Data Protection Office

What are the ADGM Data Protection Regulations 2021?

The ADGM Data Protection Regulations 2021 provide for the protection of personal data within the ADGM.

The Regulations control how personal data is used by organisations and businesses in Abu Dhabi Global Market. They also provide rights to individuals.

All entities registered in ADGM that collect and process personal data are subject to its requirements.

What is Personal Data?

Personal Data means any data relating to an identified natural person or Identifiable Natural Person.

In other words, it means data which relates to a living individual who can be identified:

  • from that data, or
  • from that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

What do you mean by Identifiable Natural Person?

Identifiable Natural Person refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, biological, biometric, physiological, mental, economic, cultural or social identity.

What is Sensitive Personal Data?

Sensitive personal data refers to a category of Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, criminal record, political opinions, religious or philosophical beliefs, trade‐union membership, and health or sex life.

Due to its ‘sensitive’ nature and its potential misuse in a discriminatory manner, it must be treated more carefully than other Personal Data. Consequently, more stringent requirements must be met by ADGM registered entities for processing Sensitive Personal Data than for other types of Personal Data.

What is the difference between Personal Data and Sensitive Personal Data?

Refer to the questions on what is Personal Data and Sensitive Personal Data.

Sensitive Personal Data is a category of Personal Data. Nevertheless, the difference between Personal Data and Sensitive Personal Data can sometimes be difficult to define.

For example, names and surnames in connection with addresses and dates of birth are usually Personal Data rather than Sensitive Personal Data.

But where a Data Controller is processing such names due to the specific reason that these names and surnames indicate a certain religion or ethnicity, e.g. to send advertising or marketing materials for items or services that are targeted at individuals of this particular religion or ethnicity, then this would be Sensitive Personal Data.

Who is a Data Controller?

A Data Controller is any natural or legal person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Who is a Data Processor?

A Data Processor is defined as any natural or legal person (excluding a natural person acting in his capacity as a staff member) who processes Personal Data on behalf of a Data Controller.

Data Processors may include but are not limited to external service providers that have been appointed by an ADGM Data Controller.

Data Controllers must notify the ADGM Office of Data Protection of the appointment of a Data Processor (there is no fee for this).

Who is a Data Subject?

A Data Subject is the individual (natural person) to whom Personal Data relates or whom particular Personal Data is about.

Examples include staff members, clients and customers.

Who is a Recipient?

A recipient is any person to whom Personal Data is disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

What is meant by the term “Processing”?

Processing means any collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

What is the Role of the Data Controller in relation to Personal Data?

The Data Controller determines the purposes for which and the manner in which any Personal Data is processed and must ensure that any processing of Personal Data for which they are responsible complies with the Regulations.

Failure to do so risks enforcement action and compensation claims from individuals or Data Subjects.

Data Controllers shall ensure that Personal Data, which they Process, is:

  • Processed fairly, lawfully and securely
  • Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights
  • Adequate, relevant and not excessive in relation to the purposes for which it is collected or further Processed
  • Accurate and, where necessary, kept up to date; and 
  • Kept in a form, which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further Processed.

All Data Controllers must be able to demonstrate compliance with the above principles.

What are the requirements for legitimately processing Personal Data at ADGM?

Personal Data may only be processed in accordance with the requirements set forth in section 2 of the ADGM Data Protection Regulations 2015.

At least one of the following conditions must be met whenever the Data Controller processes Personal Data:

  • The Data Subject has given written consent to the Processing of that Personal Data
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract
  • Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject
  • Processing is necessary in order to protect the vital interests of the Data Subject
  • Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or 
  • Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

What considerations do I need to make if I wish to transfer Personal Data outside of ADGM?

Personal Data shall not be transferred to a country or territory outside of the ADGM unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects; or you can rely upon appropriate safeguards or specific derogations listed in the Regulations.

For guidance on the transfer of Personal Data, please view this guide.

What is meant by an adequate level of protection?

The adequacy of the level of protection ensured by laws to which the Recipient is subject is assessed by the Office of Data Protection in the light of all the circumstances surrounding a Personal Data transfer including, but not limited to:

  • the nature of the Personal Data
  • the purpose and duration of the proposed Processing operation or operations
  • if the data does not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and 
  • any relevant laws to which the Recipient is subject, including professional rules and security measures.

Which jurisdictions offer an adequate level of protection?

A list of the jurisdictions that have been designated by the Office of Data Protection as providing an adequate level of protection is available online here

What are the conditions for transferring Personal Data outside of ADGM in the absence of an adequate level of protection?

A transfer of Personal Data to a recipient that is located in a jurisdiction that is not on the designated list (see here) is only possible if safeguards are put in place to provide protection for the data, as set out in Part V of the ADGM Data Protection Regulations 2021, such as obtaining the consent of the data subject or using standard contractual clauses.

What notifications does a data controller need to make?

Registration as a Data Controller

An ADGM entity that intends to process Personal Data must register as a Data Controller with the ADGM Registrar to do so.

When setting up a company, the Data Controller registration is embedded in the application form.

If an existing ADGM entity needs to register as a Data Controller, the form is available via the Registration Authority’s online portal.

Annual Renewal

Data Controller registration is valid for a year and can be renewed annually by submitting an “Application for renewal of registration – Data Protection” through the online portal.

Change in details of the Data Controller

The Data Controller must give notice to the Registrar of any changes in its particulars. Such notice can be given by completing a Notice of Change of Particulars of Data Controller through our Online Solution.

Appoint a new Data Processor

The Data Controller must notify the Registrar of the appointment or cessation of a Data Processor. The first appointment can be made in the initial registration form. Notification of any new appointments and cessations can be given by completing a Notice of Appointment/Cessation of Data Processor through the online portal.

Change in the details of the Data Processor

The Data Controller must give notice to the Registrar of any change in the particulars of its Data Processors. Such notice can be given by completing a “Notice of Change of Particulars of Data Processor” through the online portal.

Appointing or Cessation of a Data Protection Officer

The Controller or the Processor must notify the Commissioner of Data Protection within one month following the appointment or resignation of any Data Protection Officer. The notification must include the contact details of the new Data Protection Officer and, in the case of a resignation, reasons for the resignation.

Data Breach Notification

In case of a Personal Data Breach, the Data Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the affected individuals.

Data Protection Impact Assessment

The Controller must notify the Commissioner of Data Protection prior to carrying out any Processing where a Data Protection Impact Assessment indicates that the Processing would be likely to result in a high risk to the rights of natural persons.

What fees do I need to pay?

| Transaction | Price in USD |
| --- | --- |
| Registration as a Data Controller | 300 |
| Application for appointment of Data Processor | Nil |
| Annual renewal of Data Controller registration | 300 |
| Annual renewal of appointment of Data Processor appointment | Nil |
| Notification of Data Controller no longer processing personal data or removal of Data Processor | Nil |
| Notification of change in particulars of a Data Processor | Nil |
| Notification of change of contact details of Data Controller | Nil |
| Application for a permit to process sensitive personal data | 100 |
| Application for a permit to transfer personal data | 100 |

As an individual, what are my data privacy rights?

For more information on your privacy rights under the ADGM Data Protection Regulations 2021, please go to the Information for Individuals page on the Office of Data Protection microsite here.

When is the effective date of the new Regulation?

As per Article 63 of the Data Protection Regulation 2021 (“DPR 2021”), the Data Protection Regulation 2015 will be repealed and the DPR 2021 becomes effective six (6) months after the date of publication for new ADGM entities (14th August 2021). For existing ADGM entities, the DPR 2021 comes into effect twelve (12) months after the date of publication (14th February 2022).