The New Data Protection Regulations in the Abu Dhabi Global Market (ADGM)

February 16, 2021
Download PDF

Abu Dhabi Global Market (“ADGM”) announced on 14 February 2021 that it has enacted the Data Protection Regulations 2021 (the “DPR 2021”), which will replace the current Data Protection Regulations 2015. The latter will be repealed, allowing for the DPR 2021 to come into force on the following dates:

  • 14 February 2022, namely a 12-month transition period for existing establishments in ADGM; and

  • 14 August 2021, namely a 6-month transition period for new establishments that are registered in ADGM on or after 14 February 2021.

The purpose of DPR 2021 is to align the ADGM’s legal framework for the processing of personal data with the European Union’s General Data Protection Regulation (the “GDPR”), regarded as the leading international standard and best practice in data protection legislation. In July 2020, Dubai International Financial Centre (“DIFC”) adopted its most recent DIFC Data Protection Law No. 5 of 2020 (the “DIFC DPL 2020”) in a similar effort to align its data protection legal framework with the GDPR.

A few key takeaways of the DPR 2021 include, among other things:

(i) Scope

The DPR 2021 applies to the Processing of Personal Data carried out by a Controller or Processor in ADGM, regardless of whether the Processing takes place in ADGM or not.

(ii) Data Protection Officer

The appointment of a Data Protection Officer (“DPO”) will be mandatory where (a) the Processing is carried out by a public authority, except for courts acting in their judicial capacity; (b) the core activities of the Controller or Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or (c) the core activities of the Controller or Processor consist of Processing  on a large scale of Special Categories of Personal Data. This will not apply to the Controller or Processor having less than five (5) employees, unless conducting High Risk Processing Activities – a concept quite consistent with the one previously introduced in the GDPR and the DIFC DPL 2020.

(iii) Rights of Data Subjects

The rights of the Data Subjects are further expanded in the DPR 2021 and the Controller or Processor will be expected to respond to their requests within two (2) months of receipt, possibly extendable by one (1) month in some instances deemed as more complex.

(iv) Fees

Controllers will have to pay a registration fee to the Commissioner before undertaking any processing activities and subject to further annual renewal fees thereafter. The Board of ADGM may later vary the amounts which until now stands at USD 300 for the registration fee and USD 100 for the annual renewal fee.

(v) Fines

The DPR 2021 grants broader powers on the part of the Commissioner to issue directions and/or fines in case of breach, while maintaining a cap on fines at maximum USD 28 million.

No items found.

Related resources

Defamation Law in the UAE: offenders will get a fine of up to AED 1 million

Read article
Ethos
Practice & expertise
News
Insights
Team
Careers
Contact us
Locations
Brochure
Privacy Policy
LinkedIn
Twitter
Instagram

Geneva

Boutique Law Firm
Ave de la Gare des Eaux-Vives 28,
CH-1208 Geneva, Switzerland
t:
+41 22 707 9333
f:
+41 22 786 1468

Malta

Regulatory Advisory Practice
Swiss Urban Factory,
The Regulatory Suite
5, Saint Frederick Street,
Valletta VLT 1470 Malta
t:
+356 224 82910
f:
+356 224 82919

Dubai

Structuring Advisory Practice
Central Park Offices,
Office 15-32,
Dubai International Financial Centre
(DIFC), P.O.Box 506652, Dubai, UAE
t:
+971 4 242 7843
f:
+971 4 242 8081

Abu Dhabi

Legal Consultants
Al Sila Tower, Office 2478,
Al Maryah Island,
Abu Dhabi Global Market Square,
(ADGM), P.O.Box 128666, Abu Dhabi, UAE
t:
+971 2 694 8693
f:
Open cookie preferences