Guide
UAE PDPL and AI — a practical guide
UAE PDPL came into force in 2022. AI projects touch almost every restricted area: personal data, automated decisions, biometrics, cross-border transfer. This page is a non-legal practitioner guide — talk to counsel for binding advice.
Data residency reality
PDPL allows cross-border transfer to jurisdictions with adequate protection or under standard contractual safeguards. In practice, for security/HR workloads we recommend defaulting to AWS me-central-1 (UAE) or Azure UAE North; OpenAI and Anthropic both offer regions that can be configured for non-training of submitted data.
Article 21 — automated decisions
Decisions made solely by automated processing that significantly affect the data subject are restricted. Build a human-review step into hiring, credit, access, and any safety-critical decision pipeline.
Biometrics and sensitive data
Biometric data is sensitive personal data. Consent is the safest lawful basis where feasible; document storage location, retention, and a deletion workflow up front.
FAQ
Can we send data to OpenAI/Anthropic?+
Yes, under PDPL safeguards: a Data Processing Agreement, no-training opt-out, and a documented lawful basis. For sensitive workloads consider Azure OpenAI in UAE region or Anthropic via AWS Bedrock in me-central-1.
Ready to apply this to your company?
10 minutes. Free. No sales call required.
Start the free assessment