• PART VI Independent supervisory authority

    • 47. Commissioner of Data Protection

      (1) The Board will:
      (a) assign to the Registrar the competency to oversee the administration and operation of the Office for Data Protection as an independent data protection supervisory authority;
      (b) appoint a person to be the Commissioner of Data Protection in accordance with section 47(2).
      (2) The Board, when appointing the Commissioner of Data Protection, must:
      (a) ensure the person has appropriate experience and qualifications for the role;
      (b) make the selection based on the Registrar’s recommendation of at least two candidates;
      (c) publish its decision; and
      (d) specify the period of appointment which must not exceed 4 years.
      (3) The Board may reappoint the Commissioner of Data Protection for consecutive periods, which must not exceed in total 12 years.
      (4) The Commissioner of Data Protection may at any time resign as the Commissioner of Data Protection by giving three months’ written notice addressed to the Registrar.
      (5) The Commissioner of Data Protection may only be removed from office by written notice issued by the Board:
      (a) for reasons of serious misconduct; or
      (b) if the Commissioner of Data Protection no longer fulfils the conditions required for the performance of his or her duties.
      (6) The Commissioner of Data Protection is responsible for the monitoring and enforcing the application of these Regulations in order to protect the rights of natural persons in relation to Processing of Personal Data in ADGM.
      (7) The Commissioner of Data Protection is not personally liable for acts or omissions carried out as part of their powers, duties or functions.

    • 48. Independence

      (1) The Commissioner of Data Protection must act with complete independence (including from the other functions of the Registrar) in performing its duties and exercising its powers and functions in accordance with these Regulations.
      (2) In performing its duties and exercising its powers and functions the Commissioner of Data Protection must:
      (a) remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody;
      (b) refrain from any action incompatible with their duties; and
      (c) not engage in any occupation that is incompatible with the role of the Commissioner of Data Protection, whether or not the role is remunerated.
      (3) The Commissioner of Data Protection:
      (a) may appoint other officers and Staff who will be, and remain, subject to the exclusive direction and authority of the Commissioner of Data Protection;
      (b) is to determine the remuneration and other conditions of service of individuals appointed under this subsection; and
      (c) may delegate any of its functions, duties or powers to be carried out by its officers or Staff provided that the Commissioner of Data Protection remains ultimately responsible for how they are carried out.
      (4) The Commissioner of Data Protection and other officers or Staff are collectively referred to as the Office of Data Protection.
      (5) The independence of the Commissioner of Data Protection is not affected by the financial or other controls and reporting obligations to which it is subject in accordance with sections 51 to 53.

    • 49. Functions and obligations of Staff of the Commissioner of Data Protection

      (1) The Commissioner of Data Protection has such powers, duties and functions as conferred on it under these Regulations and must exercise those powers and perform those duties and functions in pursuit of the objectives of these Regulations.
      (2) The Commissioner of Data Protection must:
      (a) monitor and enforce the application of these Regulations;
      (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to Processing;
      (c) advise the Board, ADGM, Financial Services Regulatory Authority, ADGM Courts, the Registration Authority and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights with regard to Processing, in accordance with Applicable Law;
      (d) promote the awareness of Controllers and Processors of their obligations under these Regulations;
      (e) provide the public with opportunities to provide views on the activities of the Office of Data Protection;
      (f) handle complaints lodged by a Data Subject, and investigate, to the extent appropriate, the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation is necessary;
      (g) cooperate with, including sharing information and provide mutual assistance to, other data protection authorities with a view to facilitating the effective enforcement of legislation for the protection of Personal Data;
      (h) conduct investigations on the application of these Regulations;
      (i) monitor relevant developments insofar as they have an impact on the protection of Personal Data, in particular the development of information and communication technologies and business practices;
      (j) adopt or authorise standard contractual clauses referred to in section 26(6) and 42(2);
      (k) establish and maintain a list in relation to the requirement for Data Protection Impact Assessment pursuant to section 34(4);
      (l) take into account the specific needs of small and medium sized Establishments in the application of these Regulations;
      (m) approve codes of conduct which provide sufficient safeguards pursuant to section 38(1);
      (n) approve the criteria of certification pursuant to section 39(1);
      (o) authorise contractual clauses and provisions referred to in section 40(4);
      (p) approve Binding Corporate Rules pursuant to section 43;
      (q) keep internal records of contraventions of these Regulations and of measures taken in accordance with section 50(5);
      (r) collect Data Protection Fee and Renewal Fee payments and notifications by Controllers in accordance with section 24; and
      (s) fulfil any other tasks related to the protection of Personal Data within ADGM.
      (3) The Commissioner of Data Protection is not competent to supervise Processing operations of the Court acting in its judicial capacity.
      (4) The Commissioner of Data Protection and its officers and Staff:
      (a) are subject to a duty of professional secrecy or duty of confidentiality both during and after their term of office in respect of any confidential information which they become aware of in the course of the performance of their duties and functions or exercise of their powers; and
      (b) during their term of office must not engage in any political activity nor any activity which would create a conflict of interest with the work of the Office of Data Protection.

    • 50. General Powers

      (1) The investigative powers of the Commissioner of Data Protection include the powers to:
      (a) order, by notice in writing, Controllers and Processors to provide any information it reasonably requires for the performance of its duties and functions;
      (b) initiate investigations into a Controller’s or Processor’s compliance with these Regulations;
      (c) appoint one or more competent persons to conduct an investigation on its behalf into a Controller’s or Processor’s compliance with these Regulations. The Commissioner of Data Protection, and any person appointed under this section 49(1)(c) must give the Controller or Processor (as the case may be) written notice of the decision to investigate unless the Commissioner of Data Protection believes that would likely result in the investigation being frustrated;
      (d) carry out investigations in the form of data protection audits;
      (e) carry out a review on certifications issued pursuant to section 39;
      (f) notify Controllers and Processors of any alleged contravention of these Regulations;
      (g) obtain, by notice in writing, from Controllers and Processors, access to all Personal Data and to all information reasonably necessary for the performance of its duties and functions; and
      (h) subject to section 50(3) obtain access to any premises of Controllers and Processors, including to any data Processing equipment and means, in accordance with Applicable Law and to search and take possession of any relevant documents or information.
      (2) A statement made to the Commissioner of Data Protection or a person appointed under section 50(1)(c) during the course of an investigation is admissible in evidence in any proceedings, so long as it also complies with any requirements governing the admissibility of evidence in the circumstances in question.
      (3) The Court may issue a warrant for the Commissioner of Data Protection to exercise their powers under section 50(1)(h) if the Court is satisfied on information on oath given by or on behalf of the Commissioner of Data Protection or a person appointed under section 50(1)(c) that there are reasonable grounds for believing that:
      (a) a Controller or Processor has materially failed to meet the requirements of these Regulations; and
      (b) evidence of the failure is to be found on the premises specified in the information or is capable of being viewed using equipment on such premises.
      (4) Any document that is seized under section 50(1)(h) may be retained so long as it is necessary to retain it (rather than copies of it) in the circumstances. A person claiming to be the owner of the document may apply to the Court in accordance with section 38 of the Commercial Licensing Regulations 2015.
      (5) The corrective powers of the Commissioner of Data Protection include the power to:
      (a) issue and publish Directions and warnings and make recommendations to Controllers and Processors that intended Processing operations are likely to contravene provisions of these Regulations;
      (b) issue and publish Directions and reprimands to Controllers and Processors where Processing operations have contravened provisions of these Regulations;
      (c) order Controllers and Processors to comply with a Data Subject's requests to exercise his or her rights pursuant to these Regulations;
      (d) order Controllers and Processors to bring Processing operations into compliance with the provisions of these Regulations, where appropriate, in a specified manner and within a specified period;
      (e) order a Controller to communicate a Personal Data Breach to the Data Subject;
      (f) impose a temporary or permanent limitation (including a ban) on Processing;
      (g) order the rectification or erasure of Personal Data or restriction of Processing pursuant to sections 14, 15 and 16 and the notification of such actions to Recipients to whom the Personal Data has been disclosed pursuant to sections 15(2) and 17;
      (h) withdraw a certification if the requirements for the certification are not or are no longer met;
      (i) impose an administrative fine pursuant to section 55, in addition to, or instead of, measures referred to in this subsection, depending on the circumstances of the individual case;
      (j) order the suspension of data flows to a Recipient inside or outside of ADGM or to an International Organisation; and
      (k) where appropriate, refer contraventions of these Regulations to the attention of the Court and where appropriate, commence legal proceedings, in order to enforce the provisions of these Regulations.
      (6) The authorisation and advisory powers of the Commissioner of Data Protection include the powers to:
      (a) issue, on its own initiative or on request, opinions to the Board, the Registrar or, in accordance with Applicable Law, to other institutions and bodies as well as to the public on any issue related to the protection of Personal Data;
      (b) prepare and publish guidance on these Regulations;
      (c) prescribe forms to be used for any of the purposes of these Regulations;
      (d) approve draft codes of conduct in accordance with section 38;
      (e) issue certifications and approve criteria of certification in accordance with section 39;
      (f) adopt standard data protection clauses referred to in sections 26(6) and 42(2);
      (g) authorise contractual clauses referred to in section 42(4);
      (h) advise the Board in the course of the preparation of a legislative or regulatory measure which provides for the Processing of Personal Data, in order to ensure compliance of the intended Processing with these Regulations and in particular to mitigate the risk involved for the Data Subject;
      (i) prepare and publish a list (to be updated from time to time) of Processing activities that it considers require a Data Protection Impact Assessment in accordance with section 34; and
      (j) approve Binding Corporate Rules pursuant to section 43.

    • 51. Budget

      (1) The Commissioner of Data Protection must have its own annual budget. The Board must ensure that there is a provision of sufficient human, technical and financial resources to enable the Commissioner of Data Protection to effectively perform its duties and functions and exercise its powers in accordance with these Regulations.
      (2) To help inform the budget, before the end of the current financial year the Commissioner of Data Protection must submit to the Board for approval estimates (including for staffing costs) of the annual income and expenditure of the Commissioner of Data Protection for the next financial year.

    • 52. Accounts and audit

      (1) The Commissioner of Data Protection must keep proper accounts of its financial activities.
      (2) The Board must appoint auditors to conduct an audit in relation to each financial year of the Commissioner of Data Protection.
      (3) The Commissioner of Data Protection, must before the end of the first quarter of the financial year, prepare financial statements for the previous financial year in accordance with accepted accounting standards. The accounts prepared under this section must be submitted for the approval of the Board, who must, as soon as reasonably practicable, provide such statements to the relevant auditors for audit.
      (4) The auditors must prepare a report on the financial statements and send the report to the Board.
      (5) The auditors’ report must, where appropriate, include an opinion given by the auditors as to whether or not the financial statements to which the report relates give a true and fair view of the financial position of the Commissioner of Data Protection as at the end of the financial year to which the financial statements relate and of the results of its operations and cash flows in the financial year.
      (6) The auditors have the right to access at all reasonable times all information which is reasonably required by them for the purposes of preparing the report and which is held or controlled by any officer or member of Staff of the Commissioner of Data Protection.
      (7) The auditors are entitled to reasonably require from the officers and Staff of the Commissioner of Data Protection such information as they consider necessary for the performance of their duties.
      (8) A person must not without reasonable excuse intentionally engage in conduct that obstructs a person appointed under section 52(2) in the exercise of his or her powers.

    • 53. Annual report

      (1) As soon as practicable after 1 January each year, the Commissioner of Data Protection must deliver to the Board a report on the management of the administrative affairs of the Commissioner of Data Protection for the previous year. This report must include a list of types of contraventions addressed by the Commissioner of Data Protection in the previous year and the measures taken in response.
      (2) Such report must give a true and fair view of the state of the Commissioner of Data Protection’s regulatory operations in ADGM, and its financial statements as at the end of the relevant financial year.
      (3) This report must be made available to the public.