Data protection for HR in the United Arab Emirates
Reviewed by Mellow Editorial Team, HR & payroll content team
Data protection in UAE HR is governed primarily by Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL), which sets out binding obligations for any organisation that collects, processes or stores personal data about employees or job applicants. Compliance is not optional — it applies to businesses of all sizes operating in the UAE mainland, with separate regimes covering the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM).
The legal landscape: PDPL, DIFC and ADGM
The UAE PDPL is the mainland framework. It covers the processing of personal data by organisations established in the UAE and, in some cases, organisations outside the UAE that process data about UAE residents.
Parallel regimes apply in the financial free zones. The DIFC operates under its own Data Protection Law (DIFC Law No. 5 of 2020), supervised by the DIFC Commissioner of Data Protection. The ADGM follows the ADGM Data Protection Regulations 2021, modelled closely on the UK GDPR standard. If your business is licensed in either free zone, that zone's rules take precedence over the PDPL for activities conducted within it.
For most mainland employers, the PDPL and its executive regulations are the operative framework.
What counts as employee personal data
HR departments handle some of the most sensitive personal data a business touches. Under the PDPL, personal data means any information that identifies or can identify a natural person. In an employment context that includes:
- Names, Emirates ID numbers, passport copies and visa details
- Salary figures, bank account details and payroll records
- Medical certificates, sick leave records and health insurance data
- Performance reviews, disciplinary records and termination letters
- Biometric data used for access control or attendance tracking
The PDPL applies stricter rules to sensitive categories of data, which include health data, biometric data and data revealing ethnic or religious background. You need a clear lawful basis before processing any of it.
Core obligations for HR and payroll
Establish a lawful basis. The PDPL requires a valid legal ground for processing personal data. For employees, the most common grounds are contractual necessity (you need the data to perform the employment contract), compliance with a legal obligation (for example, running payroll through the Wage Protection System requires submitting salary data), and, where neither applies, consent. Consent under the PDPL must be freely given, specific and informed — bundling consent into an employment contract is problematic because of the power imbalance.
Be transparent. Employees must be told what data you collect, why you collect it, how long you keep it, and who you share it with. A clear, plain-language privacy notice given at onboarding is the practical way to meet this requirement.
Limit collection and retention. Collect only what you genuinely need. Define retention periods and apply them consistently. Passport copies held years after an employee has left, or payroll records kept indefinitely, create unnecessary risk. Set a schedule: end-of-service gratuity calculations under Federal Decree-Law No. 33/2021 create a practical reason to retain payroll records for a defined period after termination, but not forever.
Control access. Salary data, medical records and disciplinary files should be accessible only to the people who need them to do their job. Payroll teams should not have visibility of performance files; line managers should not have access to health data. Document who has access to what and review it regularly.
Manage data transfers carefully. If you use a global payroll platform, an overseas HR system or a parent-company shared-services function, personal data is likely leaving the UAE. The PDPL requires that transfers to countries without an adequate level of data protection use a recognised safeguard such as standard contractual clauses or explicit consent. Check where your HR software stores and processes data.
Respond to individual rights requests. Employees have rights to access, correct and — in defined circumstances — request deletion of their personal data. You need a process to handle these requests within the timeframes set by the PDPL.
Practical steps to reduce risk
A few concrete actions make a material difference:
- Audit what employee data you hold, where it lives and who can access it before any other step.
- Update your employment contract template and onboarding pack to include a PDPL-compliant privacy notice.
- Review contracts with HR software vendors, payroll bureaus and any other processor that handles employee data on your behalf — they should have a data processing agreement in place.
- Train the people in HR and payroll who handle sensitive data; human error is the most common cause of a data breach.
- If you operate across the DIFC or ADGM as well as the mainland, map which rules apply to which workforce and do not assume one policy covers all three.
The regulatory environment is still maturing — executive regulations and guidance continue to be issued — so building a habit of periodic review into your HR compliance calendar is more durable than a one-off project.
---
Run HR and payroll in UAE with Mellow
Mellow brings HR, payroll and 12 AI agents into one platform — built to handle UAE properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.
[Start a free trial →](/register)