25 documents · All GCC

Data Protection & Privacy Regulations in the GCC

Personal data protection laws, privacy regulations, cross-border transfer rules, and data subject rights across UAE, Saudi Arabia, Bahrain, Qatar, Oman, and Kuwait.


UAE: 13 documents

regulation · ADGM · 2025

ADGM Data Protection Regulations (Substantial Public Interest) Rules 2025

The ADGM Data Protection Regulations (Substantial Public Interest) Rules 2025 outline specific conditions for processing special categories of personal data when it is necessary for reasons of substantial public interest. These rules supplement the Data Protection Regulations 2021 and are enforced by the Commissioner of Data Protection of the ADGM. The regulation focuses on scenarios where consent may not be required.

data protection · substantial public interest · insurance · child safeguarding
guidance · ADGM · 2025

ADGM Office of Data Protection — Circular No. 1 of 2025

ADGM Office of Data Protection Circular No. 1 of 2025 reminds ADGM entities of their obligations under the DPR 2021 to maintain an accurate and up-to-date Data Protection Register, including the contact details of their designated Data Protection Contact Person. Failure to comply may result in enforcement actions, including fines and inspections.

data protection · data protection register · compliance · ADGM
regulation · DIFC · 2023

DIFC Data Protection Regulations — Consolidated Version (incl. Reg 10 AI, 2023)

The DIFC Data Protection Regulations outline the requirements for processing personal data within the Dubai International Financial Centre. This consolidated version includes updates related to AI and covers obligations related to data processing records, notifications, supervision, data transfers, breach reporting, and potential fines for non-compliance. It aims to protect personal data and ensure responsible data handling practices.

data protection · data breach · DIFC · privacy
guidance · DIFC · 2020

DIFC Commissioner of Data Protection — Overview of Personal Data Regime

This document provides an overview of the data protection law and regulations within the Dubai International Financial Centre (DIFC). It outlines the interplay between DIFC, Federal, and Emirate laws, the authority of the DIFC Commissioner of Data Protection, and the principles for processing personal data. It also covers the rights of data subjects and the legal duties of controllers and processors.

data protection · privacy · DIFC · data governance
guidance · DIFC · 2020

DIFC Comprehensive Guide to Data Protection Law and Regulations

This document is a comprehensive guide issued by the DIFC Commissioner of Data Protection regarding Data Protection Law, DIFC Law No. 5 of 2020, and its associated regulations. It aims to provide accessible information about the legislation, covering definitions of personal and special category data, obligations of controllers and processors, data export, data subject rights, and breach procedures.

data protection · personal data · data breaches · data export
law · DIFC · 2020

DIFC Data Protection Law No. 5 of 2020 (Consolidated Version)

The DIFC Data Protection Law No. 5 of 2020 (Consolidated Version) outlines the requirements for processing personal data within the Dubai International Financial Centre (DIFC). It establishes principles for lawful processing, special categories of data, consent, legitimate interests, and accountability. The law aims to protect individuals' privacy rights and regulate data processing activities within the DIFC.

data protection · privacy · DPO · data processing
framework · DIFC

DIFC Regulation 10 — Accreditation and Certification Framework for Autonomous Systems

DIFC Regulation 10 establishes an accreditation and certification framework for autonomous and semi-autonomous systems that process personal data within the Dubai International Financial Centre (DIFC). It outlines the criteria for accrediting certification bodies and the requirements for certifying systems used in high-risk processing activities, ensuring compliance with the Data Protection Law and Regulations.

data protection · AI governance · accreditation · certification
framework · DIFC

DIFC Regulation 10 Accelerator Framework — AI and Autonomous Systems

DIFC Regulation 10 Accelerator Framework provides an environment for testing autonomous and semi-autonomous systems for privacy by design and compliance with Regulation 10. It allows developers, deployers, and operators to assess their systems using various standards and frameworks, acting as a bolt-on to existing regulatory sandboxes or as a standalone assessment.

AI governance · privacy by design · regulatory sandbox · autonomous systems
policy · DDA

Dubai Blockchain Policy

The Dubai Blockchain Policy outlines the framework for blockchain network formation, governance, and operations within Dubai. It establishes guidelines for data privacy, security, interoperability, and the use of smart contracts. The policy aims to promote the adoption of blockchain technology while ensuring compliance and standardization across various applications.

blockchain · data privacy · security · smart contracts
policy · DDA

Dubai Data Policies

Resolution No. (2) of 2017 approves the Policies Document on Classification, Dissemination, Exchange, and Protection of Data in the Emirate of Dubai. The document establishes rules, procedures, regulations, forms, and mechanisms for managing data. The Dubai Data Establishment (DDE) is responsible for supervising the implementation of these policies.

data classification · data dissemination · data exchange · data protection
framework · DDA

Framework for Implementation of Synthetic Data Techniques

This framework, issued by the Digital Dubai Authority (DDA), provides guidance on the implementation of synthetic data techniques in Dubai. It outlines the benefits of synthetic data for data sharing and privacy preservation. The framework includes a decision matrix to help organizations determine if synthetic data is the right solution for their needs.

synthetic data · data governance · privacy · data sharing
guidance · CBUAE

Guidance on Responsible Use of Artificial Intelligence in Financial Services

The CBUAE issued guidance on the responsible adoption and use of AI and machine learning by licensed financial institutions in the UAE. It establishes a framework to safeguard consumer rights, strengthen governance and transparency, and promote fair practices. The guidance aligns with the UAE’s national AI strategy.

AI governance · Consumer protection · Data privacy · Financial innovation
regulation · VARA · 2023

VARA Virtual Assets and Related Activities Regulations 2023

Cabinet Decision No. 112/2022 delegates certain competencies related to the regulation of virtual assets to the Dubai Virtual Assets Regulatory Authority (VARA). VARA is authorized to license, supervise, and control virtual asset activities and service providers within the Emirate of Dubai and its free zones, ensuring compliance with relevant legislation and international requirements.

virtual assets · licensing · regulation · data protection

Saudi Arabia: 3 documents

analysis · SDAIA

AI Law in Saudi Arabia — In-Depth Analysis (Latham & Watkins / Lexology)

This document analyzes the developing AI legal landscape in Saudi Arabia, focusing on the Saudi Data and Artificial Intelligence Authority's (SDAIA) role in promoting AI adoption and establishing a regulatory environment. It highlights key developments such as the draft amendments to intellectual property legislation and the issuance of the AI Ethics Principles.

AI ethics · Intellectual property · Data privacy · AI regulation
guidance · SDAIA · 2023

Saudi Arabia Data Privacy Handbook 2023 (PwC)

This handbook, published by PwC, serves as a starter guide for organizations to comply with the Saudi Arabia Personal Data Protection Law (PDPL). It explains key concepts, principles, and steps for building effective data privacy programs in accordance with the PDPL, which came into force on September 14, 2023, with full enforceability starting September 14, 2024.

data privacy · data protection · PDPL compliance
framework · NCA · 2022

Data Cybersecurity Controls (DCC-1: 2022)

The Data Cybersecurity Controls (DCC-1: 2022) framework, issued by the NCA in Saudi Arabia, establishes cybersecurity controls for data protection. It outlines requirements for cybersecurity governance, defense, and third-party/cloud computing cybersecurity. The framework aims to safeguard data assets in accordance with Saudi Arabian laws and regulations.

cybersecurity governance · data protection · cloud security · third-party risk

Bahrain: 6 documents

regulation · CBB · 2023

CBB Rulebook Vol. 5 — Open Banking Regulatory Module 2023

This Central Bank of Bahrain (CBB) regulation outlines the framework for Open Banking, focusing on ancillary service providers like Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). It establishes regulatory standards to ensure the security and integrity of customer data when accessing accounts through APIs, emphasizing risk management and customer protection.

Open Banking · API Security · Data Security · Customer Protection
regulation · PDPA · 2022

Bahrain PDPA Order No. 42 of 2022 — Transfer of Personal Data Outside Bahrain

Bahrain's Order No. 42 of 2022 outlines the regulations for transferring personal data outside of the Kingdom of Bahrain, as per the Personal Data Protection Law No. 30 of 2018. It specifies conditions under which data controllers can transfer data, including transfers to countries listed in an attached record and transfers authorized by the Personal Data Protection Authority.

data protection · cross-border data transfer · data controller obligations
regulation · PDPA · 2022

Bahrain PDPA Order No. 43 of 2022 — Technical and Organisational Measures

Bahrain's Order No. 43 of 2022 outlines the technical and organizational measures required to ensure the protection of personal data, as mandated by the Personal Data Protection Law No. 30 of 2018. It details specific actions data controllers must take to maintain an adequate level of data security during processing activities. The order emphasizes proactive privacy measures and risk mitigation.

data protection · privacy by design · data security · risk management
regulation · PDPA · 2022

Bahrain PDPA Order No. 46 of 2022 — Data Protection Auditor Tasks

Bahrain's Order No. 46 of 2022 outlines the regulations for Data Protection Guardians, both internal and external, as mandated by the Personal Data Protection Law (PDPL). It establishes a register for these guardians and sets forth the conditions for enrollment, including qualifications and ethical standards. The order empowers the Authority to require specific controllers to appoint a guardian.

data protection · data protection guardian · compliance · Bahrain PDPL
regulation · PDPA · 2022

Bahrain PDPA Order No. 48 of 2022 — Data Subjects' Rights

Bahrain's Order No. 48 of 2022 outlines the rights of data subjects under the Personal Data Protection Law (PDPL). It details obligations for data controllers regarding automated processing, consent, and objection procedures. The order aims to ensure data subjects can exercise their rights related to their personal data effectively.

data subject rights · consent · automated processing · data protection
law · PDPA · 2018

Bahrain Personal Data Protection Law (Law No. 30 of 2018)

Bahrain's Personal Data Protection Law (Law No. 30 of 2018) establishes a legal framework for safeguarding personal data. It outlines the rights of individuals regarding their data and imposes obligations on data controllers and processors. The law aims to regulate the collection, processing, and transfer of personal data within Bahrain.

data protection · privacy · data security

Oman: 1 document

law · ITA · 2022

Oman Personal Data Protection Law — Royal Decree 6/2022

Royal Decree 6/2022 promulgates the Oman Personal Data Protection Law, repealing Chapter seven of the Electronic Transactions Law. The law defines key terms such as Personal Data, Controller, and Processor, and establishes a framework for the processing of personal data. It aims to protect individuals' privacy by regulating how their personal information is handled.

data protection · privacy law · data processing

Kuwait: 2 documents

policy · CITRA

Kuwait CITRA Data Classification Policy v2.3

The Kuwait CITRA Data Classification Policy v2.3 outlines a methodology for data classification in both the public and private sectors within Kuwait. It aims to define acceptable security protection levels, ensure adherence to best practices, and determine appropriate data handling, transmission, and processing methods to mitigate electronic risks.

data classification · data security · data protection
regulation · CITRA · 2021

Kuwait Data Privacy Protection Regulation (Resolution 42/2021)

Kuwait's Data Privacy Protection Regulation (Resolution 42/2021) establishes rules for data privacy within the country. Issued by CITRA, the regulation aims to protect personal data and ensure its responsible handling. It applies to both public and private sectors operating within the State of Kuwait and takes effect upon publication.

data protection · privacy regulation · Kuwait · CITRA
AI-generated summaries only. Arabic originals are legally binding. This is not legal advice.