ADGM DPR

Abu Dhabi Global Market Data Protection Regulations 2021

Key Facts

Effective Date: August 14, 2021
Enacted: February 14, 2021
Enforcing Authority: Commissioner of Data Protection (ADGM)
Consent Model: Opt-in
Applies To: All entities operating within the ADGM free zone; different effective dates for new vs. existing entities

Overview

The ADGM DPR is the data protection regulation for the Abu Dhabi Global Market free zone, closely modeled on GDPR principles. It carries the highest penalty ceiling in the Middle East at USD 28,000,000 for general contraventions. The regulations require data protection by design and default, mandatory record-keeping, and written contracts between controllers and processors.

What This Means for Your Website

  • Consent or another lawful basis is required before processing personal data of ADGM users
  • Data protection by design and default must be implemented
  • Processing activities must be recorded
  • Written contracts are required between controllers and processors
  • Cross-border transfers must use SCCs, BCRs, or adequacy mechanisms
  • Data breach notification to the Commissioner and affected data subjects is required

Key Requirements

The Commissioner of Data Protection enforces the regulations with penalties up to USD 28,000,000 — the highest in the Middle East. The GDPR-style framework requires data protection by design and default, mandatory DPO appointment for certain processing activities, and processor obligations with written contracts. New entities had 6 months to comply while existing entities had 12 months.

How ConsentStack Handles This

ConsentStack supports ADGM compliance with opt-in consent collection, data protection by design principles, and adaptable cross-border transfer mechanisms aligned with GDPR-style requirements.

Penalties

Up to USD 28,000,000 for general contraventions — highest penalty ceiling in the Middle East.

Maximum Fine
$28,000,000 per violation

Key Requirements

  • Consent or other lawful basis required for processing
  • Data protection by design and default mandated
  • Record of processing activities mandatory
  • DPO appointment required for certain processing activities
  • Written contracts required between controllers and processors
  • Cross-border transfers via SCCs, BCRs, or adequacy mechanisms

Notable Provisions

  • Highest penalties in the Middle East (USD 28M)
  • Closely modeled on GDPR
  • Part of the UAE's three-regime system
  • Different transition periods for new (6 months) vs. existing entities (12 months)

Other Middle East & North Africa Regulations

KSA PDPL: Kingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.

UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.

Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.

Israel PPL Amendment 13: State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.

Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Frequently Asked Questions

Why are ADGM penalties so high?

ADGM modeled its regulations closely on the GDPR and set penalties up to USD 28,000,000, the highest ceiling in the Middle East, to signal serious enforcement commitment.

How does ADGM relate to the UAE federal PDPL?

The UAE has three separate data protection regimes. ADGM operates its own regulations independently from the federal PDPL and DIFC's DPL.

Does the ADGM DPR require data protection by design?

Yes. Controllers must implement appropriate technical and organizational measures at the design stage to ensure data protection by design and default.
