
The countries of Saudi Arabia, Kuwait, the United Arab Emirates, Qatar, Bahrain, and Oman form the consortium of Co-operation Council for the Arab States of the Gulf (GCC).

UAE has implemented a new Federal Data Protection Law (FDPL) which has been enforced since 2nd January 2022. Some key features of the law are as follows
- Applicability: The law aims to govern any form of processing of personal data by organizations inside the UAE as well as organizations outside the UAE processing personal data of data subjects inside the UAE.
- Rights of data subjects : FDPL grants data subjects with the right of access to information, right to data portability, right to rectification or erasure, right to restrict processing, right to suspend processing, and right to object to automated decision making.
- Legal Basis: Consent is the primary lawful basis for processing under the FDPL. However, there are various exceptions to this rule which are effectively alternate legal bases for processing.
- Obligations of the data controller: The FDPL obligates the data controller to implement appropriate technical and organizational measures to protect personal data. The data controller shall implement techniques such as pseudonymisation and anonymisation to secure the data. The controller is also obligated to maintain a record of processing activities, implement mechanisms for data subjects to exercise their rights and appoint processors who have appropriate technical and organizational measures which meet the requirement of the law.

Qatar was the first of GCC countries to pass a comprehensive data protection law called ‘Law No. (13) of 2016 on Protecting Personal Data Privacy’. The key features of this law are:
- Application: The law applies to Personal Data when it is electronically processed, or obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing.
- Rights of Data Subjects: The rights given to data subjects include- right to receive information about the purpose of processing data; right to object; right to get data corrected by the controller; right to withdraw consent and right to request erasure of data.
- Obligations of Data Controllers: Organizations are required to process request of data subjects within a time frame of 30 days; furnish privacy policy for data subjects to go through; obtain consent of data subjects before data processing; maintain record of processing activities; and implement privacy by design and default in their systems.
- Personal Data with Special Nature: The law creates special provisions for Personal Data with Special Nature, i.e., data related to ethnic origin, children, health, physical or psychological condition, religious creeds, marital relations, and criminal offenses. The Law requires that any entity processing personal data with special nature to obtain permission from the competent authority. The concerned minister can impose additional obligations on such entities.
- Special Provision for protection of Children: Any website addressing children should make sure that- information regarding child data, its use and policy towards its disclosures are given; explicit consent should be obtained from guardian of the child; child’s guardian shall be able to exercise right to access and erasure of child’s data on their behalf. Further, any competition for children cannot make participation contingent upon giving up more personal data than ordinarily required.
- Penalties and Fines: The penalties for violating various provisions of data protection law ranges from QAR 1,000,000 to QAR 5,000,000. No provision for imprisonment has been made.
The business center of Qatar, ‘The Qatar Financial Centre (“QFC”)’ has its own regulations that are separate and distinct from those of the State of Qatar, the QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).

Personal Data Protection Law, 30 of 2018, Bahrain’s prime data protection and privacy law, came into force on 1st August 2019. Following are the key features of the law:
- Application: The law applies to natural or legal person residing or maintaining a business in Bahrain and every natural or legal person residing outside Bahrain but processing personal data by means available within the kingdom, other than for transitory purposes. Any person residing outside Bahrain to whom the law is applicable has to appoint a legal representative in Bahrain.
- Rights of Data Subjects: The rights given to data subjects include- right to receive information about the purpose of processing data; right to object; right to get data corrected by the controller; right to withdraw consent and right to request erasure of data, right not to be subjected to automated decision making, right to data portability and right to object or opt-out of data proccessing.
- Obligations of Data Controllers: The obligations of Data controllers include deploying adequate measures to ensure safety of personal data; ensuring that data processor is acting in accordance with data processing agreement; maintain confidentiality of data; informing data subjects about controller’s identity, purpose of processing data and whether such data is being used for direct marketing; ensuring that data subjects can enforce their rights by contacting the controller; and maintaining data processing records.
- Sensitive Personal Data: Processing of sensitive personal data is prohibited subject to the exceptions provided in the law. Some of the exceptions are- processing of sensitive data to for the purposes of carrying out the legal obligations and rights of the data controller; processing is allowed when it relates to relates to data which is made available to the public by the data subject; processing is also allowed when it is necessary for pursuing any legal claims or defenses, etc.
- Penalties and fines: The law provides that any data subject who suffers damage as a result of processing by data controller is entitled to receive compensation from the data controller. Apart from this criminal liability for violation of the law can lead to imprisonment for a term not exceeding one year, and / or a fine not less than BD 1000/- and not exceeding BD 20,000/-.

Saudi Arabia passed its data protection law called Personal Data Protection Law (PDPL) in September 2021. The law will be fully implemented by March 2022. The main features of PDPL are:
- Application: The law extends to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means, including the processing of the personal data of Saudi residents by entities located outside the Kingdom.
- Rights of data subjects: these include rights such as right to information on processing of personal data, right to access personal data, right to request correction and right to request destruction of personal data.
- Obligations of Data Controllers: Major obligations of controllers and processors under the PDPL are- obtaining registration before processing of personal data, informing data subjects about the legal basis of processing their data, adopting and implementing privacy policies, appointing data officer, notifying regulatory authority about data breaches, ensuring accuracy of data, ensuring timely destruction of data and conducting staff training on data protection laws.
- Fines and penalties: Fines and penalties for companies that violate the PDPL:
- Imprisonment of up to two years and/or a fine up to SAR 3,000,000 for anyone who discloses or publishes Sensitive Data in violation of the Law
- Imprisonment of up to one year and/or a fine up to SAR 1,000,000 for anyone who violates the general prohibition on transfers of Personal Data outside Saudi Arabia.
- A warning or fine up to SAR 5,000,000 for any other violations of the Law, which fine may be doubled if repeated.

Oman announced its Personal Data Protection Law (PDPL) on 13th February 2022. The law will come into for from 13th February 2023 onwards. Some key features of the law are as follows:
- Application: The law is applicable to processing of personal data. An exhaustive list of exceptions for applicability of the law is provided in the PDPL.
- Rights of data subjects: These include rights such as right of access, right to withdraw consent, right to erasure, right of rectification, right to data portability, and the right to be notified in case of a data breach.
- Obligations of the data controller: PDPL states that controllers shall establish controls and procedures for processing personal data to
- determine risks that may fall on the data subjects due to processing
- transfer personal data
- ensure processing is carried out in accordance of the law
- notifying the data subject before processing
- maintaining documents of processing operations
- Fines and penalties: Fines and penalties for contravention of provisions of PDPL range from OMR 500 to OMR 500,000 depending upon the nature of contravention and applicability of the appropriate provision.

Kuwait does not have a specific law for data protection. The most comprehensive data protection regulation in Kuwait currently is Data Privacy Protection Regulation, No. 42 of 2021 formulated by Communication and Information Technology Regulatory Authority (‘CITRA’). Prime features of the regulations are:
- Application: Regulations applies to all public or private bodies that process, collect or transmit data, irrespective of whether such processing is done in Kuwait tor not.
- Legal basis for processing data: For processing of data to be legal at least one of the following parameters have to be met- processing is done after obtaining user consent and incase of children consent should be obtained from their guardian; or processing is required for fulfilling legal obligations; or if data subject is not identifiable.
- Obligations of service providers: Service providers are required to obtain consent of their users before processing; provide all information about data processing, transmission, identity and location of service provider, data storing period and location to the data holder; attending to all request of data erasure or alteration; provide appropriate training to staff dealing with data processing; and deploy appropriate security measures.
Apart from the regulations introduced by CITRA provisions regulating data protection can be found in the following laws:
- Cyber Security Framework for the Kuwaiti Banking Sector
- Labour Law No. 6/2010 for the Private Sector
- Law No. 20 of 2014 (the E-Commerce Law)

Abu Dhabi Global Market’s (ADGM) Data Protection Regulation, 2021 (“Regulation”) came into force on 14th February 2022. Some key features of the law are as follows:
- Application: The Regulations apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the ADGM, regardless of where the processing takes place. The Regulation applies to the processing of personal data partly or wholly by automated means and to the processing of personal data which forms or is intended to form a part of a filing system.
- Legal basis for processing data: The Regulation provides for the following legal basis for processing of – the data subject has given consent to the processing of their personal data for specific purposes; processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract; processing is necessary for compliance with a legal obligation; processing is necessary to protect the vital interests of the data subject or another natural person; processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of functions of the Financial Services Regulatory Authority, AGDM Courts, The Registration Authority, or in the exercise of official authority vested in the controller; or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
- Obligations of controllers and processors: Controllers and the Processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Each Controller must maintain a detailed record of its processing activities. Controllers must carry out DPIA prior to the processing that is likely to result in a high risk to the rights of natural persons. Controllers and processors must notify personal data breach to the commissioner of data protection.
- Fines and penalties: A maximum fine of USD 28,000,000 for administrative breaches may be imposed for contraventions under the regulation.

Dubai International Financial Centre’s (DIFC) Law No. 5 of 2020 came into force on 1st July, 2020. Some key features of the law are:
- Application: The DIFC Data Protection law applies to the processing of private information through a controller or a processor incorporated within the DIFC, irrespective of where the processing takes place; controller or processor, irrespective of its region of incorporation, if it processes personal data in the DIFC as a part of stable arrangements, aside from on an occasional basis; and processing activities conducted in the DIFC, including transfers of personal data out of the DIFC.
- Legal basis for processing data: Processing under DIFC would be considered lawful if: lawful consent has been given; processing is necessary for the purpose of legitimate interests; or processing is necessary for : (a) the performance of a contract to which a Data Subject is a party; (b) compliance with Applicable Law; (c) the protection of the vital interests of a Data Subject or of another natural person; (d) performance of a task carried out by a DIFC Body in the interests of the DIFC; (e) exercise of a DIFC Body’s powers and functions; or (f) the exercise of powers or functions vested by a DIFC Body in a Third Party to whom Personal Data is disclosed by the DIFC Body.
- Obligations of controllers and processors: Controllers and Processors must maintain written records of processing activities for which it is responsible. Controller or Processor must notify the Commissioner of processing of personal data, processing of special categories of data, and transfer of personal data outside of DIFC. Controllers and processors must appoint a Data Protection Officer in certain cases. Controller and processor is required to implement appropriate technical and organizational measures to demonstrate that processing is performed in accordance with the law, including ensuring a level of security.
- Fines and penalties: The penalties range from USD 10,000 to USD 100,000 as per non-compliance to specific articles listed out in the law.

Qatar Financial Centre’s (QFC) QFC 2021 Regulation will come into force on 21st May 2022. Some key features of the law are:
- Application: The regulation applies to the processing of personal data by a data controller or data processor incorporated or registered in the QFC. The regulation also applies to the processing of personal data by a data controller or data processor that is not incorporated or registered in the QFC, if, as part of ongoing arrangements, that data controller or data processor processes personal data through a data controller or data processor that is incorporated or registered in the QFC.
- Legal basis for processing data: Processing under DIFC would be considered lawful if: the data subject has given their consent to the processing of their personal data for one or more specific purposes; the processing is necessary for the performance of a contract to which the data subject is a party; to comply with an obligation imposed on the data controller by law; to protect the vital interests of the data subject or another individual; for public interest, for performance of the functions of the QFC Authority, QFC Regulatory Authority, Civil or Commercial Courts, for legitimate interest of the data controller, etc.
- Obligations of controllers and processors: Data controller must implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the regulation. Controller must conduct a DPIA before processing personal data if the processing may result in high risk to to the rights and legitimate interests of the data subject. Data controller and the data processor must enter into a written contract that sets out the information contained in the Data Protection Rules. Data controller must make and retain a written record of all processing of personal data under its responsibility.
- Fines and penalties: Infringements of any provision of the regulation or non-compliance with an order by the Data Protection Office will be subject to a maximum penalty of USD 1,500,000.
The regulations of different regions in the GCC require a different set of compliances by businesses operating in the region. For any assistance in the compliance of data protection laws of the GCC member Countries, please reach to us.