COVID 19 Implication for Data Protection
Introduction to Abu Dhabi Global Market
Abu Dhabi Global Market (ADGM) is a broad based international financial centre, established pursuant to Abu Dhabi Law No. 4 of 2013 in the Emirate of Abu Dhabi. With its own civil and commercial laws based on the English common law, ADGM offers the local, regional and international business community a world-class legal system and regulatory regime.
ADGM Office of Data Protection
The Registrar of the ADGM Registration Authority, together with the Office of Data Protection (ODP), is responsible for supervising and ensuring the effective compliance of the obligations of Data Controllers under the Data Protection Regulations 2015 (as amended) (DP Regulations).
The ODP also provides guidance to registered entities and receives complaints from individuals.
For more information and data protection resources, please go to the ODP micro-site available at: https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance.
For further information or enquiries, please contact us via email at: Data.Protection@adgm.com.
Frequently Asked Questions
The ODP recognises that Data Controllers are facing unexpected challenges during the Coronavirus COVID-19 pandemic.
The ODP is aware that Data Controllers may need to share Personal Data rapidly or collect the Personal Data of visitors to their premises for such purposes as contact tracing and other response measures.
The DP Regulations do not prevent a Data Controller from processing Personal Data in cases of emergency, provided that the Personal Data is processed fairly, lawfully and securely, and it is adequate, relevant and proportionate for the purposes for which it is being processed.
The ODP is here to help and clarify frequently asked questions received in this regard:
1. What is the ODP’s position if a Data Controller does not meet certain regulatory requirements or experiences a delay in responding to Data Subject rights requests during the current COVID-19 situation?
Data Controllers should always seek to comply with their obligations under the DP Regulations. However, during these uncertain times, the ODP understands that Data Controllers might be distracted and there may be delays in responding to Data Subject requests and other compliance requirements under the DP Regulations. The ODP will take a pragmatic approach to regulation during these uncertain times and will take into consideration any mitigating circumstances before deciding what regulatory action to take (if any) against Data Controllers for non-compliance.
2. Can a Data Controller inform employees that a member of their team has contracted COVID-19?
Employers have a legal obligation to ensure the health and safety of all their employees. Accordingly, Data Controllers should keep employees informed about any cases of COVID-19 in their organization and take the necessary measures to keep employees safe. However, employers should avoid naming individuals, if possible, and should not provide any more information than is necessary.
3. Is a Data Controller, that is a public entity or healthcare provider, permitted to contact individuals in relation to COVID-19 without having prior consent?
The DP Regulations do not prevent any health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing.
Public bodies may also require additional collection and sharing of Personal Data for the purpose of protection against serious threats to public health. This is a legitimate purpose for collecting and processing such Personal Data.
4. Can a Data Controller collect health data in relation to COVID-19 about employees or visitors of ADGM entities?
As an employer, Data Controllers have a duty to ensure employees’ health and safety, but that does not necessarily mean they may gather unnecessary information about their employees.
For example, it may be reasonable in the current circumstances to ask an employee or a visitor if they have visited a particular country or are experiencing COVID-19 symptoms. On the other hand, it would be unreasonable to ask an employee or visitor if they or any of their family members have ever been diagnosed with any other contagious disease.
If additional health data is required, employers must ensure that they do not collect any more Personal Data or Sensitive Personal Data than is necessary (note: Sensitive Personal Data includes health information). In addition, employers must ensure that any Person Data or Sensitive Personal Data that is collected is treated with the appropriate safeguards, as specified under the DP Regulations.
5. Can a Data Controller share employees’ health information to the relevant Health Authorities for public health purposes?
It is unlikely that a company will be required by Health Authorities to share information about specific individuals. However, if this does happen, the DP Regulations do not prevent employers from sharing such information, provided there is a legal basis for the processing of the Personal or Sensitive Personal Data and appropriate safeguards have been met.
6. Can employees work from home during this period?
The DP Regulations do not restrict a Data Controller’s employees from working from home, provided the appropriate safeguards have been met (e.g. appropriate IT security is made available to employees) to protect any Personal Data that may be processed during that period.
ADGM Data Controllers and their employees are responsible for ensuring robust security measures are in place and adhered to at all times.
7. Who can I contact for more info?
For further information, please do not hesitate to contact the ODP via e-mail: Data.Protection@adgm.com.
The object of Frequently Asked Questions (FAQs) is to provide guidance to ADGM Data Controllers during the unforeseen challenges caused by COVID-19. This is only a non-binding indicative guide and should be read together with the DP Regulations and any other relevant regulations and enabling rules, which may change over time without notice. Further advice from a specialist professional may be required. The Registration Authority makes no representations as to accuracy, completeness, correctness or suitability of any information and will not be liable for any error or omission. Information in this FAQ is not to be deemed, considered or relied upon as legal advice and should not be treated as a substitute for a specific advice concerning any individual situation. Any action taken upon the information provided in this FAQ is strictly at your own risk and ADGM RA will not be liable for any losses and damages in connection with the use of or reliance on information provided in this FAQ.