Abu Dhabi Global Market (“ADGM”) announced on 14 February 2021 that it has enacted the Data Protection Regulations 2021 (the “DPR 2021”), which will replace the current Data Protection Regulations 2015. The latter will be repealed, allowing for the DPR 2021 to come into force on the following dates:
- 14 February 2022, namely a 12-month transition period for existing establishments in ADGM; and
- 14 August 2021, namely a 6-month transition period for new establishments that are registered in ADGM on or after 14 February 2021.
The purpose of DPR 2021 is to align the ADGM’s legal framework for the processing of personal data with the European Union’s General Data Protection Regulation (the “GDPR”), regarded as the leading international standard and best practice in data protection legislation. In July 2020, Dubai International Financial Centre (“DIFC”) adopted its most recent DIFC Data Protection Law No. 5 of 2020 (the “DIFC DPL 2020”) in a similar effort to align its data protection legal framework with the GDPR.
A few key takeaways of the DPR 2021 include, among other things:
The DPR 2021 applies to the Processing of Personal Data carried out by a Controller or Processor in ADGM, regardless of whether the Processing takes place in ADGM or not.
(ii) Data Protection Officer
The appointment of a Data Protection Officer (“DPO”) will be mandatory where (a) the Processing is carried out by a public authority, except for courts acting in their judicial capacity; (b) the core activities of the Controller or Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or (c) the core activities of the Controller or Processor consist of Processing on a large scale of Special Categories of Personal Data. This will not apply to the Controller or Processor having less than five (5) employees, unless conducting High Risk Processing Activities – a concept quite consistent with the one previously introduced in the GDPR and the DIFC DPL 2020.
(iii) Rights of Data Subjects
The rights of the Data Subjects are further expanded in the DPR 2021 and the Controller or Processor will be expected to respond to their requests within two (2) months of receipt, possibly extendable by one (1) month in some instances deemed as more complex.
Controllers will have to pay a registration fee to the Commissioner before undertaking any processing activities and subject to further annual renewal fees thereafter. The Board of ADGM may later vary the amounts which until now stands at USD 300 for the registration fee and USD 100 for the annual renewal fee.
The DPR 2021 grants broader powers on the part of the Commissioner to issue directions and/or fines in case of breach, while maintaining a cap on fines at maximum USD 28 million.