Performing Due Diligence in the United Arab Emirates (UAE)

Conducting due diligence in the United Arab Emirates:

The United Arab Emirates (UAE) is a federation of seven emirates, namely Abu Dhabi, Ajman, Dubai, Fujairah, Ras al-Khaimah, Sharjah and Umm al-Quwain.

Contrary to general perception, conducting due diligence investigations in the UAE is actually allowed.  The UAE has no legislation that prohibits companies performing background checks, executive screening or due diligence into individuals or companies as long as you adhere to the UAE’s Federal law and the local laws that govern privacy.  However, there can be serious consequences to those who don’t comply – often involving prosecution.

Local Expertise:

If you require accurate and reliable information in the UAE, use a local agent.  This is essential for a number of reasons:

1.  Police and Court Records

In Dubai, specifically in the Dubai International Financial Centre (DIFC) Free Zone it now has its own Data Protection Law of 2007.  This Data Protection Law, which aligns very closely with the European Data Protection Directive, actually permits people to process personal information, such as police checks and court records, however, you will require specific levels of authorisation from the individual you are conducting your research on.

For instance, in most Emirates, if you have a specific letter of authorisation and a copy of the individuals passport, a local associate can enter a main Police station and find out whether that person has any court cases or fines on their record.  If there are cases on the individuals file, then the Police will give you the case number and date.  Once you have this information, you can then conduct searches through the Dubai Courts which is available to the public.

Certificates of Good Standing are also available from the Police if the individual is prepared to submit fingerprints too.

2.  Language & Culture

The language and culture for Westerners is the main barrier in conducting due diligence in the UAE.  However, using a local professional and experienced associate, will help you overcome these barriers. Not only are they familiar with the diverse cultures, languages and privacy legislation in the UAE, but they will also be able to report back accurate information and in the correct manner that is required for western companies to understand and that does not contravene privacy issues.

3.  Local and national press research

This is naturally easier for local associates to search, review and analyse (some publications are in English, but most are in Arabic, especially outside of the Emirate of Dubai).

4.  Law Enforcement

Local investigators also work with different Emirate law enforcement agencies and public authorities on a regular basis.  Being transparent and working alongside law enforcement agencies is the best way to conduct investigations in the UAE. Relationships built on mutual trust is extremely important in this region.

5.  Surveillance

Although there is nothing wrong with physically visiting and verifying an address, taking photos or videoing is not allowed, unless you have the specific permission from the individual you are pursuing [which is highly unlikely) or are in compliance with Article 12, as described below*.

6Information Sources

There are of course some difficulties in verifying some information in the UAE, such as PO Box addresses etc. However, some Emirates and individual Free Zones within each Emirate, now offers a reverse PO Box facility which will give you a name of an individual or company associated with that PO Box.

There is not yet a public facility to search for ownership of property records, or to conduct directorship searches by name in the UAE. Although, as we write, some Emirates and Free Zones are in the process of computerising some of this data.  Information on companies however, is more widely available.  Different Free Zones give access to computerised records and some disclose more information than others.

About TenIntelligence

TenIntelligence has an operational presence in the UAE to help companies perform regulatory due diligence and executive employment screening assignments in the region.  Our presence in the UAE also serves our regional investigation operations in the Middle East and East Africa. If you have any specific requirements or would like more information, please contact us on +971 (0) 4333 4669, +44 20 3102 7720 or email us at

Data Protection (DIFC) Law: //

*Personal data is defined under the law as any information relating to an identifiable natural person.  An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity. Article 11 of the DIFC Law 2007 provides that data can be transferred to third country only if recipients country has adequate data protection laws.
In other events, such data can also be transferred only upon complying with one of the requirements set out below in Article 12:

  1. The commissioner or his delegate has granted a permit or written authorization for such transfer;
  2. The data subject has given his approval for such transfer
  3. Transfer is necessary for performance of contract between DIFC and data subject or for implementation of certain legal measures arising prior to such contract
  4. Such transfer is necessary in the best interest of data subject
  5. Such transfer is necessary in the best interest of DIFC
  6. Transfer is made from a public register
  7. The transfer is necessary for compliance with any legal obligation to which the Data Controller is subject or the transfer is made at the request of a regulator, police or other government agency
  8. The transfer is necessary to uphold the legitimate interests of the data controller recognised in the international financial markets except where such interests are overridden by legitimate interests of the data subject; or
  9. The transfer is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or obligations relating to prevention or detection of any crime that apply to a data controller.