Privacy and protection: data in the Abu Dhabi Global Market
Malack El Masry and Charlotte Jackson of Ibrahim & Partners take a closer look at the sophisticated data protection system of the Abu Dhabi Global Market
The Abu Dhabi Global Market (ADGM) continues to put its mark on the United Arab Emirates (UAE) with its unique combination of English and UAE laws – and the data protection system is no different. Based mainly on English principles, the ADGM has created a sophisticated framework for data protection that fits in with UAE laws that apply to the free zones.
Scope of data protection in the ADGM
Any data processed by a company incorporated in the ADGM (the Company), whether the processing is as controller or processor (as defined below), and whether it is carried out within or outside the ADGM, will be subject to the applicable laws of the ADGM, as well as certain laws of mainland UAE that apply to the free zones.
The key consideration under ADGM laws is the rules and restrictions regarding personal data under the ADGM Data Protection Regulations 2021 (DPR), for which the following key definitions are noted:
CDP: means the commissioner for data protection, the person appointed by the board in accordance with the DPR to be the head of the office of data protection.
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data subject: means an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
International organisation: means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Personal data: means any information relating to a data subject.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Company will be obligated to comply with the DPR in relation to all personal data for which it is a controller or a joint controller, and all personal data that it processes on behalf of another controller.
The Company does not need to process the personal data inside the ADGM to be caught by the DPR; the fact that it is an ADGM company is sufficient to bring any personal data that it controls or processes within scope.
Key principles of data protection in the ADGM
The DPR governs how personal data must be treated. It sets out six principles for processing personal data (summarised below); personal data must be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle two sets out six lawful purposes for processing personal data (as summarised below):
Performance of a contract;
Compliance with law;
To protect a person's vital interests;
Performance of tasks carried out by public authorities; and
Necessity of processing for legitimate interests.
One of the above purposes must apply to the processing of the personal data before it can be processed.
The DPR also provides for the rights of the data subject, including rights of access, rectification and erasure. It places a number of obligations on both processors and controllers. The key obligations on the controller concern the appropriate technical and organisational measures to ensure the security and protection of the data, maintaining the appropriate records, cessation of processing and dealing with data breaches (which must be notified to the CDP within 72 hours of such breach). Processors are required to have a contract with the relevant controller ensuring that the processor complies with the controller's instructions and carries out the measures necessary to ensure that the personal data it processes receives the same protection as if it were processed by the controller.
If the Company processes the personal data on behalf of another entity, it may be a processor; however, if it determines the purposes and means of the processing of the personal data, the Company will be either (i) a controller in its own right; or (ii) a joint controller with that entity, and its data protection obligations and restrictions will differ accordingly.
Transfer of personal data outside of the ADGM or to international organisations
Personal data cannot be transferred outside of the ADGM or to an international organisation other than as set out in Part V of the DPR. This will catch any personal data sent by companies and any personal data sent to or stored by third parties outside of the ADGM, since both transferring and storing personal data are processing activities in their own right.
Personal data can be transferred outside of the ADGM in the following circumstances:
Without specific CDP authorisation, where the CDP has determined that the receiving jurisdiction, specified sectors within the receiving jurisdiction or an international organisation has an adequate level of protection of personal data (adequate jurisdictions); by way of example, the UK and the Dubai International Financial Centre (DIFC) are currently deemed 'adequate jurisdictions';
Without specific CDP authorisation, where the transferring company (whether controller or processor) determines that the receiving jurisdiction, specified sectors within the receiving jurisdiction or an international organisation has provided the appropriate safeguards and that it has effective legal remedies available for data subjects (this is limited to specific circumstances, such as contracts between public authorities, binding corporate rules within an international organisation, adopted standard contractual clauses, an approved code of conduct or an approved certification mechanism);
With specific CDP authorisation, where the transferring party and receiving party enter into certain contractual provisions governing the appropriate safeguards in place regarding the personal data; or
Upon one of the following conditions applying to the transfer:
The personal data has been requested from a public authority which has jurisdiction over the controller or processor;
The data subjects have consented to the transfer having been informed of the possible risks;
The transfer is necessary for the performance of a contract between the relevant data subject and the controller (or the implementation of pre-contractual measures requested by the data subject);
The transfer is necessary for the performance or conclusion of a contract in the interest of the data subject between the controller and another person;
The transfer is necessary for reasons of public interest (in accordance with law) or to protect the vital interests of the data subject or another person; and
The transfer is required by law enforcement agencies in the UAE or is necessary for the establishment, exercise or defence of legal claims.
Companies transferring personal data to jurisdictions outside those on the adequate jurisdiction list will typically seek to rely on the conditions that the transfer is necessary for the performance of a contract with the data subject, or for the performance of a contract in the interest of the data subject, in order to transfer personal data outside the ADGM.
The ADGM has a sophisticated data protection system; however, it was recently announced that a new UAE federal law regarding data protection was to be introduced, and its implications for the ADGM's European-based data protection system are not yet known.
Malack El Masry
Partner, Ibrahim & Partners
Senior associate, Ibrahim & Partners