Abu Dhabi Global Market Consultation Paper No. 10 - Data Protection Regulations

CONSULTATION PAPER NO 10 OF 2015 13 JULY 2015 DATA PROTECTION REGULATIONS

2 INTRODUCTION

1. The Board of Directors (the "Board") of Abu Dhabi Global Market ("ADGM") have issued this Consultation Paper to invite public comment on the Board's proposals to issue regulations governing data protection to be called the Data Protection Regulations (the “Regulations”). A proposed draft of the Regulations is set out at Annex A to this Paper.
2. We have summarised the main provisions of the Regulations in this Consultation Paper. The summaries provided within should be read as an introduction to the provisions only – many of the precise details and specifics are contained in the draft Regulations themselves. Where terms are capitalised in this paper, they (unless context requires otherwise) should be taken to have the definitions ascribed to such terms in the Regulations. WHO SHOULD READ THIS PAPER?
3. The proposals in this Consultation Paper would be of interest to individuals, organisations and investors with an interest in establishing a presence in ADGM or otherwise doing business in ADGM, and their professional advisors. HOW TO PROVIDE COMMENTS
4. All comments should be in writing and sent to the address or email specified below. If sending your comments by email, please use the Consultation Paper number in the subject line. You may, if relevant, identify the organisation you represent in providing your comments. The Board reserves the right to publish, including on its website, any comments you provide, unless you expressly request otherwise at the time of making comments. Comments supported by reasoning and evidence will be given more weight by the Board. WHAT HAPPENS NEXT?
5. The deadline for providing comments on this proposal is 11 August 2015. Once we receive your comments, we will consider whether any modifications are required to this proposal. The Board will then proceed to enact the Regulations. You should not act on these proposals until the Regulations are issued. We shall issue a notice on our website telling you when this happens. COMMENTS TO BE ADDRESSED TO: Consultation Paper No. 10 of 2015 Abu Dhabi Global Market Abu Dhabi Global Market Square Al Maryah Island PO Box 111999 Abu Dhabi, UAE Email: consultation@adgm.com Telephone: +971 (0)2 333 0888

3 DATA PROTECTION REGULATIONS SCOPE AND APPROACH TO THE DATA PROTECTION REGULATIONS 6. This Consultation Paper aims to determine whether there is a need for a set of standalone data protection regulations in ADGM, as an alternative to the individual provisions currently legislating for some level of data protection in the Employment Regulations 2015. In this regard, we considered EU legislation as the most appropriate basis for preparing the draft standalone Regulations, and it is therefore the current EU Data Protection Directive 95/46/EC (the "EU Directive") on which the Regulations are based. Broadly speaking, this imposes standards on the collection, use and distribution of individual personal data to be met by those entities in control of such data. 7. The Board is aware of the current proposals by the European Commission for the adoption of a new "General Data Protection Regulation" to replace the current EU Directive. Although this has recently been approved by the European Council, tripartite discussions between the main EU authorities to agree its final text are yet to commence, with a final version of the proposed regulation expected at the end of 2015. It is then unlikely to come into force until two years following its publication, during which time the EU Directive will still be applicable. The draft Regulations have mot attempted to preempt any proposed modifications. 8. The Regulations will apply to any person based in the ADGM who, either alone or jointly with others, determines the purposes and processing methods of any Personal Data (collectively defined as "Data Controllers"). Personal Data is defined widely to include any information relating to a natural person or a natural person who can, either directly or indirectly, be identified by reference to an identification number or to one or more factors relating to that persons’ physical, physiological, mental, economic, cultural or social identity. 9. The Regulations contain provisions under the following Part headings: a. Part 1, General Rules on the Processing of Personal Data (e.g., requirements for secure and legitimate Processing of Personal Data, specific treatment of Sensitive Personal Data, governance of transfers of Personal Data outside the ADGM); b. Part 2, Rights of Data Subjects (e.g., rights to access, rectify, erase or block Personal Data or object to their Processing); c. Part 3, Notifications to the Registrar (e.g., specific notifications to be made to the Registrar, the Registrar’s maintenance of a register of such notifications); d. Part 4, The Registrar (e.g., powers of the Registrar to access and request information, issue warnings or make recommendations to Data Controllers); e. Part 5, The Board (e.g., the power of the Board to make rules to accompany the Regulations); f. Part 6, Remedies, Liability and Sanctions (e.g., directions imposed by the Registrar in instances of contraventions of the Regulations, lodging of claims with the Registrar by those adversely affected by such contraventions, and a right of compensation for those suffering damage by virtue of such contraventions); and

4 g. Part 7, General Exemptions (e.g., instances where the Board may make Rules to exempt certain Data Controllers from compliance with the Regulations). ISSUE FOR CONSIDERATION SHOULD THE BOARD ADOPT A SET OF STAND ALONE DATA PROTECTION REGULATIONS, OR SHOULD IT RELY UPON INDIVIDUAL DATA PROTECTION PROVISIONS IN EXISTING REGULATIONS?

5 ANNEX A: PROPOSED DATA PROTECTION REGULATIONS