The ADGM Data Protection Regulations Amendment 2022 – What you need to know

      The Abu Dhabi Global Market (“ADGM”) released its comprehensive data protection regulations in 2021 (the “Regulations”), repealing the Data Protection Regulations 2015, and in July 2022 released the Data Protection Regulations (No.1) of 2022 (the “Amendments”). The Amendments alter articles throughout the Regulations.

      Core changes to the ADGM data protection regulations

      The core changes include:

      • updating references from the data protection commissioner to the data protection office
      • the repeal of Article 24, which exempted firms with fewer than five employees that do not conduct “high-risk processing” from registering with the data protection office and paying the annual data protection fee
      • the repeal of Article 35, which waived the obligation to appoint a Data Protection Officer (“DPO”) where the firm is not considered a “high-risk processor” and has fewer than five employees.

      The Amendments could substantially affect the obligations of smaller firms, branches, and subsidiaries.

      What do I need to do now?

      Check that you are registered with the Data Protection Office

      Firms with fewer than five employees that have not registered with the Data Protection Office will now be obligated to register their processing intentions using a data protection notification and to renew that notification annually. The firm must keep its notification up to date using the ADGM portal and pay an annual personal data processing fee.

      Appoint a DPO if required

      Firms with fewer than five employees, irrespective of whether they act on their own authority as a controller of personal data or are instructed to process personal data, must appoint a DPO if they:

      1. process data as a public authority
      2. have core activities that, by virtue of their nature, scope and purposes, require regular and systematic monitoring of individuals on a large scale
      3. have core activities that consist of processing on a large scale of Special Categories of Data.

      Special Categories of Personal Data are defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data to identify a natural person uniquely, data concerning health, or data concerning a natural person’s sex life or sexual orientation, or personal data relating to criminal convictions and offenses or related security measures.

      Update your data protection policy

      The restriction on the right to erasure provided by Article 15(3)(a)(i) has been amended, and the change will need to be reflected in your data protection policy. The article now provides a legal exemption from complying with an erasure request where the requested information is necessary for the Controller to comply with their legal obligations for the performance of a task carried out by a public authority in the interests of the ADGM Board. This narrows the exclusion in the previous revision, which referred to any interest of the ADGM.

      Should I be concerned?

      The Amendments have been released to modify the data privacy practices in the ADGM to align with international best practices. Penalties for failing to comply with the Regulations are capped at US$28M, and firms may be subject to random compliance inspections.

      What can we do to help?

      Waystone Compliance Solutions has assisted with over 100 firms’ compliance with various UAE data protection laws and can provide guidance, implementation support and experienced outsourced data protection officers to help you meet your compliance obligations. We can also support your global data protection needs by giving you the assistance required to navigate the global data protection landscape with confidence.
