Skip to main content

Last Updated on February 16, 2024

Data Protection Laws in the Middle East: Safeguarding Privacy in a Digital Age

Source: Enactia


As the Middle East continues to embrace digital transformation, the need for robust data protection laws becomes increasingly evident. With the proliferation of technology and the rapid growth of data-driven industries, safeguarding personal information and privacy has become a paramount concern. This article provides an overview of the data protection laws in the Middle East, highlighting key regulations and their significance in ensuring the security and privacy of personal data.

1. United Arab Emirates (#UAE):

The UAE has taken significant strides in data protection by enacting the UAE Data Protection Law (#DPL). On 28th November 2021, the UAE Cabinet made a significant announcement regarding the enactment of Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL 2021), which was officially issued on 20th September 2021. This newly introduced law marked a significant milestone as the UAE did not previously have a standalone federal data protection legislation. With the #PDPL 2021 that came into effect on 2nd January 2022, businesses are now obligated to comply with the data protection requirements outlined in the law.

The DPL aims to regulate the processing of personal data and governs both public and private entities. It outlines the rights of individuals regarding their personal data, imposes obligations on data controllers and processors, and establishes mechanisms for complaints and enforcement. The DPL also emphasizes the need for obtaining consent, data security measures, and cross-border transfers of personal data.

2. Kingdom of Saudi Arabia #KSA

Saudi Arabia has introduced the Personal Data Protection Law (#PDPL) to safeguard the privacy rights of individuals. Following the approval of amendments to the Saudi Data Protection Law (DPL) by the Council of Ministers in March 2023, the new amendments have recently been implemented through Royal Decree No. M147 of 5/9/1444H (corresponding to March 27, 2023). As a result, the effective date of the DPL has been set for September 2023. These amendments aim to further align the Saudi DPL with the principles and requirements of the General Data Protection Regulation (GDPR). While the amendments represent a significant step forward, the issuance of the DPL’s executive regulations is still awaited. These regulations are expected to provide more detailed guidance on various aspects of the DPL. Although the proposed executive regulations have been made available for public feedback, no final version has been approved at this time. Once the executive regulations are issued, they will offer further clarity and practical instructions for businesses and organizations regarding compliance with the DPL and its GDPR-inspired provisions.

The PDPL applies to all personal data processed within Saudi Arabia, regardless of the nationality of the individuals involved. The law sets out principles for lawful processing, data subject rights, and the establishment of a data protection authority responsible for enforcement and supervision. It emphasizes the importance of consent, data accuracy, security measures, and cross-border data transfers.

4. #Bahrain:

Bahrain has enacted the Personal Data Protection Law (PDPL) to safeguard personal information and privacy. On July 12, 2018, Bahrain introduced Law No. 30 of 2018, known as the Personal Data Protection Law (#PDPL), as its primary data protection regulation. With its enactment, the PDPL replaced any existing laws that contained conflicting provisions. The PDPL officially came into effect on August 1, 2019, establishing a comprehensive framework for personal data protection in Bahrain. In a significant development, the Personal Data Protection Authority (Authority) issued ten ministerial resolutions, referred to as the Resolutions, on March 17, 2022. These Resolutions serve as supplementary guidelines to further enhance the implementation and enforcement of the PDPL. The Resolutions provided additional clarity and practical instructions for organizations and individuals regarding their obligations and rights under the PDPL, ensuring a more robust and comprehensive data protection ecosystem in Bahrain.

The PDPL applies to the processing of personal data by entities operating within Bahrain, including government agencies and private organizations. It emphasizes transparency, consent, data accuracy, security measures, and the rights of data subjects. The law establishes a data protection authority responsible for overseeing compliance, handling complaints, and enforcing the provisions of the PDPL.

5. #Oman:

In February 2023, the Sultanate of Oman implemented the Personal Data Protection Law (#PDPL), establishing a robust legal framework for businesses engaged in the processing of personal data. The PDPL introduces a set of new obligations and requirements that organizations must adhere to. Notably, the law adopts an opt-in approach, whereby the processing of personal data is permissible only if explicit user consent has been obtained or if there exists another lawful basis for processing. This alignment with the principles set forth in the European Union’s General Data Protection Regulation (GDPR) signifies Oman’s commitment to upholding internationally recognized standards of data protection and privacy. The PDPL serves to enhance individuals’ control over their personal information and reinforces the responsibility of businesses to handle data in a transparent and lawful manner. The PDPL applies to data controllers and processors, including both the public and private sectors. It outlines principles for lawful processing, data subject rights, security measures, and cross-border transfers of personal data. The law establishes a data protection authority responsible for supervision and enforcement, promoting compliance with data protection requirements.


Data protection laws in the Middle East play a crucial role in ensuring the privacy and security of personal information in an increasingly digitized world. These laws establish a framework for data controllers and processors to adhere to ethical and responsible data handling practices. Middle Eastern countries are taking significant steps to protect data privacy, aligning themselves with global data protection standards and fostering trust in the digital ecosystem. By leveraging Enactia, businesses gain access to robust solutions for data protection and cybersecurity governance. The software enables organizations to streamline their data protection processes and compliance, ensuring adherence to local regulations and promoting transparency and accountability. With features such as data mapping and processing activities, compliance assessments, vendor management, data breach & incident management, etc., Enactia assists Middle Eastern companies in maintaining comprehensive records, implementing appropriate safeguards, and demonstrating compliance with data protection laws. Ultimately, Enactia empowers organizations to navigate the complex landscape of data governance efficiently and effectively, mitigating the risk of legal consequences while fostering a culture of responsible data management.

Source: Enactia, july 2023