UAE Federal Personal Data Protection Law (PDPL) Article 21
UAE Federal Decree-Law No. 45 of 2021, the Personal Data Protection Law (PDPL), entered into force in January 2022. PDPL establishes federal-level data protection in the UAE, parallel to the regimes specific to the financial free zones (DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021).
For ITAD specifically, PDPL Article 21 establishes the right to erasure, and Articles 9-13 establish controller obligations on data security including disposition. Maxicom UAE engagements are structured to satisfy PDPL in admissible form for UAE Data Office inspection.
PDPL Article 21 — right to erasure
Article 21 grants data subjects the right to request erasure of their personal data. Operationally, this requires controllers to identify the data on retired media, sanitise it to an appropriate standard, and document the destruction. The Maxicom engagement model supports the controller's Article 21 response with a per-asset Certificate of Destruction that notes the data classification, and a retention vault for the post-engagement period.
PDPL Articles 9-13 — controller obligations
Articles 9-13 establish controller obligations on data security, including the obligation to implement appropriate technical and organisational measures. For ITAD, this means the controller must select a vendor whose discipline is appropriate to the sensitivity of the data. Maxicom's vendor due-diligence pack supports the controller's pre-engagement assessment.
Federal vs free-zone regimes
PDPL is the federal law applicable to the UAE mainland. DIFC and ADGM operate their own data protection laws (DIFC DPL 2020 and ADGM DP Regs 2021) within their respective free zones. Maxicom certificates are written to satisfy whichever regime applies to the engagement entity: federal mainland, DIFC, or ADGM.
Implementing regulations
PDPL's implementing regulations were issued through 2022-2024 by the UAE Data Office. The framework continues to evolve; Maxicom tracks updates and refreshes operating procedures accordingly.
UAE Data Office inspection
The UAE Data Office is the federal supervisor. Inspections may include sampling of ITAD documentation. Maxicom certificates are designed for UAE Data Office inspection.
Frequently asked questions
Does PDPL require physical destruction of all retired drives?
No. PDPL is method-neutral; appropriate technical measures depend on sensitivity. NIST SP 800-88 Rev. 1 Purge satisfies most classifications.
How does PDPL compose with DIFC DPL or ADGM DP Regs?
PDPL applies to the mainland; DIFC DPL and ADGM DP Regs apply within their respective free zones. Maxicom certificates satisfy whichever applies to the engagement entity.
What about Central Bank of UAE engagements?
CBUAE imposes additional banking-specific cybersecurity requirements. Maxicom certificates satisfy CBUAE and PDPL requirements simultaneously.