
UAE Federal Personal Data Protection Law (PDPL) Article 21

UAE Federal Decree-Law No. 45 of 2021, the Personal Data Protection Law (PDPL), entered into force in January 2022. PDPL establishes federal-level data protection in the UAE, in parallel with the regimes specific to the financial free zones (DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021).

For IT asset disposition (ITAD) specifically, PDPL Article 21 establishes the right to erasure, and Articles 9-13 establish controller obligations on data security, including disposition. Maxicom UAE engagements are structured to satisfy PDPL, with documentation in a form admissible for UAE Data Office inspection.

PDPL Article 21 — right to erasure

Article 21 grants data subjects the right to request erasure of their personal data. Operationally, this requires controllers to identify the data on retired media, sanitise it to an appropriate standard, and document the destruction. The Maxicom engagement model supports the controller's Article 21 response with a per-asset Certificate of Destruction that notes the data classification, and a retention vault for the post-engagement period.

PDPL Articles 9-13 — controller obligations

Articles 9-13 establish controller obligations on data security, including the obligation to implement appropriate technical and organisational measures. For ITAD, this means the controller must select a vendor whose discipline is appropriate to the sensitivity of the data. Maxicom's vendor due-diligence pack supports the controller's pre-engagement assessment.

Federal vs free-zone regimes

PDPL is the federal law applicable to the UAE mainland. DIFC and ADGM operate their own data protection laws (DIFC DPL 2020 and ADGM DP Regs 2021) within their respective free zones. Maxicom certificates are written to satisfy whichever regime applies to the engagement entity — federal mainland, DIFC, or ADGM.

Implementing regulations

PDPL's implementing regulations were issued through 2022-2024 by the UAE Data Office. The framework continues to evolve; Maxicom tracks updates and refreshes operating procedures accordingly.

UAE Data Office inspection

The UAE Data Office is the federal supervisor. Inspections may include sampling of ITAD documentation. Maxicom certificates are designed for UAE Data Office inspection.

Regulator stack, by region

Every Maxicom certificate is admissible against the full stack simultaneously.

Universal: NIST SP 800-88 Rev. 1 · IEEE 2883-2022 · DoD 5220.22-M · NAID-grade Protocol

🇮🇳 India (INR · IST). Privacy: DPDPA 2023. BFSI: RBI IT-Risk. Sector-specific: SEBI · IRDAI · CERT-In · CPCB.

🇨🇦 Canada (CAD · EST). Privacy: PIPEDA · Quebec Law 25. BFSI: OSFI Guideline B-13. Sector-specific: PIPA (AB/BC) · PHIPA · ITSG-33.

🇸🇬 Singapore (SGD · SGT). Privacy: PDPA Section 24. BFSI: MAS TRM. Sector-specific: IMDA · NEA Resource Sustainability Act.

🇦🇪 UAE (AED · GST). Privacy: UAE PDPL Article 21. BFSI: Central Bank UAE. Sector-specific: TDRA · DIFC DPL · ADGM · NESA.

Reviewed by the Maxicom compliance desk. Last updated April 2026.
Operates to NIST 800-88 · UAE PDPL Art. 21 · NAID-grade · IEEE 2883-2022
Authoritative references

Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.

Frequently asked questions

Does PDPL require physical destruction of all retired drives?

No. PDPL is method-neutral; appropriate technical measures depend on sensitivity. NIST SP 800-88 Rev. 1 Purge satisfies most classifications.

How does PDPL compose with DIFC DPL or ADGM DP Regs?

PDPL applies to the mainland; DIFC DPL and ADGM DP Regs apply within their respective free zones. Maxicom certificates satisfy whichever applies to the engagement entity.

What about Central Bank of UAE engagements?

CBUAE imposes additional banking-specific cybersecurity requirements. Maxicom certificates satisfy CBUAE + PDPL simultaneously.

When you are ready

Send the asset list. We will send the number.

A photograph of the rack works. A spreadsheet works better. AED settlement, against PO.

sales@maxicom.ae · 1 business day