ADGM Publishes Data Protection Guidance and Standard Contractual Clauses
On 14 August 2021 the Abu Dhabi Global Market (ADGM) Data Protection Regulations (the Regulations) became fully effective for businesses established in the ADGM on or after 14 February 2021. Businesses established before 14 February 2021 have just another six months to take all of the necessary steps towards compliance.
The ADGM Office for Data Protection (ODP) has published a suite of guidance documentation to help businesses understand and meet their compliance obligations under the Regulations. The ODP has also published standard contractual clauses to facilitate international transfers from the ADGM, as well as for entering into processing agreements with data processors.
The eight-part guidance series published by the ODP (the Guidance) provides added context to the obligations under the Regulations. The Guidance covers a range of issues, including:
- key concepts, terms, scope, principles of processing and the lawful bases for processing personal data;
- data subject rights and the data controller’s obligations with regards to individual rights requests;
- data protection by design and default, the fees, the record of processing activity, the requirement of data protection officers and processor obligations;
- data protection impact assessments (DPIAs);
- security of processing, the cessation of processing and managing personal data breaches, which includes notification requirements;
- international transfers;
- the role of the ODP and the Commissioner of Data Protection; and
- individual rights and remedies.
Standard Contractual Clauses
Separately, the ODP has published two sets of standard contractual clauses (SCCs), which businesses can enter into with counterparties (either third parties or group entities, as applicable) to:
- lawfully transfer personal data out of the ADGM (using the International Transfer SCCs). The International Transfer SCCs take a modular approach catering to different transfer scenarios. On 4 August 2021 the ODP also issued a circular (see here) clarifying that, for new businesses required to comply with the Regulations by 14 August 2021, they can continue to rely on a permit previously issued by the Commissioner until 14 February 2022 to legitimise the international export of personal data (although all other provisions of the Regulations will apply from 14 August 2021); and
- ensure that any processors are bound by contractual obligations which meet the requirements set out under Section 26 of the Regulations (using the Processor SCCs).
Each of the SCCs is based largely on the equivalent templates recently published by the European Commission.
The ODP has also recently made available:
- a DPIA Template for businesses to leverage when considering engaging in any high risk processing activities (available here);
- a template Record of Processing Activities;
- a template Appropriate Policy Document for use when processing special categories of personal data under Section 7(2)(k) and 7(3) of the Regulations;
- a set of Fees Rules; and
- a set of Fines Rules.
For businesses in the ADGM yet to take any steps to put in place a programme of compliance around the Regulations, now is the time.
Businesses with limited experience in data protection compliance should find the clear explanations and industry specific examples instructive, whilst those with previous experience in implementing data protection compliance projects in Europe (or the UK) should find the ADGM’s interpretation and application of key concepts reassuringly familiar.
The alignment with European (and UK) standards should enable businesses with existing compliance programmes in Europe and the UK to leverage existing data protection policies, procedures and other documentation, subject to amendment to reflect the ADGM Regulations and the activities that they are conducting in the ADGM. This will allow them to take a largely consistent approach across their organization in the EU and/or UK and the ADGM.
- Conduct a gap analysis to identify those areas which are presently non-compliant and then put in place a clear roadmap to close these gaps.
- Businesses that have already taken steps to comply with the Regulations should consider reviewing existing data protection policies, processes and / or procedures against the new Guidance.
- Businesses sending personal data out of the ADGM should review their international data transfer arrangements and consider whether the ADGM’s International Transfer SCCs should be incorporated within their existing agreements, or entered into separately to legitimise any exports of personal data.
- Equally, ADGM based businesses should review existing arrangements with service providers and consider supplementing or replacing their agreements with those service providers with the relevant provisions of the Processor SCCs, in order to meet their obligations under Section 26 of the Regulations.
DLA Piper’s Middle East Data Protection team has in depth experience in assisting regional and international businesses with their compliance requirements.
If you would like to discuss any element of the Regulations, the Guidance or the SCCs, or your business’s data protection requirements through the GCC more generally, please contact Eamon Holley (Partner) or Alex Mackay (Associate).