🇦🇪 Dubai International Financial Center
Information
Extracts :
Extract :
(2) These Regulations do not apply to the Processing of Personal Data:
(a) by a natural person for the purposes of purely personal or household activity; or
(b) by public authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to national security.
3. Territorial scope
(1) These Regulations apply to the Processing of Personal Data in the context of the activities of an Establishment of a Controller or a Processor in ADGM, regardless of whether the Processing takes place in ADGM or not.
(2) Where the Processor is Processing Personal Data for a Controller outside of ADGM, the Processor must comply with the requirements of these Regulations to the extent possible, taking into account whether the Controller is subject to similar obligations under the laws of its home jurisdiction.
(3) These Regulations apply to natural persons whatever their nationality or place of residence.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
4. Principles relating to Processing of Personal Data
(1) Personal Data must be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
(b) collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are Processed, is erased or rectified without delay;
(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed; and
(f) Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
(2) The Controller is responsible for, and must be able to demonstrate compliance with, section 4(1).
(3) Where Personal Data is Processed for Archiving and Research Purposes:
(a) this Processing is deemed to be compatible with the initial purposes for which the Personal Data was collected as required by section 4(1)(b); and
(b) it may be stored for longer periods than stated in section 4(1)(e) provided appropriate technical and organisational measures are used to safeguard the rights of the Data Subject.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
27. Processing under the authority of the Controller or Processor
The Processor and any person acting under the authority of the Controller or of the Processor, who has access to Personal Data, must not Process that data except on instructions from the Controller, unless required to do so by Applicable Law.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
7. Processing of Special Categories of Personal Data
(1) Processing of:
(a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
(b) Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation; and
(c) Personal Data relating to criminal convictions and offences or related security measures,
(together, ‘Special Categories of Personal Data’) is prohibited.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
5. Lawfulness of Processing
(1) Processing is lawful only if and to the extent that:
(a) the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;
(d) Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; or (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller under Applicable Law; or
(f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(c) Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
(d) Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional provided that Processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality;
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(e) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
(f) Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;
(g) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body including religious, cultural, educational, social or fraternal purposes or for other charitable purposes and on condition that the Processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the Consent of the Data Subjects;
(h) Processing relates to Personal Data which is intentionally made public by the Data Subject;
(i) Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(j) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
(k) Processing is necessary for reasons of substantial public interest, provided that (unless specified otherwise) the Controller has, when the Processing is carried out, an appropriate policy document in place in accordance with section 7(3), where it is necessary for:
(i) the exercise of a function or requirement conferred on a person by Applicable Law;
(ii) the exercise of a function of the Board, Abu Dhabi or United Arab Emirate government;
(iii) the administration of justice;
(iv) equality of opportunity or treatment provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual; and it does not relate to an individual who has given written notice to the Controller not to Process their Personal Data;
(v) diversity at senior levels of organisations, where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject and is not aware of the Data Subject withholding Consent provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual;
(vi) the prevention or detection of an unlawful act or omission where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose; and if the Processing relates to the disclosure of Personal Data to a relevant public authority an appropriate policy document in accordance with section 7(3) need not be in place for the Processing to be lawful under these Regulations;
(vii) the protection of the members of the public against dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a company, body or association, or failures in services provided by a company, body or association where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose;
(viii) compliance with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act or omission, or been involved in dishonesty, malpractice or other seriously improper conduct where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject to the Processing;
(ix) the prevention of fraud in connection with Processing of Personal Data as a member of, or in accordance with arrangements made by, an anti-fraud organisation;
(x) the disclosure in good faith to an appropriate public authority regarding suspected terrorist financing, to identify terrorist property or in relation to suspected money laundering, in accordance with Applicable Law; or
(xi) the publication of a judgment or other decision of a court or tribunal or if the Processing is necessary for the purposes of publishing such a judgment or decision.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.
(2) Section 5(1)(f) does not apply if Processing is necessary for any of the purposes described in section 5(1)(e).
(3) For the purposes of section 4(1)(b) the Controller must, in order to ascertain whether Processing for another purpose is compatible with the purpose for which the Personal Data is initially collected, take into account:
(a) any link between the purposes for which the Personal Data has been collected and the purposes of the intended further Processing;
(b) the context in which the Personal Data has been collected, in particular the relationship between Data Subjects and the Controller;
(c) the nature of the Personal Data, in particular whether Special Categories of Personal Data are Processed, pursuant to section 7;
(d) the possible consequences of the intended further Processing for Data Subjects; and
(e) the existence of appropriate safeguards, which may include encryption or Pseudonymisation.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
58. Application to the Court
(1) Notwithstanding any other administrative or non-judicial remedy:
(a) a Controller or Processor in respect of whom a Penalty Notice or Direction is issued may refer the matter to the Court for review within three months of the Penalty Notice or Direction being issued;
(b) a Controller, Processor or affected Data Subject who considers the Commissioner of Data Protection has failed to handle a complaint under section 57 in accordance with these Regulations may refer the matter to the Court for review within three months immediately following the date that the complaint was made.
(2) The Court may make any orders that the Court may think just and appropriate in the circumstances, including remedies for damages, penalties or compensation, imposition of administrative fines and findings of fact in relation to whether or not these Regulations have been contravened.
(3) Court Procedure Rules may make provision for any reference to the Court under this section.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
57. Right to lodge a complaint with the Commissioner of Data Protection
(1) Without prejudice to any other administrative or judicial remedy, a Data Subject has the right to lodge a complaint with the Commissioner of Data Protection if the Data Subject considers that the Processing of Personal Data relating to him or her contravenes these Regulations.
(2) Where multiple Data Subjects are affected by the same alleged contravention, they may raise such complaint collectively, including via a representative body. The Commissioner of Data Protection may choose to deal collectively with multiple allegations which relate to the same contravention, whether or not such allegations are brought collectively.
(3) The Commissioner of Data Protection must assess the complaint and inform the complainant on the progress and the outcome of the complaint.
(4) Upon completion of the assessment, the Commissioner of Data Protection may, as appropriate:
(a) dismiss the complaint;
(b) uphold the complaint and take further action including under sections 54 or 55; or
(c) uphold the complaint and take no further action.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
34. Data Protection Impact Assessment
(1) The Controller must, prior to Processing that is likely to result in a high risk to the rights of natural persons, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘Data Protection Impact Assessment’).
(2) A single Data Protection Impact Assessment may address a set of similar Processing operations that present similar high risks. The outcome of the Data Protection Impact Assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the Processing of Personal Data complies with these Regulations.
(3) The Controller must seek the advice of the Data Protection Officer, where designated, when carrying out a Data Protection Impact Assessment.
(4) The Commissioner of Data Protection must publish a list of the kind of Processing operations which are subject to the requirement for a Data Protection Impact Assessment pursuant to section 34(1) and may review this list from time to time.
(5) The Data Protection Impact Assessment must:
(a) describe the nature, scope, context and purpose of the Processing;
(b) assess necessity, proportionality and compliance measures;
(c) identify and assess risks to individuals; and
(d) identify any additional measures to mitigate the risks identified.
(6) Where necessary, the Controller must carry out a review to assess if Processing is performed in accordance with the Data Protection Impact Assessment including when there is a change of the risk represented by Processing operations.
(7) The Controller must notify the Commissioner of Data Protection prior to carrying out any Processing where a Data Protection Impact Assessment indicates that the Processing would be likely to result in a high risk to the rights of natural persons. The notification must contain information in section 34(5).
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
Security of Processing
(1) Taking into account the State of the Art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights of natural persons, the Controller and the Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) the Pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
33. Communication of a Personal Data Breach to the Data Subject
(1) When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.
(2) The communication to the Data Subject referred to in section 33(1) must describe in clear and plain language the nature of the Personal Data Breach and contain at least the information and measures referred to in sections 32(3)(b), 32(3)(c) and 32(3)(d). The communication must where practical make recommendations for the natural person concerned to mitigate potential adverse effects and contain sufficient detail to allow him or her to take the necessary precautions.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
Notification of a Personal Data Breach to the Commissioner of Data Protection
(1) In the case of a Personal Data Breach, the Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Commissioner of Data Protection is not made within 72 hours, it must be accompanied by reasons for the delay.
(2) The Processor must notify the Controller without undue delay after becoming aware of a Personal Data Breach.
(3) The notification referred to in sections 32(1) and 32(2) must:
(a) describe the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
(b) communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the Personal Data Breach; and
(d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
(4) Where it is not possible to provide the information referred to in section 32(3) at the same time, the information may be provided in phases without undue further delay.
(5) The Controller must document any Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken. The documentation must enable the Commissioner of Data Protection to verify compliance with this section.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
33. Communication of a Personal Data Breach to the Data Subject
(1) When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.
(2) The communication to the Data Subject referred to in section 33(1) must describe in clear and plain language the nature of the Personal Data Breach and contain at least the information and measures referred to in sections 32(3)(b), 32(3)(c) and 32(3)(d). The communication must where practical make recommendations for the natural person concerned to mitigate potential adverse effects and contain sufficient detail to allow him or her to take the necessary precautions.
(3) The communication to the Data Subject referred to in section 33(1) is not required if any of the following conditions are met:
(a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the Controller has taken subsequent measures which ensure that the high risk to the rights of Data Subjects referred to in section 33(1) is no longer likely to materialise; or
(c) it would involve disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted). In such a case, there must instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
(4) If the Controller has not already communicated the Personal Data Breach to the Data Subject, the Commissioner of Data Protection, having considered the likelihood of the Personal Data Breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in section 33(3) are met.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
30. Security of Processing
(1) Taking into account the State Of The Art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights of natural persons, the Controller and the Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) the Pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
(2) In assessing the appropriate level of security the Controller and Processor must take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
(3) The Controller and Processor must take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to Personal Data does not Process it except on instructions from the Controller, unless they are required to do so by Applicable Law.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
19. Right to object
(1) A Data Subject has the right to object at any time, on grounds relating to their particular situation, to the Processing of their Personal Data, which is based on sections 5(1)(e) and 5(1)(f), including Profiling based on those provisions.
(2) Where the Data Subject objects to the Processing of their Personal Data, the Controller must not Process the Personal Data unless the Controller reasonably considers that:
(a) there are legitimate grounds for the Processing which override the interests or rights of the Data Subject; or
(b) the Processing is necessary for the establishment, exercise or defence of legal claims.
(3) Where Personal Data is Processed for direct marketing purposes, the Data Subject has the right to object at any time to the Processing, including Profiling, of their Personal Data for such direct marketing purposes.
(4) Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data must not be Processed for such purposes.
(5) Where Personal Data is Processed for Archiving and Research Purposes the Data Subject has the right to object to Processing of their Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
(6) No later than the time of the first communication with the Data Subject, the right referred to in sections 19(1) and 19(3) must be explicitly brought to the attention of the Data Subject and must be presented clearly and separately from any other information.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
18. Right to data portability
(1) The Data Subject has the right to receive the Personal Data that is held by, or on behalf of, the Controller concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format and has the right to transmit that data to another Controller without hindrance from the Controller to which the Personal Data has been provided, where:
(a) the Processing is based on Consent pursuant to section 5(1)(a) or 7(2)(a) or on a contract pursuant to section 5(1)(b); and
(b) the Processing is carried out by automated means.
(2) A Data Subject has the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible.
(3) Section 18(1) does not apply to any Processing that is carried out in reliance on section 5(1)(e).
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
20. Automated individual decision-making, including Profiling
(1) The Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her.
(2) Section 20(1) does not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the Data Subject and a Controller;
(b) is based on the Data Subject's explicit Consent; or
(c) (not falling within section 20(2)(a) or 20(2)(b)) is required or authorised by Applicable Law (including for fraud prevention, anti-money laundering and security and integrity purposes) and in respect of which:
(i) the Controller has, as soon as reasonably practicable, notified the Data Subject in writing that a decision has been taken based solely on automated Processing; and
(ii) the Data Subject has not, before the end of a period of 1 month beginning with the receipt of the notification, requested the Controller to either reconsider the decision or take a new decision that is not based solely on automated decision making.
(3) In the cases referred to in sections 20(2)(a) and 20(2)(b), the Controller must implement suitable measures to safeguard the Data Subject's rights and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
(4) Decisions referred to in section 20(2) must not be based on Special Categories of Personal Data, unless section 7(2)(a) or 7(2)(k) applies and suitable measures to safeguard the Data Subject's rights and legitimate interests are in place.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Transparent information, communication and modalities for the exercise of the rights of the Data Subject
(1) The Controller must take appropriate measures to provide any information referred to in sections 11 and 12 and any communication under sections 13 to 20 and section 32 relating to Processing to the Data Subject:
(a) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a Child; and
(b) in writing, electronically or, if requested by the Data Subject, orally as long as that Data Subject has provided proof of their identity.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
5. Lawfulness of Processing
(1) Processing is lawful only if and to the extent that:
(a) the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;
(d) Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; or (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller under Applicable Law; or
(f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
13. Right of access by the Data Subject
(1) A Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her is being Processed, and, where that is the case, access to the Personal Data and the following information:
(a) the purposes of the Processing;
(b) the categories of Personal Data concerned;
(c) the Recipients or categories of Recipient to whom the Personal Data has been or will be disclosed, in particular Recipients outside of ADGM or International Organisations;
(d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
(f) the right to lodge a complaint with the Commissioner of Data Protection;
(g) where the Personal Data is not collected from the Data Subject, any available information as to its source; and
(h) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
(2) Where Personal Data is transferred outside of ADGM or to an International Organisation, the Data Subject has the right to be informed of the appropriate safeguards pursuant to section 41 relating to the transfer.
(3) The Controller must provide a copy of the Personal Data undergoing Processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information must be provided in a commonly used electronic form.
(4) The right to obtain a copy referred to in section 13(3) must not adversely affect the rights of others.
(5) Where the Controller Processes a large quantity of information concerning the Data Subject, the Controller may request that, before the information is delivered, the Data Subject specify the information or Processing activities to which the request relates.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
14. Right to rectification
(1) A Data Subject has the right to request and obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject has the right to have incomplete Personal Data completed, including by means of the Controller providing a supplementary statement.
(2) Where rectification of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for rectification of the Personal Data under section 14(1), if:
(a) the Controller collected the Personal Data from the Data Subject; and
(b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification of the Personal Data at the request of the Data Subject would not be feasible.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
15. Right to erasure
(1) The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay and the Controller has the obligation to erase Personal Data without undue delay where one of the following applies:
(a) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
(b) the Data Subject withdraws Consent on which the Processing is based according to section 5(1)(a) or 7(2)(a), and where there is no other legal ground for the Processing;
(c) the Data Subject objects to the Processing pursuant to section 19(1) and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to section 19(3);
(d) the Personal Data has been unlawfully Processed; or
(e) the Personal Data has to be erased for compliance with a legal obligation in Applicable Law to which the Controller is subject.
(2) Where the Controller has made the Personal Data public and is obliged pursuant to section 15(1) to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform Controllers which are Processing the Personal Data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, that Personal Data.
(3) Sections 15(1) and 15(2) will not apply to the extent that Processing is necessary:
(a) for compliance with a legal obligation which requires Processing under Applicable Law to which the Controller is subject or for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; and (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller;
(b) for reasons of public interest in the area of public health in accordance with sections 7(2)(d) and 7(2)(e);
(c) for Archiving and Research Purposes to the extent that the right referred to in section 15(1) is likely to render impossible or seriously impair the achievement of the objectives of that Processing, or
(d) for the establishment, exercise or defence of legal claims.
(4) Where erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for erasure of the Personal Data under section 15(1), if:
(a) the Controller collected the Personal Data from the Data Subject; and
(b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that erasure of the Personal Data at the request of the Data Subject would not be feasible.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
6. Conditions for Consent
(1) Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they (whether in writing, electronically or orally), by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.
(2) Silence, pre-ticked boxes or inactivity do not constitute Consent.
(3) For Consent to be informed, the Data Subject should be aware at least of the identity of the Controller and the purposes for which it is intended the Personal Data will be Processed.
(4) Where Processing is based on Consent, the Controller must be able to demonstrate that the Data Subject has consented to Processing of their Personal Data.
(5) If the Data Subject's Consent is given in the context of a written declaration which also concerns other matters, the request for Consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
(6) Any part of such a declaration which constitutes a contravention of these Regulations will not be binding.
(7) The Data Subject has the right to withdraw their Consent at any time. The withdrawal of Consent will not affect the lawfulness of Processing based on Consent before its withdrawal. The Data Subject must be informed of this before giving Consent.
(8) It must be as easy to withdraw Consent as it is to give Consent.
(9) When assessing if Consent is freely given the assessor must take into account whether:
(a) the Data Subject has a genuine or free choice or is unable to refuse or withdraw Consent without detriment; and
(b) the performance of a contract is conditional on Consent to the Processing of Personal Data that is not necessary for the performance of that contract.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
16. Right to restriction of Processing
(1) The Data Subject has the right to obtain from the Controller restriction of Processing where one of the following applies:
(a) the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
(b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;
(c) the Controller no longer needs the Personal Data for the purposes of the Processing, but it is required by the Data Subject for the establishment, exercise or defence of legal claims; or
(d) the Data Subject has objected to Processing pursuant to section 19(1) pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
(2) Where Processing has been restricted under section 16(1), such Personal Data must, with the exception of storage, only be Processed with the Data Subject's Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
(3) The Controller must inform a Data Subject who has obtained restriction of Processing pursuant to section 16(1) before the restriction of Processing is lifted.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
40. General principle for transfers
(1) All provisions in this Part must be applied to ensure that the high level of protection of Personal Data guaranteed by these Regulations is not undermined.
(2) Any transfer of Personal Data that is undergoing Processing or is intended for Processing after transfer to a jurisdiction outside of ADGM or to an International Organisation can only take place if, subject to the other provisions of these Regulations, the conditions in this Part are complied with by the Controller and Processor, including for further onward transfers of Personal Data.
41. Transfers on the basis of an adequacy decision
(1) A transfer of Personal Data outside of ADGM or to an International Organisation may take place where the Commissioner of Data Protection has decided that the receiving jurisdiction, one or more specified sectors within that jurisdiction, or the International Organisation in question ensures an adequate level of protection of Personal Data. Such a transfer will not require any specific authorisation.
(2) When assessing the adequacy of the level of protection of Personal Data, the Commissioner of Data Protection must, in particular, take account of the following elements:
(a) the rule of law, respect for individuals’ rights, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to Personal Data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of Personal Data to another jurisdiction, sector or International Organisation which are complied with in that jurisdiction, sector or International Organisation, case-law, as well as effective and enforceable Data Subject rights and effective administrative and judicial redress for the Data Subjects whose Personal Data is being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the receiving jurisdiction or sector or to which an International Organisation is subject, with responsibility for ensuring and enforcing compliance with adequate data protection rules described in section 41(2)(a), including adequate enforcement powers, for assisting and advising the Data Subjects in exercising their rights and for cooperation with the Commissioner of Data Protection; and
(c) the international commitments the receiving jurisdiction, sector or International Organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of Personal Data.
(3) The Commissioner of Data Protection, after assessing the adequacy of the level of protection, may decide that a jurisdiction outside of ADGM, or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation ensures an adequate level of protection:
(a) within the meaning of section 41(2); or
(b) on the basis that the jurisdiction, sector or International Organisation has received an adequacy decision by the European Commission in accordance with Article 45(3) of the GDPR.
In each case the Commissioner of Data Protection must provide for a review of the decision within four years, which must take into account all relevant developments in the jurisdiction outside of ADGM or International Organisation.
(4) The Commissioner of Data Protection must, on an ongoing basis, monitor developments in jurisdictions outside of ADGM and International Organisations that could affect the functioning of decisions adopted pursuant to section 41(3).
(5) The Commissioner of Data Protection must, where available information reveals, in particular following the review referred to in section 41(3), that a jurisdiction outside of ADGM or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation no longer ensures an adequate level of protection within the meaning of section 41(2), to the extent necessary, repeal, amend or suspend the decision referred to in section 41(3) without retroactive effect.
(6) The Commissioner of Data Protection must publish a list of the jurisdictions outside of ADGM and specified sectors within jurisdictions outside of ADGM and International Organisations for which it has decided that an adequate level of protection is or is no longer ensured.
(7) Jurisdictions designated as providing an adequate level of protection for Personal Data under section 4 of the ADGM Data Protection Regulations 2015 will remain valid until amended, replaced or repealed by the Commissioner of Data Protection.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
The Commissioner of Data Protection may adopt standard contractual clauses for the matters referred to in sections 26(3) and 26(5), including by approving the then current standard contractual clauses issued by the European Commission or adopted by a Supervisory Authority for the same purpose, upon which approval of such standard contractual clauses will be incorporated into these Regulations by reference.
(7) The contract or the other legal act referred to in sections 26(3) and 26(5) may be based, in whole or in part, on standard contractual clauses referred to in section 26(6), including when they are part of a certification granted to the Controller or Processor pursuant to section 38.
(8) The contract or the other legal act referred to in sections 26(3) and 26(5) must be in writing.
(9) Without limiting the effect of sections 55, 56 and 60, if a Processor contravenes these Regulations by determining the purposes and means of Processing, the Processor will be a Controller in respect of that Processing.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Derogations for specific situations
(1) In the absence of an adequacy decision pursuant to sections 41(3) or 41(7), or of appropriate safeguards pursuant to section 42, including Binding Corporate Rules, a transfer or a set of transfers of Personal Data outside of ADGM or to an International Organisation, must take place only on one of the following conditions:
(a) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is required by law enforcement agencies of the UAE in accordance with Applicable Law;
(f) the transfer is necessary for the establishment, exercise or defence of legal claims (including judicial, administrative, regulatory and out-of-court procedures); or
(g) the transfer is necessary in order to protect the vital interests of the Data Subject or of another person, where the Data Subject is physically or legally incapable of giving Consent.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Binding Corporate Rules
(1) The Commissioner of Data Protection may approve Binding Corporate Rules, provided that they:
(a) have the following features:
(i) are legally binding and apply to and are enforced by every member concerned of the Group, including their employees;
(ii) expressly confer enforceable rights on Data Subjects with regard to the Processing of their Personal Data; and
(iii) fulfil the requirements in section 43(2), or
(b) have already been approved by a Supervisory Authority for the same purpose.
(2) The Binding Corporate Rules referred to in section 43(1) must specify at least:
(a) the structure and contact details of the Group and of each of its members;
(b) the details of the data transfers, including the categories of Personal Data, the type of Processing and its purposes, the type of Data Subjects affected and the identification of the relevant jurisdiction(s) outside of ADGM;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for Processing, Processing of Special Categories of Personal Data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the Binding Corporate Rules;
(e) the rights of Data Subjects and the means to exercise those rights, including the right to obtain redress and, where appropriate, compensation for a breach of the Binding Corporate Rules;
(f) how the information on the Binding Corporate Rules, in particular on the provisions referred to in sections 43(2)(d) and 43(2)(e) are provided to the Data Subjects in addition to sections 11 and 12;
(g) the tasks of any Data Protection Officer designated in accordance with section 35 or any other person or entity in charge of monitoring compliance with the Binding Corporate Rules within the Group;
(h) the complaint procedures;
(i) the mechanisms within the Group for monitoring compliance with the Binding Corporate Rules and cooperating with the Commissioner of Data Protection to ensure compliance. Such mechanisms must include data protection audits and methods for ensuring corrective actions to protect the rights of Data Subjects. Results of such monitoring activities should be communicated to the board of the parent company of a Group, and should be made available to the Commissioner of Data Protection upon request;
(j) the procedures for reporting and recording changes to the rules and reporting those changes to the Commissioner of Data Protection;
(k) the reporting mechanisms for notifying the Commissioner of Data Protection of any legal requirements to which a member of the Group is subject outside of ADGM and which are likely to have a substantial adverse effect on the protections provided by the Binding Corporate Rules; and
(l) the data protection training provided to personnel with permanent or regular access to Personal Data.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
Designation of the Data Protection Officer
(1) The Controller and the Processor must appoint a person to perform the tasks listed in section 37 (a ‘Data Protection Officer’) where:
(a) the Processing is carried out by a public authority, except for courts acting in their judicial capacity;
(b) the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
(c) the core activities of the Controller or the Processor consist of Processing on a large scale of Special Categories of Personal Data.
(2) A Data Protection Officer:
(a) may be appointed in respect of a single entity, a Group or multiple, independent entities;
(b) may perform additional roles in respect of a Controller or Processor in addition to performing the role of Data Protection Officer;
(c) does not need to be an employee of the relevant Controller or Processor provided it enters into an agreement in writing with the Controller, or Processor, as the case may be; and
(d) does not need to be resident within ADGM,
in each case, provided that the Data Protection Officer is easily accessible by each entity it acts for, and no other role held by the Data Protection Officer conflicts or is likely to conflict with the Data Protection Officer’s obligations under these Regulations.
(3) The Data Protection Officer must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in section 37.
(4) The Controller or the Processor must notify the Commissioner of Data Protection within one month following the appointment or resignation of any Data Protection Officer. The notification must include the contact details of the new Data Protection Officer and, in the case of a resignation, reasons for the resignation.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
37. Tasks of the Data Protection Officer
(1) The tasks of the Data Protection Officer include:
(a) to inform and advise the Controller or the Processor and the employees who carry out Processing of their obligations pursuant to these Regulations and to other data protection provisions under Applicable Law;
(b) to monitor compliance with these Regulations, with other data protection provisions under Applicable Law and with the policies of the Controller or Processor in relation to the protection of Personal Data, including the assignment of responsibilities, awareness-raising and training of Staff involved in Processing operations, and the related audits;
(c) to provide advice where requested as regards the Data Protection Impact Assessment and monitor its performance pursuant to section 34;
(d) to cooperate with the Commissioner of Data Protection; and
(e) to act as the contact point for the Commissioner of Data Protection on issues relating to Processing and to consult with the Commissioner of Data Protection, where appropriate, with regard to any other matter.
(2) The Data Protection Officer must in the performance of their tasks have due regard to the risk associated with Processing operations, taking into account the nature, scope, context and purposes of Processing.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
Transparent information, communication and modalities for the exercise of the rights of the Data Subject
(1) The Controller must take appropriate measures to provide any information referred to in sections 11 and 12 and any communication under sections 13 to 20 and section 32 relating to Processing to the Data Subject:
(a) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a Child; and
(b) in writing, electronically or, if requested by the Data Subject, orally as long as that Data Subject has provided proof of their identity.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
11. Information to be provided where Personal Data is collected from the Data Subject
(1) Where Personal Data relating to a Data Subject is collected from the Data Subject, the Controller must, at the time when Personal Data is obtained, provide the Data Subject with all of the following information:
(a) the identity and the contact details of the Controller;
(b) the contact details of the Data Protection Officer, where applicable;
(c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
(d) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
(e) the Recipients or categories of Recipients of the Personal Data, if any; and
(f) where applicable, the fact that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
(i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
(ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
Information to be provided where Personal Data is collected from the Data Subject
(1) Where Personal Data relating to a Data Subject is collected from the Data Subject, the Controller must, at the time when Personal Data is obtained, provide the Data Subject with all of the following information:
(a) the identity and the contact details of the Controller;
(b) the contact details of the Data Protection Officer, where applicable;
(c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
(d) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
(e) the Recipients or categories of Recipients of the Personal Data, if any; and
(f) where applicable, the fact that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
(i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
(ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
12. Information to be provided where Personal Data has not been obtained from the Data Subject
(1) Where Personal Data has not been obtained from the Data Subject, the Controller must provide the Data Subject with the following information:
(a) the identity and the contact details of the Controller;
(b) the contact details of the Data Protection Officer, where applicable;
(c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
(d) the categories of Personal Data concerned;
(e) the Recipients or categories of Recipients of the Personal Data, if any; and
(f) where applicable, that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
(i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
(ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(f) where applicable, the fact that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
(i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
(ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
(2) In addition to the information referred to in section 11(1), the Controller must, at the time when Personal Data is obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent Processing:
(a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the rights set out in sections 13 to 16, 18 and 19;
(c) where the Processing is based on either of sections 5(1)(a) or 7(2)(a):
(i) the existence of the right to withdraw Consent at any time; and
(ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
(d) the right to lodge a complaint with the Commissioner of Data Protection;
(e) whether the provision of Personal Data is a requirement under Applicable Law, a contractual requirement, or a requirement necessary to enter into a contract;
(f) whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
(g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
(h) if the Controller intends to Process Personal Data in a manner that will restrict or prevent the Data Subject from exercising their rights to request rectification or erasure of Personal Data in accordance with sections 14(1) or 15(1), or to object to the Processing of the Personal Data in accordance with section 19. In such cases, the Controller must:
(i) include a clear and explicit explanation of the expected impact on such rights; and
(ii) satisfy itself that the Data Subject understands and acknowledges the extent of any such restrictions.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(2) In addition to the information referred to in section 12(1), the Controller must provide the Data Subject with the following information necessary to ensure fair and transparent Processing in respect of the Data Subject:
(a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
(c) the existence of the rights set out in sections 13 to 16, 18 and 19;
(d) where Processing is based on either section 5(1)(a) or 7(2)(a),
(i) the existence of the right to withdraw Consent at any time; and
(ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
(e) the right to lodge a complaint with the Commissioner of Data Protection;
(f) from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources; and
(g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
64. Short title, scope and commencement
(1) These Regulations may be cited as the Data Protection Regulations 2021.
(2) These Regulations apply in the Abu Dhabi Global Market.
(3) The Board may by rules make any transitional, transitory, consequential, saving, incidental or supplementary provision in relation to the commencement of these Regulations as the Board thinks fit.
(4) Rules made under section 64(3) may amend any provision of any other enactment including subordinate legislation made under such enactment.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
(2) Each Processor must maintain a record of all categories of Processing activities carried out on behalf of a Controller, containing:
(a) the name and contact details of the Processor or Processors and of each Controller on behalf of which the Processor is acting and the Data Protection Officer;
(b) the categories of Processing carried out on behalf of each Controller;
(c) where applicable, transfers of Personal Data outside of ADGM or to an International Organisation, including the identification of that location outside of ADGM or the International Organisation and, in the case of transfers referred to in section 44(1)(b), the documentation of suitable safeguards; and
(d) where possible, a general description of the technical and organisational security measures referred to in section 30(1).
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021
Extracts :
Extract :
6. Conditions for Consent
(1) Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they (whether in writing, electronically or orally), by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.
(2) Silence, pre-ticked boxes or inactivity do not constitute Consent.
(3) For Consent to be informed, the Data Subject should be aware at least of the identity of the Controller and the purposes for which it is intended the Personal Data will be Processed.
(4) Where Processing is based on Consent, the Controller must be able to demonstrate that the Data Subject has consented to Processing of their Personal Data.
(5) If the Data Subject's Consent is given in the context of a written declaration which also concerns other matters, the request for Consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
(6) Any part of such a declaration which constitutes a contravention of these Regulations will not be binding.
(7) The Data Subject has the right to withdraw their Consent at any time. The withdrawal of Consent will not affect the lawfulness of Processing based on Consent before its withdrawal. The Data Subject must be informed of this before giving Consent.
(8) It must be as easy to withdraw Consent as it is to give Consent.
(9) When assessing if Consent is freely given the assessor must take into account whether:
(a) the Data Subject has a genuine or free choice or is unable to refuse or withdraw Consent without detriment; and
(b) the performance of a contract is conditional on Consent to the Processing of Personal Data that is not necessary for the performance of that contract.
Reference :
DATA PROTECTION REGULATIONS 2021
Official text of ARE Data Protection Law in 2021