Guidance

Part 1. This guide provides an overview of the Data Protection Regulations 2021 including key concepts, terms, scope, principles of processing and the lawful bases for processing personal data.

Part 2. This guide provides information on data subject rights and the data controller’s obligations with regards to individual rights requests.

Part 3. This guide provides information on data protection by design and default, the fees, the record of processing activity, the requirement of data protection officers and processor obligations.

Part 4. This guide provides information on Data Protection Impact Assessments (“DPIA”). In particular, what is the DPIA, what must a DPIA contain, how to conduct a DPIA and some FAQs.

Part 5. This guide provides information regarding the security of processing, the cessation of processing and managing personal data breaches, which includes notification requirements.

Part 6. This guide provides information on international transfers. In particular, the definition of ‘transfer’ and the mechanism and conditions required under the Regulations to transfer personal data from the ADGM.

Part 7. This guide provides information regarding the newly introduced code of conduct mechanism. Also, the role of the Commissioner of Data Protection and the Office of Data Protection.

Part 8. This Guide focuses on individual rights and remedies. In particular, how individuals can raise concerns, exercise their right and seek redress.

The ADGM Standard Contractual Clauses (“SCCs”) is an appropriate safeguard under Article 42(2) of the Regulations to transfer personal data from the ADGM to a third party located in a third country or jurisdiction that does not provide an adequate level of protection. You can find here the list of adequate jurisdictions. SCCs are used by two or more parties and includes a new modular approach catering to different transfer scenarios. The use of SCCs are optional but if used, parties cannot amend the clauses.

The Appropriate Policy Document (“APD”) is required where a Controller relies on certain conditions for processing special category of personal data. The purpose of the APD is to imbed transparency and governance around the processing activity.

The Data Protection Agreement is required by Controllers when appointing Processors to conduct activities on their behalf. As is, the template below meets the requirement of Article 26(3).

A Data Protection Impact Assessment (DPIA) is required by Controllers proposing a new project, product or initiative that is likely to result in a high risk to the rights of individuals. Prior to the activity, the Controller must conduct the DPIA to assess and mitigate risks from the envisaged processing of personal data.

A Record of Processing Activity (ROPA) is required by all ADGM entities that process personal data. The ROPA must contain key information from all the processing activities undertaken by the Data Controller.

Data Protection Officer Requirement

This assessment was developed to help you understand whether you are required to appoint a Data Protection Officer (“DPO”) under the Data Protection Regulations 2021. The assessment should only be used as a Guide and does not constitute legal advice. To access the tool, please click here.

Data Breach Notification Requirement

This assessment was developed to help you understand your notification requirements for a personal data breach under the Data Protection Regulations 2021. The assessment should only be used as a Guide and does not constitute legal advice. To access the tool, please click here.