UAE data protection for digital-asset operations

Three-layer privacy framework: federal PDPL, ADGM data-protection regulations, DIFC data-protection law.

Privacy architecture

The UAE has three data-protection regimes that apply to digital-asset operations depending on venue. The federal Personal Data Protection Law (PDPL, Federal Decree-Law No. 45 of 2021) applies to all organisations processing personal data of UAE residents, with mandatory compliance by 1 January 2027. Administrative fines reach AED 5 million (~$1.4M) and breach notification must occur within 72 hours.

ADGM Data Protection Regulations 2021 apply to all ADGM-registered entities. They require a Data Protection Officer for high-risk processing, maintain an approved list of adequate jurisdictions for cross-border transfers, and mandate breach notification to the ADGM Office of Data Protection within 72 hours.

The DIFC Data Protection Law No. 5 of 2020 applies in DIFC. The Commissioner of Data Protection supervises compliance, and breach reporting must occur within 72 hours of becoming aware of the incident.

For VASPs specifically, the VARA Travel Rule circular creates additional data-handling obligations: originator and beneficiary data must be collected, verified, securely transmitted, and retained. The CBUAE PTSR adds KYC data-handling requirements for payment-token licensees.

Privacy control matrix

| Regime | Scope | Key obligation |
| --- | --- | --- |
| Federal PDPL | All organisations processing UAE-resident personal data. | Mandatory by Jan 2027. 72-hour breach notification. AED 5M (~$1.4M) max fine. |
| ADGM DPR 2021 | All ADGM-registered entities. | DPO for high-risk processing. Adequate-jurisdiction list for transfers. 72-hour breach notification. |
| DIFC DP Law | All DIFC entities. | Commissioner supervision. 72-hour breach reporting. |
| VARA Travel Rule data | Dubai VASPs handling VA transfers. | Originator/beneficiary data: collect, verify, transmit, retain. |
| CBUAE PTSR KYC data | Payment-token licensees. | KYC data handling per PTSR requirements. |
| AML record retention | All licensed VASPs. | 7-year retention for AML/CFT records across all venues. |