What’s PDPL and how does it differ from GDPR?

UAE’s Personal Data Protection Law (PDPL) is Federal Decree-Law No. 45 of 2021, in force since January 2022. It’s GDPR-flavoured but with key UAE differences:

• Scope — PDPL applies to UAE-mainland processing. DIFC has its own DPL 2020 (more EU-aligned), and ADGM has its DPR 2021. Free-Zone stores fall under whichever zone’s rules.
• Consent + lawful basis — mandatory for personal data, similar to GDPR Article 6.
• DSAR rights — access, rectification, erasure, objection — same as GDPR.
• Cross-border transfers — allowed to “adequate” jurisdictions or with safeguards (similar to GDPR SCCs).
• No fixed fines yet — PDPL fines are determined per case (vs GDPR’s 4% global turnover cap), but Cybercrime law has separate criminal penalties.
• Mandatory DPO only above certain processing volumes — lighter than GDPR.

We configure Magento customer + sales_order retention rules, DSAR automation, cookie banner copy, and PDPL-aligned privacy policy.