What is the UAE Corporate Tax rate and when does it apply?

The UAE Corporate Tax applies at a standard rate of 9% on taxable income exceeding AED 375,000. Income up to AED 375,000 is taxed at 0%. The tax is effective for financial years starting on or after 1 June 2023, as established by Federal Decree-Law No. 47 of 2022.

What is the filing deadline for UAE Corporate Tax returns?

Businesses must file their Corporate Tax return within nine months from the end of the relevant tax period. For example, a company with a financial year ending 31 December 2025 must file by 30 September 2026. Late filing is subject to administrative penalties enforced by the Federal Tax Authority.

What is ICV (In-Country Value) and why is it important?

In-Country Value (ICV) is a program established by the UAE Ministry of Industry and Advanced Technology (MoIAT) to stimulate economic growth by directing government procurement spending toward local suppliers. An ICV certificate is mandatory for bidding on contracts with government and semi-government entities including ADNOC, Mubadala, and EDGE Group.

How is the ICV score calculated?

The ICV score is calculated as a percentage based on weighted components: revenue retention within the UAE economy, Emiratization (employment of UAE nationals), spending with local and ICV-certified suppliers, capital investment in the UAE, and export revenue. Each component carries different weightings determined by MoIAT.

When does the UAE e-invoicing mandate take effect?

The voluntary pilot phase begins on 1 July 2026. Phase 1 (mandatory for large enterprises) starts in late 2026, Phase 2 (medium-sized businesses) in 2027, and full mandatory compliance for all in-scope businesses is expected by October 2027, per Ministerial Decision No. 244 of 2025.

What technical format is required for UAE e-invoices?

The UAE has adopted the PINT AE format (Peppol International Invoice, UAE localization) based on the UBL 2.1 XML standard. Invoices must be transmitted through certified Access Service Providers (ASPs) connected to the Peppol network using a decentralized Continuous Transaction Controls (CTC) model.

Can foreign investors own 100% of a UAE mainland company?

Yes. Following the amendment of the Commercial Companies Law, foreign investors can now own 100% of mainland companies in most business activities. However, certain strategic sectors may still require Emirati ownership or partnership. Free zones have always permitted 100% foreign ownership.

UAE PDPL Compliance Guide | Farah Solutions

Understanding the UAE Personal Data Protection Law

The UAE Personal Data Protection Law (PDPL), enacted through Federal Decree-Law No. 45 of 2021 and its Executive Regulations (Cabinet Decision No. 111 of 2023), represents a watershed moment in the country's digital governance landscape. The law establishes comprehensive rules for the collection, processing, storage, and transfer of personal data, bringing the UAE into alignment with international data protection standards such as the EU's GDPR.

The UAE Data Office, established under the law, serves as the primary regulatory authority responsible for overseeing compliance, issuing guidance, and enforcing penalties. As of 2026, the enforcement framework is fully operational, and businesses that have not yet achieved compliance face significant regulatory and reputational risks.

Key Definitions Every Business Must Know

Understanding the PDPL starts with its core definitions:

Personal Data: Any data relating to an identified or identifiable natural person (the "Data Subject"). This includes names, identification numbers, location data, online identifiers, and any factor specific to the physical, physiological, economic, cultural, or social identity of that person.

Sensitive Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal records, biometric data, or health data. Processing of sensitive data requires explicit consent and additional safeguards.

Controller: The natural or legal person that determines the purposes and means of processing personal data.

Processor: The natural or legal person that processes personal data on behalf of the Controller.

Core Compliance Obligations

The PDPL imposes several fundamental obligations on businesses:

1. Lawful Basis for Processing

Every processing activity must have a lawful basis. The PDPL recognizes the following:

Explicit consent of the Data Subject
Performance of a contract to which the Data Subject is a party
Compliance with a legal obligation
Protection of vital interests of the Data Subject
Performance of a task carried out in the public interest
Legitimate interests of the Controller (subject to a balancing test)

2. Consent Requirements

Where consent is the lawful basis, it must be:

Freely given: The Data Subject must have a genuine choice
Specific: Consent must relate to a defined purpose
Informed: The Data Subject must understand what they are consenting to
Unambiguous: Demonstrated by a clear affirmative action
Withdrawable: The Data Subject must be able to withdraw consent at any time

3. Data Subject Rights

The PDPL grants Data Subjects the following rights:

Right of access to their personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right not to be subject to automated decision-making

Businesses must establish processes to respond to Data Subject requests within 14 business days of receipt.

4. Data Protection Impact Assessments (DPIAs)

DPIAs are mandatory for processing activities that are likely to result in a high risk to Data Subjects, including:

Large-scale processing of sensitive personal data
Systematic monitoring of publicly accessible areas
Automated decision-making with legal or significant effects
Cross-border data transfers to jurisdictions without adequate protection

5. Data Breach Notification

In the event of a personal data breach, Controllers must:

Notify the UAE Data Office within 72 hours of becoming aware of the breach
Notify affected Data Subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
Document all breaches, including their effects and remedial actions taken

Cross-Border Data Transfers

The PDPL restricts the transfer of personal data outside the UAE unless one of the following conditions is met:

The receiving country provides an adequate level of data protection (as determined by the UAE Data Office)
Appropriate safeguards are in place (e.g., Standard Contractual Clauses, Binding Corporate Rules)
The Data Subject has given explicit consent after being informed of the risks
The transfer is necessary for the performance of a contract

The UAE Data Office maintains a list of countries with adequate data protection levels. Businesses should regularly check this list and ensure their cross-border transfer mechanisms are up to date.

Penalties for Non-Compliance

The PDPL establishes a graduated penalty framework:

Administrative fines of up to AED 5,000,000 for serious violations
Warning notices and compliance orders for minor infractions
Potential criminal liability for certain offenses (e.g., unauthorized disclosure of sensitive data)
Reputational damage and loss of business trust

Building Your PDPL Compliance Program

We recommend the following step-by-step approach:

Data Mapping: Conduct a comprehensive inventory of all personal data your organization collects, processes, and stores. Identify data flows, storage locations, and third-party processors.

Gap Analysis: Compare your current practices against PDPL requirements. Identify areas of non-compliance and prioritize remediation efforts.

Privacy Policies: Update your privacy notices to include all PDPL-required disclosures, including the lawful basis for processing, data retention periods, and Data Subject rights.

Consent Management: Implement robust consent collection and management mechanisms, including clear opt-in processes and easy withdrawal options.

Data Protection Officer: Consider appointing a Data Protection Officer (DPO), particularly if your organization processes sensitive data at scale.

Training: Conduct regular data protection training for all employees who handle personal data.

Vendor Management: Review all third-party processor agreements to ensure PDPL-compliant data processing terms are in place.

Incident Response: Establish a data breach response plan that meets the 72-hour notification requirement.

How Farah Solutions Can Help

Our Data Protection Compliance service provides end-to-end support for PDPL compliance, from initial data mapping and gap analysis through policy development, staff training, and ongoing monitoring. The Farah Suite platform includes built-in privacy management tools, including consent tracking, Data Subject request management, and breach notification workflows.

Disclaimer: This article provides general guidance on the UAE PDPL and does not constitute legal advice. Businesses should consult with qualified legal advisors for advice specific to their circumstances.

Sources: Federal Decree-Law No. 45 of 2021, Cabinet Decision No. 111 of 2023 (Executive Regulations), UAE Data Office (dataoffice.ae)

UAE Personal Data Protection Law (PDPL): A Comprehensive Compliance Guide for Businesses

Understanding the UAE Personal Data Protection Law

Key Definitions Every Business Must Know

Core Compliance Obligations

1. Lawful Basis for Processing

2. Consent Requirements

3. Data Subject Rights

4. Data Protection Impact Assessments (DPIAs)

5. Data Breach Notification

Cross-Border Data Transfers

Penalties for Non-Compliance

Building Your PDPL Compliance Program

How Farah Solutions Can Help

Need Expert Compliance Support?

Related Insights

UAE Corporate Tax Filing: Key Deadlines and Compliance Requirements for 2026

UAE E-Invoicing Mandate: What SMEs Need to Know Before July 2026

Maximizing Your ICV Score: A Strategic Guide for UAE Government Contract Eligibility

Free Zone vs. Mainland: Tax Implications and Strategic Considerations for UAE Businesses in 2026

The Complete Guide to UAE Business Setup in 2026: Licensing, Visas, and Compliance Essentials