ADGM Enacts New Data Protection Regulations
On 11 February 2021, the Board of Directors of the Abu Dhabi Global Market, in the exercise of its powers under Article 6(1) of Law No. 4 of 2013 concerning the ADGM issued by His Highness the Ruler of the Emirate of Abu Dhabi, enacted new Data Protection Regulations. They were published on 14 February 2021 and replaced the Data Protection Regulations 2015.
ADGM's benchmarking of international standards and best practices found the European Union's General Data Protection Regulation (which took effect in May 2018) to be the leading international standard for comprehensive data protection law. The revised Regulations were tailored to ADGM's needs and designed to be proportionate and business-friendly, without jeopardizing the primary goal of achieving a high level of personal data security.
The formation of an independent Office of Data Protection (ODP), led by a Commissioner of Data Protection, is a vital feature of the new system. Its regulatory functions will be supported by a yearly data protection fee payable to the ODP's Commissioner of Data Protection from the commencement of personal data processing. Mr. Sami Mohammed has been appointed as the ADGM Commissioner of Data Protection by the ADGM Board.
Adoption of the new Regulations will result in significant changes and new duties for Data Controllers and Data Processors, according to ADGM. As a result, starting on 14 February 2021, a 12-month transition period for existing establishments and a 6-month transition period for new businesses were proposed. This transition period allows organizations to prioritize understanding their obligations under the new ADGM Data Protection Regulations, conduct a gap analysis to determine whether their existing systems are vulnerable or appropriate, consider any changes to their framework, and take the necessary steps to comply.
The DIFC Data Protection Law No. 5 of 2020 (DIFC DPL 2020), which governs the processing of personal data in the Dubai International Financial Centre, was passed shortly after these Regulations. The General Data Protection Regulation (EU GDPR) concepts are being accepted and incorporated in new laws and regulations, as evidenced by the Regulations, the recent DIFC DP Law 2020, and the general direction of data protection law in the UAE and broader region.
These regulations highlight that businesses in the UAE are responsible for handling personal data to a high standard, and the regulations facilitate the execution of business activities by allowing for secure cross-border data movement.
Abu Dhabi Global Market (ADGM)
On 21 October 2015, the Abu Dhabi Global Market (ADGM), an international financial center (IFC) in the capital city of the United Arab Emirates, opened for operation. ADGM, established as a broad-based financial center by a UAE Federal Decree, strengthens Abu Dhabi's position as a worldwide trade and economic hub, serving as a critical link between the Middle East, Africa, and South Asia's expanding economies and the rest of the globe.
Abu Dhabi's primary capabilities, including private banking, wealth management, asset management, derivatives and commodities trading, financial innovation, sustainability, and more, are at the heart of ADGM's strategy. ADGM as an IFC governs the entire 114 hectares (1.14 sq km) of Al Maryah Island, a recognized financial free zone, and comprises three independent authorities: ADGM Courts, the Financial Services Regulatory Authority, and the Registration Authority.
It enables registered financial and non-financial institutions, companies, and entities to operate, innovate and succeed within an international regulatory framework based on common law. Since its inception, ADGM has been awarded the "Financial Centre of the Year (MENA)" for four consecutive years for its initiatives and contributions to the region's financial and capital markets industry.
Data Protection Regulations 2021
The New Regulations apply to Personal Data Processing carried out by either a Controller or a Processor operating or conducting business in or from the ADGM, regardless of whether the processing is carried out in the ADGM or whether the Controller or Processor is incorporated in the ADGM.
A New Fines Regime: The New Regulations establish significant fines for data breaches and non-compliance, with a strict limit of USD 28 million. The New Regulations also give data subjects direct rights to reparation.
Data Protection Fee: A Controller must pay a Data Protection Fee to the Commissioner of Data Protection for the twelve months following the date it began Processing Personal Data (in an amount to be established by the ADGM). Following that, yearly renewal fees are due.
Data Protection Officer (DPO): Professional qualifications, including expert knowledge of data protection law and practices, and the competence to carry out the responsibilities described in the New Regulations, must be considered when nominating the DPO. Unless they participate in High-Risk Processing Activities, organizations with fewer than five workers are exempt from the requirement to designate a DPO under the New Regulations. According to the New Regulations, the DPO does not have to be an employee of the Controller or Processor, nor does he or she have to be present in the ADGM. In general, Controllers and Processors are not required to appoint a DPO unless:
- processing is carried out by a public authority (excluding courts);
- processing operations requiring regular and systematic monitoring of Data Subjects on a large scale; or
- processing on Special Categories of Personal Data (such as those related to healthcare, insurance, tech sectors) is carried out on a large scale.
High-Risk Processing Activities: These require the Controller to conduct a Data Protection Impact Assessment (DPIA). When a Controller, or even the Commissioner of Data Protection, determines or assesses whether adequate measures have been taken to demonstrate compliance, the results of this DPIA will be taken into account. This is consistent with the GDPR as well as the DIFC Law. The New Regulations create an exemption for situations where the processing of such data is required by Applicable Law.
Response Timeline for Data Subject Requests: The regulations oblige enterprises to adhere to several data subject rights, including assisting persons in gaining access to personal data. The New Regulations provide a two-month response timeframe for the requests (this can be extended for a further one month if necessary, considering the request's complexity).
Notification of a Personal Data Breach: In the event of a Personal Data Breach, the Controller must notify the Commissioner of Data Protection without undue delay and, where possible, no later than 72 hours after becoming aware of it, unless the Personal Data Breach is unlikely to result in a risk to natural persons' rights. If the Commissioner is not notified within 72 hours, the notification must be accompanied by reasons for the delay. When a Personal Data Breach is likely to result in a high risk to natural persons' rights, the Controller shall also notify the Data Subject without undue delay. Where data processing is outsourced, Processors who experience a Personal Data Breach must notify Controllers as soon as they become aware of the incident.
"Appropriate Policy Documents": There is an explicit requirement to have an "appropriate policy document" in place when Special Categories of Personal Data are processed in order to carry out the obligations and specific rights of the Controller or the Data Subject "in the field of employment law," and/or where they are processed on the basis of a "substantive public interest." The New Regulations specify precisely what must be included in such a document for it to be judged "appropriate." Given the broad spectrum of what may fall under the purview of "employment law" or "substantive public interest," as defined by the New Regulations, we expect that to achieve complete compliance under the New Regulations, businesses will need to update not only their privacy policies, but also their fraud policies, diversity and inclusion policies, employment policies, anti-money laundering policies, and any other policies that come under this category. Companies subject to the Regulations will be required to update or draft policies and contractual instruments, which will include and/or address the following:
- a data protection policy to be distributed to employees that explains why and how personal data will be gathered, as well as how long it will be kept;
- the Controller's and DPO's names and contact information;
- the types of personal data processed by the company;
- the purpose(s) of processing the personal data;
- the company's data retention policy;
- a description of:
  - the types of data subjects;
  - the people who will have access to personal data;
  - the "technical and organizational measures" put in place to ensure personal data security; and
  - relevant safeguards used when sharing personal data abroad (if applicable);
- adopting a deletion plan and process to ensure that Personal Data is securely and permanently removed when the retention period has expired;
- preparing written agreements with suppliers, distributors, and clients (such as a data processing/sharing agreement or data processing/sharing addendums) where needed;
- significant fines (not exceeding USD 28 million) for Controllers found in violation of the Regulations. It is also worth emphasizing that data subjects harmed by a data breach will now be entitled to seek compensation.
Many of the new obligations in the Regulations are based on well-considered and comprehensive existing principles in the United Kingdom and the European Union, for example, where existing guidance can be relied upon when evaluating your best compliance options.
The regulations will facilitate cross-border data transfers and result in better protection of personal data due to higher penalties for non-compliance with the regulations, which ensures accountability in businesses.