
PDPL & compliance · 17 Jun 2026

UAE PDPL after the 2026 regulations: what your online forms must do

The 2026 Executive Regulations made the UAE PDPL enforceable. A form-by-form checklist: lawful basis, controller notice, data-subject rights, cross-border storage, and consent done correctly.

Sahl/form editorial · 8 min read

The UAE has had a Personal Data Protection Law on the books since 2021 — Federal Decree-Law No. 45 of 2021, in force since January 2022. What it did not have, for four years, was the implementing detail that makes a law enforceable. That changed in 2026, when the UAE Cabinet issued the Executive Regulations. The principles became specific, auditable obligations, and the UAE Data Office now has the framework to enforce them.

If you collect personal data from UAE residents through an online form — a contact form, an event sign-up, a job application, a survey — you are in scope. The law is extraterritorial: it applies to any organisation anywhere that processes the personal data of people in the UAE, not only to companies registered there. Here is what your form actually has to do.

1. Stand on a lawful basis — and for most forms, that is consent

The Regulations recognise five lawful bases: consent, performance of a contract, a legal obligation, vital interest, and legitimate interest. For a public-facing form collecting data you do not strictly need to deliver a service, the basis is almost always consent. And consent under PDPL is a high bar: it must be explicit, specific, freely given, and given by a clear affirmative action. A pre-ticked box is not consent. A buried line in a privacy policy is not consent. Silence is not consent.

2. Tell the respondent who is collecting their data, and why

At the point of collection — on the form itself, not three clicks away — the respondent must be able to see who the controller is, what data is being collected, the purpose, and how to exercise their rights. This is the controller notice. SahlForm is the processor; the tenant running the form is the controller, and the form has to name them.

3. Honour data-subject rights with a channel that works

UAE residents can ask to access their data, correct it, delete it, port it, and object to automated decision-making. The Executive Regulations attach binding response timelines to these requests — “we’ll get to it” is no longer a position. A form that collects data needs a real, monitored path for someone to later say “delete what I submitted.”

4. Keep a record of the processing

Each form is a processing activity. The Regulations expect controllers to maintain a records-of-processing register documenting the lawful basis, the categories of data, the purpose, and the retention period for each activity. The practical version: before you publish a form, you should be able to answer “why are we allowed to collect this, and how long do we keep it?” in one sentence.

5. Get cross-border storage right

Most form tools store submissions wherever their cloud happens to be. Under PDPL, moving UAE residents’ data outside the UAE requires one of: an adequacy decision for the destination, contractual safeguards that apply PDPL-equivalent protection, or the data subject’s explicit consent — plus a documented transfer impact assessment for higher-risk destinations. This is the question to put to any form vendor: where do submissions physically live, and what is the legal mechanism for that transfer?

6. Have a breach plan before you need one

A reportable breach has to be notified to the UAE Data Office within the window the Regulations define, and to affected individuals where the risk to them is high. For a form, the breach surface is the submission store and anywhere submissions are forwarded (webhooks, email, integrations). Know, in advance, who notifies and how fast.

The consent checkbox, done correctly

Because consent carries most public forms, the consent field is where compliance is won or lost. Four rules: it must be a clear affirmative action (an unticked checkbox the respondent ticks themselves); it must be specific (separate the “process my application” consent from the “send me marketing” consent — no bundling); the language must be plain and, for an Arabic audience, available in Arabic; and withdrawal must be as easy as granting. If you cannot honour a later “I withdraw,” you did not have valid consent to begin with.
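The four rules above, together with the controller-notice and records-of-processing points earlier in the checklist, translate directly into server-side logic. The following is an added example written for this page; it is not SahlForm's code or anything from the original post. The form definition, the controller name, the field names and the in-memory consent records are constructed for illustration. It lints a form definition before publication (unticked defaults, one purpose per consent field, marketing never a condition of submission, a notice that names the controller and a retention period), records each affirmative action as its own consent record with the notice version and language the respondent saw, and records withdrawal as a second event rather than deleting the first.

```javascript
// Added example, not SahlForm's code. Names, field layout and the in-memory
// records are assumptions constructed for this illustration.

// A form definition as a controller might configure it. Each consent field
// covers exactly one purpose and starts unticked.
const FORM = {
  id: 'careers-apply',
  notice: {
    controller: 'Example Trading LLC', // constructed controller name
    purpose: 'Process job applications',
    rightsChannel: 'privacy@example.invalid', // where "delete what I submitted" goes
    retention: '12 months after the vacancy closes',
  },
  consentFields: [
    { name: 'consent_application', purpose: 'application', required: true, defaultChecked: false },
    { name: 'consent_marketing', purpose: 'marketing', required: false, defaultChecked: false },
  ],
};

// Pre-publish check: refuse a form whose notice or consent fields could not
// produce valid consent (pre-ticked boxes, bundled purposes, missing controller).
function lintForm(form) {
  const problems = [];
  for (const key of ['controller', 'purpose', 'rightsChannel', 'retention']) {
    if (!form.notice?.[key]) problems.push(`notice is missing "${key}"`);
  }
  const seen = new Set();
  for (const f of form.consentFields ?? []) {
    if (f.defaultChecked) problems.push(`${f.name} is pre-ticked`);
    if (Array.isArray(f.purpose) || seen.has(f.purpose)) {
      problems.push(`${f.name} bundles or duplicates a purpose`);
    }
    seen.add(f.purpose);
    if (f.required && f.purpose === 'marketing') {
      problems.push(`${f.name}: marketing consent cannot be a condition of submission`);
    }
  }
  return problems;
}

// A ticked browser checkbox is posted as "on"; an unticked one is absent from
// the body entirely. Only those two states (or a literal boolean true from a
// JSON client) count as an affirmative action; anything else is "no consent".
function wasTicked(value) {
  return value === 'on' || value === true;
}

// Turn one submission into per-purpose consent records. Rejects the submission
// if a required consent is missing; never infers consent from silence.
function recordConsent(form, body, meta) {
  const records = [];
  for (const f of form.consentFields) {
    const ticked = wasTicked(body[f.name]);
    if (!ticked && f.required) {
      throw new Error(`submission rejected: required consent "${f.purpose}" not given`);
    }
    if (ticked) {
      records.push({
        formId: form.id,
        purpose: f.purpose,
        givenAt: meta.now,                 // timestamp of the affirmative action
        noticeVersion: meta.noticeVersion, // which controller notice the respondent saw
        language: meta.language,           // 'ar' or 'en': the wording actually shown
        withdrawnAt: null,
      });
    }
  }
  return records;
}

// Withdrawal is appended to the record, not deleted, so the trail shows both
// the grant and the withdrawal. Returns false if there was nothing to withdraw.
function withdrawConsent(records, purpose, at) {
  const rec = records.find((r) => r.purpose === purpose && r.withdrawnAt === null);
  if (!rec) return false;
  rec.withdrawnAt = at;
  return true;
}

// Downstream processing (emailing, webhooks, marketing sends) should gate on
// this rather than on the original checkbox value.
function hasActiveConsent(records, purpose) {
  return records.some((r) => r.purpose === purpose && r.withdrawnAt === null);
}

module.exports = { FORM, lintForm, wasTicked, recordConsent, withdrawConsent, hasActiveConsent };
```

The strictness in `wasTicked` is deliberate: a value such as the string `"true"` or `"1"` coming from a client you did not write is treated as no consent, because the only evidence that a respondent performed an affirmative action is the exact value the browser sends for a ticked box. Storing `noticeVersion` and `language` alongside each record is what lets you later show which controller notice, in which language, the consent was given against.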

What this costs to get wrong

Administrative fines under the framework reach up to AED 5 million for serious or repeated violations, alongside orders to suspend processing. But the more common cost is quieter: a UAE enterprise buyer who asks where your submissions are stored, hears “multiple regions, auto-balanced,” and ends the evaluation. Post-2026, that question is now standard.

Where SahlForm fits

SahlForm is built for exactly this split: a controller notice on every public form that names the tenant, consent fields that record an affirmative action, an Arabic-first interface so plain-language consent is not an afterthought, and a clear data-residency answer rather than “multiple regions.” The compliance work is the tenant’s — SahlForm is the processor — but the platform should make doing it the path of least resistance.
