26 April 2021
Middle East update – April 2021 – 1 of 4 Insights
On 14 February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021. The Regulations replace the current Data Protection Regulations and will come into force following a transition period of 12 months for current establishments (ie those companies that were incorporated in the ADGM before 14 February 2021), and six months for new establishments (ie those companies that were incorporated in the ADGM on or after 14 February 2021).
The Regulations have been enacted following a period of public consultation and further align the ADGM's personal data processing requirements with the European Union's General Data Protection Regulations. Notably, the Regulations introduce changes to recognise the importance of personal data and the protection of data subjects' rights.
Below, we've outlined some of the key changes implemented by the Regulations that you should consider if you or your business is based in ADGM or conducts business with an establishment based there.
The Regulations have widened the net to capture any personal data processing connected to activities of a data controller or data processor established in or operating out of the ADGM. This is irrespective of whether the processing actually takes place in the ADGM or whether the data is being processed through an establishment outside of the ADGM.
The Regulations require your business to appoint a Data Protection Officer in circumstances where:
However, it's important to note that the obligation to appoint a Data Protection Officer will not apply to your company if it employs fewer than five people, unless it carries out high-risk processing activities. This includes (but isn't limited to) scenarios where:
Furthermore, the Data Protection Officer does not need to be present in the ADGM or be an employee of a data controller – it may even hold multiple roles in a business and/or operate multiple businesses. Nevertheless, a key requirement is that the Data Protection Officer must be appointed on the basis of their professional qualities and (in particular) expert knowledge of the data protection law and practices, and their ability to fulfil the tasks referred to in the Regulations. Therefore, if your business is obligated to appoint a Data Protection Officer, you must ensure that the relevant person is able to meet these requirements.
If your business acts as a data controller, it must now pay a data protection fee to the Commissioner of Data Protection covering 12 months from the date your business commenced the processing of personal data, and an annual renewal fee. However, the specific amount of the fees payable to the Commissioner has not yet been determined.
The Regulations also introduce the unique requirement for all companies that are subject to the Regulations to have "appropriate policy documents" in place if it processes special categories of personal data. In practice, this is likely to mean that your company will need to update or draft policies and contractual documents to achieve full compliance under the Regulations. In particular, your company may need to revisit its privacy policy, employment related policies, and anti-money laundering policies to address how and why personal data will be collected and how long it will be retained.
If your business suffers a personal data breach or acts as a data controller for personal data where such a breach has occurred, you must notify the Commissioner within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights of the data subjects. If you fail to make the notification within 72 hours of the data breach occurring, you must provide reasons for the delay. However, in circumstance where the personal data breach is likely to result in a high risk to the rights of the data subjects, the data controller must communicate the data breach to the affected parties without unnecessary delay.
The Regulations grant data subjects certain rights and sets a timeline of two months for your company to respond to/comply with any data subject request once it has been received. However, the timeline for compliance may be extended by a further two months for complex requests.
The Regulations introduce the requirement for a data controller to conduct a data protection impact assessment in circumstances where the processing of data is likely to result in high risk to the rights of natural persons. A list of processing operations which are subject to the requirement for a data protection impact assessment is due to be published by the Commissioner. Therefore, if your business acts as a data controller, you should keep an eye out for further communications from the Commissioner.
The Regulations imposes substantial fines for any data breaches; therefore, adequate measures/procedures should be put in place by your company to ensure that data is projected appropriately. The Regulations impose a maximum fine of USD 28 million for administrative breaches, with additional scope for larger fines for more serious violations. In cases of multiple breaches for the same or linked conduct, fines imposed will be assessed and the USD 28 million cap will apply on a cumulative basis.
Please reach out to a member of our Data Protection & Cyber team if you need advice on data due diligence, development of policy and contractual documentation, dealing with data subject requests, complaints or in-house training.
26 April 2021
22 April 2021
by Jerry Parks
26 April 2021
by Jerry Parks