PART II Principles
4. Principles relating to Processing of Personal Data

(1) Personal Data must be:
  (a) Processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
  (b) collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes;
  (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed;
  (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are Processed, is erased or rectified without delay;
  (e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed; and
  (f) Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

(2) The Controller is responsible for, and must be able to demonstrate compliance with, section 4(1).

(3) Where Personal Data is Processed for Archiving and Research Purposes:
  (a) this Processing is deemed to be compatible with the initial purposes for which the Personal Data was collected as required by section 4(1)(b); and
  (b) it may be stored for longer periods than stated in section 4(1)(e) provided appropriate technical and organisational measures are used to safeguard the rights of the Data Subject.
5. Lawfulness of Processing

(1) Processing is lawful only if and to the extent that:
  (a) the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes;
  (b) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  (c) Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;
  (d) Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
  (e) Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM's; (ii) the Financial Services Regulatory Authority's; (iii) the ADGM Court's; or (iv) the Registration Authority's functions or in the exercise of official authority vested in the Controller under Applicable Law; or
  (f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child.

(2) Section 5(1)(f) does not apply if Processing is necessary for any of the purposes described in section 5(1)(e).

(3) For the purposes of section 4(1)(b) the Controller must, in order to ascertain whether Processing for another purpose is compatible with the purpose for which the Personal Data is initially collected, take into account:
  (a) any link between the purposes for which the Personal Data has been collected and the purposes of the intended further Processing;
  (b) the context in which the Personal Data has been collected, in particular the relationship between Data Subjects and the Controller;
  (c) the nature of the Personal Data, in particular whether Special Categories of Personal Data are Processed, pursuant to section 7;
  (d) the possible consequences of the intended further Processing for Data Subjects; and
  (e) the existence of appropriate safeguards, which may include encryption or Pseudonymisation.
6. Conditions for Consent

(1) Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they (whether in writing, electronically or orally), by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.

(2) Silence, pre-ticked boxes or inactivity do not constitute Consent.

(3) For Consent to be informed, the Data Subject should be aware at least of the identity of the Controller and the purposes for which it is intended the Personal Data will be Processed.

(4) Where Processing is based on Consent, the Controller must be able to demonstrate that the Data Subject has consented to Processing of their Personal Data.

(5) If the Data Subject's Consent is given in the context of a written declaration which also concerns other matters, the request for Consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

(6) Any part of such a declaration which constitutes a contravention of these Regulations will not be binding.

(7) The Data Subject has the right to withdraw their Consent at any time. The withdrawal of Consent will not affect the lawfulness of Processing based on Consent before its withdrawal. The Data Subject must be informed of this before giving Consent.

(8) It must be as easy to withdraw Consent as it is to give Consent.

(9) When assessing if Consent is freely given the assessor must take into account whether:
  (a) the Data Subject has a genuine or free choice or is unable to refuse or withdraw Consent without detriment; and
  (b) the performance of a contract is conditional on Consent to the Processing of Personal Data that is not necessary for the performance of that contract.
7. Processing of Special Categories of Personal Data

(1) Processing of:
  (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  (b) Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person's sex life or sexual orientation; and
  (c) Personal Data relating to criminal convictions and offences or related security measures,
(together, 'Special Categories of Personal Data') is prohibited.

(2) Section 7(1) does not apply if one of the following applies:
  (a) the Data Subject has given explicit Consent to the Processing of their Special Categories of Personal Data for one or more specified purposes;
  (b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment law, provided that when the Processing is carried out, the Controller has an appropriate policy document in place in accordance with section 7(3);
  (c) Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
  (d) Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional provided that Processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality;
  (e) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
  (f) Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;
  (g) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body including religious, cultural, educational, social or fraternal purposes or for other charitable purposes and on condition that the Processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside that body without the Consent of the Data Subjects;
  (h) Processing relates to Personal Data which is intentionally made public by the Data Subject;
  (i) Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  (j) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  (k) Processing is necessary for reasons of substantial public interest, provided that (unless specified otherwise) the Controller has, when the Processing is carried out, an appropriate policy document in place in accordance with section 7(3), where it is necessary for:
    (i) the exercise of a function or requirement conferred on a person by Applicable Law;
    (ii) the exercise of a function of the Board, Abu Dhabi or United Arab Emirate government;
    (iii) the administration of justice;
    (iv) equality of opportunity or treatment provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual; and it does not relate to an individual who has given written notice to the Controller not to Process their Personal Data;
    (v) diversity at senior levels of organisations, where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject and is not aware of the Data Subject withholding Consent provided that the Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual;
    (vi) the prevention or detection of an unlawful act or omission where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose; and if the Processing relates to the disclosure of Personal Data to a relevant public authority an appropriate policy document in accordance with section 7(3) need not be in place for the Processing to be lawful under these Regulations;
    (vii) the protection of the members of the public against dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a company, body or association, or failures in services provided by a company, body or association where the Processing must be carried out without the Consent of the Data Subject so as not to prejudice this purpose;
    (viii) compliance with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act or omission, or been involved in dishonesty, malpractice or other seriously improper conduct where the Controller cannot reasonably be expected to obtain the Consent of the Data Subject to the Processing;
    (ix) the prevention of fraud in connection with Processing of Personal Data as a member of, or in accordance with arrangements made by, an anti-fraud organisation;
    (x) the disclosure in good faith to an appropriate public authority regarding suspected terrorist financing, to identify terrorist property or in relation to suspected money laundering, in accordance with Applicable Law; or
    (xi) the publication of a judgment or other decision of a court or tribunal or if the Processing is necessary for the purposes of publishing such a judgment or decision.

(3) Where it is specified that a condition in section 7(2) is met only if the Controller has an appropriate policy document in place, the Controller will have an appropriate policy document in place if:
  (a) the policy document (which may incorporate other documents by reference) explains, for Personal Data Processed in reliance on the condition:
    (i) how the Controller will comply with the principles in section 4; and
    (ii) the Controller's policies regarding the retention and erasure of that Personal Data; and
  (b) from the date the Controller starts to Process Personal Data in reliance on the condition until 6 months after the Controller ceases to carry out such Processing, the policy document referred to in section 7(3)(a) is:
    (i) retained, reviewed and updated (as appropriate); and
    (ii) made available to the Commissioner of Data Protection on request.
8. Processing which does not require identification

(1) If the purposes for which a Controller Processes Personal Data do not or no longer require the identification of a Data Subject by the Controller, the Controller is not obliged to maintain, acquire or Process additional information in order to identify the Data Subject for the sole purpose of complying with these Regulations.

(2) Where, in cases referred to in section 8(1), the Controller is able to demonstrate that it is not in a position to identify the Data Subject, the Controller must inform the Data Subject accordingly, if possible.
9. Processing for Archiving and Research Purposes

(1) Processing for Archiving and Research Purposes must be subject to the following safeguards:
  (a) technical and organisational measures must be in place, in particular to ensure compliance with section 4(1)(c), which may include Pseudonymisation or anonymisation;
  (b) the Processing must not cause, or be likely to cause, substantial damage or substantial distress to a Data Subject; and
  (c) the Processing must not be carried out for the purposes of measures or decisions with respect to a particular Data Subject, unless the purposes for which the Processing is necessary include the purpose of medical research that has been approved by a public authority or research institution.