UAE ADGM GDPR Data Protection Laws

The Abu Dhabi Global Market (ADGM) Data Protection Law 2021 (DP Law) applies to the ADGM international financial centre free zone in Abu Dhabi, United Arab Emirates. The law was adopted on 14 February 2021. The new law updates and replaces the 2015 law. The ADGM DP Law protects the personal data held and processed by organisations that are registered in the ADGM as well as linked external organisations. New data protection principles include lawfulness, fairness, transparency and accountability. Individuals have new rights relating to data portability, automated decision-making and profiling. Businesses must be accountable and demonstrate compliance with expanded data protection principles. The ADGM Office of Data Protection, Commissioner of Data Protection, is the regulator. Enforcement starts on 14 August 2021 for organisations that registered at ADGM after 14 February 2021. ADGM organisations that were registered before 14 February 2021 must comply with the new law by 14 February 2022.

1. What types of organisations are covered by ADGM DP Law?

The law applies to businesses (controllers) that are registered in the ADGM and that process personal data or sensitive personal data. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Personal data used and stored outside of ADGM, but concerning ADGM registered organisations, is also covered by the law. Processors registered in ADGM who process personal data for controllers outside the ADGM are also covered by the law, to a limited extent.

2. What types of data or information are covered by ADGM DP Law?

The ADGM DP Law protects personal data, which is defined as any data relating to an identified natural person or identifiable natural person. This also includes data containing opinions and intentions about identified or identifiable individuals. The ADGM DP Law also applies to sensitive personal data, which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), data about health, data about a person’s sex life or sexual orientation, personal data relating to criminal convictions and offences or related security measures.

3. What are the main ADGM DP Law obligations for businesses?

ADGM registered businesses must:

  • Register as a Data Controller with ADGM Office of Data Protection ($300 USD) and renew the registration every year ($100 USD).
  • Apply for permits to process sensitive personal data ($100 USD), apply to transfer personal data ($100 USD) and to register data processors.
  • Comply with the ADGM DP Law data protection principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
  • Appoint a Data Protection Officer (DPO), if high risk data processing takes place on a systematic or regular basis.
  • Report personal data breaches to the Office of Data Protection within 72 hours of becoming aware of them.
  • Complete Data Protection Impact Assessments (DPIAs) for high risk data processing and report these to the ADGM Office of Data Protection. Put in place an appropriate policy for processing sensitive personal data.
  • Respond to the exercise of data protection rights from individuals within 2 months of receiving these requests.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with ADGM DP Law?

Yes, in large part, but not completely. GDPR and ADGM DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. ADGM DP Law was enacted to include provisions that largely mirror the EU’s GDPR requirements. GDPR data mapping and records of processing activity logs can help to identify ADGM DP Law impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist ADGM DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. ADGM has published its own data protection standard contractual clauses, for personal data transfers outside of the ADGM.  

5. Does the ADGM DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in ADGM and process personal data in the ADGM then the ADGM DP Law will apply. The law also applies to foreign businesses that process data on behalf of organisations registered in the ADGM. The ADGM Commissioner of Data Protection can impose administrative fines of up to $28 million (USD).