What is the primary objective of **UAE PDPL**?

**The primary objective of UAE PDPL (Federal Decree-Law No. 45 of 2021) is to regulate the processing of personal data to protect privacy, confidentiality, and the rights of data subjects in onshore UAE.** It embeds principles like fairness, purpose limitation, data minimization, accuracy, security, and storage limitation (Article 5), while enabling responsible data use through lawful bases, accountability via records of processing (Articles 7–8), and oversight by the UAE Data Office.

Who is legally or professionally required to comply with **UAE PDPL**?

**UAE PDPL applies to controllers and processors established in onshore UAE, and foreign entities processing personal data of data subjects located in the UAE (Article 2).** Exemptions include government data, security/judicial authorities, personal/family processing, health/banking data under sectoral laws, and free zones like DIFC/ADGM with their own regimes (Article 2(2)). The UAE Data Office may exempt low-volume processors (Article 3).

Does **UAE PDPL** require an external audit or third-party certification?

**UAE PDPL does not mandate external audits or third-party certification.** It requires controllers/processors to maintain detailed records of processing activities (Articles 7(4), 8(7)) and demonstrate compliance via technical/organizational measures (Article 20), with records submittable to the UAE Data Office on request. Security aligns to best international practices, but no statutory certification is specified.

How often should an assessment for **UAE PDPL** be performed?

**UAE PDPL requires Data Protection Impact Assessments (DPIAs) prior to high-risk processing, with no fixed frequency for general assessments.** DPIAs are mandatory before using new technologies posing high privacy risks or processing large volumes of sensitive personal data/profiling (Article 21). Ongoing records of processing (Articles 7–8) and security evaluations (Article 20) imply continuous monitoring, adaptable to Executive Regulations.

What are the consequences of non-compliance with **UAE PDPL**?

**Non-compliance with UAE PDPL triggers administrative penalties via Cabinet decision, plus criminal/sectoral sanctions.** The UAE Data Office verifies breaches (Article 9(4)) and imposes fines (exact schedule pending); violations also invoke UAE Criminal Law, Cyber Crime Law (detention/fines), and sectoral rules (e.g., Central Bank penalties). Processors must notify controllers immediately.

Can **UAE PDPL** be mapped to other international frameworks?

**Yes, UAE PDPL aligns structurally with international privacy frameworks through shared principles and controls.** Its fairness, minimization, security (Article 5), DPIAs (Article 21), pseudonymisation (Article 7), and transfer safeguards (Articles 22–23) enable mapping, though organizations must adapt for PDPL-specific records (Articles 7–8), DPO triggers (Article 10), and UAE exemptions (Article 2(2)).

What is the first step to begin implementing **UAE PDPL**?

**The first step to implement UAE PDPL is conducting an applicability assessment and building a data inventory/records of processing.** Map processing to Article 2 scope/exemptions, identify high-risk activities (DPO/DPIA triggers per Articles 10/21), and create RoPAs detailing categories, purposes, security, and transfers (Articles 7(4), 8(7)) for UAE Data Office readiness.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of structural steel and aluminium components and kits for permanent incorporation in construction works.** As a harmonized standard under the Construction Products Regulation (CPR), **EN 1090-1** enables **CE marking** via certified **Factory Production Control (FPC)**, while **EN 1090-2** and **EN 1090-3** specify technical requirements for steel and aluminium execution, including welding, tolerances, traceability, and inspection scaled by **Execution Classes (EXC1–EXC4)**.

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers placing load-bearing steel and aluminium structural components or kits on the European market must comply with EN 1090 to affix CE marking.** This applies to fabricators, welding shops, and suppliers of components for buildings, bridges, and industrial structures, as EN 1090-1 mandates FPC certification by a Notified Body for market access under CPR.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 requires third-party certification of the FPC system by a Notified Body, including initial inspection and ongoing surveillance audits.** Certification under AVCP systems enables CE marking and Declaration of Performance (DoP) issuance, with Notified Bodies like TÜV SÜD verifying constancy of performance through factory audits and product surveillance.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial FPC certification followed by continuous surveillance audits by the Notified Body, typically annually depending on Execution Class and prior performance.** Internal audits maintain FPC effectiveness, with frequencies scaled to EXC (e.g., higher for EXC3/EXC4), ensuring ongoing compliance with technical execution requirements.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents lawful CE marking, risking market exclusion, product withdrawal, fines under CPR, and certificate suspension by Notified Bodies.** Manufacturers face liability for structural failures, reputational damage, and inability to supply EU/EEA construction projects without certified FPC.

Can **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality and Eurocodes for design, but formal mappings to non-EU frameworks are not prescribed.** Compliance supports alignment with ISO 9001 quality systems, with Execution Classes providing risk-based scaling adaptable to international welding and quality management practices.

What is the first step to begin implementing **EN 1090**?

**The first step is to conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Classes (EXC1–EXC4) for product families.** Classify products by consequence class (CC), service category (SC), and production category (PC) using the matrix, defaulting to EXC2 if unspecified, to scope FPC development and Notified Body engagement.

UAE PDPL vs EN 1090

Standards Comparison

UAE PDPL

Mandatory

2022

UAE federal law for personal data protection compliance

EN 1090

Mandatory

2009

EU harmonized standard for steel and aluminium structural execution

Quick Verdict

UAE PDPL governs personal data protection across onshore private sectors with rights and breach rules, while EN 1090 mandates CE marking for steel/aluminium structures via FPC. Organizations adopt PDPL for privacy compliance, EN 1090 for EU market access.

Data Privacy

UAE PDPL

Federal Decree-Law No. 45/2021 on Personal Data Protection

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Mandatory DPO and DPIAs for high-risk processing
Extraterritorial scope for foreign entities processing UAE data
Universal Records of Processing Activities requirement
Pre-processing transparency on purposes and transfers
Carve-outs for free zones and sectoral regimes

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Factory Production Control (FPC) certification by Notified Body
Risk-based Execution Classes (EXC1-EXC4)
CE marking and Declaration of Performance (DoP)
Welding quality management via ISO 3834
Material traceability and scaled NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

UAE PDPL Details

What It Is

UAE PDPL (Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data) is a comprehensive federal regulation establishing economy-wide personal data governance in onshore UAE. Effective 2 January 2022, it adopts a risk-based approach with principles like fairness, purpose limitation, minimization, accuracy, security, and storage limitation, overseen by the UAE Data Office.

Key Components

Core pillars: lawful bases (consent primary, exceptions for contracts/public interest), data subject rights (access, portability, erasure, objection), controller/processor obligations (RoPAs, security, breach notification).
Mandatory for high-risk: DPOs, DPIAs.
Built on GDPR-like framework with UAE exclusions (free zones, health/banking sectors).
No certification; compliance via records and audits.

Why Organizations Use It

Mandated for onshore entities and extraterritorial processors of UAE data; mitigates fines, builds trust, enables secure digital economy. Enhances cybersecurity, vendor controls, global interoperability.

Implementation Overview

Phased: discovery/gap analysis, remediation (RoPAs, DPIAs), operationalization (DSR workflows, training), monitoring. Applies to private sector; 6-12 months typical, risk-based for all sizes.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) governing execution and conformity assessment of structural steel and aluminium components under the EU Construction Products Regulation (CPR). It enables CE marking for load-bearing metal products in construction. The risk-based approach uses Execution Classes (EXC1-EXC4) to scale requirements by failure consequence, service, and production categories.

Key Components

**EN 1090-1Factory Production Control (FPC), Declaration of Performance (DoP), Notified Body certification.
**EN 1090-2/-3Technical rules for materials, welding, tolerances, corrosion protection, inspection/NDT.
Built on ISO 3834 for welding quality; traceability and process controls core.
AVCP systems with ongoing surveillance.

Why Organizations Use It

Mandatory for EEA market access; avoids exclusion, fines, liability.
Drives quality, reduces rework, enhances traceability.
Builds trust with clients, insurers; competitive for high-risk projects.

Implementation Overview

Phased: gap analysis, FPC development, welding quals, NB audits. Targets fabricators; 3-12 months; suits all sizes with welding focus.

Key Differences

Aspect	UAE PDPL	EN 1090
Scope	Personal data processing onshore UAE	Steel/aluminium structural components execution
Industry	All private sectors onshore UAE	Construction/metal fabrication EU/EEA
Nature	Mandatory federal privacy law	Harmonized standard for CE marking
Testing	DPIAs for high-risk, records of processing	FPC certification, ITT/ITC by notified bodies
Penalties	Administrative fines, criminal liability	Certificate suspension, market exclusion

Scope

UAE PDPL

Personal data processing onshore UAE

EN 1090

Steel/aluminium structural components execution

Industry

UAE PDPL

All private sectors onshore UAE

EN 1090

Construction/metal fabrication EU/EEA

Nature

UAE PDPL

Mandatory federal privacy law

EN 1090

Harmonized standard for CE marking

Testing

UAE PDPL

DPIAs for high-risk, records of processing

EN 1090

FPC certification, ITT/ITC by notified bodies

Penalties

UAE PDPL

Administrative fines, criminal liability

EN 1090

Certificate suspension, market exclusion

Frequently Asked Questions

Common questions about UAE PDPL and EN 1090

UAE PDPL FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Your Guide to Implementing PCI DSS in Your Organization

Step-by-step guide to implementing PCI DSS in your organization. Achieve compliance, protect cardholder data, and reduce risks. Start securing payments today!

ISO 27701 Implementation Roadmap: Step-by-Step Guide for Extending Your ISO 27001 ISMS to PIMS

Extend ISO 27001 ISMS to ISO 27701 PIMS with this step-by-step roadmap. Master role-specific controls, avoid pitfalls, meet certification evidence needs for pri

NIST CSF 2.0 Supply Chain Risk Management: Complete Playbook with Profiles, Tiers, and Vendor Assessment Templates

Master NIST CSF 2.0 ID.SC supply chain risk management with vendor assessment templates, profile gap analysis, and tier strategies. Mitigate third-party threats

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

APPI vs 23 NYCRR 500

Discover APPI vs 23 NYCRR 500: Japan's privacy law meets NYDFS cybersecurity rules. Uncover key differences, compliance strategies & pitfalls for financial firms. Master both now!

ISO 27017 vs APRA CPS 234

Compare ISO 27017 vs APRA CPS 234: Key cloud security standards for financial CSPs. Uncover control gaps, governance, testing & third-party rules. Achieve compliance today!

Six Sigma vs ISO 31000

Compare Six Sigma vs ISO 31000: DMAIC defect reduction & belts vs risk principles/framework. Key diffs, benefits for process excellence & governance. Choose wisely—optimize now!

UAE PDPL

EN 1090

Quick Verdict

UAE PDPL

Key Features

EN 1090

Key Features

Detailed Analysis

UAE PDPL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

UAE PDPL FAQ

What is the primary objective of UAE PDPL?

Who is legally or professionally required to comply with UAE PDPL?

Does UAE PDPL require an external audit or third-party certification?

How often should an assessment for UAE PDPL be performed?

What are the consequences of non-compliance with UAE PDPL?

Can UAE PDPL be mapped to other international frameworks?

What is the first step to begin implementing UAE PDPL?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

Your Guide to Implementing PCI DSS in Your Organization

ISO 27701 Implementation Roadmap: Step-by-Step Guide for Extending Your ISO 27001 ISMS to PIMS

NIST CSF 2.0 Supply Chain Risk Management: Complete Playbook with Profiles, Tiers, and Vendor Assessment Templates

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

APPI vs 23 NYCRR 500

ISO 27017 vs APRA CPS 234

Six Sigma vs ISO 31000