Abu Dhabi Global Market - Data Protection Overview
December 2024
1. Governing Texts
The Data Protection Regulations 2021 (the 2021 Regulations) govern the processing of personal data by persons operating in the Abu Dhabi Global Market (ADGM). The 2021 Regulations apply to the processing of personal data by data controllers established in the ADGM. The 2021 Regulations also provide for limited obligations for data processors, which may be established outside the ADGM.
1.1. Key acts, regulations, directives, bills
The 2021 Regulations repealed the 2015 Regulations to bring the ADGM framework more, although not wholly, in line with international standards (most notably the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)). They are adapted to the needs of ADGM and are intended to be proportionate and business-friendly, without undermining the key ambition of achieving a high standard of protection for personal data. One of the major changes is that the 2021 Regulations introduced an independent Office of Data Protection (ODP), headed by a Commissioner of Data Protection (the Commissioner). In addition, there have been a significant number of changes and additional responsibilities for controllers and processors. To ensure a smooth transition, the 2021 Regulations came into effect in two stages. For new entities established on or after February 14, 2021, the 2021 Regulations entered into effect six months after publication, i.e. August 14, 2021. For existing entities, the 2021 Regulations entered into effect 12 months after publication, i.e. February 14, 2022.
1.2. Guidelines
The Abu Dhabi Global Market Registration Authority's (the Registrar) ODP has issued a suite of guidance and materials (accessible here) which includes:
- Data Protection Guidance 2021 (Parts 1 to 8);
- Information for Individuals;
- Self-assessments including appointing a Data Protection Officer (DPO) and notification of personal data breaches;
- Guidance on completing Data Protection Registration in ADGM Registry Solution 2.0;
- Standard Contractual Clauses for Transfers;
- ADGM Addendum to the EU SCCs and Guidance Note;
- Circulars; and
- Privacy documentation templates.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
The 2021 Regulations apply to any information that identifies a living person (Articles 2 and 62 of the 2021 Regulations).
2.2. Territorial scope
The 2021 Regulations apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in ADGM, regardless of whether the processing takes place in ADGM or not (Article 3 of the 2021 Regulations).
2.3. Material scope
The 2021 Regulations apply to the processing of personal data by automated means and to processing by non-automated means that forms part of a filing system or is intended to form part of a filing system (Article 2(1) of the 2021 Regulations).
They do not apply to the processing of personal data by a natural person for the purposes of purely personal or household activities or by public authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties, including the safeguarding against, and the prevention of threats to, national security (Article 2(2) of the 2021 Regulations).
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The Registrar is an independent body with the authority to oversee the administration and operation of the ODP as an independent data protection supervisory authority.
The Commissioner is responsible for the monitoring and enforcement of the 2021 Regulations in order to protect the rights of natural persons in relation to the processing of personal data in ADGM. The Board of Directors of the ADGM (the Board) is the body responsible for enacting the 2021 Regulations and has the authority to make further rules with respect to the processing of personal data, including new rules, forms, and procedures. The Board oversees the conduct of the Commissioner and its staff.
3.2. Main powers, duties and responsibilities
The Commissioner is an independent body with the authority to administer the 2021 Regulations and enforce its provisions. The Commissioner may access personal data processed by controllers and processors, collect information, issue warnings, and make recommendations to controllers.
4. Key Definitions
Data controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 62 of the 2021 Regulations).
Data processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller (Article 62 of the 2021 Regulations).
Personal data: Any information relating to an identified natural person or identifiable natural person (Article 62 of the 2021 Regulations).
Sensitive data: Personal data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation and personal data relating to criminal convictions and offenses or related security measures (Article 7(1) of the 2021 Regulations).
Health data: Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about their health status (Article 62 of the 2021 Regulations).
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data (Article 62 of the 2021 Regulations).
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 62 of the 2021 Regulations).
Data Protection Impact Assessment: An assessment of the impact of the envisaged processing operations on the protection of personal data which the controller must carry out, prior to processing that is likely to result in a high risk to the rights of natural persons (Article 34(1) of the 2021 Regulations).
5. Legal Bases
5.1. Consent
Processing of personal data is permitted if the data subject has given their written consent to the processing of personal data (Article 5(1)(a) of the 2021 Regulations). Consent under the 2021 Regulations means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they (whether in writing, electronically, or orally), by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them (Article 6(1) of the 2021 Regulations). For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes for which the personal data is intended to be processed (Article 6(3) of the 2021 Regulations).
5.2. Contract with the data subject
Processing of personal data is permitted if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 5(1)(b) of the 2021 Regulations).
5.3. Legal obligations
Processing of personal data is permitted if processing is necessary for compliance with any regulatory or legal obligation to which the controller is subject under applicable law (Article 5(1)(c) of the 2021 Regulations).
5.4. Interests of the data subject
Processing of personal data is permitted if processing is necessary to protect the vital interests of the data subject (Article 5(1)(d) of the 2021 Regulations).
5.5. Public interest
Processing of personal data is permitted if the processing is necessary for the performance of a task carried out in the interests of the ADGM or in the exercise of the ADGM's, financial services regulatory authority's, the court's, the Registrar's or the regulator's functions, or powers vested in the controller, or in a third party to whom the personal data are disclosed (Article 5(1)(e) of the 2021 Regulations).
5.6. Legitimate interests of the data controller
Processing of personal data is permitted if processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the personal data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject's particular situation, e.g. where the data subject is a child (Article 5(1)(f) of the 2021 Regulations).
5.7. Legal bases in other instances
Not applicable.
6. Principles
Data controllers must ensure the personal data that they process is (Article 4(1) of the 2021 Regulations):
- processed fairly, lawfully, and securely;
- processed for specified, explicit, and legitimate purposes in accordance with the data subject's rights and not further processed in a way incompatible with those purposes or rights;
- adequate, relevant, and not excessive in relation to the purposes for which it is collected or further processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was collected or for which it is further processed; and
- processed in a manner that ensures appropriate security of the personal data.
7. Controller and Processor Obligations
Controllers determine the purposes for which, and the manner in which, any personal data is processed and must ensure that any processing of personal data for which they are responsible complies with the 2021 Regulations. Failure to do so risks both regulatory enforcement action and compensation claims from individuals.
Controllers must implement appropriate technical and organizational measures to protect personal data against loss or unauthorized access and must only engage data processors providing sufficient guarantees in respect of technical security and organizational measures (Articles 22(1)(a) and 26(1) of the 2021 Regulations).
7.1. Data processing notification
A controller must notify the Commissioner, before or as soon as reasonably practicable after it starts processing personal data, its name, address, and the date it commenced processing personal data under the 2021 Regulations (Article 24(1)(b) of the 2021 Regulations). The controller must pay an annual data protection fee to the Commissioner from the date it commenced processing personal data (Articles 24(1)(a) and 24(2) of the 2021 Regulations). More specifically, each year, within one month of the expiry of the anniversary on which the controller commenced processing personal data under the 2021 Regulations, the controller must pay a 'renewal fee' (Article 24(2) of the 2021 Regulations).
Notably, the amounts for the data protection fee and renewal fee to be paid by controllers are specified by the Data Protection Regulations (Fees) Rules 2021 as amounting to $300 each (Article 62(1) of the 2021 Regulations).
In turn, the ODP will maintain a register of data controllers (the Data Controller Register) in the ADGM, as a part of its regulatory functions and publishes the register publicly in order to promote transparency and openness as noted in the Guidance Portal for Data Controllers. Furthermore, the Data Controller Register will be incorporated within the ADGM Public Register of Companies.
In practice, controllers initially submit their data protection information and data protection fees through the Registry Solution when registering a company in the ADGM. Renewal information and fees can also be subsequently submitted through the same portal. In November 2023, the ODP published its Guidance on completing Data Protection Registration in ADGM Registry Solution 2.0 to clarify and provide instructions on this process.
Exemptions
The obligations referred to in Sections 24(1) and 24(2) of the 2021 Regulations do not apply to establishments employing fewer than five employees unless they carry out 'high risk processing activities' (Section 24(3) of the 2021 Regulations). See the section on Data Protection Impact Assessment (DPIA) below.
7.2. Data transfers
Unless the transfer is to a recipient in a jurisdiction designated by the Commissioner as providing an adequate level of protection for personal data as per Article 41(3) of the 2021 Regulations, personal data may only be transferred outside the ADGM on the basis of one of the conditions prescribed by the 2021 Regulations, including, for example, where the data subject has given their written consent to the proposed transfer (Articles 42 and 43 of the 2021 Regulations). Please see our Data Transfer Restrictions Comparison for further information.
The ODP has issued Standard Contractual Clauses (SCCs), in accordance with Article 42(2) of the 2021 Regulations, to govern transfers of personal data made outside of the ADGM jurisdiction to third parties in jurisdictions that do not provide an adequate level of protection for personal data. While optional, the SCCs ensure a high level of protection of personal data because, if adopted, the relevant parties may not amend or alter them. The SCCs are closely aligned with the EU's recently published SCCs for data transfers but go further in the following respects; the ADGM SCCs:
- reflect the enhanced requirements of the 2021 Regulations;
- promote interoperability through consistency with international best practices;
- provide a more flexible approach in one document containing 'modular' provisions;
- cover a broad range of transfer scenarios; and
- make it possible for more than two parties to accede to the SCCs.
In November 2023, the ODP issued an Addendum to the EU SCCs for personal data transfers, making it the first data protection authority in the Middle East to issue an addendum to the EU SCCs. This Addendum is an approved appropriate mechanism and safeguard under the 2021 Regulations, enabling organizations to legally export data internationally where they have adopted, or are adopting, the EU SCCs. This is a welcome development and should assist controllers by streamlining the process and reducing lengthy contractual clauses in agreements.
7.3. Data processing records
Controllers and processors are expected to maintain a record of processing activities. The records must contain the following information (Article 28(1) of the 2021 Regulations):
- name and contact details of the controller;
- the purposes of the processing;
- description of the categories of data subjects and categories of personal data;
- transfers of personal data outside the ADGM or to international organizations;
- the time limits for the erasure of the different categories of personal data; and
- a general description of the technical and organizational security measures to protect the data.
The records must be in writing, maintained in electronic form, and are to be made available to the Commissioner upon its request (Articles 28(3) and (4) of the 2021 Regulations).
The ODP has released a standard-form template record of processing activities (available to download here).
7.4. Data protection impact assessment
Controllers must carry out an assessment of the impact of the processing operation on the protection of personal data for processing activities likely to result in a high risk to the rights of the data subjects (Article 34(1) of the 2021 Regulations). In this regard, Article 62(1) of the 2021 Regulations defines 'high risk processing activities' as the processing of personal data where one or more of the following applies:
- a considerable volume of personal data will be processed;
- the processing is likely to result in a high risk to the rights of data subjects;
- the processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- the processing includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise their rights; or
- the processing includes special categories of personal data, except where the processing of such data is required by applicable law.
The controller must seek the advice of the data protection officer (DPO) if designated when carrying out a DPIA (Article 34(3) of the 2021 Regulations).
Furthermore, the controller must notify the Commissioner prior to carrying out any processing where a DPIA indicates that the processing would be likely to result in a high risk to the rights of natural persons. The notification must contain the following information (Articles 34(5) and 34(7) of the 2021 Regulations):
- description of the nature, scope, context, and purpose of the processing;
- assessment of necessity, proportionality, and compliance measures;
- identification and assessment of risks to individuals; and
- identification of any additional measures to mitigate the risks identified.
Further to the above, Section 4.2 of the Guidance on the Data Protection Regulations 2021 (Part 4: Data Protection Impact Assessments) (DPIA Guidance) expands on the requirements above and provides a non-exhaustive list of possible risks to be included in organizations' DPIAs, including:
- a loss of opportunity;
- wider access to the data subjects' personal data within or outside the organization;
- data which had previously been pseudonymized now being identifiable; and
- risk of impersonation or fraud.
Furthermore, Section 4.2 of the DPIA Guidance sets out measures to mitigate such risks, including:
- seeking alternative technological solutions;
- educating internal stakeholders;
- holding personal data for shorter periods of time;
- collecting less personal data;
- increasing physical and IT security measures;
- strengthening contractual terms with third-party data recipients;
- making it easier for data subjects to exercise their rights; and
- updating privacy policies.
More specifically, Section 4.3 of the DPIA Guidance also outlines what a best practice DPIA would cover, including, among others:
- an explanation of why the controller needed a DPIA, detailing the types of intended processing that triggered the requirement;
- a clear and easily understandable structure for a reader not necessarily familiar with the data processing activity;
- a clear description of the relationships between controllers, processors, data subjects, and any systems, using both text and data-flow diagrams where appropriate;
- identification of all relevant risks to individuals' rights, with an assessment of their likelihood and severity; and
- a clear and full explanation of how any proposed mitigation steps will reduce any identified risks.
The Commissioner will publish a list of the kind of processing operations that would require a DPIA to be carried out (Article 34(4) of the 2021 Regulations).
This list has been published within the DPIA Guidance and is a non-exhaustive list of the types of processing activities that require a DPIA before their commencement (Section 3.5 of the DPIA Guidance):
- using profiling, automated decision-making, or special category data to help make decisions on someone's access to a service, opportunity, or benefit;
- systematically monitoring a publicly accessible place on a large scale;
- processing special-category data on a large scale;
- collecting biometric data on employees for the purposes of identifying them;
- carrying out profiling, as defined in Part VIII of the 2021 Regulations, on a large scale;
- combining, comparing, or matching data from multiple sources to compile a fuller picture around an individual; and
- processing personal data that could result in a risk of physical harm in the event of a security breach.
Notably, Article 31(4) of the 2021 Regulations, on the cessation of processing, further states that a controller or processor seeking to rely on Articles 31(4)(b) or 31(4)(c) of the 2021 Regulations, as exceptions to the requirement to securely and permanently delete, anonymize, pseudonymize, or encrypt personal data, or put it beyond further use, must conduct a DPIA before doing so. Moreover, a single DPIA may address a set of similar processing operations that present similar high risks. The outcome of the DPIA should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the 2021 Regulations (Section 34(2) of the 2021 Regulations).
Method
Section 5 of the DPIA Guidance outlines the following ways controllers may conduct DPIAs:
- the controller must seek the advice of their DPO, where one is designated, to advise on and monitor performance against the DPIA, in accordance with Article 34(3) of the 2021 Regulations; and
- different teams may be engaged (such as IT and security teams), particularly the ones that own the processing activity, to help understand how the processing operations will work and identify associated risks.
In addition to the DPIA Guidance, the ODP has released a standard-form template DPIA.
7.5. Data protection officer appointment
Controllers and processors are required to appoint a DPO for the following instances (Article 35(1) of the 2021 Regulations):
- processing is carried out by a public authority except for courts acting in their judicial capacity;
- the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of processing special categories of personal data on a large scale.
In this regard, Section 5.2 of the Guidance on the Data Protection Regulations 2021, Part 3 (the DPO Guidance) clarifies that 'core activities' in this context refers to the primary business activities of an organization, so that if an organization needs to process personal data to achieve its key objectives, that is considered a core activity. Further clarification on 'regular and systematic monitoring of data subjects on a large scale' and on what is considered processing 'on a large scale' can be found in Sections 5.3 and 5.4 of the DPO Guidance.
The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 37 of the 2021 Regulations (Article 35(3) of the 2021 Regulations).
Furthermore, a DPO (Section 35(2) of the 2021 Regulations):
- may be appointed in respect of a single entity, a group, or multiple, independent entities;
- may perform additional roles in respect of a controller or processor in addition to performing the role of DPO;
- does not need to be an employee of the relevant controller or processor provided it enters into an agreement in writing with the controller, or processor, as the case may be; and
- does not need to be resident within ADGM, in each case, provided that the DPO is easily accessible by each entity it acts for, and no other role held by the DPO conflicts or is likely to conflict with the DPO's obligations under these regulations.
Notably, a self-assessment for the DPO requirement has been released by the ODP to help organizations understand whether they are required to appoint a DPO. In this regard, it should be noted that the obligations referred to in Articles 35(1) and 35(2) of the 2021 Regulations do not apply to an establishment employing fewer than five employees unless it carries out high-risk processing activities (Article 35(5) of the 2021 Regulations).
Role
The tasks of the DPO include (Article 37(1) of the 2021 Regulations):
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to these regulations and to other data protection provisions under applicable law;
- to monitor compliance with these regulations, with other data protection provisions under applicable law, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the DPIA and monitor its performance pursuant to Article 34;
- to cooperate with the Commissioner; and
- to act as the contact point for the Commissioner on issues relating to processing and to consult with the Commissioner, where appropriate, with regard to any other matter.
The DPO must in the performance of their tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing (Article 37(2) of the 2021 Regulations).
Moreover, the controller and processor must ensure that the DPO (Article 36(1) of the 2021 Regulations):
- is involved, properly and in a timely manner, in all issues which relate to the protection of personal data;
- is provided with sufficient resources, access to personal data, and processing operations to carry out the role;
- is not dismissed or penalized for performing the tasks referred to in Article 36; and
- reports directly to the highest level of management in the controller or processor.
Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and to the exercise of their rights under the 2021 Regulations (Article 36(2) of the 2021 Regulations).
The DPO must also be bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with applicable law and the confidentiality policies and procedures of the controller or processor (Article 36(3) of the 2021 Regulations).
Notification
The controller or processor must notify the Commissioner of the appointment or resignation of the DPO within one month of the event. The notification must include details of the new DPO and the reasons for the resignation (Article 35(4) of the 2021 Regulations).
7.6. Data breach notification
Controllers must notify the Commissioner without undue delay, and where feasible, no later than 72 hours after becoming aware of any breach affecting personal data (Article 32(1) of the 2021 Regulations). Processors must notify the relevant controller without undue delay after becoming aware of the personal data breach (Article 32(2) of the 2021 Regulations).
Sector obligations
There are no sectoral obligations regarding data breach notification. Note, however, that the jurisdiction in which this law, and its executive/administrative infrastructure, has been introduced focuses on financial institutions.
7.7. Data retention
The controller is required to retain personal data for no longer than is necessary for the purpose for which it was obtained. Controllers must ensure that personal data is disposed of when no longer needed, to reduce the risk that it will become inaccurate, out of date, or irrelevant. In practice, this means that controllers will need to (Articles 4(1)(e) and 31 of the 2021 Regulations):
- review the length of time that personal data is kept;
- consider the purpose(s) they should hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive, or securely delete information if it goes out of date.
7.8. Children's data
Processing that is necessary for the purposes of legitimate interests pursued by a controller will be overridden by the interests of data subjects, who are children, who require protection of their personal data (Article 5(1)(f) of the 2021 Regulations).
7.9. Special categories of personal data
The processing of special categories of personal data, which includes criminal conviction data, is not prohibited if (Article 7(2) of the 2021 Regulations):
- the data subject has given explicit consent to the processing of their special categories of personal data for one or more specified purposes;
- processing is necessary for the purposes of carrying out the obligations and specific rights of the controller or of the data subject in the field of employment law provided the controller has an appropriate policy document in place;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving their consent;
- processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment, or the management of health care systems or services or pursuant to a contract with a health professional provided that processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality; or
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.
Please refer to Article 7 of the 2021 Regulations for the definitive list.
7.10. Controller and processor contracts
Article 26 of the 2021 Regulations provides that processing by a processor must be governed by a contract or other legal act under applicable law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
8. Data Subject Rights
8.1. Right to be informed
Certain information must be provided to data subjects about the manner and purposes for which their data will be processed, including where data is not collected directly from the data subject (Articles 10 to 12 of the 2021 Regulations).
8.2. Right to access
Data subjects have the right to require controllers to provide information about how personal data relating to them are processed and access to the personal data and information relating to them such as the purposes of such processing (Article 13 of the 2021 Regulations). Other examples of information that the data subject is entitled to access can be found in Article 13(1) of the 2021 Regulations.
8.3. Right to rectification
Data subjects have the right to request and obtain from the controller the rectification of inaccurate personal data concerning them without undue delay (Article 14 of the 2021 Regulations).
8.4. Right to erasure
Data subjects have the right to the erasure of personal data concerning them without undue delay (Article 15 of the 2021 Regulations).
8.5. Right to object/opt-out
Data subjects have the right to object to the processing of their personal data at any time. In such cases where the data subject objects, the controller must not process the personal data unless the controller reasonably considers that there are legitimate grounds for the processing of data that override the interests of the data subject or the processing is necessary for the establishment or exercise of legal claims (Article 19 of the 2021 Regulations).
8.6. Right to data portability
Data subjects have the right to receive the personal data provided to the controller about them in a structured, readable format, and have the right to transmit that data to another controller without any hindrance from the controller to whom the personal data was initially provided (Article 18 of the 2021 Regulations).
8.7. Right not to be subject to automated decision-making
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or could significantly affect them (Article 20 of the 2021 Regulations).
8.8. Other rights
Right to restriction of processing
Data subjects have the right to require a controller to restrict processing to the extent that any of the circumstances stated in Article 16 of the 2021 Regulations apply.
9. Penalties
If the Commissioner is satisfied that a controller in the ADGM, or a processor or controller outside the ADGM to which personal data have been transferred, has contravened or is contravening the 2021 Regulations, then the Commissioner may issue a direction to the ADGM controller requiring them to do or refrain from doing any act, and/or to refrain from processing certain personal data or from processing the data for a specified purpose or in a certain manner (Article 54(1) of the 2021 Regulations). A direction issued by the Commissioner is enforceable, on application in writing by the Commissioner, by an injunction that can be imposed by the ADGM courts (Article 54(3) of the 2021 Regulations).
The 2021 Regulations provide for a maximum fine of up to $28 million for failure to comply with a direction of the Commissioner, the 2021 Regulations themselves, or rules made pursuant to the 2021 Regulations (Article 55(1) of the 2021 Regulations).
Injured persons have a general right to compensation for damage suffered as a result of a contravention by the controller in the ADGM, or a processor or controller outside the ADGM to which personal data have been transferred (Article 59(1) of the 2021 Regulations).
9.1. Enforcement decisions
According to the ADGM's public register, to date the Commissioner appears to have issued only one direction to an organization in accordance with its powers under Article 54(1) of the 2021 Regulations. The Commissioner found that the organization in question contravened the security principles under Articles 4(1)(f), 22(1), 22(2), 29, 30(1), and 30(2) of the 2021 Regulations. The direction, dated June 23, 2023, required the organization to implement remedial actions, such as certain technical and organizational measures, within a four-month deadline.