UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) 📍 UAE Effective: 02 Jan 2022

UAE PDPL and visitor management: what every building manager, school, and office needs to know

When a visitor signs in at your front desk, whether it is a guest at a gated compound, a parent at a school, or a client at a corporate office, you collect personal data. Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "UAE PDPL"), that data is subject to specific legal obligations. This guide explains what those obligations are and how MyGatePass is designed to help you meet them.

What is UAE PDPL?

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) is the UAE's first comprehensive federal data protection law. It came into effect in January 2022 and applies to any organisation processing the personal data of individuals in the UAE, including businesses, schools, residential developments, and Owners Associations, as well as to controllers outside the UAE that process the data of UAE residents. Article 2 carves out government entities and the free zones that have their own data protection legislation (see the DIFC and ADGM question below).

UAE PDPL applies to visitor data. A visitor's name, nationality, ID number, phone number, and photo are all personal data under the law. If you collect any of these at sign-in, you have legal obligations.

What UAE PDPL requires for visitor data

1. A lawful basis for processing

You must have a recognised legal basis to collect and process visitor data. UAE PDPL treats the data subject's consent as the default basis and lists a closed set of exceptions in Article 4. For most visitor management use cases the relevant exceptions are the legitimate interests of the controller (security, building management, safeguarding), provided they do not override the visitor's rights, or compliance with a legal obligation (UAE Civil Defence evacuation requirements, Ministry of Education regulations). Whichever basis you rely on must be documented before collection starts, not reconstructed afterwards.

2. A purpose limitation

Visitor data collected for security access control cannot be used for marketing or any other unrelated purpose. If you collect a visitor's phone number for gate notifications, that number cannot be added to a marketing database.

3. Data minimisation

You should collect only the data you actually need. Most visitor management use cases require: name, ID type (not necessarily the full ID number), host name, purpose of visit, and time of entry/exit. Collecting passport copies for all visitors to a corporate office lobby is likely excessive.

4. A defined retention period

You cannot keep visitor records indefinitely. You must define how long visitor data is retained, typically 12 months for standard access records, longer if required by specific regulations (e.g. UAE Civil Defence). Records must be deleted or anonymised at the end of the retention period.

5. Data subject rights

Visitors have rights under UAE PDPL, including the right to be told what data is collected about them and why, and rights of access, rectification, erasure and objection. You should have a brief, accessible privacy notice visible at your sign-in point explaining what data is collected, the purpose, how long it is kept and who to contact, and a defined process for handling a request when a visitor exercises one of these rights.

6. Security of processing

Visitor records must be stored securely. A paper logbook left on a reception desk, accessible to every subsequent visitor, does not meet this requirement. The same standard applies to digital records: access should be limited to the staff who need it, with a record of who viewed or exported visitor data. UAE PDPL also requires the controller to notify the UAE Data Office of a personal data breach that threatens the privacy of data subjects, so a lost logbook or an exposed export is a reportable event, not just an embarrassment.

How MyGatePass supports UAE PDPL compliance

  • Configurable data collection fields: collect only what your use case requires. Turn off fields you do not need.
  • Defined retention and automatic deletion: set a retention period per visitor category. Records are automatically flagged for deletion when the period expires.
  • Secure encrypted storage: visitor records are encrypted at rest and in transit, and there is no paper log for subsequent visitors to read. Encryption protects the stored data; limiting which staff accounts can view and export records is still your responsibility.
  • Privacy notice display: configure a brief privacy notice to display on the sign-in screen before data is collected.
  • Purpose limitation by visitor type: visitor data collected for access control is separated from any CRM or marketing data.
  • Exportable deletion log: produce a record of deleted data for compliance documentation. The log records that a deletion happened, not the personal data that was deleted.
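The retention, anonymisation and deletion-log points above are easy to state and easy to get wrong in practice. The Python below is an added illustration written for this page, not MyGatePass code: the field names, the record layout and the retention periods (365 days for standard visitors, 730 for contractors) are assumptions. It shows three properties a practitioner should check in any implementation: the retention clock runs from the visit, not from the last time someone looked at the record; a category with no configured period is rejected rather than kept forever; and the deletion log carries the record reference and timestamps only, never the name or phone number it records the removal of.

```python
"""Retention enforcement for visitor sign-in records (illustrative, assumed schema)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention policy in days per visitor category. 365 follows the
# page's 12-month figure; 730 stands in for a longer sector-specific rule.
RETENTION_DAYS = {
    "standard": 365,
    "contractor": 730,
}


@dataclass(frozen=True)
class VisitorRecord:
    record_id: str              # opaque identifier, carries no personal data
    category: str
    name: str
    id_type: str                # ID type only, not the ID number (data minimisation)
    phone: Optional[str]
    host: str
    purpose: str
    entered_at: datetime
    exited_at: Optional[datetime] = None
    anonymised: bool = False


def retention_deadline(rec: VisitorRecord, policy: dict) -> datetime:
    """Retention clock starts at exit, or at entry if no exit was recorded."""
    if rec.category not in policy:
        # Fail closed: an unconfigured category is a configuration bug,
        # not a licence to keep the record indefinitely.
        raise ValueError(f"no retention period configured for category {rec.category!r}")
    start = rec.exited_at or rec.entered_at
    return start + timedelta(days=policy[rec.category])


def anonymise(rec: VisitorRecord) -> VisitorRecord:
    """Strip the identifying fields but keep the access event for statistics."""
    return replace(rec, name="[removed]", phone=None, anonymised=True)


def enforce_retention(records, policy, now: datetime, mode: str = "anonymise"):
    """Return (surviving records, deletion log). mode is 'anonymise' or 'delete'."""
    if mode not in ("anonymise", "delete"):
        raise ValueError(f"unknown mode {mode!r}")
    kept, log = [], []
    for rec in records:
        if rec.anonymised or now < retention_deadline(rec, policy):
            kept.append(rec)
            continue
        # The log proves the action happened; it must not re-create the data.
        log.append({
            "record_id": rec.record_id,
            "category": rec.category,
            "action": mode,
            "deadline": retention_deadline(rec, policy).isoformat(),
            "processed_at": now.isoformat(),
        })
        if mode == "anonymise":
            kept.append(anonymise(rec))
    return kept, log


def sample_visits(now: datetime):
    """Constructed sample data: three visits relative to the supplied 'now'."""
    d = timedelta
    return [
        VisitorRecord("r1", "standard", "A. Visitor", "Emirates ID", "+971500000001",
                      "Host One", "meeting", now - d(days=400), now - d(days=400) + d(hours=2)),
        VisitorRecord("r2", "standard", "B. Visitor", "Passport", None,
                      "Host Two", "delivery", now - d(days=100), None),
        VisitorRecord("r3", "contractor", "C. Visitor", "Emirates ID", "+971500000002",
                      "Host Three", "works", now - d(days=400), now - d(days=399)),
    ]


def sample_run(mode: str = "anonymise"):
    """Run the policy against the sample data as of 2024-01-01 UTC."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return enforce_retention(sample_visits(now), RETENTION_DAYS, now, mode)


if __name__ == "__main__":
    kept, log = sample_run()
    for rec in kept:
        print(rec.record_id, rec.category, rec.name, rec.phone)
    print(log)
```

Running it as of 2024-01-01, only the standard visit from 400 days ago is past its deadline; it is anonymised and produces one log entry, while the recent visit and the contractor visit survive. Running the same function again over the output produces an empty log, which is the idempotence a scheduled job needs.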

Note: MyGatePass provides tools to support compliance with UAE PDPL. It does not constitute legal advice. Organisations should seek independent legal guidance on their specific data protection obligations.

Frequently asked questions

Does UAE PDPL apply to residential compounds and Owners Associations?

Yes. UAE PDPL applies to any organisation that processes personal data in the UAE, regardless of size or sector. A gated compound that logs visitor names and ID numbers at the gate is processing personal data and has obligations under the law.

What is the fine for non-compliance with UAE PDPL?

UAE PDPL does not itself fix penalty amounts. Article 26 leaves the schedule of administrative penalties to a Cabinet decision issued on the proposal of the Data Office, so any specific figure quoted for the federal law should be treated with caution until that schedule is published. Organisations are encouraged to seek legal advice to understand their specific exposure. The law is supervised by the UAE Data Office, the federal data protection authority established by Federal Decree-Law No. 44 of 2021.

Does UAE PDPL apply differently in DIFC or ADGM free zones?

DIFC and ADGM are independent jurisdictions with their own data protection laws, the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021. UAE PDPL expressly excludes free zones that have their own data protection legislation (Article 2), so entities registered in those free zones are primarily subject to those laws, not UAE PDPL. However, if a DIFC or ADGM entity processes data of individuals outside the free zone, UAE PDPL may also apply. Seek specialist advice.

How long should we keep visitor sign-in records?

UAE PDPL does not specify a fixed retention period for visitor data. The general principle is that data should be kept for no longer than necessary for the purpose it was collected. For most access control purposes, 12 months is a defensible retention period. If your organisation is subject to specific sector regulations (e.g. UAE Civil Defence, Ministry of Education), those regulations may specify different retention periods.

See how MyGatePass handles UAE PDPL compliance

Book a demo to see the privacy notice display, configurable data fields, and retention management in action.
