Understanding UAE PDPL for School Attendance
The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) established a comprehensive framework for how organisations collect, process, and store personal data. For schools operating attendance systems, several provisions are directly relevant.
What counts as personal data?
Under PDPL, personal data includes any information that can identify a person — directly or indirectly. For attendance systems, this includes employee names, ID numbers, GPS coordinates, timestamps, and biometric data such as facial features or fingerprints.
Consent for biometric data
Biometric data is classified as sensitive personal data under PDPL. Schools using face verification or fingerprint recognition for attendance must obtain explicit consent from employees before collecting this data. The consent must be informed (employees understand what is collected and why), specific (for the stated purpose only), and freely given (not a condition of employment).
GPS location tracking
Collecting GPS coordinates at check-in falls under personal data processing. Schools should inform staff that location is recorded at the point of check-in and check-out, explain that it is used to verify presence within the school geofence, and confirm that continuous tracking does not occur outside check-in events.
Data minimisation
PDPL requires that only necessary data is collected. An attendance system should collect the minimum data needed to verify presence and identity — not continuous location tracking, not browsing history, and not personal device information beyond what is strictly required.
Storage and retention
Personal data should not be retained longer than necessary. Schools should define retention periods for attendance records (typically aligned with academic years), automatically delete temporary data like face verification photos, and ensure proper data disposal when an employee leaves.
Employee rights
Under PDPL, employees have the right to access their attendance data, request corrections to inaccurate records, request deletion (subject to legitimate retention needs), and withdraw consent for optional features like face verification.
CampusTrack is built with PDPL compliance in mind
Consent-based face enrolment, 60-day photo auto-deletion, role-based data access, and full data export on request.