February 27, 2021by Admin0
Data security

The Abu Dhabi Global Market (ADGM) launched new Data Protection Regulations (“the Regulations”) on 14th February 2020, replacing the 2015 version. The new regulations broadly align itself with the European Union’s General Data Protection Regulation (GDPR), which is considered to be the gold standard for data protection legislation.

Key Features of The Regulations

The new regulations aim to offer a higher standard of personal data protection and promotes lawful, fair and transparent processing of personal data.

Transition Period: The Regulations are expected to give additional responsibilities on data controllers and data processors. To ease their coping with the new changes, a transition period of 6 and 12 months respectively for new and current establishments is proposed.

Office of Data Protection and Commissioner: An independent Data Protection Office was established and a Commissioner was appointed with a four years tenure.

Controller or Processor: The processing of personal data is to be carried out by a Controller or Processor operating in ADGM. The Controller determines the purposes and means of processing and instructs the Processor to carry out the processing. The Personal Data Collection can be directly done by the Controller, or with the help of the Processor.

Territorial Scope: The Regulations apply to the processing done by a Controller/Processor operating in the ADGM. If the Controller is located outside the ADGM and the processing is carried out through a Processor located in the ADGM, then the Regulations will apply to the Processor.

Personal Data: It is defined as any information ‘relating’ to a Data Subject. The term can be given a broad interpretation in order to include unknown non-personal data.

Data Protection Officer (DPO) : Controllers or Processors are required to appoint a DPO in case of:

  • Processing by a public authority (except courts)
  • Large scale processing which requires monitoring of Data Subjects
  • Large scale processing on Special Categories of Personal Data.

Smaller organisations with employee count below 5 are exempted unless High Risk Processing Activities are involved.

DPO need not be an employee of the Controller/Processor, nor is his presence in the ADGM compulsory and the appointment is based on professional qualities and expertise in Data Protection Law.

High Risk Processing Activities (HRPA): If the Processing comes under any of the following categories, the activity can be regarded as a HRPA.

  1. Large volume of personal data
  2. High risk to the rights of Data Subjects;
  3. Evaluation of personal matters of natural persons including profiling. May have legal effects concerning or affecting the person;
  4. Use of new technologies or methods, which increases the risk to Data Subjects, thereby making the exercise of their rights difficult;
  5. Special categories of personal data, especially where required by law.

Data Protection Impact Assessment (DPIA): Obligation is cast on the Controller to conduct a DPIA prior to undertaking High Risk Processing Activities, after consulting with the DPO. The Assessment deals with:

  1. The nature, scope, context and purpose of processing;
  2. Necessity, proportionality and compliance measures;
  3. Risks to individuals;
  4. Measures to mitigate the risks.

The Controller must notify the Commissioner if the Assessment reveals that the processing may involve risk.

Fines: The New Regulations impose the highest penalties in the region for non-compliance and proposes significant fines for data breach. There is a cap of USD 28 million. Data Subjects can also claim compensation for breaches.

Time-line: The deadline for responding to the requests of Data Subjects is two months, and this period can be extended for another one month, if the request is complex.

Personal Data Breach: The Controller must notify the Commissioner within 72 hours of the knowledge about the breach, except when the breach is unlikely to risk the rights of natural persons. The Controller must also notify the Data Subject about the breach, and summarize the possible risks to his rights, without undue delay.

Principles of processing Personal data

One must follow a set of principles while processing personal data. They are:

  • Data should be handled lawfully and transparently in relation to the Data Subject.
  • Reason for collection should be specified and the purposes should be legitimate.
  • The data collected should be just enough to serve the purpose;
  • The data collected should be correct and measures must be taken to erase inaccurate data without delay.
  • The data should be kept in an easily identifiable form.
  • Data should be processed with utmost security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Relevance of Consent

A consent is the clear declaration of the Data Subject’s  wishes either in writing or orally, or any other affirmative action agreeing to the processing of personal data relating to them.

  • Silence, pre-ticked boxes or inactivity does not mark consent.
  • Data Subject should be aware of the Controller’s identity and the intention of the personal data to give a consent.
  • Controller should be able to prove that the Data Subject has consented for consent based data processing.
  • In instances of written consent where other matters are also presented, the consent should be clearly distinguishable from the rest.

The Data Subject should be made aware that he or she has the right to withdraw their consent at any time and that will not affect what happened prior to the withdrawal. The withdrawal process should be as easy as to give the Consent.

Rights of data Subject

The new Regulations includes eight individual data rights. They are

  • The right not to be subject to a decision based solely on automated processing.
  • The right to data portability i.e., to receive the personal data that is held by the controller in a structured, commonly used and machine-readable format;
  • The right to receive the data in a concise, transparent, intelligible, and easily accessible form, in writing, electronically or even orally.
  • The right to obtain confirmation as to the status of the personal data processing and also access to the data and information that follows.
  • The right to request and obtain the rectification of inaccurate personal data concerning him or her.
  • The right to erase the personal data
  • The right to restriction of Processing
  • The right to object at any time, on grounds relating to their particular situation, to the processing of their personal data.

To summarize, the new DPR2021 brings about significant changes to the ADGM’s existing data protection regime which was based on the OECD Privacy Guidelines and the European Data Protection Directive. The new regime introduces several additional responsibilities for both data controllers and data processors, and enhanced data subject rights for data subjects. It promotes the protection of individual’s personal data in a far effective way. The new Regulations as quoted by ADGM is “a world-class data protection framework that protects personal data, while also remaining balanced and business-friendly”. The new changes are expected to position ADGM as a regional leader in Data Protection.

About ATB Legal

ATB Legal is a full-service legal consultancy in the UAE providing services in dispute resolution (DIFC Courts, ADGM Courts, mainland litigation management and Arbitrations), corporate and commercial matters, IP, business set up and UAE taxation. We also have a personal law department providing advice on marriage, divorce and wills & estate planning for expats. Please feel free to reach out to us at for a non-obligatory initial consultation.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − 11 =