Abu Dhabi Global Market Updates Data Protection Regulations
Several amendments to the ADGM data protection Regulations, effective last February 1st, prescribe new obligations and timings to data controllers.
Abu Dhabi Global Market, the financial free zone in the Emirate of Abu Dhabi with its own judicial and legislative infrastructure based on Common Law, has recently amended its data protection Regulations, introducing updated defined terms, data breach notification timeframes and more extensive enforcement provisions.
The amendments follow the establishment of the ADGM Office of Data Protection in December 2017.
By way of background, while there is currently no formal legal framework tackling data protection at a federal level in the UAE, ADGM has had its own data protection regime in place since October 4th, 2015, consistent with EU and international standards.
Under the regime, ADGM registered companies are subject to specific obligations when collecting, storing, processing and transferring individuals’ personal data, with the aim of protecting the right to privacy of the individuals to whom personal data relates.
As a general principle, a duty to any information which is being processed by means of equipment operating automatically or is recorded with the intention that it should be processed by means of such equipment. Likewise, the definition of “sensitive personal data” has been refined to explicitly include an individual’s criminal record, making it more consistent with the similar definition in force under EU legislation.
Data export provisions have been rephrased, on the one hand by expanding the list of jurisdictions offering an adequate level of protection (which now includes Andorra, the Faroe Islands, and most notably the Dubai International Financial Centre), on the other hand by providing the Registrar with the power to delist a foreign jurisdiction in case it no longer assures an adequate level of protection.
A more pressing breach notification timeframe has been adopted, as data controllers are now expected to inform the Registrar of an unauthorized intrusion to any personal data “without undue delay, and where feasible, not later than 72 hours after becoming aware of it”, says the provision (while previously the notice was due “as soon as reasonably practicable”).
The new provisions 14.3.e and 14.3.f extend the Registrar’s authority to impose fines in the event of non-compliance with its direction or with the Regulations, with the maximum fine for non-compliance now being increased from 15,000 USD to 25,000 USD. Moreover, the Registrar is now explicitly granted the power to make rules in respect of the procedures relating to the imposition of sanctions or fines and to amend any of the related amounts.
Affected companies are advised to consider the exact wording of the amended Regulations and conduct a thorough audit of the processes in place, especially in respect of the breach notification timeframe, where existing processes may now reveal a compliance gap.
Closely monitoring any further developments seems appropriate: with the EU General Data Protection Regulation being only a couple of months away, additional modifications to the existing ADGM Regulations would not come as a surprise.
KEY FACTS
ADGM OFFICE OF DATA PROTECTION: was established in December 2017 within the ADGM Registration Authority with the aim of overseeing data protection compliance in the financial center.
SENSITIVE PERSONAL DATA: means data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life.
DATA CONTROLLER AND DATA PROCESSOR: The former is any subject that determines the purposes and means of the processing of personal data, the latter is any subject that processes personal data on behalf of a data controller.