The Abu Dhabi Global Market’s DPR, New Privacy Law
The ADGM Data Protection Regulations 2021 (DPR) refers to a data privacy and protection law that was recently passed in the United Arab Emirates (UAE) in February of 2021. As the Abu Dhabi Global Market (ADGM) is an “international financial free zone in Abu Dhabi,” the law was passed for the purpose of protecting the personal data and information of customers that engage in business with companies and organizations that operate within the zone. This being said, the DPR amended the previous data protection framework that governed business transactions within the ADGM by aligning said framework with the provisions of the EU’s General Data Protection Regulation (GPDR).
What is the scope and application of the law?
As it pertains to the scope and applicability of the DPR, the material scope of the law applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system. files or sets of files, as well as their cover pages, which are not structured according to specific criteria, do not fall within the scope of these regulations.” Alternatively, the scope of the law does not apply to data processing that occurs in the context of purely personal or household activities, as well as information that is collected by public authorities for the purpose of preventing, investigating, detecting, and prosecuting criminal offenses.
What data protection principles were established in the law?
As the DPR was established for the purpose of aligning the laws of the ADGM with the data privacy standards that were set forth in the EU’s GDPR law, the DPR mandates that businesses and organizations within the financial free zone collect and process personal information in accordance with several data protection principles. These data protection principles include:
- The lawfulness, fairness, and transparency principle.
- The purpose limitation principle.
- The data minimization principle.
- The data accuracy principle.
- The storage limitation principle.
- The data security principle.
- The data accountability principle.
What are the rights of data subjects under the law?
On the other hand, the DPR also affords data subjects a number of data protection and personal privacy rights. These rights include the following:
- The right to transparent information and communication.
- The right to be informed of the collection and processing of personal data.
- The right to access, rectify, and erase personal data.
- The right to object to the processing of personal data.
- The right to restrict the processing of personal data.
- The right to data portability.
- The right to be notified of any changes that are made to the data.
- The right to be provided with easy-to-use methods that can be utilized to exercise the other rights afforded to data subjects under the law.
What are the penalties for violating the law?
As it relates to the penalties that data controllers and processors within the ADGM stand to face should they fail to comply with the provisions set forth in the DPR, violators of the law are subject to monetary penalties of up to $28,000,000, “depending on the corresponding contraventions of the law.” Due to the severity of these penalties, the law also provided certain existing establishments within the ADGM with a 12-month transition period that would give businesses and organizations the time necessary to alter their data collection and processing practices to maintain compliance with the law.
As of 2022, the ADGM Data Protection Regulations 2021 is the primary data protection law that regulates the collection, processing, retention, transfer, disclosure, and dissemination of personal information with the UAE, in conjunction with The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020. Due to massive amounts of data that are collected within the UAE on a daily basis to the prevalence of businesses and organizations that serve consumers within the numerous metropolitan areas in the country, laws such as the DIFC and DPR are pivotal to ensuring that data subjects can secure their information when purchasing products, goods, and services.