Abu Dhabi Global Market Data Protection Regulation

Few countries define financial activity as the United Arab Emirates. It has been the tourism and financial hub of activity in the Middle East for decades now. The advent of the information age led to the UAE formulating legislation that protected users within its jurisdiction and afforded equal protection to the organisations operating from the country.

This is the primary reason why certain zones will be excluded even when the Federal Decree-Law No. (45) of 2021 on Personal Data Protection Law (PDPL) officially came into force. These include the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). This is because these regions have their versions of data protection laws tailored to strike the perfect balance between user privacy without trampling on business operations.

The Data Protection Regulations (DPR) 2021 is Abu Dhabi Global Market (ADGM)'s data protection regulation enacted on 14 February 2021. For new entities incorporated on or after the 14th February 2021, ADGM DPR came into effect on the 14th August 2021. For existing entities, came into effect on the 14th February 2022.

Who Needs to Comply with the Law

Territorial Scope

The territorial scope of this law is relatively simple and less complicated than most other data protection laws. Hence, any organisation that operates from inside ADGM or is registered with the ADGM Commissioner of Data Protection must comply with it if they process personal data of any kind.

Where the data processor is processing personal data for a data controller outside of ADGM, the data processor must comply with the requirements of ADGM DPR to the extent possible, taking into account whether the data controller is subject to similar obligations under the laws of its home jurisdiction. ADGM DPR applies to natural persons whatever their nationality or place of residence.

Material Scope

As far as the kind of data covered by this law, any data processed wholly or partly by automated means is covered by the law.

However, this law does not extend to public authorities involved in processing of information related to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to national security. ADGM DPR does not apply to the processing by a natural person for the purposes of purely personal or household activity.

Obligations for Organizations Under ADGM DPR

Much like every other major data protection law globally, the ADGM DPR places certain obligations on data handlers. Failure to adhere to these obligations can lead to non-compliance with the law itself and result in heavy fines or suspension of their operations in the most extreme cases.

Lawful Basis Requirements

A data handler cannot process the personal data of data subjects without a legitimate reason to do so. Some of the legitimate reasons to continue with the processing of data include the following:

• The processing of data is important to carry out or fulfill a contractual agreement;
• The data subject has consented to the processing;
• The processing is necessary for the vital interests of the data subject;
• The processing of data is important to comply with a regulatory obligation;
• The processing of data is important to the interests of the ADGM or to ensure the (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; (iv) the Registration Authority’s; (v) the Commissioner of Data Protection’s functions;
• The processing of data is important for regulatory, auditing, accounting, anti-money laundering, or counter-terrorist financing obligations.

Consent Requirements

The ADGM DPR follows a rather strict set of consent requirements since the data subject must inform the data handler or data processor (whether in writing, electronically, or orally), by a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them.

Moreover, silence, pre-ticked boxes, or inactivity does not constitute consent under the ADGM DPR. Hence, explicit consent in written form is crucial before collecting any data on users.

Similarly, a data processor or data handler must make it just as easy for a user to withdraw consent as it is to give their consent.

Additionally, explicit consent needs to be gained before a data handler or data processor can process the following information deemed as Special Categories of Personal Data:

1. Racial or ethnic origin, political opinions, religious or philosophical beliefs;
2. Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation;
3. Criminal convictions and offences or related security measures.

However, the need for explicit consent in the aforementioned case is not required under the following reasons:

• The data subject has given their explicit consent to the processing of their Special Categories of Personal Data;
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment law, provided that when the Processing is carried out, the Controller has an appropriate policy document in place;
• Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
• Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional;
• Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
• Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;
• Processing relates to Personal Data which is intentionally made public by the Data Subject;
• Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Registration Requirements

Before a data handler can begin operations related to collecting or processing data, they are first required to register with the ADGM Commissioner of Data Protection's office. The data handler must fulfill all legal obligations to complete the registration.

The Commissioner of Data Protection must then provide the data handler with a written notification permitting them to proceed with their data processing activities while also providing them with the necessary documents to inform them of their responsibilities towards the Commissioner of Data Protection.

Lastly, the data handler must inform the Commissioner of Data Protection if they plan to cease their data processing activities, change their contact details, or appoint any third-party data processors.

Security Requirements

The data handler is required to guarantee certain assurances or undertake security measures if they plan to continue processing data.

The data handler must undertake appropriate technical and organisational measures to ensure no unlawful access or processing of data takes place.
When choosing a third party data processor, the data handler must ensure that the data processor has appropriate technical security and organisational measures in place to ensure all data collected is afforded the best protection possible.

Data Breach Requirements

In case an unauthorized breach of data occurs, the data handler must take the appropriate measures to inform the Commissioner of Data Protection within 72 hours of the breach. Furthermore, if a third-party data processor is handling the data, they must inform the principal data handler of the breach as soon as possible.

The data handler must then inform the affected data subjects promptly without any undue delay if the data breach is likely to result in high risk to the data subjects’ rights. However, the data handler may be exempt from this requirement if:

1. Doing so would require a disproportionate amount of effort;
2. The data handler has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach;
3. The data handler has taken measures that ensure the high risk to data subjects’ rights is no longer likely to materialize.

Data Protection Officer Requirement

The Data Protection Officer (DPO) must be appointed to both oversee and advise the organisation in its functions which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale.

The DPO does not need to be a full-time employee within the organisation or even based within the ADGM. However, a DPO’s appointment must be made keeping in mind the strict eligibility criteria set forth by the regulatory bodies. Moreover, once hired, the Commissioner of Data Protection must be informed of this appointment within one month.

Data Protection Impact Assessment

All data processors or data handlers are required to carry out an extensive data protection impact assessment if any of their processing activity is likely to result in high risk to data subject rights. Such assessments must be carried out at regular intervals while the results of each assessment must be reflected in the organisation's measures to prevent any potential data breaches.

If an assessment reveals issues with an organisation’s current practices, the regulatory body must be informed of these as well as the steps the organisation plans to take to remedy this.

Record of Processing Activities

This is more of an extension of the data handler's registration requirements. A data handler must establish and maintain records of any personal data processing operations or set of such operations intended to secure a single purpose or several related purposes.

Moreover, the data handler must provide the Commissioner of Data Protection with access to these records whenever requested.

Cross border data transfer Requirements

The ADGM DPR does allow cross-border data transfers outside the ADGM. A transfer may take place only if the jurisdiction is designated by the Commissioner of Data Protection as an adequate jurisdiction.

Additionally, data can be transferred to jurisdictions that have not been deemed as adequate by the Commissioner of Data Protection under the following circumstances:

• A special permit has been provided for the country data is to be transferred by the Commissioner of Data Protection;
• The data subject has provided their informed consent to the transfer of data;
• Transfer of data is essential to the fulfillment of a contractual obligation;
• Transfer of data is essential to the interest of the ADGM;
• Transfer of data is being requested by a regulator, the police, or other government agency;
• The transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
• The Commissioner of Data Protection has deemed a receiving jurisdiction to have an adequate level of protection of personal data;
• There are binding corporate rules (BCR) in place regarding the transfer of data;
• There are standard contractual clauses (SCC) in place regarding the transfer of data;
• The transfer is made between one or more members of a group of companies per a global data protection compliance policy of that group.