• PART IV Controller and Processor

    • 22. Responsibility of the Controller

      (1) Taking into account the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights of natural persons, the Controller must:
      (a) implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with these Regulations; and
      (b) review and update those measures where necessary.
      (2) Where proportionate in relation to Processing activities, the measures referred to in section 22(1) must include the implementation of appropriate data protection policies by the Controller.

    • 23. Data protection by design and by default

      (1) The Controller must take appropriate steps to ensure that:
      (a) its systems, business processes and practices in respect of which Personal Data is Processed are designed taking into account compliance with the principles, rights and obligations in these Regulations (‘data protection by design’); and
      (b) only Personal Data that is necessary for each specific purpose of the Processing is Processed (‘data protection by default’).

    • 24. Data Protection Fee

      (1) A Controller must, before, or as soon as reasonably practicable after, it starts Processing Personal Data under these Regulations:
      (a) pay a Data Protection Fee to the Commissioner of Data Protection in respect of the twelve months from the date it commenced Processing Personal Data under these Regulations; and
      (b) notify the Commissioner of Data Protection of:
      (i) its name and address (which, in the case of a registered company, will be its registered office); and
      (ii) the date it commenced Processing Personal Data under these Regulations.
      (2) Each year, within one month of the expiry of the anniversary on which it commenced Processing Personal Data under these Regulations, the Controller must pay a Renewal Fee in the amount specified by rules made by the Board to the Commissioner of Data Protection.
      (3) The obligations referred to in sections 24(1) and 24(2) do not apply to an Establishment employing fewer than five employees, unless it carries out High Risk Processing Activities.

    • 25. Joint Controllers

      (1) Where two or more Controllers jointly determine the purposes and means of Processing, they are joint Controllers. They must determine their respective responsibilities for compliance with the obligations under these Regulations in a transparent manner, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information referred to in sections 11 and 12, by means of an arrangement between them unless the respective responsibilities of the Controllers are determined by Applicable Law. The arrangement may designate a contact point for Data Subjects.
      (2) The arrangement referred to in section 25(1) must set out the respective roles and relationships of the joint Controllers with respect to the Data Subjects. The essence of the arrangement must be made available to the Data Subject.
      (3) Irrespective of the terms of the arrangement referred to in section 25(1), the Data Subject may exercise his or her rights under these Regulations in respect of and against each of the Controllers.

    • 26. Processor

      (1) Where Processing is to be carried out on behalf of a Controller, the Controller must use only Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of these Regulations and ensure the protection of the rights of the Data Subject.
      (2) The Processor must not engage another Processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor must inform the Controller of any intended changes concerning the addition or replacement of other Processors, thereby giving the Controller the opportunity to object to such changes.
      (3) Processing by a Processor must be governed by a contract or other legal act under Applicable Law, that is binding on the Processor with regard to the Controller and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Controller. That contract or other legal act must stipulate, in particular, that the Processor:
      (a) Processes the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside of ADGM or to an International Organisation, unless required to do so by Applicable Law to which the Processor is subject; in such a case, the Processor must inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
      (b) ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate obligation of confidentiality under Applicable Law;
      (c) takes all measures required pursuant to section 30;
      (d) respects the conditions referred to in sections 26(2) and 26(5) for engaging another Processor;
      (e) taking into account the nature of the Processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights in Part III;
      (f) assists the Controller in ensuring compliance with the obligations pursuant to sections 30 to 34 taking into account the nature of Processing and the information available to the Processor;
      (g) at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless Applicable Law requires storage of the Personal Data; and
      (h) makes available to the Controller all information necessary to demonstrate compliance with the obligations in this section and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
      (4) With regard to section 26(3)(a), the Processor must immediately inform the Controller if, in its opinion, an instruction contravenes these Regulations or other data protection provisions contained in Applicable Law.
      (5) Where a Processor engages another Processor for carrying out specific Processing activities on behalf of the Controller, the same data protection obligations as set out in the contract or other legal act between the Controller and the Processor as referred to in section 26(3) must also be imposed on that other Processor by way of a contract or other legal act under Applicable Law, in particular, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of these Regulations. The initial Processor remains fully liable to the Controller for the performance of that other Processor's obligations.
      (6) The Commissioner of Data Protection may adopt standard contractual clauses for the matters referred to in sections 26(3) and 26(5), including by approving the then current standard contractual clauses issued by the European Commission or adopted by a Supervisory Authority for the same purpose, upon which approval such standard contractual clauses will be incorporated into these Regulations by reference.
      (7) The contract or the other legal act referred to in sections 26(3) and 26(5) may be based, in whole or in part, on standard contractual clauses referred to in section 26(6), including when they are part of a certification granted to the Controller or Processor pursuant to section 38.
      (8) The contract or the other legal act referred to in sections 26(3) and 26(5) must be in writing.
      (9) Without limiting the effect of sections 55, 56 and 60, if a Processor contravenes these Regulations by determining the purposes and means of Processing, the Processor will be a Controller in respect of that Processing.

    • 27. Processing under the authority of the Controller or Processor

      The Processor and any person acting under the authority of the Controller or of the Processor, who has access to Personal Data, must not Process that data except on instructions from the Controller, unless required to do so by Applicable Law.

    • 28. Records of Processing activities

      (1) Each Controller must maintain a record of Processing activities under its responsibility. That record must contain all of the following information:
      (a) the name and contact details of the Controller and, where applicable, the joint Controller and the Data Protection Officer;
      (b) the purposes of the Processing;
      (c) a description of the categories of Data Subjects and of the categories of Personal Data;
      (d) the categories of Recipients to whom the Personal Data has been or will be disclosed including Recipients outside of ADGM or in International Organisations;
      (e) where applicable, transfers of Personal Data outside of ADGM or to an International Organisation, including the identification of that location outside of ADGM or the International Organisation and, in the case of transfers referred to in section 44(1)(b), the documentation of suitable safeguards;
      (f) where possible, the envisaged time limits for erasure of the different categories of Personal Data; and
      (g) where possible, a general description of the technical and organisational security measures referred to in section 30(1).
      (2) Each Processor must maintain a record of all categories of Processing activities carried out on behalf of a Controller, containing:
      (a) the name and contact details of the Processor or Processors and of each Controller on behalf of which the Processor is acting and the Data Protection Officer;
      (b) the categories of Processing carried out on behalf of each Controller;
      (c) where applicable, transfers of Personal Data outside of ADGM or to an International Organisation, including the identification of that location outside of ADGM or the International Organisation and, in the case of transfers referred to in section 44(1)(b), the documentation of suitable safeguards; and
      (d) where possible, a general description of the technical and organisational security measures referred to in section 30(1).
      (3) The records referred to in sections 28(1) and 28(2) must be in writing, including in electronic form.
      (4) The Controller or the Processor must make the record available to the Commissioner of Data Protection on request.

    • 29. Cooperation with the Commissioner of Data Protection

      The Controller and the Processor must cooperate, on request, with the Commissioner of Data Protection in the performance of their duties and functions.

    • 30. Security of Processing

      (1) Taking into account the State Of The Art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights of natural persons, the Controller and the Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
      (a) the Pseudonymisation and encryption of Personal Data;
      (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
      (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
      (2) In assessing the appropriate level of security the Controller and Processor must take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
      (3) The Controller and Processor must take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to Personal Data does not Process it except on instructions from the Controller, unless they are required to do so by Applicable Law.

    • 31. Cessation of Processing

      (1) Where the basis for Processing changes, ceases to exist or a Controller is required to cease Processing due to the exercise of a Data Subject’s rights under section 15, the Controller must ensure that all Personal Data, including Personal Data held by Processors is:
      (a) securely and permanently deleted;
      (b) anonymised so that the data is no longer Personal Data and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;
      (c) pseudonymised; or
      (d) securely encrypted.
      (2) Where a Controller is unable to ensure that Personal Data is securely and permanently deleted, anonymised, pseudonymised or securely encrypted, the Personal Data must be archived in a manner that ensures the data is put beyond further use.
      (3) "Put beyond further use" in section 31(2) means that:
      (a) a Controller and a relevant Processor are unable to use the Personal Data to inform any decision in respect of the Data Subject or in a manner that affects the Data Subject in any way, other than where such Personal Data needs to be cross-checked by automated means solely in order to prevent further Processing of Personal Data related to the Data Subject;
      (b) no party has access to the Personal Data other than the Controller and any relevant Processor;
      (c) Personal Data is protected by appropriate technical and organisational security measures that are equivalent to those afforded to live Personal Data; and
      (d) a Controller and any relevant Processor have in place, and comply with, a strategy for the permanent deletion, anonymisation, pseudonymisation or secure encryption of the Personal Data, and can demonstrate compliance with that strategy.
      (4) Notwithstanding section 31(1), a Controller and any relevant Processor are not required to securely and permanently delete, anonymise, pseudonymise or encrypt Personal Data or put it beyond further use, where such Personal Data:
      (a) is necessary for the establishment or defence of legal claims or must be retained for compliance with Applicable Law; or
      (b) is being used in scientific research activity conducted in the public interest or in the interests of the ADGM in accordance with all Applicable Laws, in a manner that does not present risks to the rights of Data Subjects; or
      (c) is part of a dataset used to lawfully train or refine an artificial intelligence system in a manner that does not present risks to a Data Subject’s rights.
      (5) A Controller or Processor seeking to rely on sections 31(4)(b) or 31(4)(c) must conduct a data protection impact assessment in accordance with section 34 before doing so. Any Processing of Personal Data in accordance with section 31(4) must be limited to the extent necessary for such purposes.
      (6) A Controller or Processor must have a policy and process for managing Personal Data that is subject to section 31(4) when the grounds for retention no longer apply, and must securely and permanently delete, anonymise, pseudonymise or encrypt the Personal Data, or put it beyond further use, when such grounds no longer apply.
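Sections 30(1)(a) and 31(1)(b) to (d) treat pseudonymisation, anonymisation and encryption as distinct measures, and the distinction turns on whether the means of re-identification still exist. The Python below is an added worked example, not text from the Regulations or from any ADGM guidance, that makes the consequence concrete: a keyed pseudonym (HMAC-SHA256) is reversible by whoever holds the key and lookup table, so the dataset remains Personal Data under section 31(1)(c); destroying that key and table ("crypto-shredding") removes the direct identifiers beyond recovery, which is the outcome section 31(1)(a) and (b) describe; and an unkeyed hash is not pseudonymisation at all, because a list of guessed identifiers re-links it. The records, the `PseudonymisationVault` class and all field names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people, not from any real dataset).
# "email" is the direct identifier; the other fields are the working data.
RECORDS = [
    {"email": "a.khan@example.com", "plan": "gold", "city": "Abu Dhabi"},
    {"email": "b.lee@example.com", "plan": "silver", "city": "Dubai"},
    {"email": "A.Khan@example.com", "plan": "gold", "city": "Abu Dhabi"},
]


def canonical(identifier: str) -> bytes:
    # Normalise before hashing so the same person always maps to one pseudonym.
    return identifier.strip().lower().encode("utf-8")


def pseudonym(key: bytes, identifier: str) -> str:
    # Keyed hash (HMAC-SHA256). Without `key` nobody can compute or verify the
    # mapping, which is what separates pseudonymisation from a plain hash.
    return hmac.new(key, canonical(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    # The common mistake: sha256(identifier). Anyone holding a list of candidate
    # identifiers can recompute this and re-link the records (brute_force_relink).
    return hashlib.sha256(canonical(identifier)).hexdigest()


def brute_force_relink(hashes, candidate_identifiers):
    """Dictionary attack on unkeyed hashes: returns {hash: recovered identifier}."""
    table = {unkeyed_hash(c): c for c in candidate_identifiers}
    return {h: table[h] for h in hashes if h in table}


class PseudonymisationVault:
    """Holds the secret key and the pseudonym -> identifier lookup, kept apart from
    the working dataset. While this 'additional information' exists the dataset is
    pseudonymised and remains Personal Data: the Controller can re-identify."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.lookup: dict[str, str] = {}

    def pseudonymise(self, records):
        out = []
        for r in records:
            p = pseudonym(self.key, r["email"])
            self.lookup[p] = canonical(r["email"]).decode()
            out.append({"subject": p, **{k: v for k, v in r.items() if k != "email"}})
        return out

    def reidentify(self, pseud: str):
        return self.lookup.get(pseud)

    def can_link(self, identifier: str, pseud: str) -> bool:
        # Even without the lookup table, the key alone lets its holder test
        # whether a known person appears in the dataset.
        if self.key is None:
            return False
        return hmac.compare_digest(pseudonym(self.key, identifier), pseud)

    def shred(self) -> None:
        # Crypto-shredding: destroy the key and the lookup. The pseudonyms left in
        # the dataset can no longer be computed or reversed by anyone. Residual
        # fields (plan, city) still need an indirect-identifiability check before
        # the result is treated as anonymised.
        self.key = None
        self.lookup.clear()


def demo():
    vault = PseudonymisationVault()
    dataset = vault.pseudonymise(RECORDS)
    first = dataset[0]["subject"]
    result = {
        "same_person_same_pseudonym": dataset[0]["subject"] == dataset[2]["subject"],
        "reidentify_before_shred": vault.reidentify(first),
        "link_before_shred": vault.can_link("a.khan@example.com", first),
    }
    vault.shred()
    result["reidentify_after_shred"] = vault.reidentify(first)
    result["link_after_shred"] = vault.can_link("a.khan@example.com", first)
    # Contrast: unkeyed hashes fall to a dictionary of guessed identifiers.
    leaked = [unkeyed_hash(r["email"]) for r in RECORDS]
    guesses = ["a.khan@example.com", "b.lee@example.com", "x@example.com"]
    result["unkeyed_relinked"] = len(brute_force_relink(leaked, guesses))
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points follow from the code. First, "securely encrypted" under section 31(1)(d) only changes the data's status if key custody is handled the way `shred` handles it; encrypted data whose key the Controller still holds is in the same position as the pseudonymised dataset. Second, the vault (key plus lookup) is exactly the material that section 33(3)(a) assumes an unauthorised party does not obtain, so it needs stronger access controls and separate storage from the working dataset.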

    • 32. Notification of a Personal Data Breach to the Commissioner of Data Protection

      (1) In the case of a Personal Data Breach, the Controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Commissioner of Data Protection, unless the Personal Data Breach is unlikely to result in a risk to the rights of natural persons. Where the notification to the Commissioner of Data Protection is not made within 72 hours, it must be accompanied by reasons for the delay.
      (2) The Processor must notify the Controller without undue delay after becoming aware of a Personal Data Breach.
      (3) The notification referred to in sections 32(1) and 32(2) must:
      (a) describe the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
      (b) communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
      (c) describe the likely consequences of the Personal Data Breach; and
      (d) describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
      (4) Where it is not possible to provide the information referred to in section 32(3) at the same time, the information may be provided in phases without undue further delay.
      (5) The Controller must document any Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken. The documentation must enable the Commissioner of Data Protection to verify compliance with this section.

    • 33. Communication of a Personal Data Breach to the Data Subject

      (1) When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate the Personal Data Breach to the Data Subject without undue delay.
      (2) The communication to the Data Subject referred to in section 33(1) must describe in clear and plain language the nature of the Personal Data Breach and contain at least the information and measures referred to in sections 32(3)(b), 32(3)(c) and 32(3)(d). The communication must where practical make recommendations for the natural person concerned to mitigate potential adverse effects and contain sufficient detail to allow him or her to take the necessary precautions.
      (3) The communication to the Data Subject referred to in section 33(1) is not required if any of the following conditions are met:
      (a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorised to access it, such as encryption;
      (b) the Controller has taken subsequent measures which ensure that the high risk to the rights of Data Subjects referred to in section 33(1) is no longer likely to materialise; or
      (c) it would involve disproportionate effort (having regard to the number of Data Subjects, the age of the data and any appropriate safeguards adopted). In such a case, there must instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
      (4) If the Controller has not already communicated the Personal Data Breach to the Data Subject, the Commissioner of Data Protection, having considered the likelihood of the Personal Data Breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in section 33(3) are met.

    • 34. Data Protection Impact Assessment

      (1) The Controller must, prior to Processing that is likely to result in a high risk to the rights of natural persons, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘Data Protection Impact Assessment’).
      (2) A single Data Protection Impact Assessment may address a set of similar Processing operations that present similar high risks. The outcome of the Data Protection Impact Assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the Processing of Personal Data complies with these Regulations.
      (3) The Controller must seek the advice of the Data Protection Officer, where designated, when carrying out a Data Protection Impact Assessment.
      (4) The Commissioner of Data Protection must publish a list of the kind of Processing operations which are subject to the requirement for a Data Protection Impact Assessment pursuant to section 34(1) and may review this list from time to time.
      (5) The Data Protection Impact Assessment must:
      (a) describe the nature, scope, context and purpose of the Processing;
      (b) assess necessity, proportionality and compliance measures;
      (c) identify and assess risks to individuals; and
      (d) identify any additional measures to mitigate the risks identified.
      (6) Where necessary, the Controller must carry out a review to assess if Processing is performed in accordance with the Data Protection Impact Assessment including when there is a change of the risk represented by Processing operations.
      (7) The Controller must notify the Commissioner of Data Protection prior to carrying out any Processing where a Data Protection Impact Assessment indicates that the Processing would be likely to result in a high risk to the rights of natural persons. The notification must contain the information referred to in section 34(5).

    • 35. Designation of the Data Protection Officer

      (1) The Controller and the Processor must appoint a person to perform the tasks listed in section 37 (a ‘Data Protection Officer’) where:
      (a) the Processing is carried out by a public authority, except for courts acting in their judicial capacity;
      (b) the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
      (c) the core activities of the Controller or the Processor consist of Processing on a large scale of Special Categories of Personal Data.
      (2) A Data Protection Officer:
      (a) may be appointed in respect of a single entity, a Group or multiple, independent entities;
      (b) may perform additional roles in respect of a Controller or Processor in addition to performing the role of Data Protection Officer;
      (c) does not need to be an employee of the relevant Controller or Processor provided it enters into an agreement in writing with the Controller, or Processor, as the case may be; and
      (d) does not need to be resident within ADGM,
      in each case, provided that the Data Protection Officer is easily accessible by each entity it acts for, and no other role held by the Data Protection Officer conflicts or is likely to conflict with the Data Protection Officer’s obligations under these Regulations.
      (3) The Data Protection Officer must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in section 37.
      (4) The Controller or the Processor must notify the Commissioner of Data Protection within one month following the appointment or resignation of any Data Protection Officer. The notification must include the contact details of the new Data Protection Officer and, in the case of a resignation, reasons for the resignation.
      (5) The obligations referred to in sections 35(1) and 35(2) do not apply to an Establishment employing fewer than five employees, unless it carries out High Risk Processing Activities.

    • 36. Position of the Data Protection Officer

      (1) The Controller and the Processor must ensure that the Data Protection Officer:
      (a) is involved, properly and in a timely manner, in all issues which relate to the protection of Personal Data;
      (b) is provided with sufficient resources, access to Personal Data and Processing operations to carry out the role;
      (c) is not dismissed or penalised for performing the tasks referred to in section 37; and
      (d) reports directly to the highest level of management in the Controller or Processor.
      (2) Data Subjects may contact the Data Protection Officer with regard to all issues related to Processing of their Personal Data and to the exercise of their rights under these Regulations.
      (3) The Data Protection Officer must be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Applicable Law and the confidentiality policies and procedures of the Controller or Processor.

    • 37. Tasks of the Data Protection Officer

      (1) The tasks of the Data Protection Officer include:
      (a) to inform and advise the Controller or the Processor and the employees who carry out Processing of their obligations pursuant to these Regulations and to other data protection provisions under Applicable Law;
      (b) to monitor compliance with these Regulations, with other data protection provisions under Applicable Law and with the policies of the Controller or Processor in relation to the protection of Personal Data, including the assignment of responsibilities, awareness-raising and training of Staff involved in Processing operations, and the related audits;
      (c) to provide advice where requested as regards the Data Protection Impact Assessment and monitor its performance pursuant to section 34;
      (d) to cooperate with the Commissioner of Data Protection; and
      (e) to act as the contact point for the Commissioner of Data Protection on issues relating to Processing and to consult with the Commissioner of Data Protection, where appropriate, with regard to any other matter.
      (2) The Data Protection Officer must in the performance of their tasks have due regard to the risk associated with Processing operations, taking into account the nature, scope, context and purposes of Processing.

    • 38. Codes of conduct

      (1) The Commissioner of Data Protection may approve codes of conduct prepared by associations and other bodies representing categories of Controllers or Processors and intended to contribute to the proper application of these Regulations, if it finds that they provide appropriate safeguards.
      (2) The Commissioner of Data Protection must make available to the public a register of all codes of conduct that have been approved in accordance with section 38(1).
      (3) Adherence to an approved code of conduct may be used as an element by which to:
      (a) demonstrate compliance with the obligations of the Controller in accordance with section 22;
      (b) demonstrate sufficient guarantees as referred to in sections 26(1) and 26(5);
      (c) demonstrate compliance with the requirements set out in section 30(1); and
      (d) assess the impact of the Processing operations performed by Controllers or Processors, in particular for the purposes of a Data Protection Impact Assessment in accordance with section 34.

    • 39. Certification

      (1) The Commissioner of Data Protection may approve data protection certification mechanisms and data protection seals and marks, for the purpose of demonstrating compliance with these Regulations of Processing operations by Controllers and Processors.
      (2) The Commissioner of Data Protection must take into account the specific needs of micro, small and medium-sized Establishments when approving certification schemes under section 39(1).
      (3) The certification must be voluntary and available via a process that is transparent.
      (4) The Commissioner of Data Protection must collate all certification mechanisms and data protection seals and marks in a register and must make them publicly available by any appropriate means.
      (5) Adherence to an approved certification mechanism may be used as an element by which to demonstrate (among other things):
      (a) compliance with the obligations of the Controller in accordance with section 22;
      (b) the requirements set out in section 23;
      (c) sufficient guarantees as referred to in sections 26(1) and 26(5); and
      (d) compliance with the requirements set out in section 30(1).