PDPL Data Protection

1. Legal Position

AELION Digital Ltd processes Personal Data in line with UAE Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data. This framework applies across the UAE mainland, subject to its statutory exclusions, including sectors already governed by sector-specific data laws and free zones with their own data protection regimes. The present compliance position is structured against the 1 January 2027 mainland implementation deadline now being cited in 2026 UAE compliance guidance. (uaelegislation.gov.ae)

Where processing occurs in or through the DIFC, the applicable regime is the DIFC Data Protection Law, DIFC Law No. 5 of 2020, as amended, including the 2025 amendment package. (DIFC)

2. Lawful Basis

For commercial delivery, account administration, onboarding, service execution, infrastructure support, supplier control, and client communications necessary to perform an engagement, the primary lawful basis used is Contractual Necessity. Under the DIFC regime, that is Article 10(b).

For limited operational monitoring, fraud prevention, platform security, audit trails, service continuity, and proportionate governance controls, the lawful basis used is Legitimate Interests. Under the DIFC regime, that is Article 10(f), subject to the balancing test and the rights of the Data Subject.

Consent is not treated as the default legal basis for enterprise processing where a stronger and more appropriate basis already exists.

3. Data Residency

For regulated workloads, data location is not left to default vendor architecture.

In the UAE financial sector, the Central Bank’s Cloud Computing rules under the 2021 enabling-technology framework remain in force. The Central Bank has since moved further and announced a sovereign financial cloud services infrastructure in February 2026. For banking, payments, and adjacent regulated environments, sovereign or dedicated UAE-hosted architecture is the correct default position. (rulebook.centralbank.ae)

In health, Federal Law No. 2 of 2019 Concerning the Use of the Information and Communications Technology in Health Fields applies to health ICT across the State, including free zones. Its structure is explicit: national control, system compatibility, confidentiality, controlled access, and centralised handling of health data and information. For health-sector processing, UAE-based control architecture is therefore not cosmetic. It is statutory design. (uaelegislation.gov.ae)

AELION therefore deploys sovereign cloud nodes or equivalent UAE-controlled hosting architecture where sectoral exposure, regulator posture, client mandate, or contractual risk requires it.

4. Breach Protocol

The breach position is direct.

Under the UAE PDPL, where a Controller becomes aware of a breach or violation that prejudices privacy, confidentiality, or security, it must notify the Bureau and provide the prescribed breach details. A Processor that becomes aware of a breach must notify the Controller as soon as it becomes aware. (uaelegislation.gov.ae)

This page adopts an immediate notification model. That means internal escalation begins at awareness, not after an internal waiting cycle. It does not adopt the UK GDPR habit of treating 72 hours as the operational benchmark. The legal posture is earlier. The trigger is awareness. (uaelegislation.gov.ae)

Where the breach is likely to prejudice the Data Subject, direct notice is issued in line with the governing regime and the severity of the incident. Under DIFC law, notification to the Commissioner and, where high risk arises, to affected Data Subjects must occur as soon as practicable in the circumstances.

5. Subject Rights

Data Subjects may exercise the following rights, subject to statutory limits and sector-specific exemptions.

Access
Under the UAE PDPL, the Data Subject has the right to receive information concerning processing. Under the DIFC regime, the Data Subject may obtain confirmation, access, and a copy of Personal Data. (uaelegislation.gov.ae)

Portability
Under the UAE PDPL, the Data Subject may request transfer of Personal Data to another Controller where technically feasible. Under the DIFC regime, portability applies where processing is based on consent or contract and carried out by automated means. (uaelegislation.gov.ae)

Erasure
Under the UAE PDPL, the Data Subject may request correction or erasure where the legal grounds are met, including where the data is no longer necessary, consent is withdrawn, objection prevails, or processing is unlawful. Under the DIFC regime, access, rectification, and erasure rights are expressly recognised. (uaelegislation.gov.ae)

Redress
Within the DIFC, the 2025 amendment package introduced an express Private Right of Action. A Data Subject who suffers damage by reason of a contravention of the DIFC Data Protection Law may apply to the Court for compensation.

6. Cross-Border Transfers

Transfers outside the UAE or outside the DIFC are not treated as routine.

Under the UAE PDPL, transfer outside the State is permitted where an adequate level of protection exists, or where the transfer is supported by approved contractual measures, explicit consent, or other statutory grounds. (uaelegislation.gov.ae)

Under the DIFC regime, transfers out of the DIFC require either an adequate level of protection or appropriate safeguards with enforceable Data Subject rights and effective legal remedies.

AELION therefore documents an adequacy assessment or equivalent safeguard review for every material transfer outside the UAE mainland or the DIFC perimeter. That review records destination, legal basis, hosting chain, onward transfer risk, contractual control, and remediation position before transfer proceeds. (uaelegislation.gov.ae)

7. Governance Position

Data protection is treated here as a governance function, not a website disclaimer.

For regulated sectors, residency is engineered.
For cross-border transfers, adequacy is documented.
For breaches, escalation begins at awareness.
For subject rights, response routes are defined in advance.

That is the standard.

8. Contact

Governance Desk
hello@aelion.ae