Data Protection Guidance Note 

This guide is for ADGM registered entities that are subject to data protection obligations (‘Data Controllers’). It explains the purpose and effect of each of the general principles on processing personal data, gives practical examples and answers frequently asked questions.

Access the guidance note here

 

Data Protection Self Assessment Questionnaire

The Data Protection Self-Assessment Questionnaire has been developed to help registered entities assess the level of compliance that currently exists within their organisation and to highlight those areas which are likely to require attention.

Access the Self Assessment Questionnaire here

 

Data Protection Frequently Asked Questions

The Board of Directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of Law No. 4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi, enacted on October 4, 2015 the Data Protection Regulations 2015 (the ‘Regulations’).  The said Regulations make provision for the protection of personal data within the Abu Dhabi Global Market and for connected purposes.

The Regulations control how personal information is used by organisations and businesses in Abu Dhabi Global Market. All companies registered in ADGM are responsible for how they use data and must follow strict rules when processing it.

This term refers to information that is held on computer or intended to be held on computer.  This includes information recorded on paper.

It means information which –

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose,
  • is recorded with the intention that it should be processed by means of such equipment,
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
  • is recorded information held by a public authority.

The term Data Controller refers to any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data. This is by default the entity registered in ADGM/ADGM entity under formation.

Data Processor is defined as any person (excluding a natural person acting in his capacity as a staff member) who processes Personal Data on behalf of a Data Controller. A Data Processor is a separate legal entity from the Data Controller. Data Processors may include but are not limited to external service providers that have been appointed by the entity registered in ADGM and head offices of group companies. A data processor may be a non-ADGM registered entity. The appointment of a data processor is optional.

Data Subject refers to the natural person to whom Personal Data relate or whom particular personal data is about. For example, this could be, but is not limited to, a staff member, client or customer.

The term refers to any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly.

In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organisation, adaptation or alteration of the information or data,
  • retrieval, consultation or use of the information or data,
  • disclosure of the information or data by transmission, dissemination or otherwise making available, or
  • alignment, combination, blocking, erasure or destruction of the information or data.

A recipient is any person to whom Personal Data are disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

Personal Data includes any information relating to an identified natural person or Identifiable Natural Person. 

It means data which relate to a living individual who can be identified –

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

This term refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The Data Controller determines the purposes for which and the manner in which any personal data are processed and must ensure that any processing of personal data for which they are responsible complies with the Regulations. Failure to do so risks enforcement action and compensation claims from individuals or Data Subjects.

Data Controllers shall ensure that Personal Data, which they Process, are –

  • Processed fairly, lawfully and securely;
  • Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights;
  • Adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed;
  • Accurate and, where necessary, kept up to date; and
  • Kept in a form, which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.

Personal data may only be processed in accordance with the requirements set forth in section 2 of the ADGM Data Protection Regulations 2015.

At least one of the following conditions must be met whenever the Data Controller processes personal data.

  • The Data Subject has given his written consent to the Processing of that Personal Data;
  • Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
  • Processing is necessary in order to protect the vital interests of the Data Subject;
  • Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data are disclosed; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

As per the ADGM Data Protection Regulations 2015, the term refers to Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade‐union membership and health or sex life.

Due to its private nature and the potential for misuse in a discriminatory manner, it must be treated more carefully than other personal data. Consequently, ADGM registered entities must meet more stringent requirements for processing sensitive personal data than for other types of personal data.

Sensitive personal data includes inter alia the following categories.

  • racial or ethnic origin,
  • political opinions,
  • religious beliefs,
  • other beliefs,
  • physical or mental health (other than as kept in respect of your employees in the normal course of personnel administration and not to be used or disclosed for any of their purposes),
  • criminal convictions.

Example:

The classifications of sensitive personal data may include varying degrees of sensitivity of information. For example, the category health or sex life includes as sensitive personal data rather obvious information like the fact that a particular person has a broken arm (as this is clearly visible to anyone who sees the person given that the arm will be in plaster) but also more “sensitive” information relating to an individual’s mental health.

The difference between personal data and sensitive personal data may in certain instances be difficult to define. For example, names and surnames in connection with addresses and dates of birth are personal data rather than sensitive personal data. But where the data processor is processing such names due to the specific reason that these names and surnames indicate a certain religion or ethnicity, e.g. to send advertising or marketing materials for items or services that are targeted at individuals of this particular religion or ethnicity, then this would be sensitive personal data.

Personal data shall not be transferred to a country or territory outside Abu Dhabi Global Market unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

For additional FAQs on the transfer of personal data, please click here

The adequacy of the level of protection ensured by laws to which the Recipient is subject shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:

  • the nature of the Personal Data;
  • the purpose and duration of the proposed Processing operation or operations;
  • if the data do not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and
  • any relevant laws to which the Recipient is subject, including professional rules and security measures.

The following jurisdictions have been designated by the Registrar as providing an adequate level of protection. This list may be updated from time to time by a publication to such effect on the Registrar's website.

  1. Argentina
  2. Austria
  3. Belgium
  4. Bulgaria
  5. Canada
  6. Cyprus
  7. Czech Republic
  8. Denmark
  9. Estonia
  10. Finland
  11. France
  12. Germany
  13. Greece
  14. Guernsey
  15. Hungary
  16. Jersey
  17. Iceland
  18. Ireland
  19. Isle of Man
  20. Italy
  21. Latvia
  22. Liechtenstein
  23. Lithuania
  24. Luxembourg
  25. Malta
  26. Netherlands
  27. New Zealand
  28. Norway
  29. Poland
  30. Portugal
  31. Romania
  32. Slovakia
  33. Slovenia
  34. Spain
  35. Sweden
  36. Switzerland
  37. United Kingdom
  38. Uruguay
  39. United States of America, subject to compliance with the terms of the applicable US-EU or US-Switzerland Safe Harbours

Please note that a transfer of personal data to a recipient that is not subject to laws which ensure an adequate level of protection is only possible if the following conditions are met.

  • the Registrar has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of such Personal Data;
  • the Data Subject has given his written consent to the proposed transfer;
  • the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the Data Subject;
  • the transfer is necessary in the interests of the ADGM;
  • the transfer is made at the request of a regulator, police or other government agency;
  • the transfer is made from a register which according to law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
  • the transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
  • the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that the transfer is carried out in accordance with applicable standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation;
  • the transfer is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller which is established in the Abu Dhabi Global Market, or for the prevention or detection of any crime;
  • the transfer is made to a person established outside the Abu Dhabi Global Market who would be a Data Controller (if established in the Abu Dhabi Global Market) or who is a Data Processor, if, prior to the transfer, a legally binding agreement in the form set out in SCHEDULE 1 or SCHEDULE 2 respectively, to these Regulations has been entered into between the transferor and Recipient; or
  • the transfer is made between one or more members of a Group of Companies in accordance with a global data protection compliance policy of that Group, under which all the members of such Group that are or will be transferring or receiving the Personal Data are bound to comply with all the provisions of these Regulations containing restrictions on the use of Personal Data and Sensitive Personal Data in the same way as if they would be if established in the Abu Dhabi Global Market.

Initial Registration

As an ADGM entity that intends to process personal data and sensitive personal data you must obtain approval from the ADGM Registrar to do so. The relevant application is contained in our Data Protection Initial Registration Form (DP-01), which needs to be submitted by all applicants intending to establish a company or partnership within the

Annual Renewal

An application to register a Data Controller is valid for a year and can be renewed annually by submitting an “Application for renewal of registration – Data Protection” through our Online Solution or paper form and by paying the applicable fee. Renewal must be done on every anniversary of the company’s incorporation/registration.

Change in the details of the Data Controller

The Data Controller must give notice to the Registrar of any changes in its particulars. Such notice can be given by completing a Notice of Change of Particulars of Data Controller through our Online Solution or paper form and by paying the applicable fee.

Appoint a new Data Processor

The Data Controller must notify the Registrar of any appointment or cessation of a Data Processor. The first appointment can be made in the initial registration form. Notification of any new appointments and cessations can be done by completing a Notice of Appointment / Cessation of Data Processor through our Online Solution or paper form and by paying the applicable fee.

Change in the details of the Data Processor

The Data Controller must give notice to the Registrar of any change in the particulars of the Data Processor. Such notice can be given by completing a “Notice of Change of Particulars of Data Processor” through our Online Solution or paper form and by paying the applicable fee.

Transfer personal data outside of the Abu Dhabi Global Market

Please fill in the ADGM Form “Application for permit to transfer data to the jurisdiction offering adequate protection” in order to apply for the Registrar’s approval to transfer personal data to one of the jurisdictions mentioned in Schedule 3 to the Data Protection Regulations 2015.

If an ADGM registered entity intends to transfer personal data to a recipient located in a jurisdiction other than the aforementioned, please fill in the ADGM Form “Application for permit to transfer data to a jurisdiction in the absence of adequate protection”.

| Transaction | Price (USD) |
|---|---|
| Initial Registration | 300 |
| DP Annual Renewal | 100 |
| Application for Permit to transfer personal data to another jurisdiction | 100 |
| Application for permit to process Sensitive Personal Data | 100 |
| Amendment to particulars | - |
| Notification of Breach | - |
| Notification of appointment / cessation of Data Controller | - |
| Amendment of business contract details | - |

How to contact the Office of Data Protection

Email: Data.Protection@adgm.com

Telephone: +971 2 333 8888  

Opening hours: 9:00am to 3:00pm (Sunday to Thursday)