Controller To Controller DPA Template for the United Arab Emirates

What is a Controller To Controller DPA?

The Controller to Controller DPA is essential when two organizations acting as independent data controllers need to share personal data while maintaining compliance with UAE data protection laws. This agreement is specifically required when both parties independently determine the purposes and means of processing personal data, as defined under Federal Decree-Law No. 45/2021. The document should be used whenever there is systematic sharing of personal data between two controllers, whether for business partnerships, service delivery, or joint initiatives. It covers crucial aspects such as data protection responsibilities, security measures, breach notification procedures, and mechanisms for protecting data subject rights. The agreement is particularly important given the UAE's robust data protection framework and potential penalties for non-compliance.

Frequently Asked Questions

Is a Controller To Controller DPA legally binding in the United Arab Emirates?

Yes, a Controller To Controller DPA is legally binding in the UAE under Federal Decree-Law No. 45/2021. Once signed by both parties, it creates enforceable legal obligations regarding personal data sharing and protection. Non-compliance can result in penalties up to AED 10 million for organizations.

Can UAE authorities penalize my company for missing a Controller To Controller DPA?

Yes, operating without a proper Controller To Controller DPA when sharing personal data can result in significant penalties under UAE Federal Decree-Law No. 45/2021. The UAE Data Office can impose fines ranging from AED 50,000 to AED 10 million depending on the violation's severity. Missing agreements demonstrate non-compliance with mandatory data sharing requirements.

How does UAE Federal Decree-Law No. 45/2021 affect Controller To Controller DPAs?

Federal Decree-Law No. 45/2021 mandates that Controller To Controller DPAs include specific provisions for data subject rights, breach notification procedures, and cross-border transfer restrictions. The law requires written agreements before any personal data sharing between independent controllers. Cabinet Resolution No. 100/2022 provides detailed implementation requirements.

How is a Controller To Controller DPA different from a Data Processing Agreement in UAE?

A Controller To Controller DPA governs data sharing between independent controllers who each determine processing purposes, while a Data Processing Agreement covers controller-processor relationships where the processor acts on the controller's instructions. Under UAE law, both agreements have different liability structures and compliance requirements.

How long does it typically take to finalize a Controller To Controller DPA in UAE?

Creating a Controller To Controller DPA in the UAE typically takes 2-6 weeks depending on complexity and negotiation requirements. Simple agreements may be completed in 1-2 weeks, while complex multi-jurisdictional arrangements can take 8-12 weeks. Legal review and compliance verification with UAE regulations often extend the timeline.

Can I use international DPA templates for UAE Controller To Controller agreements?

International templates should not be used without significant modification for UAE Controller To Controller DPAs. Federal Decree-Law No. 45/2021 has specific requirements that differ from GDPR and other international frameworks. Using non-compliant templates can result in regulatory violations and inadequate legal protection.

Which common mistakes invalidate Controller To Controller DPAs in UAE?

Common mistakes include failing to specify data retention periods required by UAE law, omitting mandatory breach notification timelines, and inadequate cross-border transfer safeguards. Missing data subject rights provisions or unclear controller responsibilities can also invalidate agreements. Each mistake can result in regulatory penalties under Federal Decree-Law No. 45/2021.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Controller To Controller DPA

When your organization needs to share personal data with another independent controller in the United Arab Emirates, a Controller To Controller Data Processing Agreement (DPA) is legally required under Federal Decree-Law No. 45/2021. This specialized agreement governs the relationship between two data controllers who independently determine the purposes and means of processing personal data while ensuring full compliance with UAE data protection laws.

When do you need this document?

You must execute a Controller To Controller DPA whenever your organization systematically shares personal data with another entity that acts as an independent controller. Common scenarios include business partnerships where customer data is exchanged, joint marketing initiatives between companies, mergers and acquisitions involving data transfer, or service arrangements where both parties process shared data for their own purposes. The agreement is also essential when collaborating with international partners, as it ensures compliance with both UAE laws and potentially applicable foreign regulations. If either organization operates within the DIFC or ADGM free zones, additional specific requirements under their respective data protection frameworks may apply.

Key legal considerations

Your Controller To Controller DPA must clearly define each party's roles, responsibilities, and data processing purposes to avoid regulatory violations. Critical provisions include detailed data security measures, breach notification protocols within 72 hours as required by UAE law, and mechanisms for handling data subject rights requests including access, rectification, and deletion. The agreement should specify categories of personal data being shared, retention periods, and cross-border transfer safeguards if data leaves the UAE. You must also establish joint liability frameworks for potential data breaches and include termination clauses that protect data subjects' rights when the relationship ends. Regular compliance auditing provisions help demonstrate ongoing adherence to regulatory requirements.

Legal requirements in United Arab Emirates

Under Federal Decree-Law No. 45/2021 and Cabinet Resolution No. 100/2022, your agreement must ensure lawful processing bases for all shared data and implement appropriate technical and organizational security measures. Both controllers remain jointly liable for data protection violations, making clear responsibility allocation crucial. The UAE Data Protection Office requires that agreements include specific provisions for handling data subject complaints and regulatory investigations. If your organization processes sensitive personal data categories, enhanced protection measures and explicit consent requirements apply. For organizations in DIFC or ADGM, additional compliance with their respective 2020 and 2021 data protection regulations is mandatory, potentially requiring dual-jurisdiction legal review of your agreement terms.

GOVERNING LAW

Applicable law

This Controller To Controller DPA is drafted to comply with United Arab Emirates law. Key legislation includes:
Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it