On 14th February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021, replacing the Data Protection Regulations 2015 regime following a transition period of 12 months for businesses established in ADGM prior to 14th February 2021 and 6 months for new businesses established in ADGM on or after 14th February 2021.
Key amendments to the Regulations
- Levying a Data Protection Fee on all Controllers subject to the Regulations.
- Companies where Processing is conducted by a public authority, or companies that process a high volume of personal data and/or Special Categories of Personal Data, may now be required to appoint a DPO.
- An obligation on the Controller to conduct a Data Protection Impact Assessment.
- A 2-month period to respond to Data Subjects’ requests.
- Controllers are obliged to alert the Commissioner of Data Protection of a Data Breach within 72 hours of becoming aware of it.
Companies governed by the Regulations must update or design policies and contractual documents, including a data protection policy to be circulated among employees, setting out why and how personal data will be collected and how long it will be retained, and a privacy policy setting out the company’s processing activities, which must include the following information:
- The name and contact details of the company’s Controller and DPO;
- The type of personal data processed by the company, its purpose(s) and the company’s data retention policy;
- A narrative of the type of data subjects and the individuals who will have access to personal data;
- A narrative of the “technical and organizational measures” employed to ensure the security of personal data; and
- An account of all appropriate safeguards applied when sharing personal data abroad.
- The execution of a deletion strategy and process to securely and permanently delete Personal Data after the retention period has expired.
- The preparation of written agreements with suppliers, distributors and clients.
Implication:
Businesses must adhere to the norms established by the new Data Protection Regulations and ensure smooth compliance to avoid any penalty for non-compliance.