• Data Protection Regulations Data Protection Regulations

    • Data Protections Regulations 2015 (consolidated version – 01 February 2018)

      Click herehere to view PDF

    • Data Protection Regulations 2015

      Click herehere to view PDF

    • Data Protection Regulations 2021

      Regulations to make provision for the protection of personal data processed or controlled from within the Abu Dhabi Global Market.

      Date of Enactment: 11 February 2021

      The Board of Directors of the Abu Dhabi Global Market, in exercise of its powers under Article6(1) of the Law No.4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi, enacts the following Regulations.

      • PART I PART I General provisions

        • 1. Subject-matter and objectives

          (1) The objects of these Regulations are
          (a) to promote the protection of individuals’ Personal Data;
          (b) to recognise that the right to the protection of Personal Data is not an absolute right; it must be considered in relation to its function and balanced against other rights;
          (c) to provide the basis for consistent regulation and Processing of Personal Data within ADGM;
          (d) to promote lawful, fair and transparent Processing of Personal Data;
          (e) to establish the primary responsibility and liability of the Controller for any processing of personal data carried out by the Controller or on the Controller’s behalf;
          (f) to facilitate the transfer of Personal Data across borders while ensuring that the rights of individuals are respected;
          (g) to provide a means for individuals to complain about an alleged infringement of their rights relating to their Personal Data and to receive an effective judicial remedy; and
          (h) to implement ADGM’s international commitments in relation to the Processing of Personal Data.

        • 2. Material scope

          (1) These Regulations apply to the Processing of Personal Data wholly or partly by automated means and to the Processing other than by automated means of Personal Data which forms part of a Filing System or is intended to form part of a Filing System. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria do not fall within the scope of these Regulations.
          (2) These Regulations do not apply to the Processing of Personal Data:
          (a) by a natural person for the purposes of purely personal or household activity; or
          (b) by public authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to national security.

        • 3. Territorial scope

          (1) These Regulations apply to the Processing of Personal Data in the context of the activities of an Establishment of a Controller or a Processor in ADGM, regardless of whether the Processing takes place in ADGM or not.
          (2) Where the Processor is Processing Personal Data for a Controller outside of ADGM, the Processor must comply with the requirements of these Regulations to the extent possible, taking into account whether the Controller is subject to similar obligations under the laws of its home jurisdiction.
          (3) These Regulations apply to natural persons whatever their nationality or place of residence.

      • PART II PART II Principles

        • 4. Principles relating to Processing of Personal Data

          (1) Personal Data must be:
          (a) Processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
          (b) collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes;
          (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed;
          (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are Processed, is erased or rectified without delay;
          (e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed; and
          (f) Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
          (2) The Controller is responsible for, and must be able to demonstrate compliance with, section 4(1).
          (3) Where Personal Data is Processed for Archiving and Research Purposes;
          (a) this Processing is deemed to be compatible with the initial purposes for which the Personal Data was collected as required by section 4(1)(b); and
          (b) it may be stored for longer periods than stated in section 4(1)(e) provided appropriate technical and organisational measures are used to safeguard the rights of the Data Subject.

        • 5. Lawfulness of Processing

          (1) Processing is lawful only if and to the extent that:
          (a) the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes;
          (b) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
          (c) Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;
          (d) Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
          (e) Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; or (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller under Applicable Law; or
          (f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.
          (2) Section 5(1)(f) does not apply if Processing is necessary for any of the purposes described in section 5(1)(e).
          (3) For the purposes of section 4(1)(b) the Controller must, in order to ascertain whether Processing for another purpose is compatible with the purpose for which the Personal Data is initially collected, take into account:
          (a) any link between the purposes for which the Personal Data has been collected and the purposes of the intended further Processing;
          (b) the context in which the Personal Data has been collected, in particular the relationship between Data Subjects and the Controller;
          (c) the nature of the Personal Data, in particular whether Special Categories of Personal Data are Processed, pursuant to section 7;
          (d) the possible consequences of the intended further Processing for Data Subjects; and
          (e) the existence of appropriate safeguards, which may include encryption or Pseudonymisation.

        • 6. Conditions for Consent

          (1) Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they (whether in writing, electronically or orally), by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.
          (2) Silence, pre-ticked boxes or inactivity do not constitute Consent.
          (3) For Consent to be informed, the Data Subject should be aware at least of the identity of the Controller and the purposes for which it is intended the Personal Data will be Processed.
          (4) Where Processing is based on Consent, the Controller must be able to demonstrate that the Data Subject has consented to Processing of their Personal Data.
          (5) If the Data Subject's Consent is given in the context of a written declaration which also concerns other matters, the request for Consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
          (6) Any part of such a declaration which constitutes a contravention of these Regulations will not be binding.
          (7) The Data Subject has the right to withdraw their Consent at any time. The withdrawal of Consent will not affect the lawfulness of Processing based on Consent before its withdrawal. The Data Subject must be informed of this before giving Consent.
          (8) It must be as easy to withdraw Consent as it is to give Consent.
          (9) When assessing if Consent is freely given the assessor must take into account whether:
          (a) the Data Subject has a genuine or free choice or is unable to refuse or withdraw Consent without detriment; and
          (b) the performance of a contract is conditional on Consent to the Processing of Personal Data that is not necessary for the performance of that contract.

        • 7. Processing of Special Categories of Personal Data

          (1) Processing of:
          (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
          (b) Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation; and
          (c) Personal Data relating to criminal convictions and offences or related security measures,
          (together, ‘Special Categories of Personal Data’) is prohibited.
          (2) Section 7(1) does not apply if one of the following applies:
          (a) the Data Subject has given explicit Consent to the Processing of their Special Categories of Personal Data for one or more specified purposes;
          (b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment law, provided that when the Processing is carried out, the Controller has an appropriate policy document in place in accordance with section 7(3);
          (c) Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
          (d) Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional provided that Processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality;
          (e) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
          (f) Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;
          (g) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not -for-profit body including religious, cultural, educational, social or fraternal purposes or for other charitable purposes and on condition that the Processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the Consent of the Data Subjects;
          (h) Processing relates to Personal Data which is intentionally made public by the Data Subject;
          (i) Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
          (j) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
          (k) Processing is necessary for reasons of substantial public interest, provided that (unless specified otherwise) the Controller has, when the Processing is carried out, an appropriate policy document in place in accordance with section 7(3), where it is necessary for:
          (i) the exercise of a function or requirement conferred on a person by Applicable Law;
          (ii) the exercise of a function of the Board, Abu Dhabi or United Arab Emirate government;
          (iii) the administration of justice;
          (iv) equality of opportunity or treatment provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual; and it does not relate to an individual who has given written notice to the Controller not to Process their Personal Data;
          (v) diversity at senior levels of organisations, where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject and is not aware of the Data Subject withholding Consent provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual;
          (vi) the prevention or detection of an unlawful act or omission where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose; and if the Processing relates to the disclosure of Personal Data to a relevant public authority an appropriate policy document in accordance with section 7(3) need not be in place for the Processing to be lawful under these Regulations;
          (vii) the protection of the members of the public against dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a company, body or association, or failures in services provided by a company, body or association where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose;
          (viii) compliance with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act or omission, or been involved in dishonesty, malpractice or other seriously improper conduct where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject to the Processing;
          (ix) the prevention of fraud in connection with Processing of Personal Data as a member of, or in accordance with arrangements made by, an antifraud organisation;
          (x) the disclosure in good faith to an appropriate public authority regarding suspected terrorist financing, to identify terrorist property or in relation to suspected money laundering, in accordance with Applicable Law; or
          (xi) the publication of a judgment or other decision of a court or tribunal or if the Processing is necessary for the purposes of publishing such a judgment or decision.
          (3) Where it is specified that a condition in section 7(2) is met only if the Controller has an appropriate policy document in place, the Controller will have an appropriate policy document in place if:
          (a) the policy document (which may incorporate other documents by reference) explains, for Personal Data Processed in reliance on the condition:
          (i) how the Controller will comply with the principles in section 4; and
          (ii) the Controller’s policies regarding the retention and erasure of that Personal Data; and
          (b) from the date the Controller starts to Process Personal Data in reliance on the condition until 6 months after the Controller ceases to carry out such Processing, the policy document referred to in section 7(3)(a) is:
          (i) retained, reviewed and updated (as appropriate); and
          (ii) made available to the Commissioner of Data Protection on request.

        • 8. Processing which does not require identification

          (1) If the purposes for which a Controller Processes Personal Data do not or no longer require the identification of a Data Subject by the Controller, the Controller is not obliged to maintain, acquire or Process additional information in order to identify the Data Subject for the sole purpose of complying with these Regulations.
          (2) Where, in cases referred to in section 8(1), the Controller is able to demonstrate that it is not in a position to identify the Data Subject, the Controller must inform the Data Subject accordingly, if possible.
          (3) In such cases, sections 13 to 18 will not apply except where the Data Subject, for the purpose of exercising their rights under those sections, provides additional information enabling their identification.

        • 9. Processing for Archiving and Research Purposes

          (1) Processing for Archiving and Research Purposes must be subject to the following safeguards:
          (a) technical and organisational measures must be in place, in particular to ensure compliance with section 4(1)(c), which may include Pseudonymisation or anonymisation;
          (b) the Processing must not cause, or be likely to cause, substantial damage or substantial distress to a Data Subject; and
          (c) the Processing must not be carried out for the purposes of measures or decisions with respect to a particular Data Subject, unless the purposes for which the Processing is necessary include the purpose of medical research that has been approved by a public authority or research institution.

      • PART III PART III Rights of the Data Subject

        • 10. Transparent information, communication and modalities for the exercise of the rights of the Data Subject

          (1) The Controller must take appropriate measures to provide any information referred to in sections 11 and 12 and any communication under sections 13 to 20 and section 32 relating to Processing to the Data Subject:
          (a) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a Child; and
          (b) in writing, electronically or, if requested by the Data Subject, orally as long as that Data Subject has provided proof of their identity.
          (2) The Controller must facilitate the exercise of Data Subject rights under sections 13 to 20. In the cases referred to in section 8(3), the Controller must not refuse to act on the request of the Data Subject to exercise their rights under sections 13 to 20, unless the Controller demonstrates that it is not in a position to identify the Data Subject.
          (3) Subject to section 10(4), the Controller must provide information on action taken on a request under sections 13 to 20 to the Data Subject without undue delay and in any event within two months of receipt of the request. Where the Data Subject makes the request by means of an electronic form, the information may be provided by electronic means where possible, unless otherwise requested by the Data Subject.
          (4) The period referred to in section 10(3) may be extended by one month, where necessary, taking into account the complexity and number of the requests including any related requests received by the Controller whether or not from the same Data Subject. The Controller must inform the Data Subject of any such extension within two months of receipt of the request, together with the reasons for the delay.
          (5) If the Controller does not take action on the request of the Data Subject, the Controller must inform the Data Subject without delay and at the latest within two months of receipt of the request of:
          (a) the reasons for not taking action; and
          (b) their right to lodge a complaint with the Commissioner of Data Protection and the possibility of seeking a judicial remedy.
          (6) Information provided under sections 11 and 12 and any communication and any actions taken under sections 13 to 20 and section 33 must be provided free of charge. Where requests from a Data Subject are unreasonable or excessive, in particular because of their repetitive character, the Controller may either:
          (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
          (b) refuse to act on the request.
          The Controller bears the burden of demonstrating the unreasonable or excessive character of the request.
          (7) Without limiting section 8, where the Controller has reasonable doubts concerning the identity of the natural person making the request referred to in sections 13 to 19, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject. In such cases, the time period for complying with the Data Subject request does not begin until the Controller has received information or evidence sufficient to reasonably identify that the individual making the request is the Data Subject.
          (8) Public authorities to which Personal Data is disclosed for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as Recipients (or categories of Recipients) for the purposes of sections 11, 12, 13, 17, 28 and 50 if they receive Personal Data which is necessary to carry out an inquiry in accordance with Applicable Law.

        • 11. Information to be provided where Personal Data is collected from the Data Subject

          (1) Where Personal Data relating to a Data Subject is collected from the Data Subject, the Controller must, at the time when Personal Data is obtained, provide the Data Subject with all of the following information:
          (a) the identity and the contact details of the Controller;
          (b) the contact details of the Data Protection Officer, where applicable;
          (c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
          (d) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
          (e) the Recipients or categories of Recipients of the Personal Data, if any; and
          (f) where applicable, the fact that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
          (i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
          (ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
          (2) In addition to the information referred to in section 11(1), the Controller must, at the time when Personal Data is obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent Processing:
          (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
          (b) the existence of the rights set out in sections 13 to 16, 18 and 19;
          (c) where the Processing is based on either of sections 5(1)(a) or 7(2)(a):
          (i) the existence of the right to withdraw Consent at any time; and
          (ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
          (d) the right to lodge a complaint with the Commissioner of Data Protection;
          (e) whether the provision of Personal Data is a requirement under Applicable Law, a contractual requirement, or a requirement necessary to enter into a contract;
          (f) whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
          (g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
          (h) if the Controller intends to Process Personal Data in a manner that will restrict or prevent the Data Subject from exercising their rights to request rectification or erasure of Personal Data in accordance with sections 14(1) or 15(1), or to object to the Processing of the Personal Data in accordance with section 19. In such cases, the Controller must:
          (i) include a clear and explicit explanation of the expected impact on such rights; and
          (ii) satisfy itself that the Data Subject understands and acknowledges the extent of any such restrictions.
          (3) Where the Controller intends to further Process the Personal Data for a purpose other than that for which the Personal Data was collected, the Controller must provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in section 11(2).
          (4) Sections 11(1), 11(2) and 11(3) do not apply to the extent that the Data Subject already has the information.

        • 12. Information to be provided where Personal Data has not been obtained from the Data Subject

          (1) Where Personal Data has not been obtained from the Data Subject, the Controller must provide the Data Subject with the following information:
          (a) the identity and the contact details of the Controller;
          (b) the contact details of the Data Protection Officer, where applicable;
          (c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
          (d) the categories of Personal Data concerned;
          (e) the Recipients or categories of Recipients of the Personal Data, if any; and
          (f) where applicable, that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
          (i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
          (ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
          (2) In addition to the information referred to in section 12(1), the Controller must provide the Data Subject with the following information necessary to ensure fair and transparent Processing in respect of the Data Subject:
          (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
          (b) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
          (c) the existence of the rights set out in sections 13 to 16, 18 and 19;
          (d) where Processing is based on either section 5(1)(a) or 7(2)(a),
          (i) the existence of the right to withdraw Consent at any time; and
          (ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
          (e) the right to lodge a complaint with the Commissioner of Data Protection;
          (f) from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources; and
          (g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
          (3) The Controller must provide the information referred to in sections 12(1) and 12(2):
          (a) within a reasonable period after obtaining the Personal Data, but at the latest within two months, having regard to the specific circumstances in which the Personal Data is Processed;
          (b) if the Personal Data is to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or
          (c) if a disclosure to another Recipient is envisaged, at the latest when the Personal Data is first disclosed.
          (4) Where the Controller intends to further Process the Personal Data for a purpose other than that for which the Personal Data was obtained, the Controller must provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in section 12(2).
          (5) Sections 12(1) to 12(4) do not apply to the extent that:
          (a) the Data Subject already has the information;
          (b) the provision of such information proves impossible or would involve a disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted) , in particular for processing for Archiving and Research Purposes or in so far as the obligation referred to in section 12(1) is likely to render impossible or seriously impair the achievement of the objectives of that Processing, provided that the Controller takes appropriate measures to protect the Data Subject's rights and legitimate interests, including making the information publicly available;
          (c) obtaining or disclosure is expressly required by Applicable Law which provides appropriate measures to protect the Data Subject's legitimate interests; or
          (d) where the Personal Data must remain confidential subject to an obligation of professional secrecy, or duty of confidentiality, regulated by Applicable Law.

        • 13. Right of access by the Data Subject

          (1) A Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her is being Processed, and, where that is the case, access to the Personal Data and the following information:
          (a) the purposes of the Processing;
          (b) the categories of Personal Data concerned;
          (c) the Recipients or categories of Recipient to whom the Personal Data has been or will be disclosed, in particular Recipients outside of ADGM or International Organisations;
          (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
          (e) the existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
          (f) the right to lodge a complaint with the Commissioner of Data Protection;
          (g) where the Personal Data is not collected from the Data Subject, any available information as to its source; and
          (h) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
          (2) Where Personal Data is transferred outside of ADGM or to an International Organisation, the Data Subject has the right to be informed of the appropriate safeguards pursuant to section 41 relating to the transfer.
          (3) The Controller must provide a copy of the Personal Data undergoing Processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information must be provided in a commonly used electronic form.
          (4) The right to obtain a copy referred to in section 13(3) must not adversely affect the rights of others.
          (5) Where the Controller Processes a large quantity of information concerning the Data Subject, the Controller may request that, before the information is delivered, the Data Subject specify the information or Processing activities to which the request relates.

        • 14. Right to rectification

          (1) A Data Subject has the right to request and obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject has the right to have incomplete Personal Data completed, including by means of the Controller providing a supplementary statement.
          (2) Where rectification of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for rectification of the Personal Data under section 14(1), if:
          (a) the Controller collected the Personal Data from the Data Subject; and
          (b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification of the Personal Data at the request of the Data Subject would not be feasible.

        • 15. Right to erasure

          (1) The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay and the Controller has the obligation to erase Personal Data without undue delay where one of the following applies:
          (a) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
          (b) the Data Subject withdraws Consent on which the Processing is based according to section 5(1)(a) or 7(2)(a), and where there is no other legal ground for the Processing;
          (c) the Data Subject objects to the Processing pursuant to section 19(1) and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to section 19(3);
          (d) the Personal Data has been unlawfully Processed; or
          (e) the Personal Data has to be erased for compliance with a legal obligation in Applicable Law to which the Controller is subject.
          (2) Where the Controller has made the Personal Data public and is obliged pursuant to section 15(1) to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform Controllers which are Processing the Personal Data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, that Personal Data.
          (3) Sections 15(1) and 15(2) will not apply to the extent that Processing is necessary:
          (a) for compliance with a legal obligation which requires Processing under Applicable Law to which the Controller is subject or for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; and (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller;
          (b) for reasons of public interest in the area of public health in accordance with sections 7(2)(d) and 7(2)(e);
          (c) for Archiving and Research Purposes to the extent that the right referred to in section 15(1) is likely to render impossible or seriously impair the achievement of the objectives of that Processing, or
          (d) for the establishment, exercise or defence of legal claims.
          (4) Where erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for erasure of the Personal Data under section 15(1), if:
          (a) the Controller collected the Personal Data from the Data Subject; and
          (b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that erasure of the Personal Data at the request of the Data Subject would not be feasible.

        • 16. Right to restriction of Processing

          (1) The Data Subject has the right to obtain from the Controller restriction of Processing where one of the following applies:
          (a) the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
          (b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;
          (c) the Controller no longer needs the Personal Data for the purposes of the Processing, but it is required by the Data Subject for the establishment, exercise or defence of legal claims; or
          (d) the Data Subject has objected to Processing pursuant to section 19(1) pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
          (2) Where Processing has been restricted under section 16(1), such Personal Data must, with the exception of storage, only be Processed with the Data Subject's Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
          (3) The Controller must inform a Data Subject who has obtained restriction of Processing pursuant to section 16(1) before the restriction of Processing is lifted.

        • 17. Notification obligation regarding rectification or erasure of Personal Data or restriction of Processing

          (1) The Controller must communicate any rectification or erasure of Personal Data or restriction of Processing carried out in accordance with sections 14, 15(1) and 16 to each Recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted).
          (2) The Controller must inform the Data Subject about the Recipients referred to in section 17(1), if the Data Subject requests it.

        • 18. Right to data portability

          (1) The Data Subject has the right to receive the Personal Data that is held by, or on behalf of, the Controller concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format and has the right to transmit that data to another Controller without hindrance from the Controller to which the Personal Data has been provided, where:
          (a) the Processing is based on Consent pursuant to section 5(1)(a) or 7(2)(a) or on a contract pursuant to section 5(1)(b); and
          (b) the Processing is carried out by automated means.
          (2) A Data Subject has the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible.
          (3) Section 18(1) does not apply to any Processing that is carried out in reliance on section 5(1)(e).
          (4) The right in section 18(1) must not adversely affect the rights of others.

        • 19. Right to object

          (1) A Data Subject has the right to object at any time, on grounds relating to their particular situation, to the Processing of their Personal Data, which is based on sections 5(1)(e) and 5(1)(f), including Profiling based on those provisions
          (2) Where the Data Subject objects to the Processing of their Personal Data, the Controller must not Process the Personal Data unless the Controller reasonably considers that:
          (a) there are legitimate grounds for the Processing which override the interests or rights of the Data Subject; or
          (b) the Processing is necessary for the establishment, exercise or defence of legal claims.
          (3) Where Personal Data is Processed for direct marketing purposes, the Data Subject has the right to object at any time to the Processing, including Profiling, of their Personal Data for such direct marketing purposes.
          (4) Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data must not be Processed for such purposes.
          (5) Where Personal Data is Processed for Archiving and Research Purposes the Data Subject has the right to object to Processing of their Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
          (6) No later than the time of the first communication with the Data Subject, the right referred to in sections 19(1) and 19(3) must be explicitly brought to the attention of the Data Subject and must be presented clearly and separately from any other information.

        • 20. Automated individual decision-making, including Profiling

          (1) The Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning him or her , or similarly significantly affects him or her.
          (2) Section 20(1) does not apply if the decision:
          (a) is necessary for entering into, or performance of, a contract between the Data Subject and a Controller;
          (b) is based on the Data Subject's explicit Consent; or
          (c) (not falling within section 20(2)(a) or 20(2)(b)) is required or authorised by Applicable Law (including for fraud prevention, anti-money laundering and security and integrity purposes) and in respect of which:
          (i) the Controller has, as soon as reasonably practicable, notified the Data Subject in writing that a decision has been taken based solely on automated Processing; and
          (ii) the Data Subject has not, before the end of a period of 1 month beginning with the receipt of the notification, requested the Controller to either reconsider the decision or take a new decision that is not based solely on automated decision making.
          (3) In the cases referred to in sections 20(2)(a) and 20(2)(b), the Controller must implement suitable measures to safeguard the Data Subject's rights and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
          (4) Decisions referred to in section 20(2) must not be based on Special Categories of Personal Data, unless section 7(2)(a) or 7(2)(k) applies and suitable measures to safeguard the Data Subject's rights and legitimate interests are in place.

        • 21. Restrictions

          (1) The obligations and rights provided for in sections 10 to 20 and 33, and section 4 (to the extent the provisions correspond to the rights and obligations provided for in sections 10 to 20), do not apply to the extent such obligations and rights:
          (a) would be likely to prejudice national security, national defence, the prevention or detection of crime, apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature;
          (b) relate to information required to be disclosed by Applicable Law (including by court order) or in connection with legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the Controller from complying with the obligations and rights;
          (c) would be likely to prejudice the discharge of public functions designed to protect the public against:
          (i) dishonesty, malpractice or other seriously improper conduct including, but not limited to, protection from financial loss by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or the management of bodies corporate;
          (ii) financial loss due to the conduct of insolvent body corporates or individuals; or
          (iii) business conduct that adversely affects the public;
          (d) would be likely to prejudice the proper discharge of public functions designed to:
          (i) secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work; or
          (ii) regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position;
          (e) would be likely to prejudice ADGM’s ability to comply with international obligations and standards to which it is a signatory (including the International Organisation of Securities Commissions), where inspection of Personal Data is required;
          (f) would require the disclosure of information the disclosure of which is prohibited or restricted by Applicable Law;
          (g) would be likely to prejudice audit functions for supervising the quality of public accounting and financial reporting by a public authority;
          (h) would be likely to prejudice the regulatory functions of a public authority; or
          (i) would be likely to prejudice judicial appointments, independence and proceedings, including any individual or court acting in a judicial capacity.
          (2) The obligations and rights provided for in sections 13(1) to 13(3), and section 4 (to the extent the provisions correspond to the obligations and rights provided for in the provisions identified in sections 13(1) to 13(3)) do not oblige a Controller to disclose information to the Data Subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information, unless:
          (a) the Data Subject has Consented to the disclosure; or
          (b) it would be reasonable to disclose the information without the Consent of the individual.
          (3) The obligations and rights provided for in sections 11(1) to 11(3), sections 12(1) to 12(4) and sections 13(1) to 13(3), and section 4 (to the extent the provisions correspond to the rights and obligations identified in sections 11(1) to 11(3), sections 12(1) to 12(4) and sections 13(1) to 13(3)), do not apply to the extent such obligations and rights:
          (a) relate to information in respect of which a claim to legal professional privilege could be maintained in legal proceedings, or in respect of which a duty of confidentiality is owed by a professional legal advisor to his or her client;
          (b) would be likely to prejudice a natural person’s ability to protect themselves from self-incrimination, to the extent that compliance with these Regulations might expose that person to proceedings for committing an offence (excluding perjury or an offence under these Regulations);
          (c) relate to records of the intentions of the Controller in relation to any negotiations with the Data Subject to the extent that the application of those provisions would be likely to prejudice those negotiations;
          (d) would be likely to affect the price of a financial instrument or have a prejudicial effect on the orderly functioning of financial markets (or the efficient allocation of capital within the economy), provided that it is reasonable for the professional taking the decision to believe that complying with the provisions above could affect someone’s decision whether to:
          (i) deal in, subscribe for or issue a financial instrument; or
          (ii) act in a way likely to have an effect on a business activity (such as an effect on an undertaking’s capital structure, the legal or beneficial ownership of a business or asset or a person’s industrial strategy );
          (e) would be likely to prejudice management forecasting or planning in relation to business or other activity; or
          (f) relate to confidential references for the education, training or employment or appointment and retirement of the Data Subject, including, in the case of regulatory appointments and retirements, any related opinions or reasoning provided to the relevant regulator.
          (4) The obligations and rights provided for in sections 13(1) to 13(3), section 14, section 16(1), section 17, section 18(1), and section 19(1) will not apply to Personal Data processed for Archiving and Research Purposes:
          (a) to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes; and
          (b) provided that sections 13(1) to 13(3) will only not apply to Processing for scientific or historical research or statistical purposes where the results of the research or any resultant statistics are not made available in a form which identifies a Data Subject.

      • PART IV PART IV Controller and Processor

        • 22. Responsibility of the Controller

          (1) Taking into account the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights of natural persons, the Controller must:
          (a) implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with these Regulations; and
          (b) review and update those measures where necessary.
          (2) Where proportionate in relation to Processing activities, the measures referred to in section 22(1) must include the implementation of appropriate data protection policies by the Controller.

        • 23. Data protection by design and by default

          (1) The Controller must take appropriate steps to ensure that:
          (a) its systems, business processes and practices in respect of which Personal Data is Processed are designed taking into account compliance with the principles, rights and obligations in these Regulations (‘data protection by design’); and
          (b) only the Processing of Personal Data that is necessary for each specific purpose of the Processing is Processed (‘data protection by default’).

        • 24. Data Protection Fee

          (1) A Controller must, before, or as soon as reasonably practicable after, it starts Processing Personal Data under these Regulations:
          (a) pay a Data Protection Fee to the Commissioner of Data Protection in respect of the twelve months from the date it commenced Processing Personal Data under these Regulations; and
          (b) notify the Commissioner of Data Protection of:
          (i) its name and address (which, in the case of a registered company, will be its registered office); and
          (ii) the date it commenced Processing Personal Data under these Regulations.
          (2) Each year, within one month of the expiry of the anniversary on which it commenced Processing Personal Data under these Regulations, the Controller must pay a Renewal Fee in the amount specified by rules made by the Board to the Commissioner of Data Protection.
          (3) The obligations referred to in sections 24(1) and 24(2) do not apply to an Establishment employing fewer than five employees, unless it carries out High Risk Processing Activities.

        • 25. Joint Controllers

          (1) Where two or more Controllers jointly determine the purposes and means of Processing, they are joint Controllers. They must determine their respective responsibilities for compliance with the obligations under these Regulations in a transparent manner, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information referred to in sections 11 and 12, by means of an arrangement between them unless the respective responsibilities of the Controllers are determined by Applicable Law. The arrangement may designate a contact point for Data Subjects.
          (2) The arrangement referred to in section 25(1) must set out the respective roles and relationships of the joint Controllers with respect to the Data Subjects. The essence of the arrangement must be made available to the Data Subject.
          (3) Irrespective of the terms of the arrangement referred to in section 25(1), the Data Subject may exercise his or her rights under these Regulations in respect of and against each of the Controllers.

        • 26. Processor

          (1) Where Processing is to be carried out on behalf of a Controller, the Controller must use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of these Regulations and ensure the protection of the rights of the Data Subject.
          (2) The Processor must not engage another Processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor must inform the Controller of any intended changes concerning the addition or replacement of other Processors, thereby giving the Controller the opportunity to object to such changes.
          (3) Processing by a Processor must be governed by a contract or other legal act under Applicable Law, that is binding on the Processor with regard to the Controller and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Controller. That contract or other legal act must stipulate, in particular, that the Processor:
          (a) Processes the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside of ADGM or to an International Organisation, unless required to do so by Applicable Law to which the Processor is subject; in such a case, the Processor must inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
          (b) ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate obligation of confidentiality under Applicable Law;
          (c) takes all measures required pursuant to section 30;
          (d) respects the conditions referred to in sections 26(2) and 26(5) for engaging another Processor;
          (e) taking into account the nature of the Processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights in Part III;
          (f) assists the Controller in ensuring compliance with the obligations pursuant to sections 30 to 34 taking into account the nature of Processing and the information available to the Processor;
          (g) at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless Applicable Law requires storage of the Personal Data; and
          (h) makes available to the Controller all information necessary to demonstrate compliance with the obligations in this section and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
          (4) With regard to section 26(3)(a), the Processor must immediately inform the Controller if, in its opinion, an instruction contravenes these Regulations or other data protection provisions contained in Applicable Law.
          (5) Where a Processor engages another Processor for carrying out specific Processing activities on behalf of the Controller, the same data protection obligations as set out in the contract or other legal act between the Controller and the Processor as referred to in section 26(3) must also be imposed on that other Processor by way of a contract or other legal act under Applicable Law, in particular, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of these Regulations. The initial Processor remains fully liable to the Controller for the performance of that other Processor's obligations.
          (6) The Commissioner of Data Protection may adopt standard contractual clauses for the matters referred to in sections 26(3) and 26(5), including by approving the then current standard contractual clauses issued by the European Commission or adopted by a Supervisory Authority for the same purpose, upon which approval of such standard contractual clauses will be incorporated into these Regulations by reference.
          (7) The contract or the other legal act referred to in sections 26(3) and 26(5) may be based, in whole or in part, on standard contractual clauses referred to in section 26(6), including when they are part of a certification granted to the Controller or Processor pursuant to section 38.
          (8) The contract or the other legal act referred to in sections 26(3) and 26(5) must be in writing.
          (9) Without limiting the effect of sections 55, 56 and 60, if a Processor contravenes these Regulations by determining the purposes and means of Processing, the Processor will be a Controller in respect of that Processing.

        • 27. Processing under the authority of the Controller or Processor

          The Processor and any person acting under the authority of the Controller or of the Processor, who has access to Personal Data, must not Process that data except on instructions from the Controller, unless required to do so by Applicable Law.

        • 28. Records of Processing activities

          (1) Each Controller must maintain a record of Processing activities under its responsibility. That record must contain all of the following information:
          (a) the name and contact details of the Controller and, where applicable, the joint Controller and the Data Protection Officer;
          (b) the purposes of the Processing;
          (c) a description of the categories of Data Subjects and of the categories of Personal Data;
          (d) the categories of Recipients to whom the Personal Data has been or will be disclosed including Recipients outside of ADGM or in International Organisations;
          (e) where applicable, transfers of Personal Data outside of ADGM or to an International Organisation, including the identification of that location outside of ADGM or the International Organisation and, in the case of transfers referred to section 44(1)(b), the documentation of suitable safeguards;
          (f) where possible, the envisaged time limits for erasure of the different categories of Personal Data; and
          (g) where possible, a general description of the technical and organisational security measures referred to in section 30(1).
          (2) Each Processor must maintain a record of all categories of Processing activities carried out on behalf of a Controller, containing:
          (a) the name and contact details of the Processor or Processors and of each Controller on behalf of which the Processor is acting and the Data Protection Officer;
          (b) the categories of Processing carried out on behalf of each Controller;
          (c) where applicable, transfers of Personal Data outside of ADGM or to an International Organisation, including the identification of that location outside of ADGM or the International Organisation and, in the case of transfers referred to in section 44(1)(b), the documentation of suitable safeguards; and
          (d) where possible, a general description of the technical and organisational security measures referred to in section 30(1).
          (3) The records referred to in sections 28(1) and 28(2) must be in writing, including in electronic form.
          (4) The Controller or the Processor must make the record available to the Commissioner of Data Protection on request.

        • 29. Cooperation with the Commissioner of Data Protection

          The Controller and the Processor must cooperate, on request, with the Commissioner of Data Protection in the performance of their duties and functions.

        • 30. Security of Processing

          (1) Taking into account the State Of The Art , the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights of natural persons, the Controller and the Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
          (a) the Pseudonymisation and encryption of Personal Data;
          (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
          (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
          (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
          (2) In assessing the appropriate level of security the Controller and Processor must take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
          (3) The Controller and Processor must take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to Personal Data does not Process it except on instructions from the Controller, unless they are required to do so by Applicable Law.

        • 31. Cessation of Processing

          (1) Where the basis for Processing changes, ceases to exist or a Controller is required to cease Processing due to the exercise of a Data Subject’s rights under section 15, the Controller must ensure that all Personal Data, including Personal Data held by Processors is:
          (a) securely and permanently deleted;
          (b) anonymised so that the data is no longer Personal Data and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;
          (c) pseudonymised; or
          (d) securely encrypted.
          (2) Where a Controller is unable to ensure that Personal Data is securely and permanently deleted, anonymised, pseudonynmised or securely encrypted, the Personal Data must be archived in a manner that ensures the data is put beyond further use.
          (3) "Put beyond further use" in section 31(2) means that:
          (a) a Controller and a relevant Processor is unable to use the Personal Data to inform any decision with respect of the Data Subject or in a manner that affects the Data Subject in any way, other than where such Personal Data needs to be cross-checked by automated means solely in order to prevent further Processing of Personal Data related to the Data Subject;
          (b) no party has access to the Personal Data other than the Controller and any relevant Processor;
          (c) Personal Data is protected by appropriate technical and organisational security measures that are equivalent to those afforded to live Personal Data; and
          (d) a Controller and any relevant Processor have in place and must comply with a strategy for the permanent deletion, anonymisation, pseudonymisation or secure encryption of the Personal Data, complies and can demonstrate compliance with such policy.
          (4) Notwithstanding section 31(1), a Controller and any relevant Processor is not required to securely and permanently delete, anonymise, pseudonymise or encrypt Personal Data or put it beyond further use, where such Personal Data:
          (a) is necessary for the establishment or defence of legal claims or must be retained for compliance with Applicable Law; or
          (b) is being used in scientific research activity conducted in the public interest or in the interests of the ADGM in accordance with all Applicable Laws, in a manner that does not present risks to the rights of Data Subjects; or
          (c) is part of a dataset used to lawfully train or refine an artificial intelligence system in a manner that does not present risks to a Data Subject’s rights.
          (5) A Controller or Processor seeking to rely on sections 31(4)(b) or 31(4)(c) must conduct a data protection impact assessment in accordance with section 34 before doing so. Any Processing of Personal Data in accordance with section 31(4) must be limited to the extent necessary for such purposes.
          (6) A Controller or Processor must have a policy and process for managing Personal Data that is subject to section 31(4) when the grounds for retention no longer apply, and must securely and permanently delete, anonymise, pseudonymise, encrypt Personal Data or to put it beyond further use when such grounds no longer apply.

        • 32. Notification of a Personal Data Breach to the Commissioner of Data Protection

          (1) In the case of a Personal Data Breach, the Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Commissioner of Data Protection is not made within 72 hours, it must be accompanied by reasons for the delay.
          (2) The Processor must notify the Controller without undue delay after becoming aware of a Personal Data Breach.
          (3) The notification referred to in sections 32(1) and 32(2) must:
          (a) describe the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
          (b) communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
          (c) describe the likely consequences of the Personal Data Breach; and
          (d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
          (4) Where it is not possible to provide the information referred to in section 32(3) at the same time, the information may be provided in phases without undue further delay.
          (5) The Controller must document any Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken. The documentation must enable the Commissioner of Data Protection to verify compliance with this section.

        • 33. Communication of a Personal Data Breach to the Data Subject

          (1) When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.
          (2) The communication to the Data Subject referred to in section 33(1) must describe in clear and plain language the nature of the Personal Data Breach and contain at least the information and measures referred to in sections 32(3)(b), 32(3)(c) and 32(3)(d). The communication must where practical make recommendations for the natural person concerned to mitigate potential adverse effects and contain sufficient detail to allow him or her to take the necessary precautions.
          (3) The communication to the Data Subject referred to in section 33(1) is not required if any of the following conditions are met:
          (a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorised to access it, such as encryption;
          (b) the Controller has taken subsequent measures which ensure that the high risk to the rights of Data Subjects referred to in section 33(1) is no longer likely to materialise; or
          (c) it would involve disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted) . In such a case, there must instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
          (4) If the Controller has not already communicated the Personal Data Breach to the Data Subject, the Commissioner of Data Protection, having considered the likelihood of the Personal Data Breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in section 33(3) are met.

        • 34. Data Protection Impact Assessment

          (1) The Controller must, prior to Processing that is likely to result in a high risk to the rights of natural persons, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘Data Protection Impact Assessment’).
          (2) A single Data Protection Impact Assessment may address a set of similar Processing operations that present similar high risks. The outcome of the Data Protection Impact Assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the Processing of Personal Data complies with these Regulations.
          (3) The Controller must seek the advice of the Data Protection Officer, where designated, when carrying out a Data Protection Impact Assessment.
          (4) The Commissioner of Data Protection must publish a list of the kind of Processing operations which are subject to the requirement for a Data Protection Impact Assessment pursuant to section 34(1) and may review this list from time to time.
          (5) The Data Protection Impact Assessment must:
          (a) describe the nature, scope, context and purpose of the Processing;
          (b) assess necessity, proportionality and compliance measures;
          (c) identify and assess risks to individuals; and
          (d) identify any additional measures to mitigate the risks identified.
          (6) Where necessary, the Controller must carry out a review to assess if Processing is performed in accordance with the Data Protection Impact Assessment including when there is a change of the risk represented by Processing operations.
          (7) The Controller must notify the Commissioner of Data Protection prior to carrying out any Processing where a Data Protection Impact Assessment indicates that the Processing would be likely to result in a high risk to the rights of natural persons. The notification must contain information in section 34(5).

        • 35. Designation of the Data Protection Officer

          (1) The Controller and the Processor must appoint a person to perform the tasks listed in section 37 (a ‘Data Protection Officer’) where:
          (a) the Processing is carried out by a public authority, except for courts acting in their judicial capacity;
          (b) the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
          (c) the core activities of the Controller or the Processor consist of Processing on a large scale of Special Categories of Personal Data.
          (2) A Data Protection Officer:
          (a) may be appointed in respect of a single entity, a Group or multiple, independent entities;
          (b) may perform additional roles in respect of a Controller or Processor in addition to performing the role of Data Protection Officer;
          (c) does not need to be an employee of the relevant Controller or Processor provided it enters into an agreement in writing with the Controller, or Processor, as the case may be; and
          (d) does not need to be resident within ADGM,
          in each case, provided that the Data Protection Officer is easily accessible by each entity it acts for, and no other role held by the Data Protection Officer conflicts or is likely to conflict with the Data Protection Officer’s obligations under these Regulations.
          (3) The Data Protection Officer must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in section 37.
          (4) The Controller or the Processor must notify the Commissioner of Data Protection within one month following the appointment or resignation of any Data Protection Officer. The notification must include the contact details of the new Data Protection Officer and, in the case of a resignation, reasons for the resignation.
          (5) The obligations referred to in sections 35(1) and 35(2) do not apply to an Establishment employing fewer than five employees, unless it carries out High Risk Processing Activities.

        • 36. Position of the Data Protection Officer

          (1) The Controller and the Processor must ensure that the Data Protection Officer:
          (a) is involved, properly and in a timely manner, in all issues which relate to the protection of Personal Data;
          (b) is provided with sufficient resources, access to Personal Data and Processing operations to carry out the role;
          (c) is not dismissed or penalised for performing the tasks referred to in section 36; and
          (d) reports directly to the highest level of management in the Controller or Processor.
          (2) Data Subjects may contact the Data Protection Officer with regard to all issues related to Processing of their Personal Data and to the exercise of their rights under these Regulations.
          (3) The Data Protection Officer must be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Applicable Law and the confidentiality policies and procedures of the Controller or Processor .

        • 37. Tasks of the Data Protection Officer

          (1) The tasks of the Data Protection Officer include:
          (a) to inform and advise the Controller or the Processor and the employees who carry out Processing of their obligations pursuant to these Regulations and to other data protection provisions under Applicable Law;
          (b) to monitor compliance with these Regulations, with other data protection provisions under Applicable Law and with the policies of the Controller or Processor in relation to the protection of Personal Data, including the assignment of responsibilities, awareness-raising and training of Staff involved in Processing operations, and the related audits;
          (c) to provide advice where requested as regards the Data Protection Impact Assessment and monitor its performance pursuant to section 34;
          (d) to cooperate with the Commissioner of Data Protection; and
          (e) to act as the contact point for the Commissioner of Data Protection on issues relating to Processing and to consult with the Commissioner of Data Protection, where appropriate, with regard to any other matter.
          (2) The Data Protection Officer must in the performance of their tasks have due regard to the risk associated with Processing operations, taking into account the nature, scope, context and purposes of Processing.

        • 38. Codes of conduct

          (1) The Commissioner of Data Protection may approve codes of conduct prepared by associations and other bodies representing categories of Controllers or Processors and intended to contribute to the proper application of these Regulations, if it finds that they provide appropriate safeguards.
          (2) The Commissioner of Data Protection must make available to the public a register of all codes of conduct that have been approved in accordance with section 38(1).
          (3) Adherence to an approved code of conduct may be used as an element by which to:
          (a) demonstrate compliance with the obligations of the Controller in accordance with section 22;
          (b) demonstrate sufficient guarantees as referred to in sections 26(1) and 26(5);
          (c) demonstrate compliance with the requirements set out in section 30(1); and
          (d) assess the impact of the Processing operations performed by Controllers or Processors, in particular for the purposes of a Data Protection Impact Assessment in accordance with section 34.

        • 39. Certification

          (1) The Commissioner of Data Protection may approve data protection certification mechanisms and data protection seals and marks, for the purpose of demonstrating compliance with these Regulations of Processing operations by Controllers and Processors.
          (2) The Commissioner of Data Protection must take into account the specific needs of micro, small and medium-sized Establishments when approving certification schemes under section 39(1).
          (3) The certification must be voluntary and available via a process that is transparent.
          (4) The Commissioner of Data Protection must collate all certification mechanisms and data protection seals and marks in a register and must make them publicly available by any appropriate means.
          (5) Adherence to an approved certification mechanism may be used as an element by which to demonstrate (among other things):
          (a) compliance with the obligations of the Controller in accordance with section 22;
          (b) the requirements set out in section 23;
          (c) sufficient guarantees as referred to in sections 26(1) and 26(5); and
          (d) compliance with the requirements set out in section 30(1).

      • PART V PART V Transfers of Personal Data outside of ADGM or to International Organisations

        • 40. General principle for transfers

          (1) All provisions in this Part must be applied to ensure that the high level of protection of Personal Data guaranteed by these Regulations is not undermined.
          (2) Any transfer of Personal Data that is undergoing Processing or is intended for Processing after transfer to a jurisdiction outside of ADGM or to an International Organisation can only take place if, subject to the other provisions of these Regulations, the conditions in this Part are complied with by the Controller and Processor, including for further onward transfers of Personal Data.

        • 41. Transfers on the basis of an adequacy decision

          (1) A transfer of Personal Data outside of ADGM or to an International Organisation may take place where the Commissioner of Data Protection has decided that the receiving jurisdiction, one or more specified sectors within that jurisdiction, or the International Organisation in question ensures an adequate level of protection of Personal Data. Such a transfer will not require any specific authorisation.
          (2) When assessing the adequacy of the level of protection of Personal Data, the Commissioner of Data Protection must, in particular, take account of the following elements:
          (a) the rule of law, respect for individuals’ rights, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to Personal Data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of Personal Data to another jurisdiction, sector or International Organisation which are complied with in that jurisdiction, sector or International Organisation, case-law, as well as effective and enforceable Data Subject rights and effective administrative and judicial redress for the Data Subjects whose Personal Data is being transferred;
          (b) the existence and effective functioning of one or more independent supervisory authorities in the receiving jurisdiction or sector or to which an International Organisation is subject, with responsibility for ensuring and enforcing compliance with adequate data protection rules described in section 41(2)(a), including adequate enforcement powers, for assisting and advising the Data Subjects in exercising their rights and for cooperation with the Commissioner of Data Protection; and
          (c) the international commitments the receiving jurisdiction, sector or International Organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of Personal Data.
          (3) The Commissioner of Data Protection, after assessing the adequacy of the level of protection, may decide that a jurisdiction outside of ADGM, or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation ensures an adequate level of protection:
          (a) within the meaning of section 41(2); or
          (b) on the basis that the jurisdiction, sector or International Organisation has received an adequacy decision by the European Commission in accordance with Article 45(3) of the GDPR.
          In each case the Commissioner of Data Protection must provide for a review of the decision within four years, which must take into account all relevant developments in the jurisdiction outside of ADGM or International Organisation.
          (4) The Commissioner of Data Protection must, on an ongoing basis, monitor developments in jurisdictions outside of ADGM and International Organisations that could affect the functioning of decisions adopted pursuant to section 41(3).
          (5) The Commissioner of Data Protection must, where available information reveals, in particular following the review referred to in section 41(3), that a jurisdiction outside of ADGM or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation no longer ensures an adequate level of protection within the meaning of section 41(2), to the extent necessary, repeal, amend or suspend the decision referred to in section 41(3) without retroactive effect.
          (6) The Commissioner of Data Protection must publish a list of the jurisdictions outside of ADGM and specified sectors within jurisdictions outside of ADGM and International Organisations for which it has decided that an adequate level of protection is or is no longer ensured.
          (7) Jurisdictions designated as providing an adequate level of protection for Personal Data under section 4 of the ADGM Data Protection Regulations 2015 will remain valid until amended, replaced or repealed by the Commissioner of Data Protection.

        • 42. Transfers subject to appropriate safeguards

          (1) In the absence of a decision pursuant to sections 41(3) or 41(7), a Controller or Processor may transfer Personal Data to a Controller or Processor outside of ADGM or to an International Organisation only if the Controller or Processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available.
          (2) The Commissioner of Data Protection may adopt standard contractual clauses that contain appropriate safeguards for the rights of Data Subjects whose Personal Data is being transferred, including by approving the then current standard contractual clauses issued by the European Commission, or adopted by a Supervisory Authority for the same purpose, upon which approval such standard contractual clauses will be incorporated into these Regulations by reference.
          (3) The appropriate safeguards referred to in section 42(1) may be provided for, without requiring any specific authorisation from the Commissioner of Data Protection, by:
          (a) a legally binding and enforceable instrument between public authorities;
          (b) Binding Corporate Rules in accordance with section 43;
          (c) standard data protection clauses adopted by the Commissioner of Data Protection in accordance with section 42(2);
          (d) an approved code of conduct pursuant to section 37 together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights; or
          (e) an approved certification mechanism pursuant to section 39 together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights.
          (4) Subject to the authorisation from the Commissioner of Data Protection, the appropriate safeguards referred to in section 42(1) may also be provided for by:
          (a) contractual clauses between the Controller or Processor and the Controller, Processor or the Recipient of the Personal Data outside of ADGM or the international organisation; or
          (b) provisions to be inserted into administrative arrangements, including regulatory memorandums of understanding between public authorities or domestic or international bodies which include enforceable and effective data subject rights.
          (5) Permits issued under section 5(1)(a) of the Data Protection Regulations 2015 will remain valid as evidence of compliance with this section until amended, replaced or revoked, if necessary, by the Commissioner of Data Protection.

        • 43. Binding Corporate Rules

          (1) The Commissioner of Data Protection may approve Binding Corporate Rules, provided that they:
          (a) have the following features:
          (i) are legally binding and apply to and are enforced by every member concerned of the Group, including their employees;
          (ii) expressly confer enforceable rights on Data Subjects with regard to the Processing of their Personal Data; and
          (iii) fulfil the requirements in section 43(2), or
          (b) have already been approved by a Supervisory Authority for the same purpose.
          (2) The Binding Corporate Rules referred to in section 43(1) must specify at least:
          (a) the structure and contact details of the Group and of each of its members;
          (b) the details of the data transfers, including the categories of Personal Data, the type of Processing and its purposes, the type of Data Subjects affected and the identification of the relevant jurisdiction(s) outside of ADGM;
          (c) their legally binding nature, both internally and externally;
          (d) the application of the general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for Processing, Processing of Special Categories of Personal Data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the Binding Corporate Rules;
          (e) the rights of Data Subjects and the means to exercise those rights, including the right to obtain redress and, where appropriate, compensation for a breach of the Binding Corporate Rules;
          (f) how the information on the Binding Corporate Rules, in particular on the provisions referred to in sections 43(2)(d) and 43(2)(e) are provided to the Data Subjects in addition to sections 11 and 12;
          (g) the tasks of any Data Protection Officer designated in accordance with section 35 or any other person or entity in charge of monitoring compliance with the Binding Corporate Rules within the Group;
          (h) the complaint procedures;
          (i) the mechanisms within the Group for monitoring compliance with the Binding Corporate Rules and cooperating with the Commissioner of Data Protection to ensure compliance. Such mechanisms must include data protection audits and methods for ensuring corrective actions to protect the rights of Data Subjects. Results of such monitoring activities should be communicated to the board of the parent company of a Group, and should be made available to the Commissioner of Data Protection upon request;
          (j) the procedures for reporting and recording changes to the rules and reporting those changes to the Commissioner of Data Protection;
          (k) the reporting mechanisms for notifying the Commissioner of Data Protection of any legal requirements to which a member of the Group, is subject outside of ADGM and which are likely to have a substantial adverse effect on the protections provided by the Binding Corporate Rules; and
          (l) the data protection training provided to personnel with permanent or regular access to Personal Data.

        • 44. Derogations for specific situations

          (1) In the absence of an adequacy decision pursuant to sections 41(3) or 41(7), or of appropriate safeguards pursuant to section 42, including Binding Corporate Rules, a transfer or a set of transfers of Personal Data outside of ADGM or to an International Organisation, must take place only on one of the following conditions:
          (a) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
          (b) the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject's request;
          (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
          (d) the transfer is necessary for important reasons of public interest;
          (e) the transfer is required by law enforcement agencies of the UAE in accordance with Applicable Law;
          (f) the transfer is necessary for the establishment, exercise or defence of legal claims (including judicial, administrative, regulatory and out-of-court procedures); or
          (g) the transfer is necessary in order to protect the vital interests of the Data Subject or of another person, where the Data Subject is physically or legally incapable of giving Consent.
          (2) Sections 44(1)(a), 44(1)(b) and 44(1)(c) do not apply to activities carried out by public authorities in the exercise of their public powers.
          (3) The public interest referred to in section 44(1)(d) must be recognised in Applicable Law to which the Controller is subject.

        • 45. Data sharing with public authorities

          (1) In addition to a Controller or Processor’s other obligations under these Regulations, where a Controller or Processor receives a request for Personal Data from any public authority outside of ADGM which has jurisdiction over the Controller or Processor or any part of its Group (a ‘Requesting Authority’) the Controller or Processor should:
          (a) exercise reasonable diligence to determine the validity and proportionality of the request, including to ensure that any disclosure of Personal Data is necessary for the purpose of meeting the objectives of the Requesting Authority identified in the request;
          (b) assess the impact of the proposed transfer in light of the potential risks to the rights and legitimate interests of any affected Data Subject and, where appropriate, implement measures to minimise such risks, including by redacting or minimising the Personal Data transferred or utilising appropriate measures to safeguard the transfer; and
          (c) where reasonably practicable, obtain appropriate assurances from the Requesting Authority that it will respect the rights of Data Subjects and take appropriate steps to safeguard the Personal Data.
          (2) A Controller or Processor may consult with the Commissioner of Data Protection in relation to any matter in connection with this section 45.

        • 46. International cooperation for the protection of Personal Data

          (1) In relation to jurisdictions outside of ADGM and International Organisations, the Commissioner of Data Protection may:
          (a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of Personal Data;
          (b) provide international mutual assistance in the enforcement of legislation for the protection of Personal Data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of Personal Data and other rights;
          (c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of Personal Data; and
          (d) promote the exchange and documentation of Personal Data protection legislation and practice, including on jurisdictional conflicts with jurisdictions outside of ADGM.

      • PART VI PART VI Independent supervisory authority

        • 47. Commissioner of Data Protection

          (1) The Board will:
          (a) assign to the Registrar the competency to oversee the administration and operation of the Office for Data Protection as an independent data protection supervisory authority;
          (b) appoint a person to be the Commissioner of Data Protection in accordance with section 47(2).
          (2) The Board, when appointing the Commissioner of Data Protection, must:
          (a) ensure the person has appropriate experience and qualifications for the role;
          (b) make the selection based on the Registrar’s recommendation of at least two candidates;
          (c) publish its decision; and
          (d) specify the period of appointment which must not exceed 4 years.
          (3) The Board may reappoint the Commissioner of Data Protection for consecutive periods, which must not exceed in total 12 years.
          (4) The Commissioner of Data Protection may at any time resign as the Commissioner of Data Protection by giving three months’ written notice addressed to the Registrar.
          (5) The Commissioner of Data Protection may only be removed from office by written notice issued by the Board:
          (a) for reasons of serious misconduct; or
          (b) if the Commissioner of Data Protection no longer fulfils the conditions required for the performance of his or her duties.
          (6) The Commissioner of Data Protection is responsible for the monitoring and enforcing the application of these Regulations in order to protect the rights of natural persons in relation to Processing of Personal Data in ADGM.
          (7) The Commissioner of Data Protection is not personally liable for acts or omissions carried out as part of their powers, duties or functions.

        • 48. Independence

          (1) The Commissioner of Data Protection must act with complete independence (including from the other functions of the Registrar) in performing its duties and exercising its powers and functions in accordance with these Regulations.
          (2) In performing its duties and exercising its powers and functions the Commissioner of Data Protection must:
          (a) remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody;
          (b) refrain from any action incompatible with their duties; and
          (c) not engage in any occupation that is incompatible with the role of the Commissioner of Data Protection, whether or not the role is remunerated.
          (3) The Commissioner of Data Protection:
          (a) may appoint other officers and Staff who will be, and remain, subject to the exclusive direction and authority of the Commissioner of Data Protection;
          (b) is to determine the remuneration and other conditions of service of individuals appointed under this subsection; and
          (c) may delegate any of its functions, duties or powers to be carried out by its officers or Staff provided that the Commissioner of Data Protection remains ultimately responsible for how they are carried out.
          (4) The Commissioner of Data Protection and other officers or Staff are collectively referred to as the Office of Data Protection.
          (5) The independence of the Commissioner of Data Protection is not affected by the financial or other controls and reporting obligations to which it is subject in accordance with sections 51 to 53.

        • 49. Functions and obligations of Staff of the Commissioner of Data Protection

          (1) The Commissioner of Data Protection has such powers, duties and functions as conferred on it under these Regulations and must exercise those powers and perform those duties and functions in pursuit of the objectives of these Regulations.
          (2) The Commissioner of Data Protection must:
          (a) monitor and enforce the application of these Regulations;
          (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to Processing;
          (c) advise the Board, ADGM, Financial Services Regulatory Authority, ADGM Courts, the Registration Authority and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights with regard to Processing, in accordance with Applicable Law;
          (d) promote the awareness of Controllers and Processors of their obligations under these Regulations;
          (e) provide the public with opportunities to provide views on the activities of the Office of Data Protection;
          (f) handle complaints lodged by a Data Subject, and investigate, to the extent appropriate, the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation is necessary;
          (g) cooperate with, including sharing information and provide mutual assistance to, other data protection authorities with a view to facilitating the effective enforcement of legislation for the protection of Personal Data;
          (h) conduct investigations on the application of these Regulations;
          (i) monitor relevant developments insofar as they have an impact on the protection of Personal Data, in particular the development of information and communication technologies and business practices;
          (j) adopt or authorise standard contractual clauses referred to in section 26(6) and 42(2);
          (k) establish and maintain a list in relation to the requirement for Data Protection Impact Assessment pursuant to section 34(4);
          (l) take into account the specific needs of small and medium sized Establishments in the application of these Regulations;
          (m) approve codes of conduct which provide sufficient safeguards pursuant to section 38(1);
          (n) approve the criteria of certification pursuant to section 39(1);
          (o) authorise contractual clauses and provisions referred to in section 40(4);
          (p) approve Binding Corporate Rules pursuant to section 43;
          (q) keep internal records of contraventions of these Regulations and of measures taken in accordance with section 50(5);
          (r) collect Data Protection Fee and Renewal Fee payments and notifications by Controllers in accordance with section 24; and
          (s) fulfil any other tasks related to the protection of Personal Data within ADGM.
          (3) The Commissioner of Data Protection is not competent to supervise Processing operations of the Court acting in its judicial capacity.
          (4) The Commissioner of Data Protection and its officers and Staff:
          (a) are subject to a duty of professional secrecy or duty of confidentiality both during and after their term of office in respect of any confidential information which they become aware of in the course of the performance of their duties and functions or exercise of their powers; and
          (b) during their term of office must not engage in any political activity nor any activity which would create a conflict of interest with the work of the Office of Data Protection.

        • 50. General Powers

          (1) The investigative powers of the Commissioner of Data Protection include the powers to:
          (a) order, by notice in writing, Controllers and Processors to provide any information it reasonably requires for the performance of its duties and functions;
          (b) initiate investigations into a Controller’s or Processor’s compliance with these Regulations;
          (c) appoint one or more competent persons to conduct an investigation on its behalf into a Controller’s or Processor’s compliance with these Regulations. The Commissioner of Data Protection, and any person appointed under this section 49(1)(c) must give the Controller or Processor (as the case may be) written notice of the decision to investigate unless the Commissioner of Data Protection believes that would likely result in the investigation being frustrated;
          (d) carry out investigations in the form of data protection audits;
          (e) carry out a review on certifications issued pursuant to section 39;
          (f) notify Controllers and Processors of any alleged contravention of these Regulations;
          (g) obtain, by notice in writing, from Controllers and Processors, access to all Personal Data and to all information reasonably necessary for the performance of its duties and functions; and
          (h) subject to section 50(3) obtain access to any premises of Controllers and Processors, including to any data Processing equipment and means, in accordance with Applicable Law and to search and take possession of any relevant documents or information.
          (2) A statement made to the Commissioner of Data Protection or a person appointed under section 50(1)(c) during the course of an investigation is admissible in evidence in any proceedings, so long as it also complies with any requirements governing the admissibility of evidence in the circumstances in question.
          (3) The Court may issue a warrant for the Commissioner of Data Protection to exercise their powers under section 50(1)(h) if the Court is satisfied on information on oath given by or on behalf of the Commissioner of Data Protection or a person appointed under section 50(1)(c) that there are reasonable grounds for believing that:
          (a) a Controller or Processor has materially failed to meet the requirements of these Regulations; and
          (b) evidence of the failure is to be found on the premises specified in the information or is capable of being viewed using equipment on such premises.
          (4) Any document that is seized under section 50(1)(h) may be retained so long as it is necessary to retain it (rather than copies of it) in the circumstances. A person claiming to be the owner of the document may apply to the Court in accordance with section 38 of the Commercial Licensing Regulations 2015.
          (5) The corrective powers of the Commissioner of Data Protection include the power to:
          (a) issue and publish Directions and warnings and make recommendations to Controllers and Processors that intended Processing operations are likely to contravene provisions of these Regulations;
          (b) issue and publish Directions and reprimands to Controllers and Processors where Processing operations have contravened provisions of these Regulations;
          (c) order Controllers and Processors to comply with a Data Subject's requests to exercise his or her rights pursuant to these Regulations;
          (d) order Controllers and Processors to bring Processing operations into compliance with the provisions of these Regulations, where appropriate, in a specified manner and within a specified period;
          (e) order a Controller to communicate a Personal Data Breach to the Data Subject;
          (f) impose a temporary or permanent limitation (including a ban) on Processing;
          (g) order the rectification or erasure of Personal Data or restriction of Processing pursuant to sections 14, 15 and 16 and the notification of such actions to Recipients to whom the Personal Data has been disclosed pursuant to sections 15(2) and 17;
          (h) withdraw a certification if the requirements for the certification are not or are no longer met;
          (i) impose an administrative fine pursuant to section 55, in addition to, or instead of, measures referred to in this subsection, depending on the circumstances of the individual case;
          (j) order the suspension of data flows to a Recipient inside or outside of ADGM or to an International Organisation; and
          (k) where appropriate, refer contraventions of these Regulations to the attention of the Court and where appropriate, commence legal proceedings, in order to enforce the provisions of these Regulations.
          (6) The authorisation and advisory powers of the Commissioner of Data Protection include the powers to:
          (a) issue, on its own initiative or on request, opinions to the Board, the Registrar or, in accordance with Applicable Law, to other institutions and bodies as well as to the public on any issue related to the protection of Personal Data;
          (b) prepare and publish guidance on these Regulations;
          (c) prescribe forms to be used for any of the purposes of these Regulations;
          (d) approve draft codes of conduct in accordance with section 38;
          (e) issue certifications and approve criteria of certification in accordance with section 39;
          (f) adopt standard data protection clauses referred to in sections 26(6) and 42(2);
          (g) authorise contractual clauses referred to in section 42(4);
          (h) advise the Board in the course of the preparation of a legislative or regulatory measure which provides for the Processing of Personal Data, in order to ensure compliance of the intended Processing with these Regulations and in particular to mitigate the risk involved for the Data Subject;
          (i) prepare and publish a list (to be updated from time to time) of Processing activities that it considers require a Data Protection Impact Assessment in accordance with section 34; and
          (j) approve Binding Corporate Rules pursuant to section 43.

        • 51. Budget

          (1) The Commissioner of Data Protection must have its own annual budget. The Board must ensure that there is a provision of sufficient human, technical and financial resources to enable the Commissioner of Data Protection to effectively perform its duties and functions and exercise its powers in accordance with these Regulations.
          (2) To help inform the budget, before the end of the current financial year the Commissioner of Data Protection must submit to the Board for approval estimates (including for staffing costs) of the annual income and expenditure of the Commissioner of Data Protection for the next financial year.

        • 52. Accounts and audit

          (1) The Commissioner of Data Protection must keep proper accounts of its financial activities.
          (2) The Board must appoint auditors to conduct an audit in relation to each financial year of the Commissioner of Data Protection.
          (3) The Commissioner of Data Protection, must before the end of the first quarter of the financial year, prepare financial statements for the previous financial year in accordance with accepted accounting standards. The accounts prepared under this section must be submitted for the approval of the Board, who must, as soon as reasonably practicable, provide such statements to the relevant auditors for audit.
          (4) The auditors must prepare a report on the financial statements and send the report to the Board.
          (5) The auditors’ report must, where appropriate, include an opinion given by the auditors as to whether or not the financial statements to which the report relates give a true and fair view of the financial position of the Commissioner of Data Protection as at the end of the financial year to which the financial statements relate and of the results of its operations and cash flows in the financial year.
          (6) The auditors have the right to access at all reasonable times all information which is reasonably required by them for the purposes of preparing the report and which is held or controlled by any officer or member of Staff of the Commissioner of Data Protection.
          (7) The auditors are entitled to reasonably require from the officers and Staff of the Commissioner of Data Protection such information as they consider necessary for the performance of their duties.
          (8) A person must not without reasonable excuse intentionally engage in conduct that obstructs a person appointed under section 52(2) in the exercise of his or her powers.

        • 53. Annual report

          (1) As soon as practicable after 1 January each year, the Commissioner of Data Protection must deliver to the Board a report on the management of the administrative affairs of the Commissioner of Data Protection for the previous year. This report must include a list of types of contraventions addressed by the Commissioner of Data Protection in the previous year and the measures taken in response.
          (2) Such report must give a true and fair view of the state of the Commissioner of Data Protection’s regulatory operations in ADGM, and its financial statements as at the end of the relevant financial year.
          (3) This report must be made available to the public.

      • PART VII PART VII Fines and Remedies

        • 54. Directions

          (1) If the Commissioner of Data Protection is satisfied, after duly conducting all reasonable and necessary inspections and investigations, that a Controller or Processor has contravened or is contravening these Regulations or any rules made under these Regulations, the Commissioner of Data Protection may issue a direction requiring the Controller or Processor to do any of the measures referred to in sections 50(5)(a) to 50(5)(h) and section 50(5)(j) (a ‘Direction’).
          (2) A Direction issued under section 54(1) must contain:
          (a) a statement of the contravention of these Regulations or rules which the Commissioner of Data Protection is satisfied is being or has been committed; and
          (b) a statement to the effect that the Controller or Processor may refer the decision of the Commissioner of Data Protection to the Court for review.
          (3) A Direction issued under section 54(1) is enforceable, on the application of the Commissioner of Data Protection or any person authorised in writing by the Commissioner of Data Protection, by an injunction that can be imposed by the Court.
          (4) A Controller or Processor may ask the Commissioner of Data Protection to review the Direction within 21 days of receiving a Direction under this section. The Commissioner of Data Protection may receive further submissions and amend or discontinue the Direction.
          (5) If a Direction is amended or discontinued in accordance with section 54(4), the Commissioner of Data Protection must provide the Controller or Processor with reasons for the amendment or discontinuance.

        • 55. General conditions for imposing administrative fines

          (1) Where a Controller or Processor (i) does an act or thing that it is prohibited from doing; or (ii) omits to do an act or thing that it must do by or under:
          (a) any Direction issued by the Commissioner of Data Protection under section 54;
          (b) these Regulations; or
          (c) any rules made pursuant to these Regulations,
          the Commissioner of Data Protection, by written notice (a ‘Penalty Notice’) to the Controller or Processor, may impose a fine in respect of the contravention of such amount as the Commissioner of Data Protection determines to be appropriate, taking into account the factors in section 55(3). The amount determined by the Commissioner of Data Protection must not exceed USD 28 million.
          (2) Any fine imposed by the Commissioner of Data Protection under section 55(1) may, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in sections 50(5)(a) to 50(5)(h) and section 50(5)(j).
          (3) When deciding whether to impose a fine and deciding on the amount of the fine in each individual case, the Commissioner of Data Protection may consider the following factors:
          (a) the nature, gravity and duration of the contravention taking into account the nature scope or purpose of the Processing concerned as well as the number of Data Subjects affected, and the level of damage suffered by them;
          (b) the intentional or negligent character of the contravention;
          (c) any action taken by the Controller or Processor to mitigate the damage suffered by Data Subjects;
          (d) the degree of responsibility of the Controller or Processor taking into account technical and organisational measures implemented by them pursuant to sections 23 and 30;
          (e) any relevant previous contraventions of these Regulations or the Data Protection Regulations 2015 by the Controller or Processor;
          (f) degree of cooperation with the Commissioner of Data Protection, in order to remedy the contravention and mitigate its possible adverse effects;
          (g) the categories of Personal Data affected by the contravention;
          (h) the manner in which the contravention became known to the Commissioner of Data Protection, in particular whether, and if so to what extent, the Controller or Processor notified the Commissioner of Data Protection of the contravention;
          (i) where measures referred to in section 50(5) have previously been ordered against the Controller or Processor concerned in relation to the same subjectmatter, compliance with those measures;
          (j) adherence to approved codes of conduct pursuant to section 38 or approved certification mechanisms pursuant to section 39; and
          (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the contravention.
          (4) Before giving a Controller or Processor a Penalty Notice the Commissioner of Data Protection must, by written notice (a ‘Notice of Intent’) inform the Controller or Processor that the Commissioner of Data Protection intends to give a Penalty Notice.
          (5) The Notice of Intent must set out:
          (a) the reasons why the Commissioner of Data Protection considers it appropriate to issue a Penalty Notice;
          (b) an indication of the amount of the penalty;
          (c) the period in which a Controller or Processor may make written representations about the Commissioner of Data Protection’s intention to issue a Penalty Notice (which must be at least 21 days from the date of the Notice of Intent); and
          (d) whether the Commissioner of Data Protection considers it appropriate for the person to have an opportunity to make oral representations about the Commissioner of Data Protection’s intention to issue a Penalty Notice.
          (6) If a Controller or Processor intentionally or negligently, for the same or linked Processing operations, contravenes several provisions of these Regulations, the total amount of the administrative fine must not exceed USD 28 million.
          (7) If, within the period specified in the Penalty Notice, the Controller or Processor (as applicable):
          (a) pays the fine specified in the Penalty Notice to the Commissioner of Data Protection, then no proceedings or action may be commenced, whether in the Court or otherwise, by the Commissioner of Data Protection against the Controller or Processor in respect of the relevant contravention, provided that neither the imposition nor payment of a fine restricts the Commissioner of Data Protection from taking any action against a Controller or Processor, or refrain from doing any act or thing, in respect of any continuing contravention;
          (b) has not paid the prescribed fine to the Commissioner of Data Protection, then the obligation of the Controller or Processor to pay the fine is enforceable as a debt payable to the Commissioner of Data Protection and the Commissioner of Data Protection may apply to the Court for the recovery of the debt, plus such interest, costs of enforcement (including legal costs) and other expenses directly arising from the failure to pay as the Court sees fit to order; or
          (c) has appealed to the Court in accordance with section 57, then the provisions of section 57 apply.

        • 56. Fixed penalty for non-payment of the Data Protection Fee or Renewal Fee

          (1) If a Controller fails to pay the Data Protection Fee or the Renewal Fee in accordance with section 24, the Commissioner of Data Protection may issue a monetary penalty, imposing a fine on the Controller of up to 150 per cent of the Data Protection Fee, or Renewal Fee, in addition to the Data Protection Fee, or Renewal Fee, as the case may be.
          (2) The amount of the penalty for a failure to pay the Data Protection Fee in accordance with section 24 must be specified by rules made by the Board.
          (3) If a Controller has not paid the prescribed fine under section 56(1) to the Commissioner of Data Protection within the period specified in the monetary penalty, then the obligation of the Controller to pay the fine is enforceable as a debt payable to the Commissioner of Data Protection and the Commissioner of Data Protection may apply to the Court for the recovery of the debt, plus such interest, costs of enforcement (including legal costs) and other expenses directly arising from the failure to pay as the Court sees fit to order.

        • 57. Right to lodge a complaint with the Commissioner of Data Protection

          (1) Without prejudice to any other administrative or judicial remedy, a Data Subject has the right to lodge a complaint with the Commissioner of Data Protection if the Data Subject considers that the Processing of Personal Data relating to him or her contravenes these Regulations.
          (2) Where multiple Data Subjects are affected by the same alleged contravention, they may raise such complaint collectively, including via a representative body. The Commissioner of Data Protection may choose to deal collectively with multiple allegations which relate to the same contravention, whether or not such allegations are brought collectively.
          (3) The Commissioner of Data Protection must assess the complaint and inform the complainant on the progress and the outcome of the complaint.
          (4) Upon completion of the assessment, the Commissioner of Data Protection may, as appropriate:
          (a) dismiss the complaint;
          (b) uphold the complaint and take further action including under sections 54 or 55; or
          (c) uphold the complaint and take no further action.

        • 58. Application to the Court

          (1) Notwithstanding any other administrative or non-judicial remedy:
          (a) a Controller or Processor in respect of whom a Penalty Notice or Direction is issued may refer the matter to the Court for review within three months of the Penalty Notice or Direction being issued;
          (b) a Controller, Processor or affected Data Subject who considers the Commissioner of Data Protection has failed to handle a complaint under section 57 in accordance with these Regulations may refer the matter to the Court for review within three months immediately following the date that the complaint was made.
          (2) The Court may make any orders that the Court may think just and appropriate in the circumstances, including remedies for damages, penalties or compensation, imposition of administrative fines and findings of fact in relation to whether or not these Regulations have been contravened.
          (3) Court Procedure Rules may make provision for any reference to the Court under this section.

        • 59. Rights against a Controller and/or Processor

          (1) Any person who has suffered material or non-material damage as a result of a contravention of these Regulations is entitled to compensation from the Controller or Processor for the damage suffered. Any compensation is in addition to, and will not limit, any fine imposed on the same Controller or Processor under section 55.
          (2) Any Controller involved in Processing is liable for the damage caused by Processing which contravenes these Regulations.
          (3) A Processor is liable for the damage caused by Processing only where it has not complied with obligations of these Regulations specifically directed to Processors or where it has acted outside or contrary to lawful instructions of the Controller.
          (4) A Controller or Processor is exempt from liability under section 59(2) and 59(3) if it proves that it is not in any way responsible for the event giving rise to the damage.
          (5) It is a defence to a claim brought under section 59(2) for the Controller or Processor to prove that it had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
          (6) Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same Processing and where they are responsible for any damage caused by Processing, each Controller or Processor will be held jointly and severally liable for the entire damage in order to ensure effective compensation of the Data Subject.
          (7) Where a Controller or Processor has, in accordance with section 59(6), paid full compensation for the damage suffered, that Controller or Processor is entitled to claim back from the other Controllers or Processors involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in section 59(2) and 59(3).
          (8) Proceedings for exercising the right to receive compensation must be brought before the Court.
          (9) A Data Subject may apply to the Court for an order that is binding on the Controller, or Processor, to take, or refrain from taking, specified steps in order to comply with these Regulations.

      • PART VIII PART VIII Final provisions

        • 60. Power of the Board to make rules

          (1) The Board may make such rules applying to matters within the scope and objectives of these Regulations (as defined within sections 1 to 3) as appear to the Board to be in the interests of the Abu Dhabi Global Market.
          (2) Rules made by the Board in accordance with section 60(1):
          (a) may make different provision for different cases;
          (b) may make provision in relation to matters such as protection of Data Subjects rights and legitimate interests, procedural fairness and conduct of investigations by the Commissioner of Data Protection, provision of information to the Commissioner of Data Protection and provision of other assistance to the Commissioner of Data Protection to enable the Commissioner of Data Protection to discharge its functions; and
          (c) may contain such incidental, supplemental, consequential and transitional provision as the Board considers appropriate.

        • 61. Previously concluded agreements

          International agreements involving the transfer of Personal Data outside of ADGM or to International Organisations, which were concluded or adopted by ADGM or the United Arab Emirates prior to the commencement of these Regulations and which comply with Applicable Law as applicable prior to the commencement of these Regulations, remain in force until amended, replaced or revoked.

        • 62. Definitions

          (1) For the purposes of these Regulations capitalised terms which are not defined in these Regulations have the meaning given to them in the Interpretation Regulations 2015, while the remaining capitalised terms have the following meanings:
          ADGM’ means the Abu Dhabi Global Market;
          Applicable Law’ means any enactment or subordinate legislation applicable in (i) ADGM; or (ii) under Abu Dhabi or Federal Law having application in ADGM, as it applies to Controllers and Processors that are within the scope of these Regulations;
          Archiving and Research Purposes’ means archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with section 9;
          Binding Corporate Rules’ means Personal Data protection policies which are adhered to by a Controller or Processor in ADGM for transfers or a set of transfers of Personal Data to a Controller or Processor outside ADGM within a Group;
          Biometric Data’ means Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data;
          Child’ means a natural person under the age of 18 years old;
          Commissioner of Data Protection’ means the person appointed by the Board in accordance with section 47 to be the head of the Office of Data Protection;
          Consent’ has the meaning given in section 6;
          Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
          Court Procedure Rules’ has the meaning given under Part 7 of the ADGM Cour ts, Civil Evidence, Judgments, Enforcement and Judicial Appointments Regulations 2015;
          Data Concerning Health’ means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status;
          Data Protection Fee’ means a fee to be paid by the Controller in respect of the first 12 months it Processes Personal Data in the amount specified by rules made by the Board as set out in section 24;
          Data Protection Impact Assessment’ has the meaning given in section 34(1);
          Data Protection Officer’ has the meaning given in section 35;
          Data Subject’ means an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
          Direction’ means a direction issued by the Commissioner of Data Protection in accordance with section 54;
          Establishment’ means any authority, body corporate, branch, representative office, institution entity, or project established, registered or licensed to operate or conduct any activity within the ADGM or exempt from being registered or licensed under the laws of the ADGM;
          Filing System’ means any structured set of Personal Data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
          GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended from time to time;
          Genetic Data’ means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question;
          Group’ has the meaning given to that term in the Commercial Licensing Regulations 2015;
          High Risk Processing Activities’ means the Processing of Personal Data where one or more of the following applies:
          (a) a considerable volume of Personal Data will be Processed;
          (b) the Processing is likely to result in a high risk to the rights of Data Subjects;
          (c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
          (d) the Processing includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise their rights; or
          (e) the Processing includes Special Categories of Personal Data, except where Processing of such data is required by Applicable Law.
          ‘International Organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
          Office of Data Protection’ means the Commissioner of Data Protection, any deputy commissioners and other officers or Staff of the Commissioner of Data Protection;
          Penalty Notice’ has the meaning given in section 55(1);
          Personal Data’ means any information relating to a Data Subject;
          Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
          Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
          Processor’ means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;
          Profiling’ means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
          Pseudonymisation’ means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person;
          Recipient’ means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed, whether a Third Party or not;
          Renewal Fee’ means a fee to be paid by the Controller any 12 month period that is not the first 12 months it Processes Personal Data in the amount specified by rules made by the Board as set out in section 24;
          Requesting Authority’ has the meaning given in section 45(1);
          Special Categories of Personal Data’ means the categories of data listed in section 7(1);
          Staff’ includes past, existing or prospective employees, directors, partners, trustees, officers, office holders, temporary or casual workers, agents and volunteers;
          State Of The Art’ means the current state of technological development, as appropriate to the context in which the measures are being implemented, including industry practices, the type and scale of the processing and the availability of a product or solution in the market;
          Supervisory Authority’ means:
          (a) an independent authority which has been established pursuant to Article 51 of the GDPR, which includes, for these purposes, the United Kingdom’s Information Commissioner’s Office; or
          (b) an independent authority with responsibility for ensuring and enfor cing compliance with the data protection rules that is established in a jurisdiction which the Commissioner of Data Protection has decided ensures an adequate level of protection in accordance with section 41(3); and
          Third Party’ means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data.

        • 63. Repeal of Data Protection Regulations 2015

          (1) The Data Protection Regulations 2015 are repealed with effect from:
          (a) the date that is 6 months after the date of publication of these Regulations for any Establishment that is established in ADGM on or following the date of publication of these Regulations; and
          (b) the date that is 12 months after the date of publication of these Regulations for any Establishments established in ADGM prior to the date of entry into force of these Regulations.
          (2) Subject to section 63(1), these Regulations come into force and are binding from the date the Data Protection Regulations 2015 are repealed.
          (3) References to the Data Protection Regulations 2015 in Applicable Law will be construed as references to these Regulations.

        • 64. Short title, scope and commencement

          (1) These Regulations may be cited as the Data Protection Regulations 2021.
          (2) These Regulations apply in the Abu Dhabi Global Market.
          (3) The Board may by rules make any transitional, transitory, consequential, saving, incidental or supplementary provision in relation to the commencement of these Regulations as the Board thinks fit.
          (4) Rules made under section 64(3) may amend any provision of any other enactment including subordinate legislation made under such enactment.

    • Data Protection Regulations 2015

      Regulations to make provision for the protection of personal data within the Abu Dhabi Global Market and for connected purposes.

      Date of Enactment: 4 October 2015

      The Board of Directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of Law No. 4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi, hereby enacts the following Regulations —

      • Data Protection Regulations 2015

        • Part 1 Part 1 General Rules on the Processing of Personal Data

          • 1. General requirements

            (1) Data Controllers shall ensure that Personal Data which they Process are —
            (a) Processed fairly, lawfully and securely;
            (b) Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights;
            (c) adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed;
            (d) accurate and, where necessary, kept up to date; and
            (e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.
            (2) Every reasonable step shall be taken by Data Controllers to ensure that Personal Data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further Processed, are erased or rectified.

          • 2. Requirements for legitimate Processing

            Personal Data may only be Processed if —

            (a) the Data Subject has given his written consent to the Processing of that Personal Data;
            (b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
            (c) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
            (d) Processing is necessary in order to protect the vital interests of the Data Subject;
            (e) Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data are disclosed; or
            (f) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

          • 3. Processing of Sensitive Personal Data

            (1) Sensitive Personal Data shall not be Processed unless —
            (a) the Data Subject has given an additional written consent to the Processing of this kind of Personal Data;
            (b) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller;
            (c) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
            (d) Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects;
            (e) the Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims;
            (f) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
            (g) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation;
            (h) Processing is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime; or
            (i) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are Processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation.
            (2) Subsection (1) shall not apply if —
            (a) a permit has been obtained from the Registrar to Process Sensitive Personal Data; and
            (b) the Data Controller applies adequate safeguards with respect to the Processing of the Personal Data.

          • 4. Transfers out of the Abu Dhabi Global Market: adequate level of protection

            (1) Except as set out in section 5, a transfer of Personal Data to a Recipient located in a jurisdiction outside the Abu Dhabi Global Market may take place only if an adequate level of protection for those Personal Data are ensured by laws applicable to the Recipient.
            (2) The adequacy of the level of protection ensured by laws to which the Recipient is subject, as referred to in subsection (1), shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to —
            (a) the nature of the Personal Data;
            (b) the purpose and duration of the proposed Processing operation or operations;
            (c) if the data do not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and
            (d) any relevant laws to which the Recipient is subject, including professional rules and security measures.
            (3) The jurisdictions which the Registrar has designated as providing an adequate level of protection for Personal Data for the purposes of subsection (1) are listed in Schedule 3 to these Regulations, and may be updated from time to time by a publication to such effect on the Registrar's website.

          • 5. Transfers out of the Abu Dhabi Global Market in the absence of an adequate level of protection

            A transfer or a set of transfers of Personal Data to a Recipient which is not subject to laws which ensure an adequate level of protection within the meaning of section 4(1) may take place on condition that —

            (a) the Registrar has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of such Personal Data;
            (b) the Data Subject has given his written consent to the proposed transfer;
            (c) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
            (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
            (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
            (f) the transfer is necessary in order to protect the vital interests of the Data Subject;
            (g) the transfer is necessary in the interests of the Abu Dhabi Global Market;
            (h) the transfer is made at the request of a regulator, the police or other government agency;
            (i) the transfer is made from a register which according to law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
            (j) the transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
            (k) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that the transfer is carried out in accordance with applicable standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation;
            (l) the transfer is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller which is established in the Abu Dhabi Global Market, or for the prevention or detection of any crime;
            (m) the transfer is made to a person established outside the Abu Dhabi Global Market who would be a Data Controller (if established in the Abu Dhabi Global Market) or who is a Data Processor, if, prior to the transfer, a legally binding agreement in the form set out in Schedule 1 or Schedule 2 respectively to these Regulations has been entered into between the transferor and Recipient; or
            (n) the transfer is made between one or more members of a Group of Companies in accordance with a global data protection compliance policy of that Group, under which all the members of such Group that are or will be transferring or receiving the Personal Data are bound to comply with all the provisions of these Regulations containing restrictions on the use of Personal Data and Sensitive Personal Data in the same way as if they would be if established in the Abu Dhabi Global Market.

          • 6. Providing information where Personal Data have been obtained from the Data Subject

            (1) Data Controllers shall provide a Data Subject whose Personal Data it collects from the Data Subject with at least the following information as soon as possible upon commencing to collect Personal Data in respect of that Data Subject —
            (a) the identity of the Data Controller;
            (b) the purposes of the Processing for which the Personal Data are intended; and
            (c) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as —
            (i) the Recipients or categories of Recipients of the Personal Data;
            (ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
            (iii) the existence of the right of access to and the right to rectify the Personal Data concerning him;
            (iv) whether the Personal Data will be used for direct marketing purposes; and
            (v) whether the Personal Data will be Processed on the basis of section 3(1)(g) or section 5(k).
            (2) A Data Controller need not provide that information otherwise required by subsection (1)(c)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.

          • 7. Providing information where Personal Data have not been obtained from the Data Subject

            (1) Where Personal Data have not been obtained from the Data Subject, a Data Controller or his representative shall at the time of undertaking the Processing of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data are first Processed or disclosed, provide the Data Subject with at least the following information —
            (a) the identity of the Data Controller;
            (b) the purposes of the Processing;
            (c) any further information in so far as such further information is necessary, having regard to the specific circumstances in which the Personal Data are Processed, to guarantee fair Processing in respect of the Data Subject, such as —
            (i) the categories of Personal Data concerned;
            (ii) the Recipients or categories of Recipients;
            (iii) the existence of the right of access to and the right to rectify the Personal Data concerning him;
            (iv) whether the Personal Data will be used for direct marketing purposes; and
            (v) whether the Personal Data will be Processed on the basis of section 3(1)(g) or section 5(k).
            (2) Subsection (1) shall not apply to require —
            (a) the Data Controller to provide information which the Data Controller reasonably expects the Data Subject to possess; or
            (b) the provision of such information if it is reasonably impracticable or would involve a disproportionate effort.

          • 8. Confidentiality

            Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data shall not Process them except on instructions from the Data Controller, unless he is required to do so by law.

          • 9. Security of Processing

            (1) The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction of, or damage to, such Personal Data.
            (2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
            (3) The Data Controller shall, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and shall ensure compliance with those measures.
            (4) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of the incident as soon as reasonably practicable.
            (5) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data, including by any of its Data Processors, the Data Controller shall inform the Registrar of the incident as soon as reasonably practicable.

        • Part 2 Part 2 Rights of Data Subjects

          • 10. Right to access to and rectification, erasure or blocking of Personal Data

            A Data Subject has the right to require and obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense —

            (a) confirmation in writing as to whether or not Personal Data relating to him are being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
            (b) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to their source; and
            (c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of these Regulations.

          • 11. Right to object to Processing

            (1) A Data Subject has the right —
            (a) to object, at any time on reasonable grounds relating to his particular situation, to the Processing of Personal Data relating to him; and
            (b) to be informed before Personal Data are disclosed for the first time to Third Parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
            (2) Where there is a justified objection, the Processing instigated by the Data Controller shall no longer include those Personal Data.

        • Part 3 Part 3 Notifications to the Registrar

          • 12. Requirement to notify the Registrar

            (1) In order to be entitled to operate in such a capacity, a Data Controller must first be registered as a data controller with the Registrar. A data controller shall notify the Registrar of its intention to become a Data Controller in the required form. A Data Controller shall establish and maintain records of any Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes.
            (2) The Registrar may by written notification prescribe —
            (a) the information in relation to Personal Data Processing operations that shall be recorded for the purposes of subsection (1);
            (b) the circumstances in which a Data Controller shall notify the Registrar of any operations referred to in subsection (1); and
            (c) the content of any such notification and any fees to be paid on such notification.
            (3) A Data Controller must also notify the Registrar of —
            (a) an intention to renew its annual registration as a Data Controller;
            (b) an intention to change any appointed Data Processor;
            (c) any change in the particulars of any appointed Data Processor; and
            (d) any change in its business contact details.
            (4) Natural persons acting in their capacity as staff for a Data Controller or Data Processor are not subject to any personal obligations to register or make notifications under these Regulations.

          • 13. Register of notifications

            The Registrar shall keep a register of Personal Data Processing operations and other information notified in accordance with section 12 available for inspection during normal business hours by any person.

        • Part 4 Part 4 The Registrar

          • 14. General Powers of the Registrar

            (1) The Registrar has such functions and powers as may be conferred on it by or under these Regulations and any other enactment.
            (2) The Registrar shall administer these Regulations and enforce its provisions.
            (3) Without limiting the generality of subsection (1), such powers and functions of the Registrar include the powers and functions, so far as are reasonably practicable, to —
            (a) access Personal Data Processed by Data Controllers or Data Processors;
            (b) collect all the information necessary for the performance of its supervisory duties;
            (c) prescribe forms to be used for any of the purposes of these Regulations; and
            (d) issue warnings and make recommendations to Data Controllers.

          • 15. Production of information

            (1) The Registrar may require a Data Controller by written notice to —
            (a) give specified information; or
            (b) produce specified documents which relate to the Processing of Personal Data.
            (2) The Data Controller in respect of whom a requirement is made pursuant to subsection (1) shall comply with that requirement.

        • Part 5 Part 5 The Board

          • 16. Power to make rules

            (1) The Board may make rules in respect of any matters related to the Processing of Personal Data.
            (2) In particular, the Board when exercising the power in subsection (1) may make rules in respect of —
            (a) forms, procedures and requirements under these Regulations (including any fees to be paid in connection with any application or notification in addition to those fees outlined in Schedule 4 to these Regulations);
            (b) the keeping of the register of notifications established under section 13; and
            (c) the conduct of the Registrar and its staff in relation to the exercise of powers and performance of functions under these Regulations.
            (3) Where the Board issues a standard or code of practice, the Board may incorporate such a standard or code into the rules by reference and in such circumstances, except to the extent that the rules otherwise provide, a person who is subject to the provisions of any such standard or code shall comply with such provisions as if they were provisions of the rules.
            (4) Where any rules made for the purpose of these Regulations purport to be made in exercise of a particular power or powers, they shall be taken also to be made in the exercise of all powers under which they may be made.

        • Part 6 Part 6 Remedies, Liability and Sanctions

          • 17. Directions and compensation

            (1) If the Registrar is satisfied that a Data Controller, Data Processor or data controller established outside the Abu Dhabi Global Market has contravened or is contravening these Regulations or any rules made under these Regulations, the Registrar may issue a direction to the Data Controller requiring him to do either or both of the following:
            (a) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
            (b) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.
            (2) A direction issued under subsection (1) shall contain —
            (a) a statement of the contravention of these Regulations or rules which the Registrar is satisfied is being or has been committed; and
            (b) a statement to the effect that the Data Controller may seek a review by the Court of the decision of the Registrar to issue the direction.
            (3) A Data Controller, who fails, without reasonable excuse, to comply with any direction issued by the Registrar under this section shall be liable to a fine of up to USD 15,000.
            (4) A Data Controller, who receives a direction under this section may seek a review by the Court of the decision of the Registrar to issue the direction.
            (5) A direction issued under subsection (1) is enforceable, on the application of the Registrar or any person authorised in writing by the Registrar, by injunction.
            (6) Any person who suffers damage by reason of any contravention by a Data Controller, Data Processor or data controller established outside the Abu Dhabi Global Market of any of the requirements of these Regulations or any rules made under these Regulations is entitled to compensation from the Data Controller, Data Processor or data controller for that damage.
            (7) In proceedings brought against a person by virtue of subsection (6), it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

          • 18. Lodging claims and mediation

            (1) A person who believes on reasonable grounds that he has been adversely affected by a contravention of these Regulations or any rules made under these Regulations in respect of the Processing of their Personal Data and as regards the exercise of their rights under sections 10 and 11 may lodge a claim with the Registrar.
            (2) Without prejudice to any of its powers under these Regulations, the Registrar may mediate between the affected Data Subject referred to in subsection (1) and the relevant Data Controller and may refer the dispute to the Court where it deems necessary.

        • Part 7 Part 7 General Exemptions

          • 19. General exemptions

            (1) The Board may make rules exempting Data Controllers from compliance with these Regulations or any parts of these Regulations.
            (2) Without prejudice to subsection (1) above, section 12 shall not apply to the Board, the Court, the Regulator or the Registrar, except that the Registrar is still required to maintain records per section 12(1) and where necessary, prescribe written notifications per section 12(2).
            (3) Without prejudice to subsection (1) above, sections 4, 5, 6, 7, 10, 11 and 17 shall not apply to the Board, the Court, the Regulator or the Registrar if the application of these sections would be likely to prejudice the proper discharge by those entities of their powers or functions in so far as such powers or functions are designed for protecting members of the public against —
            (a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons carrying on any Controlled Activities; or
            (b) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons carrying on Regulated Activities.

          • 20. Interpretation

            In these Regulations, unless the context indicates otherwise, the defined terms listed below shall have the following meanings —

            "Company" has the meaning given to that term in the Financial Services and Markets Regulations 2015;

            "Controlled Activities" means controlled activities as defined in the Commercial Licensing Regulations 2015.

            "Court" means the Court of First Instance;

            "Data Controller" means any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data;

            "Data Processor" means any person (excluding a natural person acting in his capacity as as a staff member) who Processes Personal Data on behalf of a Data Controller;

            "Data Subject" shall mean the natural person to whom Personal Data relate;

            "Group" has the meaning given to that term in the Financial Services and Markets Regulations 2015;

            "Identifiable Natural Person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

            "Personal Data" means any information relating to an identified natural person or Identifiable Natural Person;

            "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly;

            "Recipient" means any person to whom Personal Data are disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;

            "Regulated Activities" has the meaning given to it in the Financial Services and Markets Regulations 2015;

            "Sensitive Personal Data" means Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life;

            "Staff" include past, existing or prospective employees, directors, partners, trustees, officers, office holders, temporary or casual workers, agents and volunteers; and

            "Third Party" means any person other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct control of the Data Controller or the Data Processor, are authorised to Process the Personal Data.

          • 21. Short title, extent and commencement

            (1) These Regulations may be cited as the Data Protection Regulations 2015.
            (2) These Regulations shall apply in the Abu Dhabi Global Market.
            (3) These Regulations shall come into force on the date of their publication. The Board may by rules make any transitional, transitory, consequential, saving, incidental or supplementary provision in relation to the commencement of these Regulations as the Board thinks fit.
            (4) Rules made under subsection (3) may amend any provision of any other enactment (including subordinate legislation made under such enactment).

        • SCHEDULE 1 SCHEDULE 1 Data Transfer Agreement (Data Controller to Data Controller transfers)

          For the purposes of section 5 of the Data Protection Regulations 2015 (the "Regulations") for the transfer of Personal Data to data controllers established in jurisdictions outside the Abu Dhabi Global Market which do not ensure an adequate level of data protection ("Non-Abu Dhabi Global Market Data Controllers")

          between

          ..................................................... (name)

          ..................................................... (address)

          hereinafter, the "Data Exporter"

          and

          ....................................................... (name)

          ....................................................... (address and jurisdiction of establishment)

          hereinafter, the "Data Importer"

          each a "Party"; together "the Parties",

          The Parties agree as follows with respect to the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Annex B.

          • 1. Definitions and interpretation

            For the purposes of the Clauses:

            (a) "Personal Data", "Sensitive Personal Data", "Processing", "Data Controller", "Data Processor", "Data Subject", "Third Party" and "Court" shall have the same meaning as in the Regulations;
            (b) "Automated Decision" shall mean a decision by the Data Exporter or the Data Importer which produces legal effects concerning a Data Subject or significantly affects a Data Subject and which is based solely on automated Processing of Personal Data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.;
            (c) "Clauses" shall mean the contractual clauses set out in this agreement, which constitute a free-standing agreement that does not incorporate commercial business terms established by the Parties under separate commercial arrangements, or rely or depend upon the same for its validity;
            (d) "Data Exporter" shall mean the Data Controller who transfers the Personal Data;
            (e) "Data Importer" shall mean the Non-Abu Dhabi Global Market Data Controller who agrees to receive from the Data Exporter Personal Data for further Processing in accordance with the terms of these Clauses and who is not subject to a system outside the jurisdiction of the Abu Dhabi Global Market ensuring adequate protection within the meaning of section 4 of the Regulations;
            (f) "Third Parties Act" shall mean the Contracts (Rights of Third Parties Act) 1999 as applied in the Abu Dhabi Global Market by virtue of the Application of English Law Regulations 2015.

            The details of the transfer (as well as the Personal Data covered) are specified in Annex B, which forms an integral part of the Clauses.

          • 2. Obligations of the Data Exporter

            The Data Exporter warrants and undertakes that —

            (a) the Personal Data have been collected, Processed and transferred in accordance with the Regulations;
            (b) it has used reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations under these Clauses;
            (c) it will provide the Data Importer, when so requested, with copies of the Regulations or references to them (where relevant, and not including legal advice);
            (d) if the transfer involves Sensitive Personal Data the Data Exporter is in compliance with section 3 of the Regulations in respect of the transfer to the Data Importer; and
            (e) it will respond to enquiries from Data Subjects and the Registrar concerning Processing of the Personal Data by the Data Importer, unless the Parties have agreed that the Data Importer will so respond, in which case the Data Exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Importer is unwilling or unable to respond. Such responses will be made within a reasonable time.

          • 3. Obligations of the Data Importer

            (1) The Data Importer warrants and undertakes that —
            (a) it will have in place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss or destruction or damage, and which provide a level of security appropriate to the risk represented by the Processing and the nature of the data to be protected;
            (b) it will have in place procedures so that any Third Party it authorises to have access to the Personal Data, including Data Processors, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Importer, including a Data Processor, shall be obligated to Process the Personal Data only on instructions from the Data Importer. This provision does not apply to persons authorised or required by the Regulations to have access to the Personal Data;
            (c) it has no reason to believe in the existence of any non-Abu Dhabi Global Market laws that would have a substantial adverse effect on the enforceability of these Clauses, and it will promptly inform the Data Exporter (which will pass such notification on to the Registrar where required) if it becomes aware of any such laws or any changes in such laws which have such a substantial adverse effect;
            (d) it will Process the Personal Data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these Clauses;
            (e) it will identify to the Data Exporter a contact point within its organisation authorised to respond to enquiries concerning Processing of the Personal Data, and will cooperate in good faith with the Data Exporter, the Data Subject and the Registrar concerning all such enquiries within a reasonable time;
            (f) at the request of the Data Exporter, it will provide the Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause 4 (which may include insurance coverage);
            (g) upon reasonable request of the Data Exporter, it will submit its data Processing facilities, data files and documentation needed for Processing to reviewing, auditing and/or certifying by the Data Exporter (or any independent or impartial inspection agents or auditors, selected by the Data Exporter and not reasonably objected to by the Data Importer) to ascertain compliance with the warranties and undertakings in these Clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Importer, which the Data Importer will attempt to obtain in a timely fashion;
            (h) it will Process the Personal Data, at its option, in accordance with —
            (i) the Regulations, or
            (ii) the data Processing principles set forth in Annex A,

            Data Importer to indicate which option it selects: ...................

            Initials of Data Importer: ...................................; and
            (i) it will promptly notify the Data Exporter about —
            (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the criminal law of any jurisdiction outside the Abu Dhabi Global Market to preserve the confidentiality of a law enforcement investigation;
            (ii) any accidental or unauthorised access; and
            (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so.
            (2) The Data Importer warrants and undertakes that it will not disclose or transfer the Personal Data to a third party data controller located outside the Abu Dhabi Global Market unless it notifies the Data Exporter about the transfer and —
            (i) the third party data controller processes the Personal Data in accordance with a Registrar decision finding that a jurisdiction outside the Abu Dhabi Global Market provides adequate protection;
            (ii) the third party data controller becomes a signatory to these Clauses or another data transfer agreement approved by the Registrar;
            (iii) Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the jurisdictions to which data is exported may have different data protection standards; or
            (iv) with regard to onward transfers of Sensitive Personal Data, Data Subjects have given their consent to the onward transfer.

          • 4. Third Party rights

            (1) Unless expressly provided to the contrary in these Clauses, a person who is not a Party has no right under the Third Parties Act to enforce or to enjoy the benefit of any provision of these Clauses.
            (2) Notwithstanding any provision of these Clauses, the consent of any person who is not a Party is not required to rescind or vary these Clauses at any time.
            (3) Any Data Subject may rely on and enforce any provision of these Clauses which expressly confers rights on it against the Data Importer or Data Exporter.
            (4) The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by relevant national law.

          • 5. Liability

            (5) Each Party shall be liable to the other Parties for damages it causes by any breach of these Clauses. Liability as between the Parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a Party for its outrageous conduct) are specifically excluded.
            (6) Each Party shall be liable to Data Subjects for damages it causes by any breach of Third Party rights under these Clauses. This does not affect the liability of the Data Exporter under the Regulations.
            (7) In cases involving allegations of breach by the Data Importer, the Data Subject must first request the Data Exporter to take appropriate action to enforce his rights against the Data Importer; if the Data Exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the Data Subject may then enforce his rights against the Data Importer directly. A Data Subject is entitled to proceed directly against a Data Exporter that has failed to use reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations under these Clauses (the Data Exporter shall have the burden to prove that it took reasonable efforts).

          • 6. Law applicable to the Clauses

            These clauses shall be governed by the law of the Abu Dhabi Global Market.

          • 7. Resolution of disputes with Data Subjects or the Registrar

            (1) In the event of a dispute or claim brought by a Data Subject or the Registrar concerning the Processing of the Personal Data against either or both of the Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
            (2) The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Registrar. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
            (3) Each Party shall abide by a decision of the Court.
            (4) The Parties agree that the Registrar has the right to exercise its functions and powers outlined in section 14 of the Regulations in respect of the Data Importer, in the same scope and subject to the same conditions as would apply the to Data Exporter under the Regulations.

          • 8. Termination

            (1) In the event that the Data Importer is in breach of its obligations under these Clauses, then the Data Exporter may temporarily suspend the transfer of Personal Data to the Data Importer until the breach is repaired or the contract is terminated.
            (2) In the event that —
            (a) the transfer of Personal Data to the Data Importer has been temporarily suspended by the Data Exporter for longer than one month pursuant to sub-clause (1);
            (b) compliance by the Data Importer with these Clauses would put it in breach of its legal or regulatory obligations in the jurisdiction of import;
            (c) the Data Importer is in substantial or persistent breach of any warranties or undertakings given by it under these Clauses;
            (d) a final decision of the Court or a decision of the Registrar rules that there has been a breach of the Clauses by the Data Importer or the Data Exporter; or
            (e) a petition is presented for the administration or winding-up of the Data Importer, which is not dismissed within the applicable period for such dismissal under the Insolvency Regulations 2015, a winding-up order is made, a receiver is appointed over any of its assets, a trustee in bankruptcy is appointed, a company voluntary arranagement is commenced by it, or any equivalent event in any jurisdiction occurs,
            then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate these Clauses, in which case the Registrar shall be informed where required. In cases covered by (a), (b), or (d) above, the Data Importer may also terminate these Clauses.
            (3) Either Party may terminate these Clauses if either (i) the Registrar makes a designation under section 4 of the Regulations in relation to each jurisdiction in which the Data Importer is incorporated or operates or uses the Personal Data; or (ii) each such jurisdiction not so designated is added to the list in Schedule 3 to the Regulations.
            (4) The Parties agree that the termination of these Clauses at any time, in any circumstances and for whatever reason (except for termination under sub-clause (3)) does not exempt them from the obligations and/or conditions under the Clauses as regards the Processing of the Personal Data transferred.

          • 9. Variation of these Clauses

            The Parties may not modify these Clauses except to update any information in Annex B. This does not preclude the Parties from adding additional commercial clauses where required as long as they do not contradict the Clauses.

          • 10. Description of the Transfer

            The details of the transfer and of the Personal Data are specified in Annex B. The Parties agree that Annex B may contain confidential business information which they will not disclose to Third Parties, except as required by the Regulations or in response to a competent regulatory or government agency. The Parties may execute additional annexes to cover additional transfers, which will be submitted to the Registrar where required. Annex B may, in the alternative, be drafted to cover multiple transfers.

            Dated:

            On behalf of the Data Exporter:

            Name (in full):

            Position:

            Address:

            Signature...............................

            [stamp of organisation]

            On behalf of the Data Importer:

            Name (in full):

            Position:

            Address:

            Signature...............................

            [stamp of organisation]

          • ANNEX A DATA PROCESSING PRINCIPLES

            1. Purpose limitation: Personal Data may be Processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the Data Subject.
            2. Data quality and proportionality: Personal Data must be accurate and, where necessary, kept up to date. The Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further Processed.
            3. Transparency: Data Subjects must be provided with information necessary to ensure fair Processing (such as information about the purposes of Processing and about the transfer), unless such information has already been given by the Data Exporter.
            4. Security and confidentiality: Technical and organisational security measures must be taken by the Data Controller that are appropriate to the risks, such as against unlawful or unauthorised Processing of Personal Data and against accidental loss or destruction of, or damage to, such Personal Data. Any person acting under the authority of the Data Controller, including a Data Processor, must provide sufficient guarantees that such technical measures shall be complied with.
            5. Rights of access, rectification, erasure or blocking: Data Subjects have the right to be provided with written confirmation as to whether Personal Data relating to them are being Processed, provided that such requests are made at reasonable intervals. Data Subjects must also be able to have their Personal Data rectified, erased or blocked, as appropriate, where it is Processed against the requirements of the Regulations. A Data Subject must also be able to object to the Processing of the Personal Data relating to him if there are reasonable grounds for such an objection, and such grounds relate to his particular situation.
            6. Sensitive Personal Data: The Data Importer shall take such additional measures (e.g. relating to security) as are necessary to protect Sensitive Personal Data in accordance with its obligations under Clause 3 or the Data Exporter's obligations under the Regulations.
            7. Data used for marketing purposes: Where data are Processed for the purposes of direct marketing, effective procedures should exist allowing the Data Subject at any time to object to having his data used for such purposes.
            8. Automated Decisions: The Data Importer shall not make any Automated Decisions concerning Data Subjects, except when —
            (a)
            (i) such decisions are made by the Data Importer in entering into or performing a contract with the Data Subject; and
            (ii) the Data Subject is given an opportunity to discuss the results of a relevant Automated Decision with a representative of the parties making such decision or otherwise to make representations to those parties; or
            (b) where otherwise provided by the Regulations.

          • ANNEX B DESCRIPTION OF THE TRANSFER

            This Annex forms part of the Clauses and must be completed and signed by the Parties.

            Data Subjects
            The Personal Data transferred concern the following categories of Data Subjects:
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Purposes of the transfer(s)
            The transfer is made for the following purposes:
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Categories of data
            The Personal Data transferred concern the following categories of data:
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Recipients
            The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Sensitive Personal Data (if appropriate)
            The Personal Data transferred concern the following categories of Sensitive Personal Data:
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Additional useful information (storage limits and other relevant information)
            ................................................................................................................................................................................. ................................................................................................................................................................................. ......................................................................................................

            Contact points for data protection enquiries:

            Data Importer Data Exporter
            .............................
            ..............................
            .............................
            ...........................

            ILLUSTRATIVE COMMERCIAL CLAUSES (OPTIONAL)

            Indemnification between the Data Exporter and Data Importer:

            "The Parties will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of these Clauses. Indemnification hereunder is contingent upon (a) the Party(ies) to be indemnified (the "Indemnified Party(ies)") promptly notifying the other Party(ies) (the "Indemnifying Party(ies)") of a claim; (b) the Indemnifying Party(ies) having sole control of the defence and settlement of any such claim; and (c) the Indemnified Party(ies) providing reasonable cooperation and assistance to the Indemnifying Party(ies) in defence of such claim.".

            Allocation of costs:

            "Each Party shall perform its obligations under these Clauses at its own cost."

            Extra termination clause:

            "In the event of termination of these Clauses, the Data Importer must return all Personal Data and all copies of the Personal Data subject to these Clauses to the Data Exporter forthwith or, at the Data Exporter's choice, will destroy all copies of the same and certify to the Data Exporter that it has done so, unless the Data Importer is prevented by its national law or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively Processed for any purpose. The Data Importer agrees that, if so requested by the Data Exporter, it will allow the Data Exporter, or an inspection agent selected by the Data Exporter and not reasonably objected to by the Data Importer, access to its establishment to verify that this has been done, with reasonable notice and during business hours."

        • SCHEDULE 2 SCHEDULE 2 Data Transfer Agreement (Data Controller to Data Processor transfers)

          For the purposes of section 5 of the Data Protection Regulations 2015 (the "Regulations") for the transfer of Personal Data to Data Processors established in jurisdictions outside the Abu Dhabi Global Market which do not ensure an adequate level of data protection

          between

          ................................................... (name)

          ................................................... (address)

          hereinafter, the "Data Exporter"

          and

          .................................................... (name)

          .................................................... (address)

          hereinafter, the "Data Importer"

          each a "Party"; together "the Parties",

          The Parties agree as follows with respect to the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Annex A.

          • 1. Definitions and interpretation

            For the purposes of the Clauses —

            (a) "Personal Data", "Processing", "Data Controller", "Data Processor", "Data Subject", "Third Party" and "Court" shall have the same meaning as in the Regulations;
            (b) "Clauses" shall mean the contractual clauses set out in this agreement which constitute a free-standing agreement that does not incorporate commercial business terms established by the Parties under separate commercial arrangements, or rely or depend upon the same for its validity;
            (c) "Data Exporter" means the Data Controller who transfers the Personal Data;
            (d) "Data Importer" means the data processor who agrees to receive from the Data Exporter Personal Data intended for Processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a legal system in a jurisdiction outside the Abu Dhabi Global Market ensuring adequate protection within the meaning of section 4 of the Regulations;
            (e) "Subprocessor" means any Data Processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer Personal Data exclusively intended for Processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
            (f) "Third Parties Act" shall mean the Contracts (Rights of Third Parties Act) 1999 as applied in the Abu Dhabi Global Market by virtue of the Application of English Law Regulations 2015.

          • 2. Details of the transfer

            The details of the transfer and in particular the categories of Personal Data subject to the transfer are specified in Annex A which forms an integral part of the Clauses.

          • 3. Third Party rights

            (1) Unless expressly provided to the contrary in these Clauses, a person who is not a Party has no right under the Third Parties Act to enforce or enjoy the benefit of any provision of these Clauses.
            (2) Notwithstanding any provision of these Clauses, the consent of any person who is not a Party is not required to rescind or vary these Clauses at any time.
            (3) Any Data Subject may rely on and enforce any provision of these Clauses which expressly confers rights on it against any of the Parties or a Subprocessor.
            (4) The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by relevant national law.

          • 4. Obligations of the Data Exporter

            The Data Exporter agrees and warrants —

            (a) that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the Regulations (and, where applicable, has been notified to the Registrar) and does not violate those Regulations;
            (b) that it has instructed, and throughout the duration of the Personal Data Processing services will instruct, the Data Importer to Process the Personal Data transferred only on the Data Exporter's behalf and in accordance with the Regulations and the Clauses;
            (c) that the Data Importer will provide sufficient guarantees in respect of the technical and organisational measures specified in Annex B to these Clauses;
            (d) that after assessment of the requirements of the Regulations, the security measures are appropriate to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction or damage, particularly where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
            (e) that it will ensure compliance with the security measures specified in paragraph (d);
            (f) that, if the transfer involves Sensitive Personal Data, the Data Exporter is in compliance with section 3 of the Regulations in respect of the transfer to the Data Importer;
            (g) that, in the event of subprocessing, the Processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of the Data Subject as the Data Importer under the Clauses; and
            (h) that it will ensure compliance with Clause 4(a) to (g).

          • 5. Obligations of the Data Importer

            The Data Importer agrees and warrants —

            (a) to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reason, it agrees to inform the Data Exporter promptly of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the Clauses;
            (b) that it has no reason to believe in the existence of any non-Abu Dhabi Global Market laws that would have a substantial adverse effect on the enforceability of these Clauses, and it will promptly inform the Data Exporter (which will pass such notification on to the Registrar where required) if it becomes aware of any such laws or any changes in such laws which have such a substantial adverse effect;
            (c) that it has implemented the technical and organisational measures specified in Annex B before Processing the Personal Data transferred;
            (d) that it will promptly notify the Data Exporter about —
            (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the criminal law of any jurisdiction outside the Abu Dhabi Global Market to preserve the confidentiality of a law enforcement investigation;
            (ii) any accidental or unauthorised access; and
            (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;
            (e) to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data subject to the transfer and to abide by the advice of the Registrar with regard to the Processing of the data transferred;
            (f) at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Registrar;
            (g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may redact such commercial information, with the exception of Annex B which shall minimally be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
            (h) that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent;
            (i) that the Processing services by the Subprocessor will be carried out in accordance with Clause 11; and
            (j) to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.

          • 6. Liability and termination

            (1) The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any Party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
            (2)
            (a) If a Data Subject is not able to bring a claim for compensation in accordance with sub-clause (1) against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity.
            (b) The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
            (3) If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in sub-clauses (1) and (2), arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own Processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
            (4) In addition to the Data Exporter's entitlement to terminate the Clauses in accordance with Clause 5(a), either Party may terminate these Clauses if: (i) the Registrar makes a designation under section 4 of the Regulations which remains in force, in relation to each jurisdiction in which the Data Importer and each of its Subprocessors is incorporated or operates or uses the Personal Data; or (ii) each such jurisdiction not so designated is added to the list in Schedule 3 to the Regulations.
            (5) The Parties agree that the termination of these Clauses at any time, in any circumstances and for whatever reason (except for termination under sub-clause (4)) does not exempt them from the obligations and/or conditions under the Clauses as regards the Processing of the Personal Data transferred.

          • 7. Mediation and jurisdiction

            (1) The Data Importer agrees that if the Data Subject invokes against it Third Party beneficiary rights and/or claims of compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject —
            (a) to refer the dispute to mediation, by an independent person or, where applicable, by the Registrar; and
            (b) to refer the dispute to the Court.
            (2) The Parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

          • 8. Cooperation with the Registrar

            (1) The Data Exporter shall be entitled to deposit a copy of these Clauses with the Registrar if the Registrar so requests or if such deposit is required under the Regulations.
            (2) The Parties agree that the Registrar has the right to exercise its functions and powers outlined in section 14 of the Regulations in respect of the Data Importer and any Subprocessor, in the same scope and subject to the same conditions as would apply to a Data Processor of the Data Exporter under the Regulations.

          • 9. Governing Law

            The Clauses shall be governed by the law of the Abu Dhabi Global Market.

          • 10. Variation of the clauses

            The Parties undertake not to vary or modify the Clauses except to update any information in Annex A. This does not preclude the Parties from adding clauses on business related issues where required, as long as they do not contradict the Clauses.

          • 11. Subprocessing

            (1) The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. This may be satisfied by the Subprocessor executing and becoming bound contractually by the Clauses as entered into between the Data Exporter and the Data Importer. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement, the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor's obligations under such agreement.
            (2) The prior written contract between the Data Importer and the Subprocessor shall also provide for a Third Party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in Clause 6(1) against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent, and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third party liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
            (3) The provisions relating to data protection aspects for subprocessing of the contract referred to in sub-clause (1) shall be governed by the law of the Abu Dhabi Global Market.
            (4) The Data Exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be made available to the Registrar.

          • 12. Obligation after the termination of Personal Data Processing services

            (1) The Parties agree that on the termination of the provision of data Processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred any further.
            (2) The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the Registrar, it will submit its data Processing facilities for an audit of the measures referred to in sub-clause (1).

            Dated:

            On behalf of the Data Exporter:

            Name (in full):

            Position:

            Address:

            Signature...........................

            [stamp of organisation]

            On behalf of the Data Importer:

            Name (in full):

            Position:

            Address:

            Signature.........................

            [stamp of organisation]

          • ANNEX A

            This Annex forms part of the Clauses and must be completed and signed by the Parties.

            The Registrar may complete or specify any additional necessary information to be contained in this Appendix.

            Data Exporter
            The Data Exporter is (please specify briefly your activities relevant to the transfer):
            .................................................................................................................................................................................
            ..............................................................

            Data Importer
            The Data Importer is (please specify briefly activities relevant to the transfer):
            .................................................................................................................................................................................
            ..............................................................

            Data Subjects
            The Personal Data transferred concern the following categories of Data Subjects (please specify):
            .................................................................................................................................................................................
            ..............................................................

            Categories of data
            The Personal Data transferred concern the following categories of data (please specify):
            .................................................................................................................................................................................
            ..............................................................

            Sensitive Personal Data (if appropriate)
            The Personal Data transferred concern the following sensitive Personal Data (please specify):
            .................................................................................................................................................................................
            ..............................................................

            Processing operations
            The Personal Data transferred will be subject to the following basic Processing activities (please specify):
            .................................................................................................................................................................................
            ..............................................................

            DATA EXPORTER

            Name:...................

            Authorised Signature ...................

            DATA IMPORTER

            Name:....................

            Authorised Signature .................

          • ANNEX B

            This Annex forms part of the Clauses and must be completed and signed by the Parties.

            Description of the technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing, and against accidental loss or destruction of, or damage to, Personal Data, implemented by the Data Importer in accordance with Clauses 4(d) and 5(c):

            ......................................................................................................................................................
            .........................................................................................................................................................
            ...................................................

            ILLUSTRATIVE INDEMNIFICATION CLAUSE (OPTIONAL)

            Liability:

            The Parties agree that if one Party is held liable for a violation of the Clauses committed by the other Party, the latter will, to the extent to which it is liable, indemnify the first Party for any cost, charge, damages, expenses or loss it has incurred.

            Indemnification is contingent upon —

            (a) the Data Exporter promptly notifying the Data Importer of a claim; and
            (b) the Data Importer being given the possibility to cooperate with the Data Exporter in the defence and settlement of the claim.

        • SCHEDULE 3 Jurisdictions With An Adequate Level Of Protection

          The following jurisdictions have been designated by the Registrar as providing an adequate level of protection in accordance with section 4

          (1) Argentina
          (2) Austria
          (3) Belgium
          (4) Bulgaria
          (5) Canada
          (6) Cyprus
          (7) Czech Republic
          (8) Denmark
          (9) Estonia
          (10) Finland
          (11) France
          (12) Germany
          (13) Greece
          (14) Guernsey
          (15) Hungary
          (16) Jersey
          (17) Iceland
          (18) Ireland
          (19) Isle of Man
          (20) Italy
          (21) Latvia
          (22) Liechtenstein
          (23) Lithuania
          (24) Luxembourg
          (25) Malta
          (26) Netherlands
          (27) New Zealand
          (28) Norway
          (29) Poland
          (30) Portugal
          (31) Romania
          (32) Slovakia
          (33) Slovenia
          (34) Spain
          (35) Sweden
          (36) Switzerland
          (37) United Kingdom
          (38) Uruguay
          (39) United States of America, subject to compliance with the terms of the applicable US-EU or US-Switzerland Safe Harbours

        • SCHEDULE 4 Fees

          The following fees are payable by a Data Controller or Data Processor in respect of the applications and notifications made in accordance with the Regulations —

          Application or notification Fee payable (USD)
          Application for initial registration as a Data Controller or Data Processor 300
          Annual renewal of registration as a Data Controller or Data Processor 100
          Application to obtain a permit to transfer Personal Data or Sensitive Personal Data 100
          Notification of amendment to the particulars of an appointed Data Controller or Data Processor 0
          Notification of new appointment or removal of an appointed Data Controller or Data Processor 0
          Notification of a change in the contact details of a Data Controller or Data Processor 0

        • Data Protection (Amendment) Regulations 2018

          Click herehere to view PDF

        • Data Protection (Amendment No 1) Regulations 2020

          Click here to view PDF.

        • Data Protection Regulations (Amendment No. 2) 2020

          Click here to view PDF.