free zone like DIFC or ADGM, check their separate data protection laws – they may apply instead of or alongside PDPL. Most free zones have their own regimes.
– Appoint a point of contact for UAE customer enquiries. Under PDPL, you need someone who can handle data subject requests and communicate with the UAE authority. This can be you or an employee – doesn't have to be a lawyer.
– Understand that UAE PDPL has its own rules on cross-border transfers, sensitive data, and breach notification – different from GDPR.
How I Can Help:
I can walk you through your customer volumes, where your servers are, what data you collect, and whether you're in a free zone. By the end, you'll know exactly what you need to do: whether you need to register with the UAE Data Office, whether you need a local representative (if your business is based outside the UAE or KSA), and which parts of PDPL apply to you most urgently.
Select Your Scenario Below — I'll Show You What To Fix & How.
QUESTION 1: What type of personal data do you collect?
QUESTION 2: Why do you collect customer data?
QUESTION 3: What is your legal basis for processing personal data?
QUESTION 4: How long do you keep customer personal information?
QUESTION 5: Do you share customer personal information with others or third parties?
We collect only basic personal data of our users/customers.
Your Takeaway:
You collect only basic contact or identification details – name, email, phone number, and address. Under UAE or KSA PDPL, basic data is considered lower risk than sensitive data, but you still have obligations. You need a lawful basis – usually consent or contract. You need a privacy notice that meets PDPL's transparency requirements (Article 13). And you may need to register with the UAE Data Office, depending on your processing volume. The good news: basic data is manageable. The bad news: don't skip the registration step – many businesses think they're too small, but the UAE authority expects registration even for modest processing.
Your Privacy Best Practices:
– Document what basic data you collect and why. Keep a simple list: data type, purpose, lawful basis, retention period.
– Publish a privacy notice that meets UAE PDPL requirements. It must include: what data you collect, why you collect it, how long you keep it, who you share it with (if anyone), how to withdraw consent, and how to complain to the UAE Data Office.
– Check if you need to register with the UAE Data Office. The current guidance suggests that any business processing UAE resident data should register – but there may be exemptions for very low volume. I recommend registering anyway – it's not expensive or difficult.
– Appoint a point of contact for UAE customer inquiries. Put their email in your privacy notice. This can be you.
– Set a retention period. PDPL does not fix a number; it requires that you keep data no longer than the purpose needs. For basic contact data, 2 years after last activity is a common, defensible choice.
How I Can Help:
I will help you create a KSA or UAE‑specific privacy notice that meets PDPL's Article 13 requirements. I'll also help you determine whether you need to register.
We collect both basic and sensitive personal data of our users/customers.
Your Takeaway:
You collect sensitive data – the kind of data the UAE and KSA PDPLs single out for stricter treatment, such as health information, biometric data, criminal records, financial account details, and data about children (check the exact definition of "sensitive data" in the law that applies to you; the two lists are not identical). The law is strict on sensitive data. You need explicit consent – not just regular consent, but explicit, unambiguous, written agreement. You almost certainly need a Data Protection Impact Assessment (DPIA) – a formal risk assessment document. In some cases, you may need prior approval from the UAE Data Office before you start processing. Cross‑border transfer of sensitive data is heavily restricted – you cannot send it outside the UAE without specific safeguards (adequacy decision, binding corporate rules, or explicit consent from the data subject). This is high risk.
Your Privacy Best Practices:
– First, challenge yourself: do you really need this sensitive data? Many businesses collect it without thinking. If you can deliver your service without it, stop collecting it. This is the single best way to reduce risk under PDPL.
– If you truly need it, get explicit written consent. Not a pre‑ticked box. Not a hidden clause. A clear, separate "Yes, I agree" that you store as proof. The consent form must specify exactly what sensitive data you're collecting and why.
– Conduct a DPIA. The UAE Data Office hasn't published a template yet, but you can adapt GDPR's DPIA format. Document the risks, how you'll mitigate them, and whether you need prior approval.
– Check if you need prior approval from the UAE Data Office. For certain types of sensitive data processing, the law requires you to notify or get approval before starting. This is not optional – check with a local expert.
– For cross‑border transfers of sensitive data, assume they are prohibited unless you have a specific safeguard. The UAE has a short list of "adequate" countries – if your vendor isn't in one of those, you need explicit consent from each customer or binding corporate rules. Get legal advice.
– Store sensitive data separately with encryption. Limit access to only those employees who absolutely need it. Keep access logs.
How I Can Help:
I can help you run a DPIA for UAE sensitive data – we'll go through each sensitive data field together. And if you're transferring sensitive data outside the UAE, I'll help you understand your obligations.
We collect our users'/customers' personal data for Selling our products/services.
Your Takeaway:
Your customers expect you to use their data only to deliver what they bought from you. Under KSA & UAE PDPL, this is acceptable. A delivery‑only expectation is low risk. You still need a lawful basis – a contract works well for delivery. You still need a privacy notice, but it can be short. The biggest risk is accidentally using delivery data for marketing or analytics without separate consent. Unlike some other laws, the UAE PDPL doesn't have a "soft opt‑in" for existing customers – if you want to use delivery data for marketing, you need explicit consent.
Your Privacy Best Practices:
– Write a two‑sentence notice on your checkout page: "We use your information only to complete your purchase, send order confirmations, and provide customer support. We do not use your data for marketing unless you separately agree."
– Rely on "contract" as your lawful basis for delivery data. Document this in your legal basis register.
– Do not add customers to any marketing list unless they separately and actively opt in – via an unchecked checkbox or a clear "yes" button.
– Train your team: if someone asks, "Can we use this customer's email for a newsletter?" the answer is no unless there's a separate, unchecked checkbox that they ticked.
– Review your order confirmation emails. They should not contain marketing messages unless the customer opted in separately.
How I Can Help:
I'll look at your checkout flow, order confirmation emails, and any automated messages you send. I'll tell you exactly where you might be accidentally using data beyond "delivery only" – and how to fix it.
We collect our users'/customers' personal data for Marketing & Promotion.
Your Takeaway:
Your customers expect you to use their data for marketing or promotions. Under UAE PDPL, you need prior consent for direct marketing. There's no "soft opt‑in" like the UK has. No "deemed consent" like Singapore has. You need explicit, opt‑in consent before you send any marketing message – email, SMS, phone call, WhatsApp, or any other channel. You must keep records of this consent. You must also offer a clear opt‑out method with every marketing message – and honour it immediately. This is stricter than many other laws.
Your Privacy Best Practices:
– Use an unchecked checkbox on your signup forms: "Yes, I agree to receive marketing messages about products and offers." Do not pre-tick it.
– Keep a consent log: customer email, date and time of consent, exact wording they agreed to, and a copy of the form.
– In every marketing email or message, include a one‑click unsubscribe link that works immediately – no "login to manage preferences". The UAE Data Office expects this.
– Do not assume that existing customers have consented. If you haven't got explicit consent before, you need to get it now. Send a re‑consent campaign.
– Separate your marketing list from your transaction list. Never email marketing to people who only bought something unless they separately opted in.
How I Can Help:
I can help you create forms that meet UAE and KSA PDPL's consent requirements.
We collect our users'/customers' personal data for Monitoring & Profiling.
Your Takeaway:
You monitor customer behaviour – tracking clicks, time on site, pages viewed – or you build profiles based on that behaviour. Under UAE PDPL, you need consent for monitoring and profiling unless it's strictly necessary for the contract you have with the customer. "Necessary" means the service literally wouldn't work without it – for example, keeping items in a shopping cart. You also need to inform customers before starting any tracking – in your privacy notice and via a consent banner. Profiling that leads to legal or similarly significant effects (like automatically rejecting a loan or flagging someone as high‑risk) is treated very strictly – you may need explicit consent and a DPIA.
Your Privacy Best Practices:
– Separate your tracking into two groups: "essential for service" (shopping cart, security, fraud prevention) and "everything else" (Google Analytics, heatmaps, personalisation, session recording). Get consent for the second group.
– Use a consent management banner that lets people say no to non‑essential tracking – and honour that choice. The banner must appear before any tracking starts.
– In your privacy notice, list all monitoring and profiling activities. Explain why you do them and what data you collect.
– If you use profiling that affects customers (credit scoring, insurance pricing, loan decisions, or job screening), stop immediately and get legal advice. The UAE PDPL is strict on automated decision‑making.
– If you claim monitoring is "necessary for contract", write down why the service cannot work without it (a necessity assessment) and keep it on file. This is a contract justification, not a legitimate interest assessment – don't mix the two.
How I Can Help:
I can help you assess whether your specific business activity is allowed under PDPL – and if not, I'll help you change it. If you're claiming monitoring is "necessary for contract", I can help you document that justification properly.
We collect our users'/customers' personal data for Third‑Party sharing.
Your Takeaway:
You share customer data with third parties – analytics providers, advertising networks, payment processors, or business partners. Under UAE PDPL, you must disclose every single recipient in your privacy notice. For sharing with third parties outside the UAE, you have additional obligations: you need either an adequacy decision from the UAE government (they have a short list of adequate countries), or binding corporate rules (very complex), or the explicit consent of each customer. This is a big deal – cross‑border sharing is heavily restricted under PDPL. You may also need to register with the UAE Data Office, especially if you do significant sharing.
Your Privacy Best Practices:
– Create a vendor table with columns: vendor name, what data they see, where they are located (country), and whether you have a data processing agreement (DPA) signed.
– Put this vendor table on your website as part of your privacy notice – not buried but easy to find.
– For vendors outside the UAE, check if the country is on the UAE's adequacy list (currently a short list – ask me or check the Data Office website). If not, you need explicit consent from each customer before sharing.
– Sign a DPA with every vendor that processes data on your behalf. Most major vendors have them – accept or download them.
– Check if your sharing activity triggers registration with the UAE Data Office. If you're sharing significant volumes or sensitive data, you likely need to register.
How I Can Help:
I'll help you create a DPA that you can send to any vendor that doesn't have their own.
We have not informed our users/customers anything.
Your Takeaway:
You haven't told your customers what you do with their data. Under the UAE PDPL, this is a direct violation of Article 13 – the right to be informed. The law requires you to provide a privacy notice at or before the time of collection. The UAE Data Office has indicated that transparency is a priority for enforcement. The good news: fixing this is simple and cheap. A basic privacy notice takes an hour to write. The bad news: ignoring it is expensive if you get caught – fines under PDPL can be significant (up to millions of dirhams).
Your Privacy Best Practices:
– Publish a privacy notice by the end of this week. Start simple: "We collect [list data]. We use it for [list purposes]. We keep it for [time period]. We share it with [list third parties, or 'no one']. You can withdraw consent by [method]. You can complain to the UAE Data Office at [contact]."
– Put a link to your privacy notice everywhere you collect data: signup forms, checkout, email footers, and website footers.
– If you already have customer data, send a short email or notification: "We've updated our privacy notice. You can read it here."
– Make sure your notice includes a contact email for customer enquiries – this can be your regular support email.
– If you're registered with the UAE Data Office, include your registration number in the notice (not required but builds trust).
How I Can Help:
I can help you create a UAE PDPL‑compliant privacy notice as required under Article 13, and tell you where to place it.
We do 'personal data processing' based on our users’/customers’ consent.
Your Takeaway:
You rely on customer consent as your legal basis. Under UAE PDPL, consent is a primary legal basis. It must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, inactivity, or "by using our service you agree" do not count. You must keep records of when, how, and what the customer agreed to. And you must make withdrawal as easy as giving consent – ideally one click or one email. The UAE Data Office has indicated that they follow GDPR‑like standards for consent – strict ones.
Your Privacy Best Practices:
– Use double opt‑in for important data: the customer checks a box, then you send a confirmation email and they click a link to verify. This gives you clear proof.
– Keep a consent log: customer ID, date and time, exact wording they saw (copy and paste it), and a screenshot or copy of the form.
– On every consent form, include a sentence: "You can withdraw your consent at any time by clicking here [link] or emailing us at [email]."
– Never bundle consent with terms of service or other checkboxes; they must be separate.
– Review your consent requests every year. Do they still make sense? Are they still specific?
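As an added example that is not part of this page, here is a small consent ledger in Python covering the consent log, double opt‑in and withdrawal steps above, and the marketing consent log from the "Marketing & Promotion" scenario. The storage (an in‑memory list), the field names, the emailed‑token scheme and the sample values are all assumptions; a real deployment would write the same events to an append‑only table, but the logic is the same: the current status is always derived from the latest event, and nothing is ever edited or deleted.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry. Entries are only ever appended, never edited."""
    subject_id: str
    purpose: str            # one purpose per consent, e.g. "marketing_email"
    action: str             # "requested" | "confirmed" | "withdrawn"
    at: datetime
    wording_sha256: str     # hash of the exact sentence shown next to the checkbox
    evidence: dict          # form id, IP, user agent ... whatever you captured
    token_sha256: str = ""  # only on "requested": hash of the emailed link token


class ConsentLedger:
    """Current status is derived from the latest event for (subject, purpose)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _latest(self, subject_id: str, purpose: str) -> ConsentEvent | None:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def request(self, subject_id: str, purpose: str, wording: str,
                evidence: dict, *, prechecked: bool = False,
                at: datetime | None = None) -> str:
        """Step 1 of double opt-in: the person actively ticked an unchecked box.
        Returns the one-time token to embed in the confirmation email link."""
        if prechecked:
            # A pre-ticked box, silence or inactivity is not consent: refuse to log it.
            raise ValueError("pre-ticked checkbox is not valid consent")
        token = secrets.token_urlsafe(32)
        self._events.append(ConsentEvent(
            subject_id, purpose, "requested", at or datetime.now(timezone.utc),
            _sha256(wording), dict(evidence), _sha256(token)))
        return token  # send it in the email; only its hash is stored

    def confirm(self, subject_id: str, purpose: str, token: str,
                at: datetime | None = None) -> bool:
        """Step 2: the emailed link was clicked. Valid only while the latest event
        is an open request, so an old link cannot revive consent after withdrawal."""
        latest = self._latest(subject_id, purpose)
        if latest is None or latest.action != "requested":
            return False
        if not hmac.compare_digest(latest.token_sha256, _sha256(token)):
            return False
        self._events.append(ConsentEvent(
            subject_id, purpose, "confirmed", at or datetime.now(timezone.utc),
            latest.wording_sha256, {"via": "email_link"}))
        return True

    def withdraw(self, subject_id: str, purpose: str,
                 evidence: dict | None = None, at: datetime | None = None) -> None:
        """Withdrawal is as easy as consenting: one call, no token, no login."""
        latest = self._latest(subject_id, purpose)
        self._events.append(ConsentEvent(
            subject_id, purpose, "withdrawn", at or datetime.now(timezone.utc),
            latest.wording_sha256 if latest else "", dict(evidence or {})))

    def is_active(self, subject_id: str, purpose: str) -> bool:
        """Check this before every marketing send, not once at signup."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.action == "confirmed"

    def proof(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """The full history you would hand to a regulator: who, when, which wording."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]
```

Because the ledger stores a hash of the wording rather than the text, keep a copy of every version of your consent sentence alongside it; the hash proves which version the person saw. Storing only the hash of the emailed token means a leaked database cannot be used to forge confirmations.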
How I Can Help:
I'll review your consent forms and tell you if they'd survive an inspection by the UAE Data Office. I'll also help you set up a simple consent log, so you can prove consent if asked. If you're not sure whether you need consent for a particular activity, I'll help you assess that.
We do 'personal data processing' based on contract.
Your Takeaway:
You rely on contract as your legal basis. This means you collect and process data only because you need it to fulfil a contract with the customer – delivering a product, providing a service, sending invoices, or handling support tickets. Under UAE PDPL, a contract is a valid basis, but you can only process data that is strictly necessary for that contract. You cannot use a contract as an excuse to collect extra data for marketing, analytics, or any other purpose. If the customer doesn't provide the necessary data, you can refuse to enter into the contract. After the contract ends, you must delete the data unless another basis applies (like legal obligation for tax records).
Your Privacy Best Practices:
– In your signup or checkout form, clearly mark which fields are "required for contract" and which are "optional". The required ones are the only ones you can rely on for a contract.
– Create a simple list: each piece of data you collect and a one‑sentence explanation of why it's strictly necessary for the contract. Keep this list in your files.
– Do not use contract‑collected data for any other purpose without a separate legal basis (like consent for marketing).
– After the contract ends, set a timer to delete the data – or move it to a different basis if one applies (e.g., legal obligation for tax records).
– Document your contract basis in your legal basis register – include the contract clause or terms of service reference.
How I Can Help:
I’ll help you separate your “contract necessary” data from your “nice to have” data. We’ll go through your forms together, and I’ll point out which fields you can remove or make optional. This often simplifies your business and reduces your privacy risk at the same time.
We do 'personal data processing' based on legal obligation.
Your Takeaway:
You collect data because a specific UAE law requires you to – for example, tax laws, anti‑money laundering rules, or health and safety regulations. Under UAE PDPL, legal obligation is a valid basis, but you must be able to point to the exact UAE law that creates the obligation. You cannot collect more data than that law requires, and you cannot keep it longer than the law says. This basis is narrow – don't stretch it. For example, "we keep data for 10 years because we might need it" is not a legal obligation – you need a specific law.
Your Privacy Best Practices:
– For each legal obligation data point, write down the exact UAE law name, article number, and section. For example: "Federal Decree-Law No. 8 of 2017 on Value Added Tax, Article 78 (record keeping)" or "Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, at the article that sets out the record-keeping duty". Verify each article number against the current consolidated text – these laws are amended and renumbered.
– Keep a one‑page "legal basis register" that lists the following: data point → UAE law → retention period required by that law.
– Do not use data collected for legal reasons for any other purpose (like marketing) without a separate legal basis.
– Review your legal obligations once a year. UAE laws change – especially new data protection and tax laws.
– If you're not sure whether a law applies, consult a UAE lawyer – but start with the official legislation (available in English).
How I Can Help:
I’ll help you create a legal basis register. You fill in what you collect and why. I’ll review it and tell you if any of your claimed legal obligations are actually too broad. I’ve seen many businesses claim “legal obligation” for things that aren’t really required – I’ll help you clean that up.
We do 'personal data processing' based on legitimate interest.
Your Takeaway:
You believe it's in your legitimate business interest to collect and process the data – for example, to prevent fraud, improve your website, or send certain types of non-marketing communications (like service updates). Under UAE PDPL, legitimate interest is allowed as a basis – similar to GDPR. However, you must conduct a Legitimate Interest Assessment (LIA) before you start. You need to balance your interest against the customer's rights and expectations. If the customer wouldn't reasonably expect the processing, or if it causes harm, legitimate interest fails. Marketing by email almost never qualifies. You must document your LIA and keep it on file.
Your Privacy Best Practices:
– Conduct an LIA using a three‑question template: 1) What is our interest? 2) Is the processing necessary for that interest? 3) Do the customer's rights override our interest? Write down your answers in plain English.
– Be honest with yourself. If you're unsure, switch to consent instead – it's safer.
– Do not use legitimate interest for sensitive data, marketing emails, or tracking behaviour across websites.
– Keep your LIA on file. The UAE Data Office can ask to see it.
– Review your LIAs every year. Circumstances change.
– For fraud prevention, legitimate interest often works – but document why you can't rely on a contract instead.
How I Can Help:
I’ll help you conduct an LIA before you start processing personal data. I’ll review your answers and tell you if your legitimate interest claim would hold up. If it won’t, I’ll help you switch to a safer basis like consent or contract.
We are not sure about our lawful basis of users' personal data processing.
Your Takeaway:
You don't have a clear legal reason for collecting customer data. Under UAE PDPL, this means you are likely processing personal data unlawfully. Article 5 of PDPL requires a legal basis – there's no exception for "I didn't know" or "Everyone does it." The UAE Data Office has the power to fine businesses for non‑compliance. This is urgent. You should stop collecting any data you can't justify immediately. For data you already have, assign a legal basis as soon as possible. Consent, contract, and legitimate interest are all possible under PDPL, but you need to pick one and document it. If you can't assign a basis within two weeks, delete the data.
Your Privacy Best Practices:
– Stop all optional data collection right now – you can always restart after you have a legal basis.
– For existing data, go through each type and ask, "Do we have a contract with this person? If yes, the contract may work. If no, can we get consent? If no, is there a legitimate interest? If none of the above, delete it."
– Document every legal basis you assign. Write it down simply: "Data type X → Basis: contract because we need it to deliver service."
– If you claim legitimate interest, conduct an LIA and keep it on file.
– If you cannot assign a basis within two weeks, delete the data. Keeping it is not safe.
– Don't forget registration – even if you have a legal basis, you may still need to register with the UAE data office.
How I Can Help:
If you are unsure about your legal basis for processing your users’ personal data, I can help you decide which lawful basis fits each processing activity.
We keep our users’/customers’ personal information for a Definite time.
Your Takeaway:
You keep customer data only for a defined period of time – for example, two years after their last purchase. Under UAE PDPL, having a definite retention period is good practice and aligns with the law's requirements. Article 5 of PDPL requires that data be kept only as long as necessary for the purpose. You should document your retention period and include it in your privacy notice. Your retention period has to apply to every copy of the data, including what sits with your cloud provider, email service or analytics tool – check that those tools actually delete on the same schedule. The UAE Data Office expects you to have documented retention policies.
Your Privacy Best Practices:
– Write down your retention periods in a simple document. Example: "Customer contact data → deleted 2 years after last activity. Transaction data → kept for the period UAE tax law requires (5 years under the Tax Procedures Law at the time of writing; confirm the current figure with your accountant). Support tickets → deleted 1 year after the ticket is closed."
– Add a sentence to your privacy notice: "We keep your data for [X years] after your last interaction. For tax records, we keep transaction data for the period UAE tax law requires."
– Set up an automated reminder or script to delete old data – don't rely on memory. Many CRMs and email tools have auto‑delete rules.
– For cloud tools, check their data retention policies. Some keep data even after you delete it from your account. You need to know.
– Test your deletion process once a quarter. Delete a small batch of old data and confirm it's gone from all systems.
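The deletion script mentioned above, as an added example that is not code from this page: a Python retention schedule that a quarterly job can run and that also answers an individual "delete my data" request, keeping only what a legal obligation or a legal hold forces you to keep. The data types, the day counts, the 5‑year tax period and the sample records are constructed assumptions; confirm the statutory period before using it.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule: one entry per data type; a type missing here is a policy gap.
#   days:             how long after the clock starts the record expires
#   legal_obligation: kept because a law says so; also survives an erasure request
# The 5-year figure is an assumption standing in for the UAE tax record-keeping
# period. Confirm the current statutory number before relying on it.
SCHEDULE: dict[str, dict] = {
    "customer_contact": {"days": 2 * 365, "legal_obligation": False},  # clock: last activity
    "transaction":      {"days": 5 * 365, "legal_obligation": True},   # clock: transaction date
    "support_ticket":   {"days": 365,     "legal_obligation": False},  # clock: ticket closed
}


@dataclass
class Record:
    record_id: str
    data_type: str
    subject_id: str
    clock_start: date | None   # None = clock not started yet (e.g. ticket still open)
    legal_hold: bool = False   # regulator enquiry or dispute: never auto-delete


def expiry(record: Record) -> date | None:
    """Date from which the record must go. Unknown data types fail loudly."""
    try:
        policy = SCHEDULE[record.data_type]
    except KeyError:
        raise KeyError(f"no retention rule for {record.data_type!r}; add it first") from None
    if record.clock_start is None:
        return None
    return record.clock_start + timedelta(days=policy["days"])


def due_for_deletion(records: list[Record], today: date) -> list[str]:
    """The quarterly job: every record past its expiry that is not on legal hold."""
    due: list[str] = []
    for r in records:
        exp = expiry(r)
        if exp is not None and exp <= today and not r.legal_hold:
            due.append(r.record_id)
    return due


def erasure_request(records: list[Record], subject_id: str,
                    today: date) -> tuple[list[str], dict[str, str]]:
    """'Delete my data': everything about the person goes, except what you must
    keep, and for each kept record you can state why and until when."""
    delete: list[str] = []
    keep: dict[str, str] = {}
    for r in records:
        if r.subject_id != subject_id:
            continue
        exp = expiry(r)
        if r.legal_hold:
            keep[r.record_id] = "legal hold"
        elif SCHEDULE[r.data_type]["legal_obligation"] and exp is not None and exp > today:
            keep[r.record_id] = f"legal obligation until {exp.isoformat()}"
        else:
            delete.append(r.record_id)
    return delete, keep


# Constructed sample data for the example (not real customers).
TODAY = date(2025, 1, 15)
SAMPLE = [
    Record("c1", "customer_contact", "alice", date(2022, 6, 1)),   # expired
    Record("c2", "customer_contact", "bob",   date(2024, 1, 1)),   # still live
    Record("t1", "transaction",      "alice", date(2021, 3, 1)),   # tax period running
    Record("t2", "transaction",      "bob",   date(2019, 1, 1)),   # tax period over
    Record("s1", "support_ticket",   "alice", None),               # ticket still open
    Record("s2", "support_ticket",   "alice", date(2023, 6, 1), legal_hold=True),
]

if __name__ == "__main__":
    print("due for deletion:", due_for_deletion(SAMPLE, TODAY))
    print("erasure request for alice:", erasure_request(SAMPLE, "alice", TODAY))
```

Run the job in dry‑run mode first and keep its output: the list of record IDs it would delete, plus the reason for every record it kept, is exactly the evidence a regulator asks for when they want to see your retention policy in action.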
How I Can Help:
I’ll review your current retention practices. I’ll ask you a few simple questions about each data type, and then I’ll write a custom retention schedule for you – including exactly what to put in your privacy notice.
We keep our users’/customers’ personal information for an Indefinite time.
Your Takeaway:
You keep customer data for an indefinite period – basically, forever. Under UAE PDPL, this is risky. The law requires retention only as long as necessary for the purpose. Keeping data indefinitely without a deletion plan could be seen as a violation. The UAE Data Office has the power to fine businesses for non‑compliance. You need to set a retention period – even a rough one – and implement a deletion process. You also need to be able to delete an individual customer's data if they withdraw consent or request deletion. Indefinite retention is not "safe" – it's actually riskier than having a short retention period, because it's an easy violation for a regulator to spot.
Your Privacy Best Practices:
– This week, pick a default retention period. For most businesses, 2 years after last activity works well for customer data. For transaction data, use the period UAE tax law requires (5 years under the Tax Procedures Law at the time of writing; confirm before you set it). Write it down.
– Go through your existing customer data. Delete anything older than your new retention period. Yes, delete it. You can keep aggregated statistics if you need them – but no personal data.
– Set a calendar reminder every quarter to review and delete old data.
– Make sure you can find and delete one customer's data on request. Test this with a colleague pretending to be a customer.
– Document your retention policy. The UAE Data Office expects to see it if they ask.
How I Can Help:
I’ll help you set up a simple retention policy specific to your business. We’ll decide on retention periods for each data type, write them down in a document, and add the right wording to your privacy notice. I’ll also help you create a step‑by‑step process for deleting old data from common tools like your CRM, email platform, and cloud storage.
We do No Sharing of our users’/customers’ personal information with others/third parties.
Your Takeaway:
You don't share customer data with anyone outside your business. Under UAE PDPL, no sharing is the cleanest scenario. However, "outside your business" includes third‑party tools like your website hosting provider, email delivery service, analytics tool, customer support software, and even your CRM if it's cloud‑based. If any of those tools can see customer data – even temporarily – that counts as disclosure under PDPL. You need to verify each tool carefully. Even with no sharing, you still need a privacy notice and a legal basis. Also, even with no sharing, you may still need to register with the UAE Data Office – don't assume you're exempt.
Your Privacy Best Practices:
– List every single online tool your business uses, including free ones, one‑off tools, and even tools you forgot about. For each tool, ask: "Does this tool ever see a customer's name, email, IP address, or any other personal data?" Be honest.
– If the answer is yes, you are sharing. Update your answer to "Yes, sharing" and follow those best practices.
– If the answer is truly no (very rare – only possible if you run everything on your own servers with no external services), document your verification and keep it on file.
– Even with no sharing, publish a privacy notice that says, "We do not share your data with anyone outside our company" – but only if it's true.
– Check if you need to register with the UAE Data Office. Registration is based on processing, not just sharing – you may need to register even with no sharing.
How I Can Help:
I’ll help you run a “data flow scan” of your business. We’ll identify which tools are silently receiving customer data – you’ll often be surprised. Once we have the real picture, I’ll help you either stop the sharing or disclose it properly.
Yes, We Do Share our users’/customers’ personal information with others/third parties.
Your Takeaway:
You share customer data with third‑party vendors or business partners. Under UAE PDPL, sharing is allowed but comes with significant obligations. First, you must disclose every single recipient in your privacy notice (Article 13). Second, you need a valid legal basis – for sharing that isn't strictly necessary for your service, you usually need explicit consent. Third, you must sign Data Processing Agreements (DPAs) with each vendor. Fourth – and this is critical – if the vendor is outside the UAE, you need either (a) an adequacy decision from the UAE government (they have a short list of adequate countries), (b) binding corporate rules (complex, only for large groups), or (c) the explicit consent of each customer for the transfer. Cross‑border transfers are heavily restricted, especially for sensitive data. You may also need to register with the UAE Data Office – and your sharing activity likely triggers that requirement.
Your Privacy Best Practices:
– Create a vendor table with columns: vendor name, what data they see, where they are located (country), whether you have a DPA signed, and whether you have consent for cross‑border transfer (if applicable).
– Put this vendor table on your website as part of your privacy notice – not buried but easy to find.
– Sign a DPA with every vendor that processes data on your behalf. Most major vendors have them – accept or download them.
– For vendors outside the UAE, check if their country is on the UAE's adequacy list. Currently, the list is short – ask me or check the Data Office website. If not, you need explicit consent from each customer before sharing. This is not optional.
– Register with the UAE Data Office. If you're sharing data (especially cross‑border), you almost certainly need to register. The process is online and straightforward.
– For sensitive data, assume cross‑border transfer is prohibited unless you have explicit consent and possibly prior approval. Get legal advice.
How I Can Help:
I’ll review your vendor list and tell you exactly what’s missing. I can also help you create a plain-English DPA template you can send to any vendor that doesn’t have their own. If you have cross‑border transfers,
Ready to take your next step?
Let's put people first in your data & technology.
I'm just one click away!
Spread the word. Someone out there may need this.
Disclaimer: This information is for general informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Feel free to connect with me for further clarification or your specific case matter.