DLA Piper Intelligence

Data Protection
Laws of the World

Law

UAE - Abu Dhabi Global Market Free Zone
Note: Please also see UAE – General, UAE – DIFC, UAE – DHCC.

The Abu Dhabi Global Market (ADGM) implemented the ADGM Data Protection Regulations 2015 (DPR 2015). These were subsequently amended by the Data Protection (Amendment) Regulation 2018.

Note that in late 2020 the ADGM issued a public consultation on a new set of regulations. The following does not reflect these proposed changes, but will be updated once the revised regulations are published in final form.

Last modified 21 Jan 2021
Definitions

Definition of Data Controller

Any person in the ADGM (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the processing of personal data.

Definition of Data Processor

Any person (excluding a natural person acting in his capacity as a staff member) who processes personal data on behalf of a data controller.

Definition of Data Subject

A natural person to whom personal data relate.

Definition of Identifiable Natural Person

A natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.

Definition of Personal Data

Any information relating to an identified natural person or an identifiable natural person.

Definition of Processing

Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Definition of Registrar

The Registrar is the ADGM Registration Authority.

Definition of Sensitive Personal Data

Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade‐union membership and health or sex life.

Authority

The Office of Data Protection (which forms part of the Registrar) is the official body with day-to-day responsibility for enforcement and administration of the DPR 2015 in the ADGM.

The Office of Data Protection
Authorities Building
ADGM Square
Al Maryah Island
Abu Dhabi
UAE
Data.Protection@adgm.com 
+971 2 333 8888

Registration

Data controllers must register with the Office of Data Protection in order to be entitled to act in that capacity. Furthermore, data controllers must notify the Office of Data Protection of the appointment and removal of a processor within the timeframe specified in the DPR 2015.

Data controllers must also establish and maintain records of any personal data processing operations or set of such operations intended to secure a single purpose or several related purposes.

Data Protection Officers

There is no requirement under the DPR 2015 for organizations to appoint a data protection officer, though note the general obligation of a data controller to implement appropriate technical and organizational measures to protect personal data, as further detailed below (see separate section on Security). It is, however, recommended that an organization that operates on a large scale or carries out regular and systematic monitoring of individuals appoint an individual responsible for overseeing the organization’s compliance with data protection requirements.

Collection & Processing

Data Controllers may process Personal Data when any of the following conditions are met:

  • the Data Subject has given his written consent to the Processing of that Personal Data (Article 2(a), DPR 2015);

  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 2(b), DPR 2015);

  • Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject (Article 2(c), DPR 2015);

  • Processing is necessary in order to protect the vital interests of the Data Subject (Article 2(d), DPR 2015);

  • Processing is necessary for the performance of a task carried out in the interests of the ADGM or in the exercise of the functions or powers of one of its official bodies (as specified in the DPR 2015) vested in the Data Controller or in a third party to whom the Personal Data are disclosed (Article 2(e), DPR 2015); or

  • Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the third party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation (Article 2(f), DPR 2015).

Data Controllers may process Sensitive Personal Data when any of the following conditions are met:

  • the Data Subject has given an additional written consent to the Processing (Article 3(1)(a), DPR 2015);

  • Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller (Article 3(1)(b), DPR 2015);

  • Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent (Article 3(1)(c), DPR 2015);

  • Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a third party without the consent of the Data Subjects (Article 3(1)(d), DPR 2015);

  • the Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims (Article 3(1)(e), DPR 2015);

  • Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject (Article 3(1)(f), DPR 2015);

  • Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation (Article 3(1)(g), DPR 2015);

  • Processing is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime (Article 3(1)(h), DPR 2015); or

  • Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are Processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation (Article 3(1)(i), DPR 2015).

Note, however, that Sensitive Personal Data may be processed by a Data Controller irrespective of whether any of the above conditions has been satisfied if:

  1. a permit has been obtained from the Registrar to Process Sensitive Personal Data; and

  2. the Data Controller applies adequate safeguards with respect to the Processing of the Personal Data (Article 3(2), DPR 2015).
Transfer

Transfers of personal data outside of the ADGM may take place where there is an adequate level of protection for personal data, ensured by the laws and regulations applicable to the recipient. The jurisdictions deemed to have an adequate level of protection are set out in Schedule 3 to the ADGM Data Protection Regulations and this list may be added to by the Office of Data Protection over time (we are not aware of any additional countries having been added to the list).

In the absence of an adequate level of protection, Data Controllers may transfer Personal Data out of the ADGM if:

  • the Registrar has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of such Personal Data (Article 5(1)(a), DPR 2015);

  • the Data Subject has given his written consent to the proposed transfer (Article 5(1)(b), DPR 2015);

  • the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre‐contractual measures taken in response to the Data Subject's request (Article 5(1)(c), DPR 2015);

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a third party (Article 5(1)(d), DPR 2015);

  • the transfer is necessary for the establishment, exercise or defence of legal claims (Article 5(1)(e), DPR 2015);

  • the transfer is necessary in order to protect the vital interests of the Data Subject (Article 5(1)(f), DPR 2015);

  • the transfer is necessary in the interests of the ADGM (Article 5(1)(g), DPR 2015);

  • the transfer is made at the request of a regulator, the police or other government agency (Article 5(1)(h), DPR 2015);

  • the transfer is made from a register which according to law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case (Article 5(1)(i), DPR 2015);

  • the transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject (Article 5(1)(j), DPR 2015);

  • the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that the transfer is carried out in accordance with applicable standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation (Article 5(1)(k), DPR 2015);

  • the transfer is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller which is established in the ADGM, or for the prevention or detection of any crime (Article 5(1)(l), DPR 2015);

  • the transfer is made to a person established outside the ADGM who would be a Data Controller (if established in the ADGM) or who is a Data Processor, if, prior to the transfer, a legally binding agreement in the form set out in Schedule 1 or Schedule 2 respectively of the DPR 2015 has been entered into between the transferor and recipient (Article 5(1)(m), DPR 2015); or

  • the transfer is made between members of a company group in accordance with a global data protection compliance policy of that group, under which all the members of such group that are or will be transferring or receiving the personal data are bound to comply with all the provisions of the ADGM Data Protection Regulations as if such group members were established in the ADGM (i.e., effectively, Binding Corporate Rules) (Article 5(1)(n), DPR 2015).
Security

Data Controllers must implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction of, or damage to such Personal Data (Article 9(1), DPR 2015).

The measures implemented ought to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected (Article 9(2), DPR 2015).

When appointing a Data Processor, a Data Controller must ensure that such Data Processor provides sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and shall ensure compliance with those measures (Article 9(3), DPR 2015).

Breach Notification

In the event of a breach of any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of the incident as soon as reasonably practicable (Article 9(4), DPR 2015).

If a Data Controller becomes aware of any breach of any Personal Data under its control, the Data Controller must inform the Registrar of the incident without undue delay, and where feasible, not later than 72 hours after becoming aware of it (Article 9(5), DPR 2015).

Enforcement

In the ADGM, the Office of Data Protection (forming part of the Registrar) oversees the enforcement of the DPR 2015.

The Office of Data Protection has the power under the DPR 2015 to:

  • issue directions or warnings and make recommendations to Data Controllers (Article 14(1)(d), DPR 2015);

  • impose fines in the event of non-compliance with its direction (Article 14(1)(e), DPR 2015); and

  • impose fines in the event of non-compliance with the DPR 2015 and any rules made pursuant to them (Article 14(1)(f), DPR 2015).

If the Office of Data Protection is satisfied that a Data Controller has contravened or is contravening the DPR 2015, it may issue a direction to the Data Controller requiring it to do either or both of the following:

  • to do or refrain from doing any act or thing within such time as may be specified in the direction (DPR 2015, Article 17(1)(a)), or

  • to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction (DPR 2015, Article 17(1)(b)).

A Data Controller who receives a fine from the Office of Data Protection for its contravention of the DPR 2015 may refer such matter to the ADGM courts for review to contest either the issue of the fine or the amount of the fine (Article 17A(7), DPR 2015). 

Electronic Marketing

The DPR 2015 requires Data Controllers, immediately upon commencing to collect Personal Data, to provide the Data Subjects from whom they collect it with, amongst other things, any further information to the extent necessary (having regard to the specific circumstances in which the Personal Data is collected). This includes information on whether the Personal Data will be used for direct marketing purposes (Article 6(1)(c)(iv), DPR 2015).

If the Personal Data has not been obtained from the Data Subject, the Data Controller or their representative must at the time of undertaking the Processing of the Personal Data – or if it is envisaged that the Personal Data will be disclosed to a third party, no later than when the Personal Data is first disclosed to that third party – provide the Data Subject with, amongst other things, information regarding whether the Personal Data will be used for direct marketing purposes (Article 7(1)(c)(iv), DPR 2015).

Before Personal Data is disclosed for the first time to third parties or used on a Data Subject’s behalf for the purposes of direct marketing, Data Subjects also have the right to be informed and to be expressly offered the right to object to such disclosures or uses (Article 11(1)(b), DPR 2015).

Online Privacy

The DPR 2015 does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as UAE criminal law applies in the ADGM, the privacy principles laid out therein may apply (see UAE – General).

Contacts
Eamon Holley
Partner
T +971 4 438 6293
Alex Mackay
Associate
T +971 4 438 6160