1. Introduction
The right to data portability enables individuals to access and transfer their personal data between service providers in a structured, machine-readable format, promoting consumer autonomy, digital innovation, and market competition. By preventing data lock-in, portability allows users to seamlessly switch providers while retaining control over their information.
In the Middle East, data portability laws are evolving. Free zones like Dubai and Abu Dhabi have GDPR-like frameworks, while national laws within the United Arab Emirates (UAE), Oman, Jordan, Qatar, and Saudi Arabia impose varying degrees of regulatory control.
This paper provides a comprehensive comparison of data portability regulations across the region, presented in a detailed table outlining each law’s scope, requirements, response timelines, and limitations, offering businesses a clear roadmap for compliance.
2. Regulatory Landscape of Data Portability in the Middle East
I. Abu Dhabi Global Market (ADGM) Data Protection Regulations (2021)
The ADGM Data Protection Regulations (DPR) were enacted on February 14, 2021, and are enforced by the ADGM Office of Data Protection. For new entities, the law took effect on August 14, 2021, while existing entities had until February 14, 2022, to comply. These Regulations apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in ADGM, regardless of whether the processing takes place in ADGM or not. The law covers all automated personal data processing but excludes public authorities processing data for law enforcement, national security, and purely personal or household activities.
II. Dubai International Financial Centre (DIFC) Data Protection Law (2020)
The DIFC Data Protection Law No. 5 of 2020 and its Data Protection Regulations were enacted on June 1, 2020. The law establishes data processing, transfer protocols, and compliance requirements for entities operating in DIFC. The regulations specify record-keeping obligations, DPO appointment criteria, notification requirements for certain processing activities, cross-border transfer rules, and enforcement mechanisms. The DIFC Commissioner of Data Protection oversees compliance and imposes fines for violations.
III. UAE Personal Data Protection Law (PDPL) – Federal Decree-Law No. (45) of 2021
The UAE Personal Data Protection Law (PDPL) – Federal Decree-Law No. 45 of 2021 came into effect on January 2, 2022, as part of the UAE’s broader legislative reforms to align with international data protection standards. The law establishes a legal framework for securing personal data, defining the rights of data subjects and the obligations of organizations. It applies to data controllers and processors inside and outside the UAE that handle the personal data of individuals in the country, granting it extraterritorial scope. The UAE Data Office, the designated regulatory authority, is responsible for policy development, enforcement, and issuing compliance guidelines. The law excludes free zones with existing data protection laws, such as DIFC and ADGM.
IV. Saudi Arabia Personal Data Protection Law (PDPL)
Saudi Arabia’s Personal Data Protection Law (PDPL) aims to safeguard individuals' privacy and regulate the collection, processing, disclosure, and retention of personal data. Enforced by the Saudi Data & Artificial Intelligence Authority (SDAIA), the PDPL outlines processing principles, data subject rights, cross-border transfer rules, and penalties for non-compliance. Initially set for enforcement in March 2022, amendments were introduced and approved on March 21, 2023. The Implementing Regulations were published on September 7, 2023, and came into force on September 14, 2023, with a one-year grace period ending September 14, 2024, for organizations to achieve compliance.
V. Bahrain Personal Data Protection Law (PDPL)
Bahrain’s Personal Data Protection Law (PDPL) came into effect on August 1, 2019, establishing a framework for data processing, security, and confidentiality. The law applies to automated and non-automated data processing within a filing system and regulates entities inside and outside Bahrain that process data using means located within the country. It mandates data subject rights, business compliance obligations, and penalties for non-compliance, ensuring organizations align with evolving data protection standards.
VI. Jordan Personal Data Protection Law (PDPL) – Law No. 24 of 2023
The Jordan Personal Data Protection Law (PDPL) 2023 (Law No. 24 of 2023) was published in the Official Gazette on September 17, 2023, and took effect six months later on March 17, 2024. However, it will only be fully enforceable after a one-year transition period, ending on March 17, 2025.
The law establishes a supervisory body within the Council of Ministers to oversee its implementation and imposes strict financial and legal penalties for non-compliance. Responsibility for enforcing the PDPL is shared by the Prime Minister and other Ministers within the Council.
VII. Oman Personal Data Protection Law (PDPL) – Royal Decree No. 6/2022
Oman’s Personal Data Protection Law (PDPL) was enacted under Royal Decree 6/2022 on February 9, 2022, and came into effect on February 9, 2023, replacing Chapter Seven of the Electronic Transactions Law. The law is enforced by the Ministry of Transport, Communication, and Information Technology (MTCIT) and applies to all personal data processing activities. It prohibits the processing of sensitive data (e.g., genetic, biometric, health, religious, and political data) unless permitted by the MTCIT, which has 45 days to approve or reject such requests. The Executive Regulation, issued on February 4, 2024, provides further compliance guidelines for organizations handling personal data in Oman.
VIII. Qatar Personal Data Protection Law (PDPPL) – Law No. 13 of 2016
Qatar was the first Gulf nation to introduce the Personal Data Privacy Protection Law (PDPPL) – Law No. 13 of 2016, which governs the processing of personal data within Qatar, excluding the Financial Center Free Zone. The law outlines data subject rights, breach notification requirements, and cross-border transfer regulations but initially lacked detailed compliance guidelines. To address this, the Ministry of Transport and Communications (MOTC) issued 14 regulatory guidelines on January 31, 2021, followed by further guidance from the National Cyber Governance and Assurance Affairs (NCGAA) to assist organizations in meeting PDPPL compliance obligations.
IX. Qatar Financial Centre (QFC) Data Protection Regulations
The QFC Data Protection Regulations came into effect in 2021, replacing the 2005 framework to align with international standards like the GDPR. Enforced by the QFC Regulatory Authority (QFCRA), the law applies to all entities operating in the Qatar Financial Centre, regulating data collection, processing, and transfers. It establishes key data subject rights, mandates lawful processing, and requires DPIAs for high-risk activities.
3. Right To Data Portability Table
| Law Name | Right to Portability | Requirements | Limitation/Exception |
| --- | --- | --- | --- |
| UAE Federal PDPL (2021) | Yes | - Applies to data provided by the user, processed based on consent or contractual necessity, and handled by automated means.<br>- Data must be provided in an orderly, machine-readable format. | - The transfer is subject to technical feasibility. |
| UAE DIFC Data Protection Law (2020) | Yes | - Applies to data provided by the Data Subject, processed based on consent or contractual necessity, and handled by automated means.<br>- Data must be provided in a structured, commonly used, machine-readable format.<br>- Controllers must respond within one month and facilitate direct transmission if technically feasible. | - Response time may be extended by two additional months for complex or multiple requests, with prior notice.<br>- Portability cannot infringe on the rights of other individuals.<br>- Controllers may refuse excessive or unfounded requests or charge a reasonable fee for processing them. |
| UAE ADGM Data Protection Regulations (2021) | Yes | - Data subjects can request their personal data in a structured, commonly used, and machine-readable format if the processing is based on consent or contractual necessity and is conducted by automated means.<br>- Direct transmission between controllers must be facilitated if technically feasible.<br>- Controllers must respond within two months, extendable by one additional month for complex or multiple requests, with prior notification. | - Does not apply to processing based on public authority functions.<br>- Requests must not adversely affect the rights of others.<br>- Controllers may charge a reasonable fee for excessive or repetitive requests or refuse to act if requests are manifestly unreasonable, with justification provided within two months. |
| Saudi PDPL | Yes | - Data subjects can request their personal data in a readable format, as per regulatory procedures.<br>- Requests must be fulfilled within 30 days, extendable by another 30 days if justified, with prior notification.<br>- Access must not disclose the personal data of other individuals. | - The Controller may reject requests that are repetitive, unfounded, or require disproportionate effort, with a clear justification provided to the Data Subject. |
| Bahrain PDPL | No | - | - |
| Jordan PDPL | Yes | - Data subjects can request the transfer of a copy of their data from one controller to another.<br>- The transfer must be documented by the controller, including the purpose and consent of the data subject.<br>- Controllers cannot impose financial or contractual penalties for exercising portability rights. | - |
| Qatar Data Privacy Protection Law | No specific data portability rights, only data access rights | - Controllers are to provide a copy of the Personal Data to data subjects after they’ve paid an amount that shall not exceed the service charge. | - There is no obligation for controllers to provide data in a portable format. |
| QFC Data Protection Regulations | Yes | - If Processing was based on consent or contractual necessity and carried out by automated means, then data subjects can request their personal data in a structured, commonly used, and machine-readable format.<br>- Controllers must provide the data within 30 days, with a possible 60-day extension for complex or multiple requests, provided the data subject is notified.<br>- Data can be transferred directly to another controller if technically feasible. | - Portability does not apply to processing for public interest tasks or official authority functions.<br>- Requests must not adversely affect the rights or freedoms of others.<br>- Controllers may charge a reasonable fee for additional copies.<br>- Requests may be denied if manifestly unfounded or excessive, with the data subject informed within 30 days, including their right to file a complaint. |
| Oman PDPL | Yes | - Copy of personal data in readable and clear electronic or paper format.<br>- Data subjects can obtain a copy of their processed data.<br>- Data Subjects can also request the transfer of their personal data to another controller.<br>- Controllers must respond within 45 days. | - The controller can refuse a request if it is unjustifiably repetitive or requires extraordinary effort. |
4. Conclusion
The right to data portability is becoming a key aspect of data protection laws across the Middle East, empowering individuals to access and transfer their personal data between service providers in a structured, machine-readable format. There are both opportunities and challenges for businesses in financial services, telecommunications, cloud computing, and insurance, where data interoperability, retention mandates, and localization requirements significantly impact operations.
Ensuring compliance with these evolving regulations requires efficient data governance and automation. Securiti’s Data Subject Request (DSR) Automation simplifies and streamlines data subject request management, enabling organizations to automate access, deletion, and correction requests while ensuring compliance with Middle Eastern and global privacy laws. By reducing manual effort and risk, Securiti helps businesses maintain seamless regulatory adherence while enhancing consumer trust and data transparency.