Draft pending counsel review. This statement addresses UAE PDPL compliance, with full compliance expected by 1 January 2027.
Last updated: 27 May 2026

Brand Atlas is operated by MadeBy_ from the United Arab Emirates. As a UAE-based operator processing data of UAE residents (and extraterritorially affecting UAE data subjects), we are subject to the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021 (“PDPL”). This Statement describes our compliance position.

1. Applicability

The PDPL applies to:
  • Processing of personal data of data subjects residing in the UAE, regardless of where the controller or processor is based.
  • Controllers and processors based in the UAE processing personal data inside or outside the UAE.
Brand Atlas is in scope on both grounds.

2. Transition timeline

The PDPL came into force on 2 January 2022. The UAE Data Office’s Executive Regulation, which translates the law into operational requirements, was published with a transition period. Full compliance is expected by 1 January 2027. We are progressing toward full compliance throughout 2026, with the following milestones:
  • Q1 2026: Internal PDPL gap assessment.
  • Q2 2026: Update of privacy notices, DPA, and breach notification procedures (in progress).
  • Q3 2026: PDPL-specific cross-border transfer mechanisms operationalised.
  • Q4 2026: Final readiness review.
  • 1 January 2027: Full PDPL compliance.

3. Lawful processing

We process personal data only on lawful bases. Under PDPL Article 4, lawful bases include:
  • The data subject’s consent.
  • Performance of a contract.
  • Legal obligation.
  • Vital interests.
  • Public interest.
  • Legitimate interests of the controller, balanced against the data subject’s rights.
We rely primarily on contract (to provide the Service) and legitimate interests (to operate, secure, and improve the Service).

4. Data subject rights

Under the PDPL, UAE data subjects have the following rights, exercisable by writing to legal@brandatlas.pro:
  • Access. Request a copy of personal data we hold.
  • Correction. Correct inaccurate data.
  • Erasure. Request deletion.
  • Restriction. Restrict processing.
  • Portability. Receive data in a portable format.
  • Object. Object to specific processing.
We respond within 30 days, consistent with PDPL Article 27.

5. Cross-border transfer mechanisms

The PDPL restricts cross-border transfers of personal data. Article 22 permits transfers where:
  • The destination jurisdiction has been determined to provide adequate protection.
  • Appropriate safeguards are in place (UAE-approved Standard Contractual Clauses, Binding Corporate Rules, or codes of conduct).
  • The data subject has consented after being informed of the risks.
  • Specific exceptions apply (contract performance, legal claims, vital interests, public interest).
For transfers from the UAE to:
  • The European Economic Area. Adequacy determinations and our supplementary safeguards apply.
  • The United States. UAE-approved Standard Contractual Clauses apply where required.
  • Other jurisdictions. Assessed case by case; supplementary safeguards (encryption, access controls) reinforce contractual mechanisms.
Specific transfer assessments are documented in our Data Processing Addendum.

6. Breach notification

The PDPL requires notification of personal data breaches to the UAE Data Office and to affected data subjects within timeframes set by the Executive Regulation. Our internal procedure aligns with the 72-hour timeline used by GDPR; see Breach Notification.

7. Data Protection Impact Assessments

We conduct DPIAs for processing activities likely to result in high risk to individuals’ rights, including the use of AI features and processing of large datasets. DPIAs are documented and reviewed annually.

8. Data Protection Officer

Brand Atlas does not currently meet the PDPL threshold for a mandatory DPO appointment. We maintain a privacy contact: If our scale or processing nature triggers the DPO requirement, we will appoint one and publish the contact.

9. Records of processing

We maintain records of processing activities consistent with PDPL Article 24. Records are made available to the UAE Data Office on request.

10. Complaints

UAE residents can lodge complaints with:

11. Changes

We update this Statement as the PDPL Executive Regulation is finalised and our compliance position evolves.

What changed

  • 27 May 2026: Initial draft published for counsel review.