• Part 1 General Rules on the Processing of Personal Data

    • 1. General requirements

      (1) Data Controllers shall ensure that Personal Data which they Process are —
      (a) Processed fairly, lawfully and securely;
      (b) Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights;
      (c) adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed;
      (d) accurate and, where necessary, kept up to date; and
      (e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.
      (2) Every reasonable step shall be taken by Data Controllers to ensure that Personal Data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further Processed, are erased or rectified.

    • 2. Requirements for legitimate Processing

      Personal Data may only be Processed if —

      (a) the Data Subject has given his written consent to the Processing of that Personal Data;
      (b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
      (c) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
      (d) Processing is necessary in order to protect the vital interests of the Data Subject;
      (e) Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data are disclosed; or
      (f) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

    • 3. Processing of Sensitive Personal Data

      (1) Sensitive Personal Data shall not be Processed unless —
      (a) the Data Subject has given an additional written consent to the Processing of this kind of Personal Data;
      (b) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller;
      (c) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
      (d) Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects;
      (e) the Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims;
      (f) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
      (g) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation;
      (h) Processing is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime; or
      (i) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are Processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation.
      (2) Subsection (1) shall not apply if —
      (a) a permit has been obtained from the Registrar to Process Sensitive Personal Data; and
      (b) the Data Controller applies adequate safeguards with respect to the Processing of the Personal Data.

    • 4. Transfers out of the Abu Dhabi Global Market: adequate level of protection

      (1) Except as set out in section 5, a transfer of Personal Data to a Recipient located in a jurisdiction outside the Abu Dhabi Global Market may take place only if an adequate level of protection for those Personal Data is ensured by laws applicable to the Recipient.
      (2) The adequacy of the level of protection ensured by laws to which the Recipient is subject, as referred to in subsection (1), shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to —
      (a) the nature of the Personal Data;
      (b) the purpose and duration of the proposed Processing operation or operations;
      (c) if the data do not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and
      (d) any relevant laws to which the Recipient is subject, including professional rules and security measures.
      (3) The jurisdictions which the Registrar has designated as providing an adequate level of protection for Personal Data for the purposes of subsection (1) are listed in Schedule 3 to these Regulations, and may be updated from time to time by a publication to such effect on the Registrar's website.

    • 5. Transfers out of the Abu Dhabi Global Market in the absence of an adequate level of protection

      A transfer or a set of transfers of Personal Data to a Recipient which is not subject to laws which ensure an adequate level of protection within the meaning of section 4(1) may take place on condition that —

      (a) the Registrar has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of such Personal Data;
      (b) the Data Subject has given his written consent to the proposed transfer;
      (c) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
      (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
      (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
      (f) the transfer is necessary in order to protect the vital interests of the Data Subject;
      (g) the transfer is necessary in the interests of the Abu Dhabi Global Market;
      (h) the transfer is made at the request of a regulator, the police or other government agency;
      (i) the transfer is made from a register which according to law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
      (j) the transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
      (k) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that the transfer is carried out in accordance with applicable standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation;
      (l) the transfer is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller which is established in the Abu Dhabi Global Market, or for the prevention or detection of any crime;
      (m) the transfer is made to a person established outside the Abu Dhabi Global Market who would be a Data Controller (if established in the Abu Dhabi Global Market) or who is a Data Processor, if, prior to the transfer, a legally binding agreement in the form set out in Schedule 1 or Schedule 2 respectively to these Regulations has been entered into between the transferor and Recipient; or
      (n) the transfer is made between one or more members of a Group of Companies in accordance with a global data protection compliance policy of that Group, under which all the members of such Group that are or will be transferring or receiving the Personal Data are bound to comply with all the provisions of these Regulations containing restrictions on the use of Personal Data and Sensitive Personal Data in the same way as they would be if established in the Abu Dhabi Global Market.

    • 6. Providing information where Personal Data have been obtained from the Data Subject

      (1) Data Controllers shall provide a Data Subject whose Personal Data it collects from the Data Subject with at least the following information as soon as possible upon commencing to collect Personal Data in respect of that Data Subject —
      (a) the identity of the Data Controller;
      (b) the purposes of the Processing for which the Personal Data are intended; and
      (c) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as —
      (i) the Recipients or categories of Recipients of the Personal Data;
      (ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
      (iii) the existence of the right of access to and the right to rectify the Personal Data concerning him;
      (iv) whether the Personal Data will be used for direct marketing purposes; and
      (v) whether the Personal Data will be Processed on the basis of section 3(1)(g) or section 5(k).
      (2) A Data Controller need not provide that information otherwise required by subsection (1)(c)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.

    • 7. Providing information where Personal Data have not been obtained from the Data Subject

      (1) Where Personal Data have not been obtained from the Data Subject, a Data Controller or his representative shall at the time of undertaking the Processing of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data are first Processed or disclosed, provide the Data Subject with at least the following information —
      (a) the identity of the Data Controller;
      (b) the purposes of the Processing;
      (c) any further information in so far as such further information is necessary, having regard to the specific circumstances in which the Personal Data are Processed, to guarantee fair Processing in respect of the Data Subject, such as —
      (i) the categories of Personal Data concerned;
      (ii) the Recipients or categories of Recipients;
      (iii) the existence of the right of access to and the right to rectify the Personal Data concerning him;
      (iv) whether the Personal Data will be used for direct marketing purposes; and
      (v) whether the Personal Data will be Processed on the basis of section 3(1)(g) or section 5(k).
      (2) Subsection (1) shall not apply to require —
      (a) the Data Controller to provide information which the Data Controller reasonably expects the Data Subject to possess; or
      (b) the provision of such information if it is reasonably impracticable or would involve a disproportionate effort.

    • 8. Confidentiality

      Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data shall not Process them except on instructions from the Data Controller, unless he is required to do so by law.

    • 9. Security of Processing

      (1) The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction of, or damage to, such Personal Data.
      (2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
      (3) The Data Controller shall, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and shall ensure compliance with those measures.
      (4) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of the incident as soon as reasonably practicable.
      (5) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data, including by any of its Data Processors, the Data Controller shall inform the Registrar of the incident as soon as reasonably practicable.