The Abu Dhabi Global Market (hereinafter referred to as “ADGM”) announced on July 25th, 2021, that, pursuant to section 60 of the Data Protection Regulations 2021 (hereinafter referred to as “DPR 2021”) and after taking into account the general provisions of sections 1, 2 and 3 of the Regulations, it has issued new rules under the DPR 2021.
The following new rules are to be implemented and enforced by the Commissioner of Data Protection of the ADGM:
- Data Protection Regulations (Fees) Rules 2021 (DPR Fees Rules); and
- Data Protection Regulations (Fines) Rules 2021 (DPR Fines Rules)
The new rules aim to lay down the fines and fees to be imposed under various provisions of the Data Protection Regulations 2021.
Abu Dhabi, one of the seven emirates that comprise the United Arab Emirates (UAE), opened a free zone, or special economic area, for banking and finance called the Abu Dhabi Global Market (ADGM). The ADGM was created by Federal Decree No. 15 of 2013 and Cabinet Resolution Number 15 of 2013 and is an international financial centre and free zone located on Al Maryah Island. The financial centre was established in 2013 by the Abu Dhabi Chamber of Commerce and became fully operational in October 2015.
The ADGM has been established as a separate jurisdiction, like another financial zone of the UAE, the Dubai International Financial Centre (DIFC). Accordingly, the ADGM has developed its own laws, regulator, and judiciary. Common law forms the basis of its legal system. Its status as a free zone enables, among other things, 100% foreign ownership.
ADGM has three independent authorities of its own – the Registration Authority (RA), the Financial Services Regulatory Authority (FSRA) and ADGM Courts.
Data Protection Regulations 2021
The ADGM, with an aim to empower “entities and authorities with a robust foundation to update their existing data protection compliance programmes”, issued a new Data Protection Regulation on 11th February 2021, superseding and substituting the previous Data Protection Regulations of 2015 (as amended in 2018).
The revised regulation covers eight key areas, includes advisory information, provides examples of practical application, and provides controls that reflect recognition of the importance of personal data and the fundamental protection of data subjects’ rights. This includes the applicability and governance of personal data in emerging technologies. One of the significant features of the new data protection regulation is the requirement to establish an independent data protection office to monitor compliance with the regulation.
A transition period of 12 months is proposed for current establishments, and six months for new establishments, from 14 February 2021.
Scope and Applicability
The Regulations have widened the net to capture any personal data processing connected to activities of a data controller or data processor established in or operating out of the ADGM. Hence the scope of Data Protection has now been widened to:
- Any business registered in the ADGM
- Any business established in the ADGM, but processing data through an establishment outside the ADGM
- Regulations apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data, which forms part of a filing system or is intended to form part of a filing system.
Changes in ADGM DPR 2021
Requirement of Data Protection Officer
- The ADGM proposes the appointment of a DPO.
- The DPO does not need to be present in the ADGM or be an employee of the data controller. This is to ensure businesses in the ADGM can leverage their global DPO role.
- The DPO can also hold multiple roles in a business and/or operate with respect to multiple businesses, without conflict.
- Obligation of appointment of a DPO does not apply to an establishment employing fewer than five employees, unless it carries out high-risk processing activities.
Accountability and Governance
The new law adds the accountability principle and requires:
- Data protection by design and by default
- Records of data processing
- Data protection impact assessments
- Data protection officers
- Binding corporate rules
- Data protection fee
Exemptions to data subject rights
The new regulation proposes exempting data controllers from complying with data subject rights in certain limited cases, provided the exemption “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure” by which to achieve the relevant aim.
General principles for transfer include a high level of protection of personal data, incorporating safeguards such as:
- Receiving jurisdiction ensures an adequate level of protection of personal data.
- Binding corporate rules (BCRs) and model clauses.
- Transfer is necessary for important reasons of public interest in the ADGM.
- Transfer is required by law enforcement agencies of the UAE.
- Transfer is necessary to protect a person’s life.
- Data subject has explicitly consented to the proposed transfer.
- Transfer is necessary for the performance of a contract between the data subject and the controller.
Independent supervisory authority
- The board shall appoint a commissioner of data protection to oversee the administration and operation of the office for data protection as an independent data protection supervisory authority.
- The board may reappoint the commissioner of data protection for consecutive periods, which must not exceed in total 12 years.
- The commissioner of data protection and other officers or staff are collectively referred to as the office of data protection.
New Rules under Data Protection Law 2021
Adopted on 18th July 2021, the new DPR Fees Rules and DPR Fines Rules were made in accordance with Section 60 of the Data Protection Regulations 2021, after taking into account the general provisions of sections 1, 2 and 3 of the Regulations, to supplement DPR 2021. The ADGM proposes maintaining the flat fee structure of the existing regulations but applying it only to those data controllers that are required to engage a DPO. The Regulations themselves prescribe a maximum fine of USD 28 million for administrative breaches, with additional scope for larger fines (unlimited) for more serious violations.
- The new DPR Fees Rules prescribe the fee payable in data protection matters under Section 24(1) of DPR 2021 as USD 300. The DPR Fines Rules lay down that failure to pay this data protection fee will result in a fine of up to a maximum of USD 750, as per sections 56(1) and 56(2) of the Regulations.
- The fee payable for renewal under Section 24(2) of DPR 2021 will be USD 300. Failure to pay this renewal fee will result in a fine of up to a maximum of USD 250, as per sections 56(1) and 56(2) of the Regulations.
Over to you…
Should you need any clarification or would like to discuss any query related to the said development or generally any aspect related to the Indian Law, please feel free to contact me: salman.waris[at]techlegis.com