The New Abu Dhabi Global Market Data Protection Regulations (Data Protection Regulation, 2021)

Abu Dhabi Global Market (ADGM) is an internationally acclaimed free zone in the UAE. It is a separate entity having its own laws and can enact new laws whenever it is required to regulate matters in its jurisdiction. The Abu Dhabi Global Market has promulgated new data protection regulations, namely Data Protection Regulations 2021 (New Regulations), to protect the personal data processed or controlled from within the Abu Dhabi Global Market (ADGM) on the 14th of February 2021 by overriding the already existing Data Protection Regulations 2015. Another objective of the New Regulations is to promote lawful, fair, and transparent processing of Personal Data and bring the data protection laws in line with the European Union’s benchmark data protection laws, the General Data Protection Regulations (the GDPR). The New Regulations have adopted some definitions and provisions from the GDPR. The New Regulations are binding on the current establishments after twelve months and binding on the new establishments (establishments registered after the promulgation of the New Regulations;14th February 2021) after six months, from the publishing date of the New Regulations.

The New Regulations are business-friendly and proportionate according to the ADGM. The New Regulations have introduced a new independent Office of Data Protection, which will be headed by the Commissioner of Data Protection. The ADGM Board would appoint the Commissioner. The Commissioner will be responsible for promoting data protection within ADGM, maintaining a register of data controllers, enforcing obligations upon data controllers, and upholding the rights of individuals. Furthermore, a provision for a data protection fee is also included in the New Regulations. The Controller shall pay a stipulated amount (Shall be decided by the ADGM) of data protection fee to the Commissioner of Data Protection for 12 months from the date it commenced processing personal data under the New Regulations. This processing fee shall be liable to be renewed each year within one month of expiry of twelve months period. This obligation does not apply to the establishments having employees less than five unless that establishment carries out High-Risk Processing Activities.

The New Regulations have prohibited the processing of “Special Categories of Personal Data,” which includes genetic data, biometric data, racial, ethnicity, and religious beliefs revealing data, personal data related to criminal convictions for security measures, data concerning health or sexual orientation. This prohibition is exempted in some circumstances, such as when the Data Subject (person who is providing his/her data) explicitly gives consent for the processing of his/her data or if the processing of such data is in public interest or processing is necessary for research purposes and so on.

The New Regulations expressly incorporated provisions for the protection of rights of the Data Subject. When the data is collected from a Data Subject at that time, the controller is liable to inform and provide the Data Subject with all the relevant information regarding the controller and purpose of data collection and its use, the period for which such data is being collected for, etc. The Data Subject is conferred with the right to inquire from the Controller about the purpose of processing his/her data and other information regarding his/her data. He/she can request to obtain a copy of Personal Data undergoing processing. The Data Subject can rectify his personal data at any time by requesting rectification to the Controller for any incomplete data. The Data Subject has the right of erasure; he/she can request the Controller to erase any particular regarding him/her without any delay.

The right to restrict processing of data, the right to object to any action concerning data, and the right to portability of data provided by the Data Subject. Moreover, the Data Subject has the right to lodge a complaint with the Commissioner of Data Protection in case of any contravention happens regarding his/her personal data processing. He/ she shall be entitled to compensation in case of any infringement to his/her rights conferred under these regulations. The New Regulations have a set duration of two months (can be further extended for a month if necessary) for the Controller to respond to the Data Subjects’ requests. The New Regulations introduced significant fines for a data breach, with a strict cap not exceeding USD 28 million (US Dollars). Data Subjects also have direct rights under the New Regulations to claim compensation. The ADGM Board is authorized to make rules regarding matters within the New Regulations’ scope and objectives in the interest of the Abu Dhabi Global Market. If you have any queries regarding the new ADGM regulations visit our official website.