No — consent is one of six lawful bases under the UAE Personal Data Protection Law (PDPL) [1]:
- Consent (must be free, specific, informed, unambiguous)
- Contract performance (processing necessary to perform a contract with the data subject)
- Legal obligation (processing required by law)
- Vital interest (protecting life of the data subject or another person)
- Public interest (processing required for public-interest or official-authority tasks)
- Legitimate interest (controller's legitimate interest, balanced against the data subject's rights)
In practice this means:
- A bank can verify your identity to satisfy AML rules without separate consent (legal obligation).
- An employer can pay your salary to your account using contract performance, not consent.
- Marketing emails generally require consent (opt-in).
- Analytics on user behaviour can rely on legitimate interest, but the controller must run a balancing test and document it.
Whichever basis applies, the data subject still has the rights set out in Article 13 [2]: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
If consent is the basis, withdrawing it must be as easy as giving it.
Citations
More questions readers asked
Sub-questions our research cluster pulls together — each links to its full Tier-B/C answer.
+−How quickly must my company report a personal data breach in the UAE?
72 hours from confirmed assessment. Notify the UAE Data Office. If high-risk, also notify affected data subjects without undue delay. Processors must notify their controller without delay.
This is general legal information, not legal advice. For advice tailored to your specific situation, consult a UAE-licensed lawyer.
Did this answer your question?