Data Protection Office

service
What are the ADGM Data Protection Regulations 2015?

Open

The ADGM Data Protection Regulations 2015 provide for the protection of personal data within the ADGM.

The Regulations control how personal data is used by organisations and businesses in Abu Dhabi Global Market. It also provides rights to individuals.

All entities registered in ADGM that collect and process personal data are subject to its requirements.

What is Data?

Open

‘Data’ means any information which:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should be processed by means of such equipment; or
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
What is Personal Data?

Open

Personal Data means any data relating to an identified natural person or Identifiable Natural Person.

In other words it means data which relates to a living individual who can be identified:

  • from that data, or
  • from that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

What do you mean by Identifiable Natural Person?

Open

Identifiable Natural Person refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, biological, biometric, physiological, mental, economic, cultural or social identity.
What is Sensitive Personal Data?

Open

Sensitive personal data refers to a category of Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, criminal record, political opinions, religious or philosophical beliefs, trade‐union membership, and health or sex life.

Due to its ‘sensitive’ nature and its potential misuse in a discriminatory manner, it must be treated more carefully than other Personal Data. Consequently, more stringent requirements must be met by ADGM registered entities for processing Sensitive Personal Data than for other types of Personal Data.

What is the difference between Personal Data and Sensitive Personal Data?

Open

Refer to the questions on what is Personal Data and Sensitive Personal Data.

Sensitive Personal Data is a category of Personal Data, notwithstanding, the difference between Personal Data and Sensitive Personal Data can sometimes be difficult to define.

For example, names and surnames in connection with addresses and dates of birth are usually Personal Data rather than Sensitive Personal Data.

But where a Data Controller is processing such names due to the specific reason that these names and surnames indicate a certain religion or ethnicity, e.g. to send advertising or marketing materials for items or services that are targeted at individuals of this particular religion or ethnicity, then this would be Sensitive Personal Data.

Who is a Data Controller?

Open

A Data Controller is any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Who is a Data Processor?

Open

A Data Processor is defined as any person (excluding a natural person acting in his capacity as a staff member) who processes Personal Data on behalf of a Data Controller.

Data Processors may include but are not limited to external service providers that have been appointed by an ADGM Data Controller.

Data Controllers must notify the ADGM Office of Data Protection of the appointment of a Data Processor (there is no fee for this).

Who is a Data Subject?

Open

A Data Subject is the individual (natural person) to whom Personal Data relates or whom particular Personal Data is about.

For example, staff members, clients and customers.

Who is a Recipient?

Open

A recipient is any person to whom Personal Data is disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
What is meant by the term “Processing”?

Open

Processing means any collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

What is the Role of the Data Controller in relation to Personal Data?

Open

The Data Controller determines the purposes for which and the manner in which any Personal Data is processed and must ensure that any processing of Personal Data for which they are responsible complies with the Regulations.

Failure to do so risks enforcement action and compensation claims from individuals or Data Subject.

Data Controllers shall ensure that Personal Data, which they Process, is:

  • Processed fairly, lawfully and securely
  • Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights
  • Adequate, relevant and not excessive in relation to the purposes for which it is collected or further Processed
  • Accurate and, where necessary, kept up to date; and 
  • Kept in a form, which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further Processed.
What are the requirements for legitimately processing Personal Data at ADGM?

Open

Personal Data may only by processed in accordance with the requirements set forth in section 2 of the ADGM Data Protection Regulations 2015.

At least one of the following conditions must be met whenever the Data Controller processes Personal Data:

  • The Data Subject has given his written consent to the Processing of that Personal Data
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract
  • Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject
  • Processing is necessary in order to protect the vital interests of the Data Subject
  • Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or 
  • Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
What considerations do I need to make if I wish to transfer Personal Data outside of ADGM?

Open

Personal Data shall not be transferred to a country or territory outside of the ADGM unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data.

For guidance on the transfer of Personal Data, please view this guide.

What is meant by an adequate level of protection?

Open

The adequacy of the level of protection ensured by laws to which the Recipient is subject, is assessed by the Registrar in the light of all the circumstances surrounding a Personal Data transfer including, but not limited to:

  • the nature of the Personal Data
  • the purpose and duration of the proposed Processing operation or operations
  • if the data does not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and 
  • any relevant laws to which the Recipient is subject, including professional rules and security measures.
Which jurisdictions offer an adequate level of protection?

Open

A list of the jurisdictions that have been designated by the Registrar as providing an adequate level of protection is set out in Schedule 3 of the ADGM Data Protection Regulations 2015.

You can view the list here.

What are the conditions for transferring Personal Data outside of ADGM in the absence of an adequate level of protection?

Open

A transfer of Personal Data to a recipient that is located in a jurisdiction that is not on the designated list (see here) is only possible if safeguards are put in place to provide protection for the data, as set out in Section 5 of the ADGM Data Protection Regulations 2015, such as obtaining the consent of the data subject or using standard contractual clauses. 
What notifications does a data controller need to make?

Open

Registration as a Data Controller

An ADGM entity that intends to process Personal Data must register as a Data Controller with the ADGM Registrar to do so.

When setting up a company the Data Controller registration is embedded in the application form.

If an existing ADGM entity needs to register as a Data Controller, the form is available via the Registration Authority’s online portal.

Annual Renewal

Data Controller registration is valid for a year and can be renewed annually by submitting an “Application for renewal of registration – Data Protection” through the online portal.

Change in details of the Data Controller

The Data Controller must give notice to the Registrar of any changes in its particulars.  Such notice can be done by completing a Notice of Change of Particulars of Data Controller through our Online Solution.

Appoint a new Data Processor

The Data Controller must notify the Registrar of such appointment or cessation of Data Processor. The first appointment can be made in the initial registration form. Notification of any new appointments and cessations can be done by completing a Notice of Appointment/Cessation of Data Processor through the online portal.

Change in the details of the Data Processor

The Data Controller must give notice to the Registrar of any change in the particulars of its Data Processors. Such notice can be done by completing a “Notice of Change of Particulars of Data Processor” through the online portal.

What fees do I need to pay?

Open

 

Transaction

Price in USD

Registration as a Data Controller

300

Application for appointment of Data Processor

Nil

Annual renewal of Data Controller registration

100

Annual renewal of appointment of Data Processor appointment

Nil

Notification of Data Controller no longer processing personal data or removal of Data Processor

Nil

Notification of change in particulars of a Data Processor

Nil

Notification of change of contact details of Data Controller

Nil

Application for a permit to process sensitive personal data

100

Application for a permit to transfer personal data

100


As an individual what are my data privacy rights?

Open

For more information on your privacy rights under the ADGM Data Protection Regulations 2015, please go to the Information for Individuals page on the Office of Data Protection microsite here.
1
2