The UAE recently released the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. The PDPL has extra-territorial scope, applying to any company established in the UAE and processing personal data overseas, or a company established outside of the UAE and processing personal data inside the UAE. The PDPL does not apply to government entities and government data, nor personal data that is already regulated by the Abu Dhabi Global Market (ADGM) or Dubai International Financial Centre (DIFC) data protection laws, or pursuant to special legislation (for example, personal health data and banking and credit personal data). What are the rules for data processing controls and data transfers and what are the penalties under the PDPL?