ADGM’s New Data Protection Law

The new Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“New Regulations”) have now been issued, and replace the Data Protection Regulations 2015.

The New Regulations are binding after a 12-month transition period for existing establishments in the ADGM, and a 6-month transition period for new establishments that are registered after the date the new regulations were published i.e. 14 February 2021.

The New Regulations align the ADGM’s legal requirements for the processing of personal data with the EU’s General Data Protection Regulation (GDPR). The New Regulations follow the DIFC’s adoption of the new DIFC Data Protection Law No.5 of 2020 (“DIFC Law”) in July 2020, which is also based on the GDPR.

Key Features of the New Regulations

Below are some key features of the New Regulations that will likely affect the Processing of Personal Data that is already being carried out in the ADGM.

It is not a comprehensive list. Matters such as data subject rights and transfers of personal data outside of the of the ADGM are not discussed in further detail in our full update but do need detailed consideration by Data Controllers and Data Processors responsible for those conducting business in the ADGM.

(Please note that unless otherwise defined above, capitalised terms used below have definitions under the New Regulations available here).

• Who is covered by the New Regulations? The New Regulations includes within its scope Processing of Personal Data carried out by either a Controller or a Processor operating or conducting business in or from the ADGM, regardless of whether the Processing takes place in the ADGM or whether the Controller or Processor is incorporated in the ADGM.
• Data Protection Fee: A Controller must pay a Data Protection Fee (in an amount yet to be determined by the ADGM) to the Commissioner of Data Protection in respect of the twelve months from the date it commenced Processing Personal Data.  Yearly Renewal Fees are payable thereafter.
• Data Protection Officer “DPO”: Generally, it is not mandatory for Controllers or Processors to appoint a Data Protection Officer (DPO). However, the appointment of a DPO is required where: (1) Processing is carried out by a public authority (excluding courts acting in their judicial capacity); (2) Processing operations which require regular and systematic monitoring of Data Subjects on a large scale are being undertaken; or (3) Processing on Special Categories of Personal Data is undertaken on a large scale. The New Regulations explicitly state that the DPO does not need to be an employee of the Controller or Processor, or be present in the ADGM. The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of Data Protection Law and practices and the ability to fulfil the tasks referred to in the New Regulations. The New Regulations includes an exemption from the requirement to appoint a DPO for organisations employing fewer than five employees unless it carries out High Risk Processing Activities.
• High Risk Processing Activities: The New Regulations introduce the concept of High Risk Processing Activities, which lead to an obligation on the Controller to conduct a Data Protection Impact Assessment This is consistent with both the GDPR and the DIFC Law. The New Regulations create an exemption where Processing of such data is required by Applicable Law.
• Time-line for Responding to Data Subjects requests: The New Regulations sets a timeline of two months (which can be extended for a further one month where necessary, taking into account the complexity of the request).
• Notification of a Personal Data Breach: In the case of a Personal Data Breach, the Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Commissioner is not made within 72 hours, it must be accompanied by reasons for the delay. When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.
• “Appropriate Policy Documents”: A unique provision in the New Regulations, is the explicit requirement to have an “appropriate policy document” in place when processing Special Categories of Personal Data on the basis of carrying out the obligations and the specific rights of the Controller or the Data Subject “in the field of employment law”, and/ or where they are processed on the basis of a “substantive public interest”. The New Regulations explicitly set out what such a document must include to be considered as “appropriate”. Given the breadth of what may come under the scope of “employment law” or “substantive public interest’, as defined under the New Regulations, we anticipate that in order to achieve full compliance under the New Regulations, companies will not only be required to update their privacy policies, but may also need to review and update their fraud policies, diversity and inclusion policies, employment policies, AML policies, and any other policies falling within this scope.
• A New Fines Regime: The New Regulations imposes significant fines for data breach, with a strict cap not exceeding exceed USD 28 million. Data Subjects also have direct rights under the New Regulations to claim compensation.

Upcoming Webinar

Al Tamimi’s data protection specialists will be running a webinar on 8 March 2021 at 14:00 (GMT) where they will provide a detailed review of the New Law and its implications for ADGM businesses in detail. If you would like to join, please register here.

In the meantime, if you have any questions about the New Regulations, please do not hesitate to contact us.