• PART III Rights of the Data Subject

    • 10. Transparent information, communication and modalities for the exercise of the rights of the Data Subject

      (1) The Controller must take appropriate measures to provide any information referred to in sections 11 and 12 and any communication under sections 13 to 20 and section 32 relating to Processing to the Data Subject:
      (a) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a Child; and
      (b) in writing, electronically or, if requested by the Data Subject, orally as long as that Data Subject has provided proof of their identity.
      (2) The Controller must facilitate the exercise of Data Subject rights under sections 13 to 20. In the cases referred to in section 8(3), the Controller must not refuse to act on the request of the Data Subject to exercise their rights under sections 13 to 20, unless the Controller demonstrates that it is not in a position to identify the Data Subject.
      (3) Subject to section 10(4), the Controller must provide information on action taken on a request under sections 13 to 20 to the Data Subject without undue delay and in any event within two months of receipt of the request. Where the Data Subject makes the request by means of an electronic form, the information may be provided by electronic means where possible, unless otherwise requested by the Data Subject.
      (4) The period referred to in section 10(3) may be extended by one month, where necessary, taking into account the complexity and number of the requests including any related requests received by the Controller whether or not from the same Data Subject. The Controller must inform the Data Subject of any such extension within two months of receipt of the request, together with the reasons for the delay.
      (5) If the Controller does not take action on the request of the Data Subject, the Controller must inform the Data Subject without delay and at the latest within two months of receipt of the request of:
      (a) the reasons for not taking action; and
      (b) their right to lodge a complaint with the Commissioner of Data Protection and the possibility of seeking a judicial remedy.
      (6) Information provided under sections 11 and 12 and any communication and any actions taken under sections 13 to 20 and section 33 must be provided free of charge. Where requests from a Data Subject are unreasonable or excessive, in particular because of their repetitive character, the Controller may either:
      (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
      (b) refuse to act on the request.
      The Controller bears the burden of demonstrating the unreasonable or excessive character of the request.
      (7) Without limiting section 8, where the Controller has reasonable doubts concerning the identity of the natural person making the request referred to in sections 13 to 19, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject. In such cases, the time period for complying with the Data Subject request does not begin until the Controller has received information or evidence sufficient to reasonably identify that the individual making the request is the Data Subject.
      (8) Public authorities to which Personal Data is disclosed for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as Recipients (or categories of Recipients) for the purposes of sections 11, 12, 13, 17, 28 and 50 if they receive Personal Data which is necessary to carry out an inquiry in accordance with Applicable Law.

    • 11. Information to be provided where Personal Data is collected from the Data Subject

      (1) Where Personal Data relating to a Data Subject is collected from the Data Subject, the Controller must, at the time when Personal Data is obtained, provide the Data Subject with all of the following information:
      (a) the identity and the contact details of the Controller;
      (b) the contact details of the Data Protection Officer, where applicable;
      (c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
      (d) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
      (e) the Recipients or categories of Recipients of the Personal Data, if any; and
      (f) where applicable, the fact that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
      (i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
      (ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
      (2) In addition to the information referred to in section 11(1), the Controller must, at the time when Personal Data is obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent Processing:
      (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
      (b) the existence of the rights set out in sections 13 to 16, 18 and 19;
      (c) where the Processing is based on either of sections 5(1)(a) or 7(2)(a):
      (i) the existence of the right to withdraw Consent at any time; and
      (ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
      (d) the right to lodge a complaint with the Commissioner of Data Protection;
      (e) whether the provision of Personal Data is a requirement under Applicable Law, a contractual requirement, or a requirement necessary to enter into a contract;
      (f) whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
      (g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject; and
      (h) if the Controller intends to Process Personal Data in a manner that will restrict or prevent the Data Subject from exercising their rights to request rectification or erasure of Personal Data in accordance with sections 14(1) or 15(1), or to object to the Processing of the Personal Data in accordance with section 19. In such cases, the Controller must:
      (i) include a clear and explicit explanation of the expected impact on such rights; and
      (ii) satisfy itself that the Data Subject understands and acknowledges the extent of any such restrictions.
      (3) Where the Controller intends to further Process the Personal Data for a purpose other than that for which the Personal Data was collected, the Controller must provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in section 11(2).
      (4) Sections 11(1), 11(2) and 11(3) do not apply to the extent that the Data Subject already has the information.

    • 12. Information to be provided where Personal Data has not been obtained from the Data Subject

      (1) Where Personal Data has not been obtained from the Data Subject, the Controller must provide the Data Subject with the following information:
      (a) the identity and the contact details of the Controller;
      (b) the contact details of the Data Protection Officer, where applicable;
      (c) the purposes of the Processing for which the Personal Data is intended as well as the legal basis for the Processing;
      (d) the categories of Personal Data concerned;
      (e) the Recipients or categories of Recipients of the Personal Data, if any; and
      (f) where applicable, that the Controller intends to transfer Personal Data to a Recipient outside of ADGM or to an International Organisation and:
      (i) the existence or absence of an adequacy decision by the Commissioner of Data Protection; or
      (ii) in the case of transfers referred to in sections 42, 43, or section 44(1)(b), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
      (2) In addition to the information referred to in section 12(1), the Controller must provide the Data Subject with the following information necessary to ensure fair and transparent Processing in respect of the Data Subject:
      (a) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
      (b) where the Processing is based on section 5(1)(f), the legitimate interests pursued by the Controller or by a Third Party;
      (c) the existence of the rights set out in sections 13 to 16, 18 and 19;
      (d) where Processing is based on either section 5(1)(a) or 7(2)(a),
      (i) the existence of the right to withdraw Consent at any time; and
      (ii) that the lawfulness of any Processing based on Consent prior to that withdrawal will not be affected by the subsequent withdrawal of Consent;
      (e) the right to lodge a complaint with the Commissioner of Data Protection;
      (f) from which source the Personal Data originates, and if applicable, whether it came from publicly accessible sources; and
      (g) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
      (3) The Controller must provide the information referred to in sections 12(1) and 12(2):
      (a) within a reasonable period after obtaining the Personal Data, but at the latest within two months, having regard to the specific circumstances in which the Personal Data is Processed;
      (b) if the Personal Data is to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or
      (c) if a disclosure to another Recipient is envisaged, at the latest when the Personal Data is first disclosed.
      (4) Where the Controller intends to further Process the Personal Data for a purpose other than that for which the Personal Data was obtained, the Controller must provide the Data Subject prior to that further Processing with information on that other purpose and with any relevant further information as referred to in section 12(2).
      (5) Sections 12(1) to 12(4) do not apply to the extent that:
      (a) the Data Subject already has the information;
      (b) the provision of such information proves impossible or would involve a disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted), in particular for processing for Archiving and Research Purposes or in so far as the obligation referred to in section 12(1) is likely to render impossible or seriously impair the achievement of the objectives of that Processing, provided that the Controller takes appropriate measures to protect the Data Subject's rights and legitimate interests, including making the information publicly available;
      (c) obtaining or disclosure is expressly required by Applicable Law which provides appropriate measures to protect the Data Subject's legitimate interests; or
      (d) where the Personal Data must remain confidential subject to an obligation of professional secrecy, or duty of confidentiality, regulated by Applicable Law.

    • 13. Right of access by the Data Subject

      (1) A Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her is being Processed, and, where that is the case, access to the Personal Data and the following information:
      (a) the purposes of the Processing;
      (b) the categories of Personal Data concerned;
      (c) the Recipients or categories of Recipient to whom the Personal Data has been or will be disclosed, in particular Recipients outside of ADGM or International Organisations;
      (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
      (e) the existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing;
      (f) the right to lodge a complaint with the Commissioner of Data Protection;
      (g) where the Personal Data is not collected from the Data Subject, any available information as to its source; and
      (h) the existence of automated decision-making, including Profiling, referred to in sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
      (2) Where Personal Data is transferred outside of ADGM or to an International Organisation, the Data Subject has the right to be informed of the appropriate safeguards pursuant to section 41 relating to the transfer.
      (3) The Controller must provide a copy of the Personal Data undergoing Processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information must be provided in a commonly used electronic form.
      (4) The right to obtain a copy referred to in section 13(3) must not adversely affect the rights of others.
      (5) Where the Controller Processes a large quantity of information concerning the Data Subject, the Controller may request that, before the information is delivered, the Data Subject specify the information or Processing activities to which the request relates.

    • 14. Right to rectification

      (1) A Data Subject has the right to request and obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject has the right to have incomplete Personal Data completed, including by means of the Controller providing a supplementary statement.
      (2) Where rectification of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for rectification of the Personal Data under section 14(1), if:
      (a) the Controller collected the Personal Data from the Data Subject; and
      (b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification of the Personal Data at the request of the Data Subject would not be feasible.

    • 15. Right to erasure

      (1) The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay and the Controller has the obligation to erase Personal Data without undue delay where one of the following applies:
      (a) the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
      (b) the Data Subject withdraws Consent on which the Processing is based according to section 5(1)(a) or 7(2)(a), and where there is no other legal ground for the Processing;
      (c) the Data Subject objects to the Processing pursuant to section 19(1) and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to section 19(3);
      (d) the Personal Data has been unlawfully Processed; or
      (e) the Personal Data has to be erased for compliance with a legal obligation in Applicable Law to which the Controller is subject.
      (2) Where the Controller has made the Personal Data public and is obliged pursuant to section 15(1) to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform Controllers which are Processing the Personal Data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, that Personal Data.
      (3) Sections 15(1) and 15(2) will not apply to the extent that Processing is necessary:
      (a) for compliance with a legal obligation which requires Processing under Applicable Law to which the Controller is subject or for the performance of a task carried out by a public authority in the interests of ADGM, or in the exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; and (iv) the Registration Authority’s functions or in the exercise of official authority vested in the Controller;
      (b) for reasons of public interest in the area of public health in accordance with sections 7(2)(d) and 7(2)(e);
      (c) for Archiving and Research Purposes to the extent that the right referred to in section 15(1) is likely to render impossible or seriously impair the achievement of the objectives of that Processing, or
      (d) for the establishment, exercise or defence of legal claims.
      (4) Where erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of these Regulations for failing to comply with a request for erasure of the Personal Data under section 15(1), if:
      (a) the Controller collected the Personal Data from the Data Subject; and
      (b) the information provided to the Data Subject under section 11(2)(h) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that erasure of the Personal Data at the request of the Data Subject would not be feasible.

    • 16. Right to restriction of Processing

      (1) The Data Subject has the right to obtain from the Controller restriction of Processing where one of the following applies:
      (a) the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
      (b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;
      (c) the Controller no longer needs the Personal Data for the purposes of the Processing, but it is required by the Data Subject for the establishment, exercise or defence of legal claims; or
      (d) the Data Subject has objected to Processing pursuant to section 19(1) pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
      (2) Where Processing has been restricted under section 16(1), such Personal Data must, with the exception of storage, only be Processed with the Data Subject's Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
      (3) The Controller must inform a Data Subject who has obtained restriction of Processing pursuant to section 16(1) before the restriction of Processing is lifted.

    • 17. Notification obligation regarding rectification or erasure of Personal Data or restriction of Processing

      (1) The Controller must communicate any rectification or erasure of Personal Data or restriction of Processing carried out in accordance with sections 14, 15(1) and 16 to each Recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted).
      (2) The Controller must inform the Data Subject about the Recipients referred to in section 17(1), if the Data Subject requests it.

    • 18. Right to data portability

      (1) The Data Subject has the right to receive the Personal Data that is held by, or on behalf of, the Controller concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format and has the right to transmit that data to another Controller without hindrance from the Controller to which the Personal Data has been provided, where:
      (a) the Processing is based on Consent pursuant to section 5(1)(a) or 7(2)(a) or on a contract pursuant to section 5(1)(b); and
      (b) the Processing is carried out by automated means.
      (2) A Data Subject has the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible.
      (3) Section 18(1) does not apply to any Processing that is carried out in reliance on section 5(1)(e).
      (4) The right in section 18(1) must not adversely affect the rights of others.

    • 19. Right to object

      (1) A Data Subject has the right to object at any time, on grounds relating to their particular situation, to the Processing of their Personal Data, which is based on sections 5(1)(e) and 5(1)(f), including Profiling based on those provisions.
      (2) Where the Data Subject objects to the Processing of their Personal Data, the Controller must not Process the Personal Data unless the Controller reasonably considers that:
      (a) there are legitimate grounds for the Processing which override the interests or rights of the Data Subject; or
      (b) the Processing is necessary for the establishment, exercise or defence of legal claims.
      (3) Where Personal Data is Processed for direct marketing purposes, the Data Subject has the right to object at any time to the Processing, including Profiling, of their Personal Data for such direct marketing purposes.
      (4) Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data must not be Processed for such purposes.
      (5) Where Personal Data is Processed for Archiving and Research Purposes the Data Subject has the right to object to Processing of their Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.
      (6) No later than the time of the first communication with the Data Subject, the right referred to in sections 19(1) and 19(3) must be explicitly brought to the attention of the Data Subject and must be presented clearly and separately from any other information.

    • 20. Automated individual decision-making, including Profiling

      (1) The Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her.
      (2) Section 20(1) does not apply if the decision:
      (a) is necessary for entering into, or performance of, a contract between the Data Subject and a Controller;
      (b) is based on the Data Subject's explicit Consent; or
      (c) (not falling within section 20(2)(a) or 20(2)(b)) is required or authorised by Applicable Law (including for fraud prevention, anti-money laundering and security and integrity purposes) and in respect of which:
      (i) the Controller has, as soon as reasonably practicable, notified the Data Subject in writing that a decision has been taken based solely on automated Processing; and
      (ii) the Data Subject has not, before the end of a period of 1 month beginning with the receipt of the notification, requested the Controller to either reconsider the decision or take a new decision that is not based solely on automated decision making.
      (3) In the cases referred to in sections 20(2)(a) and 20(2)(b), the Controller must implement suitable measures to safeguard the Data Subject's rights and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
      (4) Decisions referred to in section 20(2) must not be based on Special Categories of Personal Data, unless section 7(2)(a) or 7(2)(k) applies and suitable measures to safeguard the Data Subject's rights and legitimate interests are in place.

    • 21. Restrictions

      (1) The obligations and rights provided for in sections 10 to 20 and 33, and section 4 (to the extent the provisions correspond to the rights and obligations provided for in sections 10 to 20), do not apply to the extent such obligations and rights:
      (a) would be likely to prejudice national security, national defence, the prevention or detection of crime, apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature;
      (b) relate to information required to be disclosed by Applicable Law (including by court order) or in connection with legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the Controller from complying with the obligations and rights;
      (c) would be likely to prejudice the discharge of public functions designed to protect the public against:
      (i) dishonesty, malpractice or other seriously improper conduct including, but not limited to, protection from financial loss by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or the management of bodies corporate;
      (ii) financial loss due to the conduct of insolvent body corporates or individuals; or
      (iii) business conduct that adversely affects the public;
      (d) would be likely to prejudice the proper discharge of public functions designed to:
      (i) secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work; or
      (ii) regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position;
      (e) would be likely to prejudice ADGM’s ability to comply with international obligations and standards to which it is a signatory (including the International Organisation of Securities Commissions), where inspection of Personal Data is required;
      (f) would require the disclosure of information the disclosure of which is prohibited or restricted by Applicable Law;
      (g) would be likely to prejudice audit functions for supervising the quality of public accounting and financial reporting by a public authority;
      (h) would be likely to prejudice the regulatory functions of a public authority; or
      (i) would be likely to prejudice judicial appointments, independence and proceedings, including any individual or court acting in a judicial capacity.
      (2) The obligations and rights provided for in sections 13(1) to 13(3), and section 4 (to the extent the provisions correspond to the obligations and rights provided for in the provisions identified in sections 13(1) to 13(3)) do not oblige a Controller to disclose information to the Data Subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information, unless:
      (a) the Data Subject has Consented to the disclosure; or
      (b) it would be reasonable to disclose the information without the Consent of the individual.
      (3) The obligations and rights provided for in sections 11(1) to 11(3), sections 12(1) to 12(4) and sections 13(1) to 13(3), and section 4 (to the extent the provisions correspond to the rights and obligations identified in sections 11(1) to 11(3), sections 12(1) to 12(4) and sections 13(1) to 13(3)), do not apply to the extent such obligations and rights:
      (a) relate to information in respect of which a claim to legal professional privilege could be maintained in legal proceedings, or in respect of which a duty of confidentiality is owed by a professional legal advisor to his or her client;
      (b) would be likely to prejudice a natural person’s ability to protect themselves from self-incrimination, to the extent that compliance with these Regulations might expose that person to proceedings for committing an offence (excluding perjury or an offence under these Regulations);
      (c) relate to records of the intentions of the Controller in relation to any negotiations with the Data Subject to the extent that the application of those provisions would be likely to prejudice those negotiations;
      (d) would be likely to affect the price of a financial instrument or have a prejudicial effect on the orderly functioning of financial markets (or the efficient allocation of capital within the economy), provided that it is reasonable for the professional taking the decision to believe that complying with the provisions above could affect someone’s decision whether to:
      (i) deal in, subscribe for or issue a financial instrument; or
      (ii) act in a way likely to have an effect on a business activity (such as an effect on an undertaking’s capital structure, the legal or beneficial ownership of a business or asset or a person’s industrial strategy);
      (e) would be likely to prejudice management forecasting or planning in relation to business or other activity; or
      (f) relate to confidential references for the education, training or employment or appointment and retirement of the Data Subject, including, in the case of regulatory appointments and retirements, any related opinions or reasoning provided to the relevant regulator.
      (4) The obligations and rights provided for in sections 13(1) to 13(3), section 14, section 16(1), section 17, section 18(1), and section 19(1) will not apply to Personal Data processed for Archiving and Research Purposes:
      (a) to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes; and
      (b) provided that sections 13(1) to 13(3) will only not apply to Processing for scientific or historical research or statistical purposes where the results of the research or any resultant statistics are not made available in a form which identifies a Data Subject.