GDPR & UAE PDPL Compliance
Last updated: 10 June 2026 · Governed by the laws of the United Arab Emirates
The United Arab Emirates regulates personal data primarily through Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data ("UAE PDPL"), with sector-specific frameworks in the DIFC (DIFC Data Protection Law No. 5 of 2020) and ADGM (Data Protection Regulations 2021). Although the EU General Data Protection Regulation ("GDPR") does not directly apply in the UAE, Noor Royal Gallery voluntarily aligns its processing with the core principles of the GDPR where they strengthen the rights of our staff and visitors.
1. Data Protection Principles
- Lawfulness, fairness and transparency (Art. 5 PDPL / Art. 5(1)(a) GDPR).
- Purpose limitation — data collected for specified, explicit, legitimate purposes only.
- Data minimisation — only fields required for daily reporting and HR processes are collected.
- Accuracy — staff may correct their profile at any time.
- Storage limitation — see retention schedule in the Privacy Policy.
- Integrity and confidentiality — encryption, row-level security (RLS) in the database, and role-based access control.
- Accountability — maintained Record of Processing Activities (ROPA).
2. Lawful Bases
We rely on the lawful bases listed in Article 4 of the UAE PDPL, equivalent to Article 6 GDPR: consent, performance of a contract, legal obligation, vital interests, public interest, and legitimate interests.
3. Data Subject Rights
Data subjects (staff, customers, visitors) are entitled to: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and to withdraw consent — mirroring Articles 15–22 GDPR and Article 13 UAE PDPL. Requests are handled within thirty (30) days at dpo@royaldailycrm.com.
4. International Transfers
Where personal data is transferred outside the UAE, we assess adequacy under Article 22 UAE PDPL. In the absence of an adequacy decision, we rely on contractual safeguards equivalent to Standard Contractual Clauses and conduct a transfer impact assessment.
5. Data Breach Notification
In accordance with Article 9 UAE PDPL, we will notify the UAE Data Office and affected data subjects without undue delay following discovery of a personal data breach that is likely to result in a risk to their rights. Our internal target is within seventy-two (72) hours, in line with Article 33 GDPR.
6. Data Protection Impact Assessment (DPIA)
Before launching any new processing activity that involves high-risk data (e.g. biometric monitoring, automated decision-making with legal effects), we perform a DPIA covering necessity, proportionality, risks, and mitigations.
7. Records of Processing
We maintain an internal ROPA describing categories of data, purposes, recipients, retention periods, transfers, and security measures, in line with Article 7 UAE PDPL.
8. Sub-processors
A current list of sub-processors (hosting, AI inference, transactional email) is available on request from the Data Protection Officer. All sub-processors are bound by written data processing agreements.
9. Contact / Complaints
Data Protection Officer: dpo@royaldailycrm.com. You may also lodge a complaint with the UAE Data Office (u.ae) or, where applicable, with the DIFC Commissioner of Data Protection or ADGM Office of Data Protection.