
ADGM Data Protection Law 2021: New Regulations Businesses Need to Know

March 28, 2022

On February 11, 2021, the Abu Dhabi Global Market (ADGM), an established international financial centre located on Al Maryah Island, Abu Dhabi, enacted the ADGM Data Protection Regulations 2021 and published them a few days later, on February 14. ADGM DPR 2021 repeals ADGM DPR 2015 and its subsequent 2018 amendment.

If you are doing business in the ADGM, now is the time for a technology risk advisory to ensure that your business is ADGM DPR 2021 compliant. You don't have much time.

The new regulations take effect on February 14, 2022, for businesses existing in the free zone when DPR 2021 was published. For businesses established in the ADGM after February 14, 2021, compliance is expected by August 14, 2022.

The following are the key changes that DPR 2021 introduces to ADGM's data protection regulations.

1. Extension of Territorial Scope

DPR 2015 applied only to businesses registered in the ADGM. DPR 2021 still applies to all registered companies in the ADGM, but it may also apply to data processing activities outside the ADGM.

Specifically, the new regulations apply to all personal data processing activities of a business established in the ADGM, even if the actual processing is done by a processor or an establishment based outside the ADGM.

Moreover, suppose a business based in the ADGM is processing personal data for an entity registered outside the free zone. In that case, the ADGM-based entity must, as far as possible, fulfil its obligations under DPR 2021. It must also take account of whether or not the entity it is processing data for has similar obligations in its home jurisdiction.

2. Material Scope Specification

DPR 2015 was silent on material scope, but DPR 2021 clearly specifies its material scope.

Specifically, data protection regulations apply to the processing of personal data by automated, partly automated or non-automated means as long as such personal data forms part of a filing system.

In other words, as long as the personal data is processed to form part of a structured dataset accessible according to specific criteria, that data is covered by DPR 2021.

3. Designation of a Data Protection Officer

DPR 2021 requires processors and controllers to appoint a data protection officer (DPO). DPR 2015 did not have such a requirement.

Controllers are natural or legal persons, public authorities, agencies, or bodies that determine solely or jointly with other entities the purposes and means of personal data processing. Processors, on the other hand, are the natural or legal persons, public authorities, agencies, or bodies that perform the personal data processing on behalf of or at the direction of the controller.

The DPO requirement does not apply if an establishment has fewer than five employees. However, this exemption is waived if the business entity performs processing activities classified as high-risk.

The following are a few of the DPR 2021 regulations regarding DPOs:

  • A DPO doesn't need to be a resident of ADGM.
  • One person may be the DPO for a single entity or for multiple entities, as long as they are easily accessible to each of those entities.
  • A DPO may perform other roles besides that of data protection officer, as long as those other functions do not conflict with their responsibilities as a DPO.
  • A DPO does not need to be an employee of the controller or processor that appointed them as its DPO. However, there must be an agreement in writing to this effect.
  • Processors and controllers must appoint their DPOs based on professional qualifications, expert knowledge on data protection law, and the ability to fulfill a DPO's tasks.

4. Requirement of a Data Protection Impact Assessment

Controllers in charge of high-risk processing activities must assess the impact of their data processing activities.

Personal data processing activities are deemed high-risk when they satisfy one or more of the following criteria:

  • Involve a high volume of personal data.
  • Pose a high risk to data subjects.
  • Entail profiling or other such systematic and extensive evaluation of characteristics of natural persons that may have legal or otherwise significant effects on such persons.
  • Involve the use of unproven or different technologies that might increase the data subjects' risks or negatively affect their rights.
  • Include processing of special data categories such as religion, political opinions, biometrics and other personally identifiable data, sexual orientation, and criminal convictions, among others, the processing of which is generally prohibited in DPR 2021 unless mandated by law.

5. Provision for Data Subjects Rights

DPR 2021 specifies the rights of data subjects, that is, the persons whose data is collected or processed. If a data subject wishes to exercise one of these rights (for example, the right to data access, rectification, erasure, or restriction of processing, among others), DPR 2021 mandates that the controller respond within two months of receiving the data subject's request.

However, under certain circumstances, controllers may be exempt from the requirement to comply with a data subject's request to exercise a right. For instance, if the exercise of a data subject's right would compromise national security or harm the public interest, the exemption would apply.

6. Data Breach Notification Requirement

DPR 2021 requires controllers to notify the ADGM Office of Data Protection's Commissioner of Data Protection within three days or 72 hours of becoming aware of a data breach.

7. Revised Cross-Border Transfer Regulations

DPR 2021 tightens control over cross-border data transfers. When data must be transferred outside ADGM for processing or after processing, certain conditions must be satisfied.

For instance, transfers are allowed if the Commissioner of Data Protection has decided that the receiving jurisdiction has adequate protection in place for personal data. Likewise, if the data subject has consented to the transfer or if the controller must perform the data transfer to fulfil a contract between itself and the data subject, that transfer is allowed.

8. Fines

Under DPR 2021, the Commissioner may levy fines of up to USD 28 million for data breaches. DPR 2015 did not specify penalties.

DPR 2021 Compliance

DPR 2021 is extensive and multi-faceted. If you have an ADGM business, consult a technical risk management consultant to ensure your business's compliance with the new data protection regulations.

Likewise, if you plan to set up a business in the ADGM, consult a company formation consultant specialising in Abu Dhabi free zone business setup services to ensure compliance not only with DPR 2021, but all other relevant regulations.

Ready for your IT risk consulting or Abu Dhabi free zone company formation? Contact us to consult a technology risk consultant or a business setup Abu Dhabi specialist.
