Compliance

UAE PDPL and Biometric Attendance: A Practical Guide for Workforce Leaders

7 June 2026 · 7 min read

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") came into force in January 2022 and is the baseline data protection law for the UAE private sector, with the notable exceptions of government data and of free zones that run their own data protection regimes (DIFC and ADGM). For organisations deploying biometric attendance (face matching, fingerprint, iris), it imposes obligations that go beyond the general protections for ordinary personal data. This post covers what workforce leaders need to know in practical terms.

Why biometric attendance is "sensitive personal data"

Biometric data (facial geometry, fingerprint patterns, iris scans) is defined as sensitive personal data under PDPL, the equivalent of what GDPR-trained readers call a special category. Three reasons it is treated more strictly than ordinary personal data:

  • It identifies uniquely. Unlike an employee ID, you can’t reissue a face.
  • It can’t be revoked. A leaked password gets rotated; a leaked face or fingerprint stays leaked, and a stored template can be matched against other systems for as long as it exists.
  • It enables surveillance. If misused, it makes mass tracking and profiling trivial.

For these reasons, biometric attendance requires extra care. The good news is that doing it right is mostly a matter of architecture (what you store, where, and for how long), and the same choices also produce a cleaner operational record.

The five practical PDPL requirements for biometric attendance

1. Explicit, informed consent

Staff must explicitly consent to biometric processing before their face is captured, in language they understand. The consent must be granular (specific to biometric attendance, not buried in a generic onboarding agreement), timestamped so you can prove when it was given, and revocable at any time. An employer can rarely argue that consent is freely given when the alternative is being unable to clock in, so offer the non-biometric fallback at enrolment, not only on withdrawal.

2. Encryption at rest and in transit

Biometric data must be encrypted whenever it is stored or transmitted: TLS on every hop in transit, and authenticated encryption such as AES-GCM at rest. Encryption keys should be held by the data controller, or in a key-management service the controller administers, not handed to a third party. Where the matching engine allows it, keep only the derived template rather than the raw face image; the template is still biometric data and needs the same protection, but it is all the matcher needs, and the image itself never has to be retained.

3. Configurable retention

Biometric data should not be kept indefinitely. The retention window should be configurable to the organisation’s policy, and the audit trail (who, when, where, with what confidence) should be stored separately so it can be kept without the biometric image or template. This is the right way to preserve attendance evidence without holding sensitive personal data forever. Two checks worth making: that the clock also runs for leavers, so a departed employee’s template is deleted on exit rather than at the next sweep, and that deletion reaches backups and not only the live store.

4. Data-subject rights

Staff have the right to:

  • Access the biometric data held about them.
  • Ask for corrections.
  • Ask for deletion, where there is no overriding legal requirement to retain it.
  • Withdraw consent (which typically means switching to non-biometric attendance going forward and deleting the biometric image).

These rights need to be exercisable in practice, not just listed in a policy. A clear “Manage my data” option in the staff app is one practical way to deliver them; log each request and the action taken so you can evidence the response.
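As an added illustration of the retention split in section 3 and the withdrawal path in section 4 (example code written for this post, not Aiya’s implementation): an in-memory store that keeps biometric templates and audit events apart, so that consent withdrawal and the retention sweep delete only the template and the attendance history survives. Assumptions, none of which come from the page: the retention window runs from the template’s last use, the staff IDs, sites and timestamps are constructed sample data, and a real deployment would back the two stores with separately governed, encrypted storage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEvent:
    """Audit metadata only: who, when, where, with what confidence. No image, no template."""
    employee_id: str
    checked_in_at: datetime
    site: str
    confidence: Optional[float]   # None for a non-biometric check-in
    method: str                   # "face" or "supervisor:<id>"


@dataclass
class BiometricRecord:
    """The sensitive personal data. This is the only thing withdrawal and the sweep delete."""
    employee_id: str
    template: bytes
    consented_at: datetime        # explicit, timestamped consent to biometric attendance
    last_used_at: datetime


class AttendanceStore:
    """Stand-in for two separately governed stores (assumption: one process, no database)."""

    def __init__(self, retention: timedelta):
        self.retention = retention                      # configurable per organisation policy
        self.templates: Dict[str, BiometricRecord] = {}
        self.audit: List[AuditEvent] = []

    def enrol(self, employee_id: str, template: bytes, consented_at: datetime) -> None:
        self.templates[employee_id] = BiometricRecord(employee_id, template, consented_at, consented_at)

    def record_face_checkin(self, employee_id: str, site: str, confidence: float, at: datetime) -> None:
        rec = self.templates.get(employee_id)
        if rec is None:
            # No template on file means no live consent: refuse rather than fall back silently.
            raise PermissionError(f"{employee_id}: no biometric consent on file")
        rec.last_used_at = at
        self.audit.append(AuditEvent(employee_id, at, site, confidence, "face"))

    def record_supervisor_checkin(self, employee_id: str, site: str, supervisor_id: str, at: datetime) -> None:
        # Non-biometric fallback so that withdrawing consent never blocks attendance.
        self.audit.append(AuditEvent(employee_id, at, site, None, f"supervisor:{supervisor_id}"))

    def withdraw_consent(self, employee_id: str) -> bool:
        # Delete the template immediately; past audit events stay because they hold no biometric data.
        return self.templates.pop(employee_id, None) is not None

    def retention_sweep(self, now: datetime) -> List[str]:
        # Delete templates unused for longer than the window (assumption: window runs from last use).
        expired = [eid for eid, r in self.templates.items() if now - r.last_used_at > self.retention]
        for eid in expired:
            del self.templates[eid]
        return sorted(expired)

    def subject_access(self, employee_id: str) -> dict:
        # Data-subject access request: report exactly what is held, from both stores.
        rec = self.templates.get(employee_id)
        return {
            "template_held": rec is not None,
            "consented_at": rec.consented_at.isoformat() if rec else None,
            "audit_events": [
                (e.checked_in_at.isoformat(), e.site, e.confidence, e.method)
                for e in self.audit if e.employee_id == employee_id
            ],
        }


def run_scenario() -> dict:
    """Constructed sample data: two staff, one withdrawal, one expiry, a 90-day window."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = AttendanceStore(retention=timedelta(days=90))
    store.enrol("emp-001", b"\x01\x02\x03", consented_at=t0)
    store.enrol("emp-002", b"\x04\x05\x06", consented_at=t0)
    store.record_face_checkin("emp-001", "site-A", 0.97, t0 + timedelta(days=1))
    store.record_face_checkin("emp-002", "site-A", 0.95, t0 + timedelta(days=2))

    withdrawn = store.withdraw_consent("emp-001")                       # emp-001 opts out
    store.record_supervisor_checkin("emp-001", "site-A", "sup-9", t0 + timedelta(days=3))
    blocked = False
    try:
        store.record_face_checkin("emp-001", "site-A", 0.99, t0 + timedelta(days=4))
    except PermissionError:
        blocked = True                                                   # face path now refused

    expired = store.retention_sweep(now=t0 + timedelta(days=100))      # emp-002 unused for 98 days
    return {
        "withdrawn": withdrawn,
        "face_checkin_blocked_after_withdrawal": blocked,
        "expired_by_sweep": expired,
        "templates_remaining": sorted(store.templates),
        "emp001_access": store.subject_access("emp-001"),
        "audit_events_total": len(store.audit),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the two classes is that nothing in `AuditEvent` can reconstruct a face, so the audit list can sit under a long retention rule while `BiometricRecord` sits under a short one; the subject-access view reads from both so the employee sees the history that remains after their template is gone.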

5. No third-party AI processing

If biometric data leaves your environment for processing by a third-party AI provider, you widen the legal and operational exposure: another processor, possibly another jurisdiction, and another set of keys and retention rules to audit. The right architecture keeps the face matching inside the attendance provider’s own infrastructure, processed in a UAE-aligned regional data centre, never sent to external AI vendors. The attendance provider is itself a processor under PDPL, so a written processing agreement covering security, sub-processors and deletion is needed regardless of where matching runs.

Common mistakes to avoid

  • Bundled consent. “By signing this contract you agree to biometric attendance.” Not granular enough; PDPL requires specific consent for biometric data.
  • Indefinite retention. Keeping the face image forever “in case” is not consistent with PDPL principles.
  • Storage abroad without safeguards. Biometric data on cloud servers outside the UAE is an international transfer under PDPL, permitted only to jurisdictions the UAE Data Office recognises as adequate, or otherwise with safeguards such as contractual clauses or the data subject’s explicit consent to the transfer.
  • No revocation path. If a staff member withdraws consent and there’s no fallback (e.g. supervisor-confirmed check-in), you’re forcing the choice on them.
  • One policy for all data. Biometric data needs its own retention rule, its own consent flow, and its own access controls.

What to ask any vendor before signing

  1. Where is biometric data stored, and what is the encryption standard?
  2. Is the face matching done in your infrastructure or sent to a third party?
  3. What is the default retention window for biometric data, and can we configure it?
  4. How do staff exercise data-subject rights in the product?
  5. What happens to a staff member’s biometric record when they leave the company?
  6. How is deletion evidenced, does it reach backups as well as the live store, and within what timeframe?

Aiya was designed around these answers from day one. Explicit consent at enrolment, encryption at rest and in transit, processing in a UAE-aligned regional data centre, configurable retention with the audit trail retained separately, and data-subject rights through the staff app. PDPL-aligned is not an add-on; it’s the design centre.

Frequently asked questions

Is face data biometric under PDPL?

Yes — facial geometry is a recognised biometric category under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). It requires explicit consent and additional protections including encryption and retention controls.

Can we store biometric data forever for audit?

You should retain the audit metadata (who, when, where, with what confidence) but the biometric image itself should be deleted after the configured retention window. Aiya enforces this split automatically.

What if a staff member withdraws consent?

They can switch to non-biometric attendance (e.g. supervisor-confirmed check-in) and their biometric record is deleted. The audit metadata for past check-ins is retained, without the biometric image.


This article is for informational purposes only and does not constitute legal, regulatory, or compliance advice. UAE labour, data, and tax rules can change, and PDPL guidance can evolve as the UAE Data Office issues clarifications; consult a qualified data protection advisor for decisions specific to your organisation.