UAE Federal PDPL — Data Protection Impact Assessment
Overview
Draft and validate a DPIA under UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL) and its Executive Regulations. Covers data inventory, lawful basis, cross-border transfers, and 72-hour breach notification.
Example Conversation
You: We need a DPIA for our UAE entity under Federal PDPL. We need to document lawful basis per processing, cross-border transfers, 72-hour breach notification, and data subject rights. Can you draft it and run the checker?
Agent: I’ll draft the DPIA with processing inventory, lawful basis per activity (consent, contractual, legal obligation, etc.), cross-border transfer mechanism (adequacy or contractual safeguards), data subject rights (access, rectification, erasure, restriction, portability, objection), DPO where required, and 72-hour breach notification procedure. Then I’ll run uae_pdpl_dpia_checker.
Agent: Created dpia-uae-pdpl.md. Running uae_pdpl_dpia_checker…
Agent: Check PASS — lawful basis is specified per processing, cross-border transfer mechanism is documented, 72-hour breach notification is in place, data subject rights are addressed, and DPO is documented. Ready for review.
What the Tools Validate
uae_pdpl_dpia_checker scans the DPIA document for:
- Lawful basis — Each processing activity must have a specified lawful basis (consent, contractual necessity, legal obligation, vital interests, public interest, legitimate interests).
- Cross-border transfer mechanism — Adequate jurisdictions (per UAE Data Office list) or approved contractual/other safeguards must be documented.
- Breach notification — Procedure for notifying the UAE Data Office (and affected individuals as required) within 72 hours must be documented.
- Data subject rights — Access, rectification, erasure, restriction, portability, objection must be addressed.
- DPO — DPO appointment must be documented where required under the PDPL.
Output: PASS if all are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.
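A sketch of this kind of document check, added here as an illustration and not the code of uae_pdpl_dpia_checker: it covers three of the five elements (lawful basis per activity, the 72-hour timeline, the six rights) and returns one finding per gap. The `##` section names, the table layout (taken from the excerpt on this page) and the substring matching are assumptions.

```python
import re

# Bases and rights as listed above; the substring matching is an assumption.
LAWFUL_BASES = ("consent", "contractual", "legal obligation",
                "vital interests", "public interest", "legitimate interests")
RIGHTS = ("access", "rectification", "erasure", "restriction",
          "portability", "objection")

def sections(md):
    """Map each lowercased '## ' heading to the text that follows it."""
    parts = re.split(r"(?m)^##\s+(.+?)\s*$", md)
    return {parts[i].lower(): parts[i + 1] for i in range(1, len(parts), 2)}

def table_rows(body):
    """Yield cell lists for table data rows, skipping header and separator."""
    rows = [l for l in body.splitlines() if l.strip().startswith("|")]
    for line in rows[2:]:
        yield [c.strip() for c in line.strip().strip("|").split("|")]

def check_dpia(md):
    """Return one finding per missing element; an empty list means PASS."""
    sec, missing = sections(md), []
    rows = list(table_rows(sec.get("lawful basis", "")))
    if not rows:
        missing.append("lawful basis: no processing activities listed")
    for cells in rows:
        basis = cells[1].lower() if len(cells) > 1 else ""
        if not any(b in basis for b in LAWFUL_BASES):
            missing.append(f"lawful basis: none recognised for '{cells[0]}'")
    breach = sec.get("breach notification", "").lower()
    if not re.search(r"\b72[\s-]*hours?\b", breach):
        missing.append("breach notification: 72-hour timeline not documented")
    rights = sec.get("data subject rights", "").lower()
    missing += [f"data subject rights: {r} not addressed"
                for r in RIGHTS if r not in rights]
    return missing

# Constructed sample: one activity has no basis, two rights are not covered.
SAMPLE = """## Lawful basis
| Processing activity | Lawful basis |
|---|---|
| HR payroll | Contractual necessity |
| CCTV | TBD |
## Breach notification
- Reported to the UAE Data Office within 72 hours.
## Data subject rights
Access, rectification, erasure and objection requests go to the DPO.
"""
print("\n".join(check_dpia(SAMPLE)) or "PASS")
```

A keyword check of this kind confirms that each element is mentioned, not that the stated basis or procedure is legally adequate.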
Output Excerpt
DPIA (excerpt):
## Lawful basis
| Processing activity | Lawful basis |
|----------------------------|------------------------|
| HR payroll | Contractual necessity |
| Marketing (email) | Consent |
| Regulatory reporting | Legal obligation |
## Breach notification
- Breaches that pose a risk to personal data are reported to the UAE Data Office within **72 hours** of becoming aware. Affected individuals are notified where required by the PDPL and Executive Regulations.
uae_pdpl_dpia_checker report (excerpt):
=== UAE PDPL DPIA CHECK ===
Result: PASS
Document: dpia-uae-pdpl.md
Lawful basis is specified per processing activity...
Data breach notification timeline (72 hours) is documented.
DPIA meets UAE PDPL DPIA expectations.
Getting Started
Add your source materials to the project workspace (e.g. processing inventory or transfer map), then activate the UAE Federal PDPL — Data Protection Impact Assessment skill. The agent will guide you through drafting the DPIA and running uae_pdpl_dpia_checker until the check passes.