The countries of Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain, and Oman form the consortium of Middle East countries.

Oman has no regulation for the protection of personal data; the other countries have different regulations for the protection of data.

Saudi Arabia

Saudi Arabia passed its data protection law, called the Personal Data Protection Law (PDPL), in September 2021. The law will be fully implemented by March 2022. The main features of the PDPL are:

  • Application: The law extends to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means, including the processing of the personal data of Saudi residents by entities located outside the Kingdom.
  • Rights of data subjects: These include the right to information on the processing of personal data, the right to access personal data, the right to request correction and the right to request destruction of personal data.
  • Obligations of Data Controllers: Major obligations of controllers and processors under the PDPL are: obtaining registration before processing personal data, informing data subjects about the legal basis for processing their data, adopting and implementing privacy policies, appointing a data officer, notifying the regulatory authority about data breaches, ensuring accuracy of data, ensuring timely destruction of data and conducting staff training on data protection laws.
  • Fines and penalties: Fines and penalties for companies that violate the PDPL:
    • Imprisonment of up to two years and/or a fine of up to SAR 3,000,000 for anyone who discloses or publishes Sensitive Data in violation of the Law.
    • Imprisonment of up to one year and/or a fine of up to SAR 1,000,000 for anyone who violates the general prohibition on transfers of Personal Data outside Saudi Arabia.
    • A warning or a fine of up to SAR 5,000,000 for any other violation of the Law; the fine may be doubled if the violation is repeated.


Kuwait

Kuwait does not have a specific law for data protection. The most comprehensive data protection regulation in Kuwait currently is the Data Privacy Protection Regulation, No. 42 of 2021, formulated by the Communication and Information Technology Regulatory Authority (‘CITRA’). The prime features of the regulation are:

  • Application: The regulation applies to all public or private bodies that process, collect or transmit data, irrespective of whether such processing is done in Kuwait or not.
  • Legal basis for processing data: For the processing of data to be legal, at least one of the following parameters has to be met: processing is done after obtaining user consent (in the case of children, consent should be obtained from their guardian); or processing is required for fulfilling legal obligations; or the data subject is not identifiable.
  • Obligations of service providers: Service providers are required to obtain the consent of their users before processing; provide all information about data processing, transmission, identity and location of the service provider, and the data storing period and location to the data holder; attend to all requests for data erasure or alteration; provide appropriate training to staff dealing with data processing; and deploy appropriate security measures.

Apart from the regulations introduced by CITRA, provisions regulating data protection can be found in the following laws:

  • Cyber Security Framework for the Kuwaiti Banking Sector
  • Labour Law No. 6/2010 for the Private Sector
  • Law No. 20 of 2014 (the E-Commerce Law)

United Arab Emirates (UAE)

The UAE has various laws for the protection of personal data in different sectors, along with dedicated laws for privacy.

The UAE’s federal data protection law has been announced, and its details are yet to be made public. In the absence of a federal data protection law, data processing in the UAE is currently governed by a patchwork of provisions spread across different pieces of legislation:

  • Article 379 of the UAE Penal Code prohibits a professional who is entitled to know a secret by virtue of their profession from disclosing that secret to the public.
  • The Stored Value Facilities Regulation issued by the Central Bank of the UAE, which governs online payment systems, digital wallets and crypto-assets, requires any company operating in this field to obtain a license and make appropriate arrangements for the protection of information relating to consumers and their finances.
  • Federal Law No. 2, issued on 06/02/2019, on the Use of the Information and Communication Technology (ICT) in Health Fields, enacted to protect the health data of UAE residents, prohibits processors and controllers from transferring health data outside the UAE for any purpose.

Apart from the aforementioned laws, UAE’s financial capital Dubai has a separate data protection law called the ‘Data Protection Law 2020’ issued by Dubai International Financial Center (DIFC). The major features of the law are:

  • The law applies to the processing of personal data by automated means or by way of filing systems.
  • The law applies to any controller or processor processing data received from the DIFC as part of stable arrangements. Whether or not such controller or processor is based in Dubai is immaterial.
  • Obligations of data controllers under the law are: duty to inform the data subject of the nature, purpose and scope of data processing; duty to ensure accuracy of data; duty to prevent unauthorized parties from accessing personal data; duty to obtain consent and inform data subjects of any processor who might subsequently process data; and duty to have a legally binding agreement with processors.
  • The penalties under this law range from USD 10,000 to USD 100,000 depending upon the gravity of violation.

Abu Dhabi: The Data Protection Regulation 2021 applies to the processing of Personal Data by any establishment of a Controller or a Processor in the region, even if such processing does not take place in Abu Dhabi.


Qatar

Qatar was the first of the GCC countries to pass a comprehensive data protection law, called ‘Law No. (13) of 2016 on Protecting Personal Data Privacy’. The key features of this law are:

  • Application: The law applies to Personal Data when it is electronically processed, or obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing.
  • Rights of Data Subjects: The rights given to data subjects include: right to receive information about the purpose of processing data; right to object; right to get data corrected by the controller; right to withdraw consent; and right to request erasure of data.
  • Obligations of Data Controllers: Organizations are required to process requests of data subjects within a time frame of 30 days; furnish a privacy policy for data subjects to go through; obtain the consent of data subjects before data processing; maintain a record of processing activities; and implement privacy by design and default in their systems.
  • Personal Data with Special Nature: The law creates special provisions for Personal Data with Special Nature, i.e., data related to ethnic origin, children, health, physical or psychological condition, religious creeds, marital relations, and criminal offenses. The Law requires any entity processing personal data with special nature to obtain permission from the competent authority. The concerned minister can impose additional obligations on such entities.
  • Special Provision for protection of Children: Any website addressing children should make sure that: information regarding child data, its use and the policy towards its disclosure is given; explicit consent is obtained from the guardian of the child; and the child’s guardian is able to exercise the right to access and erasure of the child’s data on their behalf. Further, any competition for children cannot make participation contingent upon giving up more personal data than ordinarily required.
  • Penalties and Fines: The penalties for violating various provisions of the data protection law range from QAR 1,000,000 to QAR 5,000,000. No provision for imprisonment has been made.

The business center of Qatar, the Qatar Financial Centre (“QFC”), has its own regulations that are separate and distinct from those of the State of Qatar: the QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).


Bahrain

Personal Data Protection Law, 30 of 2018, Bahrain’s prime data protection and privacy law, came into force on 1st August 2019. The following are the key features of the law:

  • Application: The law applies to every natural or legal person residing or maintaining a business in Bahrain and every natural or legal person residing outside Bahrain but processing personal data by means available within the kingdom, other than for transitory purposes. Any person residing outside Bahrain to whom the law is applicable has to appoint a legal representative in Bahrain.
  • Rights of Data Subjects: The rights given to data subjects include: right to receive information about the purpose of processing data; right to object; right to get data corrected by the controller; right to withdraw consent; right to request erasure of data; right not to be subjected to automated decision making; right to data portability; and right to object or opt out of data processing.
  • Obligations of Data Controllers: The obligations of data controllers include deploying adequate measures to ensure the safety of personal data; ensuring that the data processor is acting in accordance with the data processing agreement; maintaining confidentiality of data; informing data subjects about the controller’s identity, the purpose of processing data and whether such data is being used for direct marketing; ensuring that data subjects can enforce their rights by contacting the controller; and maintaining data processing records.
  • Sensitive Personal Data: Processing of sensitive personal data is prohibited, subject to the exceptions provided in the law. Some of the exceptions are: processing of sensitive data for the purposes of carrying out the legal obligations and rights of the data controller; processing that relates to data which is made available to the public by the data subject; and processing that is necessary for pursuing any legal claims or defenses, etc.
  • Penalties and fines: The law provides that any data subject who suffers damage as a result of processing by a data controller is entitled to receive compensation from the data controller. Apart from this, criminal liability for violation of the law can lead to imprisonment for a term not exceeding one year, and/or a fine of not less than BD 1000/- and not exceeding BD 20,000/-.

The regulations of different regions in the Middle East require a different set of compliances by businesses operating in the region. For any assistance in complying with the data protection laws of the Middle Eastern countries, please reach out to us.
