Name, Image and Likeness (NIL) – personal data in the UAE? How should sports entities stay compliant from breaching data protection regulations?

As athletes increasingly monetize their personal brand beyond performance, understanding how NIL rights are protected and regulated is critical—especially in fast-growing sports hubs like the UAE. 

What Are NIL Rights?

In the sports world, NIL rights allow athletes to control how their identity is used for commercial purposes. While countries like the US recognize NIL under “right of publicity” laws, the UAE takes a more restrictive but protective approach through a mix of civil, cyber, media, and data protection regulations.

The UAE doesn’t yet have standalone NIL legislation, but its Personal Data Protection Law (PDPL)forms the backbone of athlete data protection. It treats NIL as “personal data,” meaning its use must be explicitly consented to by the athlete. 

Under the PDPL, any collection or monetization of an athlete’s name, image, or likeness requires explicit consent. Whether it’s a social media post, merchandise campaign, or biometric tracking, sports clubs and commercial partners must ensure they have legal permission—especially for high-risk data like physiological outputs from wearables.

While the UAE’s PDPL is modelled on the EU’s GDPR, there are notable distinctions:

• No “legitimate interest” clause: Unlike the GDPR, which sometimes allows data processing without consent under certain business needs, the PDPL mandates explicit consent unless narrowly defined exceptions apply.
• Stricter rules for sensitive data: Biometric and health-related data require additional safeguards, such as Data Protection Impact Assessments (DPIAs).

Athletes in the UAE can:

• Access their personal data
• Request correction or deletion
• Withdraw consent at any time
• Object to unauthorized commercial use

For example, if an athlete’s performance data is used post-event to promote next year’s tournament without permission, they can demand its removal and even seek compensation for misuse.

To stay compliant, organizations should:

• Draft clear, consent-based contracts with athletes
• Conduct cross-jurisdictional risk assessments
• Appoint a Data Protection Officer (DPO)
• Implement strong data security policies (e.g., encryption, access controls)
• Regularly review how athlete data is collected, stored, and shared

NIL protection in the UAE is evolving, with strong emphasis on data privacy and consent. Whether you’re an athlete, club, or commercial sponsor, understanding and respecting these legal boundaries is essential to building ethical, profitable, and compliant sports partnerships in the region.