• PART V Transfers of Personal Data outside of ADGM or to International Organisations

    • 40. General principle for transfers

      (1) All provisions in this Part must be applied to ensure that the high level of protection of Personal Data guaranteed by these Regulations is not undermined.
      (2) Any transfer of Personal Data that is undergoing Processing or is intended for Processing after transfer to a jurisdiction outside of ADGM or to an International Organisation can only take place if, subject to the other provisions of these Regulations, the conditions in this Part are complied with by the Controller and Processor, including for further onward transfers of Personal Data.

    • 41. Transfers on the basis of an adequacy decision

      (1) A transfer of Personal Data outside of ADGM or to an International Organisation may take place where the Commissioner of Data Protection has decided that the receiving jurisdiction, one or more specified sectors within that jurisdiction, or the International Organisation in question ensures an adequate level of protection of Personal Data. Such a transfer will not require any specific authorisation.
      (2) When assessing the adequacy of the level of protection of Personal Data, the Commissioner of Data Protection must, in particular, take account of the following elements:
      (a) the rule of law, respect for individuals’ rights, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to Personal Data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of Personal Data to another jurisdiction, sector or International Organisation which are complied with in that jurisdiction, sector or International Organisation, case-law, as well as effective and enforceable Data Subject rights and effective administrative and judicial redress for the Data Subjects whose Personal Data is being transferred;
      (b) the existence and effective functioning of one or more independent supervisory authorities in the receiving jurisdiction or sector or to which an International Organisation is subject, with responsibility for ensuring and enforcing compliance with adequate data protection rules described in section 41(2)(a), including adequate enforcement powers, for assisting and advising the Data Subjects in exercising their rights and for cooperation with the Commissioner of Data Protection; and
      (c) the international commitments the receiving jurisdiction, sector or International Organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of Personal Data.
      (3) The Commissioner of Data Protection, after assessing the adequacy of the level of protection, may decide that a jurisdiction outside of ADGM, or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation ensures an adequate level of protection:
      (a) within the meaning of section 41(2); or
      (b) on the basis that the jurisdiction, sector or International Organisation has received an adequacy decision by the European Commission in accordance with Article 45(3) of the GDPR.
      In each case the Commissioner of Data Protection must provide for a review of the decision within four years, which must take into account all relevant developments in the jurisdiction outside of ADGM or International Organisation.
      (4) The Commissioner of Data Protection must, on an ongoing basis, monitor developments in jurisdictions outside of ADGM and International Organisations that could affect the functioning of decisions adopted pursuant to section 41(3).
      (5) The Commissioner of Data Protection must, where available information reveals, in particular following the review referred to in section 41(3), that a jurisdiction outside of ADGM or one or more specified sectors within a jurisdiction outside of ADGM, or an International Organisation no longer ensures an adequate level of protection within the meaning of section 41(2), to the extent necessary, repeal, amend or suspend the decision referred to in section 41(3) without retroactive effect.
      (6) The Commissioner of Data Protection must publish a list of the jurisdictions outside of ADGM and specified sectors within jurisdictions outside of ADGM and International Organisations for which it has decided that an adequate level of protection is or is no longer ensured.
      (7) Jurisdictions designated as providing an adequate level of protection for Personal Data under section 4 of the ADGM Data Protection Regulations 2015 will remain valid until amended, replaced or repealed by the Commissioner of Data Protection.

    • 42. Transfers subject to appropriate safeguards

      (1) In the absence of a decision pursuant to sections 41(3) or 41(7), a Controller or Processor may transfer Personal Data to a Controller or Processor outside of ADGM or to an International Organisation only if the Controller or Processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available.
      (2) The Commissioner of Data Protection may adopt standard contractual clauses that contain appropriate safeguards for the rights of Data Subjects whose Personal Data is being transferred, including by approving the then current standard contractual clauses issued by the European Commission, or adopted by a Supervisory Authority for the same purpose, upon which approval such standard contractual clauses will be incorporated into these Regulations by reference.
      (3) The appropriate safeguards referred to in section 42(1) may be provided for, without requiring any specific authorisation from the Commissioner of Data Protection, by:
      (a) a legally binding and enforceable instrument between public authorities;
      (b) Binding Corporate Rules in accordance with section 43;
      (c) standard data protection clauses adopted by the Commissioner of Data Protection in accordance with section 42(2);
      (d) an approved code of conduct pursuant to section 37 together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights; or
      (e) an approved certification mechanism pursuant to section 39 together with binding and enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate safeguards, including as regards Data Subjects' rights.
      (4) Subject to the authorisation from the Commissioner of Data Protection, the appropriate safeguards referred to in section 42(1) may also be provided for by:
      (a) contractual clauses between the Controller or Processor and the Controller, Processor or the Recipient of the Personal Data outside of ADGM or the international organisation; or
      (b) provisions to be inserted into administrative arrangements, including regulatory memorandums of understanding between public authorities or domestic or international bodies which include enforceable and effective data subject rights.
      (5) Permits issued under section 5(1)(a) of the Data Protection Regulations 2015 will remain valid as evidence of compliance with this section until amended, replaced or revoked, if necessary, by the Commissioner of Data Protection.

    • 43. Binding Corporate Rules

      (1) The Commissioner of Data Protection may approve Binding Corporate Rules, provided that they:
      (a) have the following features:
      (i) are legally binding and apply to and are enforced by every member concerned of the Group, including their employees;
      (ii) expressly confer enforceable rights on Data Subjects with regard to the Processing of their Personal Data; and
      (iii) fulfil the requirements in section 43(2), or
      (b) have already been approved by a Supervisory Authority for the same purpose.
      (2) The Binding Corporate Rules referred to in section 43(1) must specify at least:
      (a) the structure and contact details of the Group and of each of its members;
      (b) the details of the data transfers, including the categories of Personal Data, the type of Processing and its purposes, the type of Data Subjects affected and the identification of the relevant jurisdiction(s) outside of ADGM;
      (c) their legally binding nature, both internally and externally;
      (d) the application of the general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for Processing, Processing of Special Categories of Personal Data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the Binding Corporate Rules;
      (e) the rights of Data Subjects and the means to exercise those rights, including the right to obtain redress and, where appropriate, compensation for a breach of the Binding Corporate Rules;
      (f) how the information on the Binding Corporate Rules, in particular on the provisions referred to in sections 43(2)(d) and 43(2)(e) are provided to the Data Subjects in addition to sections 11 and 12;
      (g) the tasks of any Data Protection Officer designated in accordance with section 35 or any other person or entity in charge of monitoring compliance with the Binding Corporate Rules within the Group;
      (h) the complaint procedures;
      (i) the mechanisms within the Group for monitoring compliance with the Binding Corporate Rules and cooperating with the Commissioner of Data Protection to ensure compliance. Such mechanisms must include data protection audits and methods for ensuring corrective actions to protect the rights of Data Subjects. Results of such monitoring activities should be communicated to the board of the parent company of a Group, and should be made available to the Commissioner of Data Protection upon request;
      (j) the procedures for reporting and recording changes to the rules and reporting those changes to the Commissioner of Data Protection;
      (k) the reporting mechanisms for notifying the Commissioner of Data Protection of any legal requirements to which a member of the Group, is subject outside of ADGM and which are likely to have a substantial adverse effect on the protections provided by the Binding Corporate Rules; and
      (l) the data protection training provided to personnel with permanent or regular access to Personal Data.

    • 44. Derogations for specific situations

      (1) In the absence of an adequacy decision pursuant to sections 41(3) or 41(7), or of appropriate safeguards pursuant to section 42, including Binding Corporate Rules, a transfer or a set of transfers of Personal Data outside of ADGM or to an International Organisation, must take place only on one of the following conditions:
      (a) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
      (b) the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject's request;
      (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
      (d) the transfer is necessary for important reasons of public interest;
      (e) the transfer is required by law enforcement agencies of the UAE in accordance with Applicable Law;
      (f) the transfer is necessary for the establishment, exercise or defence of legal claims (including judicial, administrative, regulatory and out-of-court procedures); or
      (g) the transfer is necessary in order to protect the vital interests of the Data Subject or of another person, where the Data Subject is physically or legally incapable of giving Consent.
      (2) Sections 44(1)(a), 44(1)(b) and 44(1)(c) do not apply to activities carried out by public authorities in the exercise of their public powers.
      (3) The public interest referred to in section 44(1)(d) must be recognised in Applicable Law to which the Controller is subject.

    • 45. Data sharing with public authorities

      (1) In addition to a Controller or Processor’s other obligations under these Regulations, where a Controller or Processor receives a request for Personal Data from any public authority outside of ADGM which has jurisdiction over the Controller or Processor or any part of its Group (a ‘Requesting Authority’) the Controller or Processor should:
      (a) exercise reasonable diligence to determine the validity and proportionality of the request, including to ensure that any disclosure of Personal Data is necessary for the purpose of meeting the objectives of the Requesting Authority identified in the request;
      (b) assess the impact of the proposed transfer in light of the potential risks to the rights and legitimate interests of any affected Data Subject and, where appropriate, implement measures to minimise such risks, including by redacting or minimising the Personal Data transferred or utilising appropriate measures to safeguard the transfer; and
      (c) where reasonably practicable, obtain appropriate assurances from the Requesting Authority that it will respect the rights of Data Subjects and take appropriate steps to safeguard the Personal Data.
      (2) A Controller or Processor may consult with the Commissioner of Data Protection in relation to any matter in connection with this section 45.

    • 46. International cooperation for the protection of Personal Data

      (1) In relation to jurisdictions outside of ADGM and International Organisations, the Commissioner of Data Protection may:
      (a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of Personal Data;
      (b) provide international mutual assistance in the enforcement of legislation for the protection of Personal Data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of Personal Data and other rights;
      (c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of Personal Data; and
      (d) promote the exchange and documentation of Personal Data protection legislation and practice, including on jurisdictional conflicts with jurisdictions outside of ADGM.