On 14 February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021. The Regulations replace the current Data Protection Regulations and will come into force following a transition period of 12 months for current establishments (ie those companies that were incorporated in the ADGM before 14 February 2021), and six months for new establishments (ie those companies that were incorporated in the ADGM on or after 14 February 2021).

The Regulations have been enacted following a period of public consultation and further align the ADGM's personal data processing requirements with the European Union's General Data Protection Regulations. Notably, the Regulations introduce changes to recognise the importance of personal data and the protection of data subjects' rights.

Below, we've outlined some of the key changes implemented by the Regulations that you should consider if you or your business is based in ADGM or conducts business with an establishment based there.

What is the territorial scope of the Regulations?

The Regulations have widened the net to capture any personal data processing connected to activities of a data controller or data processor established in or operating out of the ADGM. This is irrespective of whether the processing actually takes place in the ADGM or whether the data is being processed through an establishment outside of the ADGM.

Appointing a Data Protection Officer

The Regulations require your business to appoint a Data Protection Officer in circumstances where: 

• the processing of data is carried out by a public authority (except for courts acting in their judicial capacity)
• core activities of your business consist of personal data processing operations which require regular and systemic monitoring of data subjects on a large scale, or 
• core activities of your business consist of processing special categories of personal data on a large scale (ie data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric information, health information, sexual orientation or criminal convictions).

However, it's important to note that the obligation to appoint a Data Protection Officer will not apply to your company if it employs fewer than five people, unless it carries out high-risk processing activities. This includes (but isn't limited to) scenarios where: 

• a high volume of personal data is processed
• the processing is likely to result in high risk to the relevant data subjects
• the processing includes special categories of personal data (set out above).

Furthermore, the Data Protection Officer does not need to be present in the ADGM or be an employee of a data controller – it may even hold multiple roles in a business and/or operate multiple businesses. Nevertheless, a key requirement is that the Data Protection Officer must be appointed on the basis of their professional qualities and (in particular) expert knowledge of the data protection law and practices, and their ability to fulfil the tasks referred to in the Regulations. Therefore, if your business is obligated to appoint a Data Protection Officer, you must ensure that the relevant person is able to meet these requirements.

Paying the new data protection fee

If your business acts as a data controller, it must now pay a data protection fee to the Commissioner of Data Protection covering 12 months from the date your business commenced the processing of personal data, and an annual renewal fee. However, the specific amount of the fees payable to the Commissioner has not yet been determined.

Completing appropriate policy documents

The Regulations also introduce the unique requirement for all companies that are subject to the Regulations to have "appropriate policy documents" in place if it processes special categories of personal data. In practice, this is likely to mean that your company will need to update or draft policies and contractual documents to achieve full compliance under the Regulations. In particular, your company may need to revisit its privacy policy, employment related policies, and anti-money laundering policies to address how and why personal data will be collected and how long it will be retained.

Notifying the Commissioner of personal data breaches

If your business suffers a personal data breach or acts as a data controller for personal data where such a breach has occurred, you must notify the Commissioner within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights of the data subjects. If you fail to make the notification within 72 hours of the data breach occurring, you must provide reasons for the delay. However, in circumstance where the personal data breach is likely to result in a high risk to the rights of the data subjects, the data controller must communicate the data breach to the affected parties without unnecessary delay.

Responding to a data subject's request on time

The Regulations grant data subjects certain rights and sets a timeline of two months for your company to respond to/comply with any data subject request once it has been received. However, the timeline for compliance may be extended by a further two months for complex requests.

Conducting an impact assessment

The Regulations introduce the requirement for a data controller to conduct a data protection impact assessment in circumstances where the processing of data is likely to result in high risk to the rights of natural persons. A list of processing operations which are subject to the requirement for a data protection impact assessment is due to be published by the Commissioner. Therefore, if your business acts as a data controller, you should keep an eye out for further communications from the Commissioner.

Avoiding penalties

The Regulations imposes substantial fines for any data breaches; therefore, adequate measures/procedures should be put in place by your company to ensure that data is projected appropriately. The Regulations impose a maximum fine of USD 28 million for administrative breaches, with additional scope for larger fines for more serious violations. In cases of multiple breaches for the same or linked conduct, fines imposed will be assessed and the USD 28 million cap will apply on a cumulative basis.

Here to help

Please reach out to a member of our Data Protection & Cyber team if you need advice on data due diligence, development of policy and contractual documentation, dealing with data subject requests, complaints or in-house training.