United arab emirates – abu dhabi global market (adgm) introduces new data protection regulations 2021

On 14th February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 thereby replacing the current Data Protection Regulations 2015 regime following a transition period of 12 months for current businesses established in ADGM prior to 14th February 2021 and 6 months for new businesses established in ADGM on or following 14th February 2021.

Key amendments to the Regulations

  • Levying Data Protection Fee for all Controllers subject to the Regulations. 
  • In companies where Processing is conducted by a public authority or companies that process high volume of personal data and/or Special Categories of Personal Data may now be required to appoint a DPO.
  • An obligation on the Controller to conduct a Data Protection Impact Assessment. 
  • 2 months period to retort to Data Subjects’ requests.
  • Controllers are obliged to alert the Commissioner of the Data Protection of a Data Breach within 72 hours of becoming aware of it.

Companies governed by the Regulations must update or design policies and contractual documents, including and/or addressing a data protection policy to be circulated among employees setting out why and how personal data will be collected, as well as how long the personal data will be retained and a privacy policy setting out the company’s processing activities which must include the following information:

  • The name and contact details of the company’s Controller and DPO;
  • The type of personal data processed by the company; its purpose(s) and the company’s data retention policy;
  • A narrative of the type of data subjects and the individuals who will have access to personal data;
  • A narrative of the “technical and organizational measures” employed to warrant the security of personal data; and
  • An account of all appropriate safeguards applied when sharing personal data abroad.
  • The execution of a deletion strategy and process to securely and perpetually deleted Personal Data after the retention period has expired.
  • The preparation of written agreement with suppliers, distributors and clients.

Implication:

Businesses must adhere to the new data protection norms established by the new Data Protection Regulations and ensure the smooth compliance to avoid any penalty for non-compliance.

Scroll to Top