Data Protection. Guidance Notes

Transcription

1 Data Protection Guidance Notes

2 Contents Introduction... 3 Registration Authority Office... 3 What are the Data Protection Regulations 2015?... 4 Key Definitions... 4 Role of Data Controller in relation to Personal Data... 7 Difference between Personal Data and Sensitive Personal Data... 9 Notification to the Registrar Appointment and Cessation of Data Processor Requirements for legitimate Processing of Personal Data Requirements for processing sensitive personal data at ADGM Transfers out of the Abu Dhabi Global Market: adequate level of protection Transfers out of the Abu Dhabi Global Market in the absence of an adequate level of protection Disclaimer Guidance Note Data Protection Page 2 of 15

3 Introduction Abu Dhabi Global Market ( ADGM ) was established pursuant to Abu Dhabi Law No. 4 of 2013 as a financial free zone in the Emirate of Abu Dhabi, with its own civil and commercial laws. ADGM will offer market participants a world-class legal system and regulatory regime. This document has been written to guide registered entities in ADGM in relation to ADGM s Data Protection Regulations. This Guidance Note explains: - The rights of the Data Subject in relation to their personal and sensitive data. - The role and obligations of Data Controller and Data Processor. - The process of transferring personal data and sensitive data outside Abu Dhabi Global Market. - The obligations to notify the Registrar. Registration Authority Office ADGM Registration Authority (the Registrar ) is one of the core pillars of ADGM. The Registrar is an independent body which has the powers to administer Data Protection Regulations and enforce its provisions. The Registrar s office is located on the 3rd floor, ADGM Building, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates. The Registrar s main functions under Data Protection Regulations 2015 To access personal data processed by data controllers or data processors; To collect all the information necessary for the performance of its supervisory duties; To prescribe forms to be used for any of the purposes of Data Protection Regulations; To issue warnings and make recommendations to data controllers. Opening Hours The Registrar s office is open from Sunday to Thursday, 9:00am to 3:00pm and may be contacted during normal working hours at or by at ra@adgm.com Guidance Note Data Protection Page 3 of 15

4 What are the Data Protection Regulations 2015? The Board of Directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of Law No. 4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi, enacted on October 4, 2015 the Data Protection Regulations 2015 (the Regulations ). The said Regulations make provision for the protection of personal data within the Abu Dhabi Global Market and for connected purposes. The Regulations control how personal information is used by organisations and businesses in Abu Dhabi Global Market. All companies registered in ADGM are responsible for using data and have to follow strict rules in processing such data. Key Definitions Data information that is held on computer or intended to be held on computer. This includes information recorded on paper. It means information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, (d) is recorded information held by a public authority. Personal Data any information relating to an identified natural person or Identifiable natural person. It means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, Guidance Note Data Protection Page 4 of 15

5 and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Identifiable Natural Person a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Data Controller any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data. This is by default the entity registered in ADGM/ADGM entity under formation. Data Processor any person (excluding a natural person acting in his capacity as a staff member) who Processes Personal Data on behalf of a Data Controller and may include but are not limited to external service providers that have been appointed by the entity registered in ADGM and head offices of group companies. A data processor may be a non-adgm registered entity. The appointment of a data processor is optional. Data Processor must be a body corporate. Data Subject the natural person to whom Personal Data relate or whom particular personal data is about. For example this could be including but not limited to a staff member, client or customer. Processing any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly. Guidance Note Data Protection Page 5 of 15

6 in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data. Recipient any person to whom Personal Data are disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law. Sensitive Personal Data Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and health or sex life; It means personal data consisting of information as to: I. the racial or ethnic origin of the data subject, II. his political opinions, III. his religious beliefs or other beliefs of a similar nature, IV. whether he is a member of a trade union, V. his physical or mental health or condition, Guidance Note Data Protection Page 6 of 15

7 VI. his sexual life, VII. the commission or alleged commission by him of any offence, or VIII. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding. Role of Data Controller in relation to Personal Data The Data Controller determines the purposes for which and the manner in which any personal data are processed and must ensure that any processing of personal data for which they are responsible complies with the Regulations. Failure to do so risks enforcement action and compensation claims from individuals or Data Subject. Data Controllers shall ensure that Personal Data, which they Process, are I. Processed fairly, lawfully and securely The Regulations requires the Data Controller to process personal data fairly and lawfully. The main purpose of this requirement is to protect the interests of the Data Subjects whose personal data is being processed. This principle applies to all actions they undertake with personal data. In practice, it means: a) To have legitimate grounds for collecting and using the personal data; b) Do not use the data in ways that have unjustified adverse effects on the individuals concerned; c) To be transparent about how they intend to use the data, and give individuals appropriate privacy notices when collecting their personal data; d) To handle people s personal data only in ways they would reasonably expect; and e) To make sure they do not commit any unlawful actions with the data. Guidance Note Data Protection Page 7 of 15

8 II. Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights The Data Controller must be open about their reasons for obtaining personal data, and that what they undertake with the information is in line with the reasonable expectations of the individuals concerned. In practice, the Data Controller must: a) be clear from the outset about why they are collecting personal data and what they intend to do with it; b) comply with the Regulation s fair processing requirements including the duty to give privacy notices to individuals when collecting their personal data; and c) ensure that if they wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair. III. Adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed; The Data Controller must ensure to collect only the personal data they need for the purposes that have been specified. They are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected. In practice, it means that the Data Controller should ensure that: a) They hold personal data about an individual that is sufficient for the purpose they are holding it for in relation to that individual; and b) They do not hold more information than they need for that purpose. IV. Accurate and, where necessary, kept up to date; To comply with this requirement, the Data Controller should: a) take reasonable steps to ensure the accuracy of any personal data they obtain; b) ensure that the source of any personal data is clear; c) carefully consider any challenges to the accuracy of information; and d) consider whether it is necessary to update the information Guidance Note Data Protection Page 8 of 15

9 V. Kept in a form, which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed. The Data Controller is required to retain personal data no longer than is necessary for the purpose that they obtained it for. They must ensure that personal data is disposed of when no longer needed to reduce the risk that it will become inaccurate, out of date or irrelevant. In practice, it means that Data Controller will need to: a) review the length of time you keep personal data; b) consider the purpose or purposes they should hold the information for in deciding whether (and for how long) to retain it; c) securely delete information that is no longer needed for this purpose or these purposes; and d) update, archive or securely delete information if it goes out of date. Difference between Personal Data and Sensitive Personal Data The difference between personal data and sensitive personal data may in certain instances be difficult to define. For example, names and surnames in connection with addresses and dates of birth are personal data rather than sensitive personal data. However, more sensitive details such as ethnicity or religion may be inferred from these details, as frequently particular surnames are associated with a certain religion or ethnicity, or possibly both. This does not necessarily mean that in order to maintain these names on client databases you would have to comply with the requirements for processing sensitive personal data. But where the data processor is processing such names due to the specific reason that they indicate a certain religion or ethnicity, e.g. to send advertising or marketing materials for items or services that are targeted specifically at persons of this particular religion or ethnicity, then this would constitute the processing of sensitive personal data. In all instances assumptions about data subjects should be made with caution as such assumptions may lead to the collection of inaccurate personal data. Guidance Note Data Protection Page 9 of 15

10 Notification to the Registrar I. Initial Registration The Registration of all data controllers with the Registrar is mandatory. If you are an entity applying to be registered / incorporated in ADGM and will be processing personal data, it is therefore essential for you to complete the Data Protection initial registration form and pay the applicable fee. A Data Controller shall establish and maintain records of any Personal Data Processing operations or set of such operations intended to secure a single purpose or several related purposes. II. Application for renewal of Registration An application to register a Data Controller is valid for year and can be renewed annually by submitting an Application for renewal of registration Data Protection through our Online Solution or paper form and by paying the applicable fee. Renewal must be done on every anniversary of the company s incorporation/registration. III. Change in Particulars The Data Controller must give notice to the Registrar of any changes in its particulars. Such notice can be done by completing a Notice of Change of Particulars of Data Controller through our Online Solution or paper form and by paying the applicable fee. Appointment and Cessation of Data Processor I. Appointment and Cessation The Data Controller must notify the Registrar of such appointment or cessation of Data Processor. Notification can done by completing a Notice of Appointment / Cessation of Data Processor through our Online Solution or paper form and by paying the applicable fee. II. Change in Particulars The Data Controller must give notice to the Registrar of any change in the particulars of Data Processor. Such notice can be done by completing a Notice of Change of Particulars of Data Processor through our Online Solution or paper form and by paying the applicable fee. Requirements for legitimate Processing of Personal Data Guidance Note Data Protection Page 10 of 15

11 The conditions for processing personal data are set out in the Regulations. At least one of the following conditions must be met whenever the Data Controller processes personal data. a) The Data Subject has given his written consent to the Processing of that Personal Data; b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; c) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject; d) Processing is necessary in order to protect the vital interests of the Data Subject; e) Processing is necessary for the performance of a task carried out in the interests of the Abu Dhabi Global Market or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data are disclosed; or f) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation. Requirements for processing sensitive personal data at ADGM Due to the private nature of sensitive personal data and its vulnerability to be misused in a discriminatory manner, section 3 of the ADGM Data Protection Regulations 2015 introduces additional more stringent requirements for the processing of sensitive personal data as set out below. In order to process sensitive personal data one or more of the following criteria must be satisfied: a) Additional written consent to the processing of this kind of personal data has been obtained from the Data Subject, i.e. the individual to whom the sensitive personal data relates; b) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller; c) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his/her consent; d) Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects; e) The Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims; Guidance Note Data Protection Page 11 of 15

12 f) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject; g) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation; h) Processing is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime; or i) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation. Transfers out of the Abu Dhabi Global Market: adequate level of protection Personal data shall not be transferred to a country of territory outside Abu Dhabi Global Market unless that country of territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The adequacy of the level of protection ensured by laws to which the Recipient is subject, shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to: a) the nature of the Personal Data; b) the purpose and duration of the proposed Processing operation or operations; c) if the data do not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and d) any relevant laws to which the Recipient is subject, including professional rules and security measures. The following jurisdictions have been designated by the Registrar as providing an adequate level of protection. This list may be updated from time to time by a publication to such effect on the Registrar's website. Please fill the ADGM Form Application for permit to transfer data to the jurisdiction offering adequate protection in order to apply for the Registrar s approval to transfer personal data to one of the below mentioned jurisdictions. (1) Argentina (2) Austria (3) Belgium (4) Bulgaria (5) Canada (6) Cyprus (7) Czech Republic (8) Denmark (9) Estonia Guidance Note Data Protection Page 12 of 15

13 (10) Finland (11) France (12) Germany (13) Greece (14) Guernsey (15) Hungary (16) Jersey (17) Iceland (18) Ireland (19) Isle of Man (20) Italy (21) Latvia (22) Liechtenstein (23) Lithuania (24) Luxembourg (25) Malta (26) Netherlands (27) New Zealand (28) Norway (29) Poland (30) Portugal (31) Romania (32) Slovakia (33) Slovenia (34) Spain (35) Sweden (36) Switzerland (37) United Kingdom (38) Uruguay (39) United States of America, subject to compliance with the terms of the applicable US-EU or US-Switzerland Safe Harbours Transfers out of the Abu Dhabi Global Market in the absence of an adequate level of protection If an ADGM registered entity intends to transfer personal data to a recipient located in a jurisdiction other than the aforementioned, please fill the ADGM Form Application for permit to transfer data to a jurisdiction in the absence of adequate protection. Please note that a transfer of personal data to a recipient that is not subject to laws which ensure an adequate level of protection is only possible if the following conditions are met. a) the Registrar has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of such Personal Data; b) the Data Subject has given his written consent to the proposed transfer; c) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request; d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party; e) the transfer is necessary for the establishment, exercise or defence of legal claims; f) the transfer is necessary in order to protect the vital interests of the Data Subject; g) the transfer is necessary in the interests of the ADGM; h) the transfer is made at the request of a regulator, police or other government agency; i) the transfer is made from a register which according to law is intended to provide information to the public and which is open to consultation either by the public in general or by any Guidance Note Data Protection Page 13 of 15

14 person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case; j) the transfer is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject; k) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that the transfer is carried out in accordance with applicable standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation; l) the transfer is necessary to comply with any regulatory, auditing, accounting, anti-money laundering or counter terrorist financing obligations that apply to a Data Controller which is established in the Abu Dhabi Global Market, or for the prevention or detection of any crime; m) the transfer is made to a person established outside the Abu Dhabi Global Market who would be a Data Controller (if established in the Abu Dhabi Global Market) or who is a Data Processor, if, prior to the transfer, a legally binding agreement in the form set out in Error! Reference source not found. or Error! Reference source not found. respectively, to these Regulations has been entered into between the transferor and Recipient; or n) the transfer is made between one or more members of a Group of Companies in accordance with a global data protection compliance policy of that Group, under which all the members of such Group that are or will be transferring or receiving the Personal Data are bound to comply with all the provisions of these Regulations containing restrictions on the use of Personal Data and Sensitive Personal Data in the same way as if they would be if established in the Abu Dhabi Global Market. Disclaimer This Guidance Note (the Note ) provides answers to many frequently asked questions and provides information on company s filing obligations as required by the Data Protection Regulations This is only a guide and should be read together with the relevant legislation, in particular, ADGM Companies Regulations 2015, ADGM Commercial Licensing Regulations 2015 and any other relevant regulations and enabling rules. The Note only refers to the procedures that need to be completed in relation to the Registrar. It does not cover other requirements as set out in the relevant legislation (which includes contact with the court and other internal obligations that a company will need to carry out). Further advice from a specialist professional may be required. For more information, you may contact the Registrar: Guidance Note Data Protection Page 14 of 15

15 Telephone No.: ra@adgm.com Address: 3rd floor, ADGM Building, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates. Guidance Note Data Protection Page 15 of 15