Privacy and protection: data in the ADGM
The Abu Dhabi Global Market (“ADGM”) continues to put its mark on the United Arab Emirates (“UAE”) with its unique combination of English and UAE laws, and its data protection system is no different. Based mainly on English principles, the ADGM has created a sophisticated framework for data protection that fits in with the UAE laws that apply to the free zones.
Scope of Data Protection in the ADGM
Any data processed by a company incorporated in the ADGM (the “Company”), whether the processing is as Controller or Processor (as defined below) or is carried out within or outside the ADGM, will be subject to the applicable laws of the ADGM as well as certain laws of mainland UAE that are applicable to the free zones (please see our article regarding data protection in mainland UAE).
The key consideration under ADGM laws is the rules and restrictions regarding personal data under the ADGM Data Protection Regulations 2021 (“DPR”), for which we note the following key definitions:
→ CDP: means the commissioner for data protection, the person appointed by the Board in accordance with the DPR to be the head of the Office of Data Protection.
→ Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
→ Data Subject: means an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
→ International Organisation: means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
→ Personal Data: means any information relating to a Data Subject.
→ Processing: means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
→ Processor: means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
The Company will be obligated to comply with the DPR in relation to all Personal Data for which it is a Controller, that it is Processing on behalf of another Controller and where it is a joint Controller.
The Company does not need to Process the Personal Data inside the ADGM to be caught by the DPR; the fact that it is an ADGM company is sufficient to catch any Personal Data that it Controls or Processes.
Key Principles of Data Protection in the ADGM
The DPR governs how Personal Data must be treated and sets out six principles for Processing Personal Data (summarised below). Personal Data must be:
1. processed lawfully, fairly, and in a transparent manner in relation to the Data Subject;
2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are Processed;
4. accurate and, where necessary, kept up to date;
5. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; and
6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Principle two sets out six lawful purposes for Processing Personal Data (as summarised below):
1. consent;
2. performance of a contract;
3. compliance with the law;
4. to protect a person’s vital interest;
5. performance of tasks carried out by public authorities; and
6. necessity of processing for legitimate interests.
One of the above purposes must apply to the processing of the Personal Data before it can be processed.
The DPR also provides for the rights of the Data Subject, including rights of access, rectification, and erasure. It places a number of obligations on both Processors and Controllers. The key obligations for the Controller concern the appropriate technical and organizational measures to ensure the security and protection of the data, maintaining appropriate records, cessation of processing, and dealing with data breaches (which must be notified to the CDP within 72 hours of such breach). Processors are required to have a contract with the relevant Controller ensuring that the Processor complies with the Controller’s instructions and carries out the necessary measures to ensure that the Personal Data processed by the Processor has the same protection as if it were processed by the Controller.
If the Company processes Personal Data on behalf of another entity, it may be a Processor; however, if it determines the purposes and means of the processing of the Personal Data, the Company will be either (i) a Controller in its own right or (ii) a joint Controller with that entity, and its data protection obligations and restrictions will differ accordingly.
Transfer of Personal Data outside of the ADGM or to International Organisations
Personal Data cannot be transferred outside of the ADGM or to an International Organisation other than as set out in Part V of the DPR. This will catch any Personal Data sent by FERTIL and any Personal Data sent to or stored by third parties outside of the ADGM; both transferring and storing Personal Data are Processing activities in their own right.
Personal Data can be transferred outside of the ADGM in the following circumstances:
→ without specific CDP authorization, where the CDP has determined that the receiving jurisdiction, specified sectors within the receiving jurisdiction or an International Organisation has an adequate level of protection of Personal Data (“Adequate Jurisdictions”); by way of example, the United Kingdom and the DIFC are currently deemed to be Adequate Jurisdictions;
→ without specific CDP authorization, where the transferring company (whether Controller or Processor) determines that the receiving jurisdiction, specified sectors within the receiving jurisdiction, or an International Organisation has provided the appropriate safeguards and that effective legal remedies are available for Data Subjects (this is limited to specific circumstances, such as contracts between public authorities, binding corporate rules within an international organization, adopted standard contractual clauses, an approved code of conduct, or an approved certification mechanism);
→ with specific CDP authorization, where the transferring party and receiving party enter into certain contractual provisions governing the appropriate safeguards in place regarding the Personal Data; or
→ upon one of the following conditions applying to the transfer:
the Personal Data has been requested from a public authority which has jurisdiction over the Controller or Processor;
the Data Subjects have consented to the transfer, having been informed of the possible risks;
the transfer is necessary for the performance of a contract between the relevant Data Subject and the Controller (or the implementation of pre-contractual measures requested by the Data Subject);
the transfer is necessary for the performance or conclusion of a contract in the interest of the Data Subject between the Controller and another person;
the transfer is necessary for reasons of public interest (in accordance with Law) or to protect the vital interests of the Data Subject or another person; and
the transfer is required by law enforcement agencies in the UAE or is necessary for the establishment, exercise or defence of legal claims.
Companies transferring Personal Data to jurisdictions outside those on the Adequate Jurisdictions list will typically seek to rely on the conditions that the transfer is necessary for the performance of a contract with the Data Subject, or for the performance of a contract in the interest of the Data Subject, in order to transfer Personal Data outside the ADGM.
The ADGM has a sophisticated data protection system; however, it was recently announced that a new UAE federal law regarding data protection is to be introduced, and its implications for the ADGM’s European-based data protection system are as yet unknown.
Malack El Masry
Partner
(+971) 503977689
malack.elmasry@inp.legal
Charlotte Jackson
Senior Associate
(+971) 50 9910 387
charlotte.jackson@inp.legal