
UAE PDPL (Personal Data Protection Law)

Federal Decree-Law No. 45 of 2021, the UAE's first comprehensive federal personal-data protection law, in force since 2 January 2022. It is broadly modelled on EU GDPR but differs in its lawful-basis model (consent as the default, with enumerated exceptions and no general legitimate-interests ground), defers much operational detail to Executive Regulations, and is enforced by the UAE Data Office.

Detailed Definition

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), commonly called the UAE PDPL, is the country's first comprehensive federal personal-data protection framework. It came into force on 2 January 2022. The decree-law sets out the principles and obligations; much of the operational detail (response periods, notification timelines, transfer mechanisms, penalty amounts) is delegated to Executive Regulations and Cabinet decisions, and controllers are given a six-month transition period that runs from the date the regulations are issued. The regime is broadly aligned with international practice (notably EU GDPR) but with UAE-specific adaptations. For HR practitioners, PDPL is one of the most consequential regulatory developments of the 2020s: every employer holding employee personal data is subject to substantive obligations on lawful basis, transparency, security, retention, breach notification, and data-subject rights.

**Scope of application.** PDPL applies to (1) controllers and processors established in the UAE that process the personal data of data subjects inside or outside the country, and (2) controllers and processors outside the UAE that process personal data of data subjects inside the UAE. It does not apply to government entities, to personal data held by an individual for purely personal purposes, to health and credit data already governed by their own legislation, or to companies in free zones that have their own data-protection laws (DIFC and ADGM, covered below). Personal data is broadly defined as any data relating to an identified or identifiable natural person: names, contact details, identification numbers, location data, online identifiers, and any factor specific to physical, physiological, genetic, mental, economic, cultural or social identity. Sensitive personal data (health data, biometric data, genetic data, racial or ethnic origin, religious or philosophical beliefs, political opinions, criminal records) receives heightened protection. For employers this category includes biometric attendance templates, medical-fitness and sick-leave records, and any disciplinary file that references criminal matters.

**Key data-subject rights.** Under PDPL, individuals have several substantive rights. (1) **Right to access**: request confirmation of whether their personal data is being processed and obtain a copy. (2) **Right to correction**: request correction of inaccurate or incomplete data. (3) **Right to deletion**: request deletion in defined circumstances (no longer necessary, consent withdrawn, unlawful processing). (4) **Right to restrict processing**: request that processing be limited in defined circumstances. (5) **Right to data portability**: receive personal data in a structured machine-readable format. (6) **Right to object**: object to processing for direct marketing, statistical surveys, or decisions based solely on automated processing. (7) **Right to withdraw consent**, where consent is the lawful basis. The decree-law does not itself fix a response deadline; the period and form of response are set by the Executive Regulations. Most UAE employers plan to a 30-day internal SLA, which matches the GDPR benchmark, but check the regulations in force before writing a number into policy.

**Lawful basis for processing.** PDPL takes a consent-first approach: processing personal data requires the data subject's consent unless one of the law's enumerated exceptions applies. The exceptions most relevant to employers are (1) **contractual necessity**: processing needed to perform a contract to which the data subject is party, or to take steps at the data subject's request before entering into one, (2) **legal obligation**: processing required by UAE law (WPS payroll files, GPSSA pension filings, end-of-service records), (3) **legal claims**: establishing, exercising or defending legal proceedings, (4) **protection of the data subject's interests**, for example physical safety, (5) **public interest** and public-health purposes, and (6) further cases that the Executive Regulations may add. Unlike GDPR, there is no general 'legitimate interests' ground, so HR processing that a European programme would justify that way (internal monitoring, workforce analytics, group reporting) has to be mapped onto contract, legal obligation, consent, or an express exception. Contractual necessity is typically the primary basis for core employee data processing (payroll, benefits administration, performance management); consent is rarely appropriate in employment because of the power imbalance and because PDPL consent must be freely withdrawable, which leaves the processing without a basis the moment an employee withdraws it.

**HR-specific obligations.** Employers as controllers of employee personal data have specific obligations. (1) **Privacy notice**: give employees clear information about what data is collected, why, on what basis, how long it is retained, who it is shared with (including payroll and attendance vendors and group entities abroad), and what rights they have. (2) **Lawful basis documentation**: record the basis for each category of processing. (3) **Data minimisation**: collect only what is necessary for the stated purpose. (4) **Accuracy**: keep employee data accurate and up to date. (5) **Storage limitation**: retain data only as long as necessary, with a documented retention schedule per record type. (6) **Security**: implement appropriate technical and organisational measures (encryption at rest and in transit, least-privilege access controls, audit logging of access to HR records, security training). (7) **Confidentiality**: restrict access to authorised personnel and review access when roles change. (8) **Vendor management**: bind third-party processors (HRIS providers, payroll services, benefits administrators, biometric attendance vendors) with written data-processing agreements that flow down PDPL obligations and require them to report breaches to you. (9) **Impact assessments and a DPO**: the law requires a data protection impact assessment before processing that is likely to be high-risk, such as biometric attendance or large-scale health data, and appointment of a data protection officer where processing uses new technologies at high risk, involves systematic assessment of sensitive data, or involves large volumes of sensitive data.

**Breach notification.** When a personal data breach occurs that would prejudice the privacy, confidentiality or security of personal data, the controller must notify the UAE Data Office immediately on becoming aware of it; the specific deadline and form of notification are set by the Executive Regulations. The 72-hour window that many UAE programmes plan to is GDPR's benchmark, not a number in the decree-law, but it is a sensible internal target. Affected data subjects must also be notified when the breach would prejudice their privacy or security. A processor that discovers a breach must notify the controller without delay, which is why the processor agreements in the previous section need a reporting clause. The notification must describe the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed. Keep an internal record of every breach, including those judged not to require external notification, with the reasoning for that judgement; it is the first thing the Data Office will ask for in an investigation.

**Cross-border data transfers.** PDPL permits transfers of personal data outside the UAE where the destination provides an adequate level of protection as determined by the UAE Data Office, or where an applicable international agreement is in place. Absent adequacy, a transfer may proceed under (1) a contract that binds the recipient to PDPL-equivalent obligations and to the Data Office's oversight, (2) the data subject's express consent, provided the transfer does not conflict with UAE public or security interests, or (3) a specific derogation (necessity for contract performance, legal claims, public interest, protection of the data subject's interests). GDPR-style standard contractual clauses and binding corporate rules are not named in the decree-law; the contract route is the practical equivalent until the regulations provide model terms. For multinationals with UAE entities the routine cases are a global HRIS hosted abroad, group payroll consolidation, and shared-service centres outside the UAE: each needs a documented transfer mechanism, and the transfer register should state which one applies to which data flow.

**The UAE Data Office.** The federal regulator is the UAE Data Office, established by Federal Decree-Law No. 44 of 2021 and designated by PDPL as the competent authority. It prepares and proposes the Executive Regulations, investigates complaints, audits controllers and processors, issues warnings and corrective orders, and proposes administrative penalties for adoption by Cabinet decision. It also issues guidance, makes adequacy determinations for cross-border transfers, and serves as the UAE's focal point for international data-protection cooperation.

**Penalties.** The decree-law does not itself fix fine amounts; administrative penalties are set by Cabinet decision on the Data Office's proposal and scale with the severity and persistence of the violation. Expect the heaviest treatment for breaches involving sensitive data, unauthorised cross-border transfers, and failures to cooperate with the Data Office. Beyond fines, reputational damage and civil claims from affected employees are material consequences.

**DIFC and ADGM data protection.** DIFC and ADGM operate their own data-protection regimes, which PDPL expressly carves out of its scope. DIFC's Data Protection Law (DIFC Law No. 5 of 2020) and ADGM's Data Protection Regulations 2021 are closely modelled on EU GDPR, including a legitimate-interests basis and fixed response and notification periods that federal PDPL leaves to its regulations. Multi-jurisdiction employers should apply the framework that governs each entity: federal PDPL for onshore (MoHRE-jurisdiction) entities and for free zones without their own data-protection law, DIFC DP Law for DIFC entities, ADGM DP Regulations for ADGM entities. A shared HRIS serving all three still needs one set of controls, so design to the strictest of the applicable rules and record which regime each employee population falls under.

**Comparison with GDPR.** PDPL is broadly aligned with EU GDPR in substantive content and structure, so a multinational with an existing GDPR programme can extend it rather than start over. The differences that matter in practice are (1) no general legitimate-interests basis: processing rests on consent or an enumerated exception, (2) a differently drawn sensitive-data category (it includes criminal records and family data, and health data is carved out where sector law governs it), (3) cross-border transfers that depend on Data Office adequacy determinations and contractual safeguards rather than EU model clauses, (4) response and breach-notification periods set by Executive Regulations rather than fixed in the law, and (5) enforcement by the UAE Data Office with penalties set by Cabinet decision.

**Common compliance traps.** First, treating PDPL as a marginal update to existing privacy practice when it requires substantive programme work. Second, relying on consent for employment-related processing where contractual necessity or legal obligation is the appropriate basis, or importing a GDPR legitimate-interests justification that PDPL does not recognise. Third, missing the data-subject-request response deadline (plan to 30 days). Fourth, delaying breach notification while the investigation completes instead of notifying the Data Office as soon as the breach is known and supplementing later. Fifth, transferring data outside the UAE, typically to a group HRIS or payroll hub, without a documented transfer mechanism. Sixth, neglecting data-processing agreements with HRIS providers, payroll services, benefits administrators and biometric attendance vendors. Seventh, treating biometric attendance data as ordinary attendance data rather than sensitive personal data requiring an impact assessment. Eighth, inadequate retention scheduling: keeping employee data indefinitely when the legal requirement is shorter.

**Automation through Peoplifi.** Peoplifi is built with PDPL compliance in mind: encryption at rest and in transit for all personal data, role-based access controls with audit logging, configurable retention policies aligned with legal requirements, data-subject-request workflows with deadline tracking, breach-detection capabilities that support prompt notification, vendor data-processing agreements, and regional data residency with appropriate cross-border transfer safeguards. Privacy notice templates and lawful-basis documentation templates support employer compliance programmes.

Example

We updated our HR privacy notice for UAE PDPL compliance after the law came into force in 2022, including the 30-day data-subject-access SLA.

Related Terms

DIFC, ADGM

Automate UAE PDPL (Personal Data Protection Law) with Peoplifi

Peoplifi handles UAE payroll (WPS, end-of-service gratuity, Emiratisation, GPSSA), ZKTeco / Suprema biometric attendance, and IBFT bank-sheet export in one platform — so concepts like UAE PDPL (Personal Data Protection Law) stay handled, not stuck in spreadsheets.
