
UAE Federal Personal Data Protection Law (PDPL)

UAE Federal Decree-Law No. 45 of 2021, the Personal Data Protection Law (PDPL), entered into force in January 2022. PDPL establishes federal-level data protection in the UAE, parallel to the financial-free-zone-specific regimes (DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021). For ITAD specifically, the PDPL establishes data-subject erasure rights and sets controller obligations on data security, including secure disposition of personal data on retired media. Maxicom UAE engagements are structured to satisfy PDPL in admissible form for UAE Data Office inspection.

PDPL — right to erasure

The PDPL grants data subjects the right to request erasure of their personal data. Operationally, this requires controllers to identify the data on retired media, sanitise it to an appropriate standard, and document the destruction. Maxicom's engagement model supports the controller's erasure response: a per-asset Certificate of Destruction with the data classification noted, and a retention vault for the post-engagement period.

UAE PDPL — controller obligations

Articles 9-13 establish controller obligations on data security, including the obligation to implement appropriate technical and organisational measures. For ITAD, this means the controller must select a vendor whose discipline is appropriate to the sensitivity of the data. Maxicom's vendor due-diligence pack supports the controller's pre-engagement assessment.

Federal vs free-zone regimes

PDPL is the federal law applicable to the UAE mainland. DIFC and ADGM operate their own data protection laws (DIFC DPL 2020 and ADGM DP Regs 2021) within their respective free zones. Maxicom certificates are written to satisfy whichever regime applies to the engagement entity — federal mainland, DIFC, or ADGM.

Implementing regulations

PDPL's implementing regulations were issued through 2022-2024 by the UAE Data Office. The framework continues to evolve; Maxicom tracks updates and refreshes operating procedures accordingly.

UAE Data Office inspection

The UAE Data Office is the federal supervisor. Inspections may include sampling of ITAD documentation. Maxicom certificates are designed for UAE Data Office inspection.

Regulator & standards stack — UAE

Every Maxicom certificate is admissible against the full UAE stack

UNIVERSAL
NIST SP 800-88 Rev. 1 · IEEE 2883-2022 · DoD 5220.22-M · documented chain-of-custody

🇦🇪 UNITED ARAB EMIRATES · AED
Privacy: UAE PDPL · DIFC DPL · ADGM Data Protection
Cyber / sector: CBUAE · NESA · TDRA
Settlement in AED · admissible at UAE audit

Reviewed by the Maxicom compliance desk. Last updated April 2026.
Operates to NIST 800-88 · UAE PDPL · IEEE 2883-2022

Frequently asked questions

Does PDPL require physical destruction of all retired drives?

No. PDPL is method-neutral; appropriate technical measures depend on sensitivity. NIST SP 800-88 Rev. 1 Purge satisfies most classifications.

How does PDPL compose with DIFC DPL or ADGM DP Regs?

PDPL applies to the mainland; DIFC DPL and ADGM DP Regs apply within their respective free zones. Maxicom certificates satisfy whichever applies to the engagement entity.

What about Central Bank of UAE engagements?

CBUAE imposes additional banking-specific cybersecurity requirements. Maxicom certificates satisfy CBUAE + PDPL simultaneously.
