PART VIII PART VIII Final provisions
60. Power of the Board to make rules(1) The Board may make such rules applying to matters within the scope and objectives of these Regulations (as defined within sections 1 to 3) as appear to the Board to be in the interests of the Abu Dhabi Global Market.(2) Rules made by the Board in accordance with section 60(1):(a) may make different provision for different cases;(b) may make provision in relation to matters such as protection of Data Subjects rights and legitimate interests, procedural fairness and conduct of investigations by the Commissioner of Data Protection, provision of information to the Commissioner of Data Protection and provision of other assistance to the Commissioner of Data Protection to enable the Commissioner of Data Protection to discharge its functions; and(c) may contain such incidental, supplemental, consequential and transitional provision as the Board considers appropriate.
61. Previously concluded agreements
International agreements involving the transfer of Personal Data outside of ADGM or to International Organisations, which were concluded or adopted by ADGM or the United Arab Emirates prior to the commencement of these Regulations and which comply with Applicable Law as applicable prior to the commencement of these Regulations, remain in force until amended, replaced or revoked.
62. Definitions(1) For the purposes of these Regulations capitalised terms which are not defined in these Regulations have the meaning given to them in the Interpretation Regulations 2015, while the remaining capitalised terms have the following meanings:‘ADGM’ means the Abu Dhabi Global Market;‘Applicable Law’ means any enactment or subordinate legislation applicable in (i) ADGM; or (ii) under Abu Dhabi or Federal Law having application in ADGM, as it applies to Controllers and Processors that are within the scope of these Regulations;‘Archiving and Research Purposes’ means archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with section 9;‘Binding Corporate Rules’ means Personal Data protection policies which are adhered to by a Controller or Processor in ADGM for transfers or a set of transfers of Personal Data to a Controller or Processor outside ADGM within a Group;‘Biometric Data’ means Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data;‘Child’ means a natural person under the age of 18 years old;‘Commissioner of Data Protection’ means the person appointed by the Board in accordance with section 47 to be the head of the Office of Data Protection;‘Consent’ has the meaning given in section 6;‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;‘Court Procedure Rules’ has the meaning given under Part 7 of the ADGM Cour ts, Civil Evidence, Judgments, Enforcement and Judicial Appointments Regulations 2015;‘Data Concerning Health’ means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status;‘Data Protection Fee’ means a fee to be paid by the Controller in respect of the first 12 months it Processes Personal Data in the amount specified by rules made by the Board as set out in section 24;‘Data Protection Impact Assessment’ has the meaning given in section 34(1);‘Data Protection Officer’ has the meaning given in section 35;‘Data Subject’ means an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;‘Direction’ means a direction issued by the Commissioner of Data Protection in accordance with section 54;‘Establishment’ means any authority, body corporate, branch, representative office, institution entity, or project established, registered or licensed to operate or conduct any activity within the ADGM or exempt from being registered or licensed under the laws of the ADGM;‘Filing System’ means any structured set of Personal Data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;‘GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended from time to time;‘Genetic Data’ means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question;‘Group’ has the meaning given to that term in the Commercial Licensing Regulations 2015;‘High Risk Processing Activities’ means the Processing of Personal Data where one or more of the following applies:(a) a considerable volume of Personal Data will be Processed;(b) the Processing is likely to result in a high risk to the rights of Data Subjects;(c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;(d) the Processing includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise their rights; or(e) the Processing includes Special Categories of Personal Data, except where Processing of such data is required by Applicable Law.‘International Organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;‘Office of Data Protection’ means the Commissioner of Data Protection, any deputy commissioners and other officers or Staff of the Commissioner of Data Protection;‘Penalty Notice’ has the meaning given in section 55(1);‘Personal Data’ means any information relating to a Data Subject;‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;‘Processor’ means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;‘Profiling’ means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;‘Pseudonymisation’ means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person;‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed, whether a Third Party or not;‘Renewal Fee’ means a fee to be paid by the Controller any 12 month period that is not the first 12 months it Processes Personal Data in the amount specified by rules made by the Board as set out in section 24;‘Requesting Authority’ has the meaning given in section 45(1);‘Special Categories of Personal Data’ means the categories of data listed in section 7(1);‘Staff’ includes past, existing or prospective employees, directors, partners, trustees, officers, office holders, temporary or casual workers, agents and volunteers;‘State Of The Art’ means the current state of technological development, as appropriate to the context in which the measures are being implemented, including industry practices, the type and scale of the processing and the availability of a product or solution in the market;‘Supervisory Authority’ means:(a) an independent authority which has been established pursuant to Article 51 of the GDPR, which includes, for these purposes, the United Kingdom’s Information Commissioner’s Office; or(b) an independent authority with responsibility for ensuring and enfor cing compliance with the data protection rules that is established in a jurisdiction which the Commissioner of Data Protection has decided ensures an adequate level of protection in accordance with section 41(3); and‘Third Party’ means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data.
63. Repeal of Data Protection Regulations 2015(1) The Data Protection Regulations 2015 are repealed with effect from:(a) the date that is 6 months after the date of publication of these Regulations for any Establishment that is established in ADGM on or following the date of publication of these Regulations; and(b) the date that is 12 months after the date of publication of these Regulations for any Establishments established in ADGM prior to the date of entry into force of these Regulations.(2) Subject to section 63(1), these Regulations come into force and are binding from the date the Data Protection Regulations 2015 are repealed.(3) References to the Data Protection Regulations 2015 in Applicable Law will be construed as references to these Regulations.
64. Short title, scope and commencement(1) These Regulations may be cited as the Data Protection Regulations 2021.(2) These Regulations apply in the Abu Dhabi Global Market.(3) The Board may by rules make any transitional, transitory, consequential, saving, incidental or supplementary provision in relation to the commencement of these Regulations as the Board thinks fit.(4) Rules made under section 64(3) may amend any provision of any other enactment including subordinate legislation made under such enactment.