Introduction
The Abu Dhabi Global Market (ADGM) recently issued the ADGM Data Protection Regulations 2021, “Regulations”, which will replace the prevailing ADGM Data Protection Regulations 2015 (as amended in 2018) the (“Former Law”). The new amendments provide a business-friendly approach for entities whilst offering a high-level benchmark of security towards personal data in line with the best international practice.
It is imperative to note that the regulations warrant a transitional period of 12 months for establishments in existence before 14 February 2021 and a transitional period of 6 months for entities registered on or after 14 February 2021 to be in accordance with the new law. This transitional period is to stimulate an amenable conversion and assimilation for the establishments. Additionally, during this transitional period, enterprises are urged to reassess their existing structures to make sure adequate steps are assumed to be complying with the new regulations.
The revised regulation offers controls that signify appreciation of the significance of personal data and essential protection of data subjects’ entitlements. The amendments to the ADGM Data Protection Regulations 2021 bring data regulation in the ADGM closer to the General Data Protection Regulation (GDPR) adopted in Europe. This, in turn, guarantees that foreign clients and enterprises establishing themselves in the ADGM can acclimate easily, which demonstrates a high level of protection when processing data.
Key amendments to the Data Protection law:
Scope
The former law was only applicable to establishments registered in the ADGM, however the as per Article 3 of the new regulations, mentions that the scope not only applies to establishments registered within the ADGM, but also entities registered in the ADGM, but processing data whether wholly or partly through an entity operating outside the ADGM. Where the Processor (means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) is processing personal data for a controller (means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) outside of ADGM, the processor must comply with the conditions of these regulations to the amount probable, considering whether the controller is subject to parallel requirements under the laws of its home jurisdiction.
Modalities for the exercise of the rights of the Data Subject
As per article 13, A data subject (an identifiable living person to whom the personal data relate to) has the right to request for information to be provided by the controller with regards to whether the controller is processing the data and access to that data. The former law did not outline a specified time frame to respond to the data subjects request, however, as per Article 10(5) of the new regulation, the new deadline for responding to requests for the provision of information is two months. The two-month deadline may be extended by one month if the data is complex or if the volume of requests by the data subject is high. The controller must make the data subject aware of this extension and provide the data subject with reasons for the delay within two months of receiving the request.
Data Protection Fee
The former law did require a data protection fee to be paid upon registration and upon renewal of such registration of processing data. However, the new regulations are more rigorous in the implementation of such fee payment through the issuance of hefty fines for non-payment. Article 24 encompasses the payment of a fee (to be determined) by the controller “before, or as soon as reasonably practicable after, it starts processing personal data”. It is important to note that the payment of this fee only applies to controllers that appoint a DPO. The data controllers must also pay a renewal fee every year “within one month of the expiry of the anniversary” from the date on which it began processing the data.
Appointment of the Data Protection Officer (DPO)
The appointment of a DPO is a new addition to the Regulations that did not exist before. As per Article 35 of the Regulations, state that, the controller and Processor must appoint a Data Protection Officer (DPO) who is responsible for overlooking a corporation’s data protection policy and its execution to guarantee compliance with the regulatory requirements, including undertaking a Data Protection Impact Assessment, which is a procedure to aid a DPO to identify and curtail the data protection perils of a venture as cited per Article 34 of the new Regulations.
The DPO need not be an employee of the controller nor be present in the ADGM when conducting business. However, the DPO must have the explicit awareness of the data protection law and practices, hence being able to complete their responsibilities as per the regulations. Therefore, when an establishment assigns a DPO, they must ensure that the pertinent person is selected to meet the essential establishments. Furthermore, certain establishments such as those who fewer than five employees need not appoint a DPO unless the establishment carries out high-risk processing activities.
Data Protection Impact Assessment
The former law did not present requirements for an entity to undergo a data protection impact assessment to regulate the risks associated with processing high-risk data. However, the new law, Article 34, states that a Data Protection Impact Assessment (DPIA) must be carried out before the processing of data that raises the possibility of high-risk to natural persons by the controller. The Commissioner of Data Protection “must publish a list of the kind of Processing operations” which would require a DPIA. The purpose of such is that establishments keep a record of how they are processing their data in relation to data security and protection. The controller will seek the help of the DPO to carry out the DPIA. This is very important in respect of entities transferring personal data to other jurisdictions from the ADGM.
Independent Supervisory Authority
Prior to the recent Regulations, the former law delegated the ADGM office of Data Protection with the task of supervision of data protection. The amendments state that the board will now employ a commissioner of data protection as per Article 47. The commissioner may be reappointed by the board every four years, which must not exceed a consecutive period of 12 years. The commissioner will ensure that controllers and processors of data are performing their duties and functions and act as an independent data protection supervisory authority as per Article 48.
Fines/Penalty
The new regulations impose heavy fines on data breaches; as per Article 55, the commissioner of Data Protection, via written notice known as a penalty notice, may issue a maximum fine of USD 28 million for administrative breaches. The fine may exceed this amount in cases of serious violations.
As per Article 56, if the controller fails to pay the Data Protection Fee or the Renewal Fee in accordance with section 24, a fine may be imposed on the controller up to 150% of the Data Protection Fee, or Renewal fee. The implementation of penalties for non-payment of said Data Protection Fee is a new addition to the Regulations.
Conclusion
The Regulations place a more rigid responsibility on controllers and processors. Controllers are held to a greater standard of liability and authority. The severity is further augmented by the establishment of an Independent Supervisory Authority. With the new implementation, this can be seen as an alluring venture for establishments to set up in the ADGM, including providing more security to existing entities. The new regulations bids lawful, fair, and visible processing in line with the subjects’ rights regarding the safety and correctness of the data, and this delivers a legitimate basis for processing the data.
