
Abu Dhabi Global Market: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

The Abu Dhabi Global Market ('ADGM') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone, UAE federal civil and commercial law does not apply, and the ADGM is able to create its own legal and regulatory framework for all civil and commercial matters.

In the ADGM, the Board of Directors of the ADGM enacted, on 11 February 2021, the Data Protection Regulations 2021 ('the 2021 Regulations'), which make provision for the protection of personal data processed or controlled from within the ADGM and thus govern the processing of personal data by persons operating in the Free Zone. In particular, the 2021 Regulations provide for a 12-month transition period for existing establishments and a six-month transition period for new establishments, becoming enforceable from 14 August 2021 and 14 February 2022 respectively. Up until these dates, the Data Protection Regulations 2015, as amended by the Data Protection (Amendment) Regulations 2018 ('Data Protection Regulations 2015'), will continue to apply.

1.2. Regulatory authority guidance

2015 Regulations

The Office of Data Protection ('the ODP') of the Registration Authority ('the Registration Authority') has issued the following guidance:

Following the 2021 Regulations, the ODP will serve as the independent supervisor responsible for, among other things, maintaining the register of data controllers.

The ODP has released, on 11 August 2021, eight detailed guides to aid establishments in compliance with the 2021 Regulations, and so far, has published and updated the following guidance relevant to vendor contracts:

1.3. Regulatory authority templates

The ODP has released the following template for the data protection agreement required by controllers when appointing processors to conduct activities on their behalf:

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Section 62(1) of the 2021 Regulations).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Section 62(1) of the 2021 Regulations).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Processing by a processor must be governed by a contract or other legal act under applicable law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller (Section 26(3) of the 2021 Regulations).

Furthermore, under Section 26(9) of the 2021 Regulations, without limiting the effect of Sections 55, 56 and 60 of the 2021 Regulations, if a processor contravenes the 2021 Regulations by determining the purposes and means of processing, the processor will be a controller in respect of that processing.

In addition, Section 27 of the 2021 Regulations highlights that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, must not process that data except on instructions from the controller, unless required to do so by applicable law.

3.2. What content should be included?

The contract required under Section 26(3) of the 2021 Regulations must stipulate, in particular, that the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data outside of ADGM or to an international organisation, unless required to do so by applicable law to which the processor is subject; in such a case, the processor must inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate obligation of confidentiality under applicable law;
  • takes all measures required pursuant to Section 30 of the 2021 Regulations regarding technical and organisational measures;
  • respects the conditions referred to in Sections 26(2) and 26(5) of the 2021 Regulations for engaging another processor;
  • taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights in Part III of the 2021 Regulations;
  • assists the controller in ensuring compliance with the obligations pursuant to Sections 30 to 34 of the 2021 Regulations taking into account the nature of processing and the information available to the processor;
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless applicable law requires storage of the personal data; and
  • makes available to the controller all information necessary to demonstrate compliance with the obligations in this section and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Section 26(8) of the 2021 Regulations requires the contract or legal act to be in writing.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

Section 26(3)(e) of the 2021 Regulations highlights that, taking into account the nature of the processing, the contract must require the processor to assist the controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights in Part III of the 2021 Regulations.

For further information see Abu Dhabi Global Market – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Section 26(3)(h) of the 2021 Regulations requires the contract to oblige processors to make available to the controller all information necessary to demonstrate compliance with the obligations in this section, and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Section 28(2) of the 2021 Regulations requires each processor to maintain a record of all categories of processing activities carried out on behalf of a controller.

Furthermore, Section 4.5 of the Part 3 Guidance outlines other aspects that can be useful to document as part of an organisation's records of processing activities.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Section 26(3)(c) of the 2021 Regulations requires the relevant contract or legal act to state that processors will take all measures required pursuant to Section 30 of the 2021 Regulations, which pertains to measures to ensure the security of processing, and Section 26(3)(f) of the 2021 Regulations further requires that processors assist the controller in ensuring compliance with the obligations of Sections 30 to 34 of the 2021 Regulations, taking into account the nature of processing and the information available to the processor.

Details on the implementation of Privacy by Design or by Default can be found in Section 2 of the Part 3 Guidance.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The processor must notify the controller without undue delay after becoming aware of a personal data breach (Section 32(2) of the 2021 Regulations).

This notification to the controller must (Section 32(3) of the 2021 Regulations):

  • describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide the aforementioned required information at the same time, the information may be provided in phases without undue further delay (Section 32(4) of the 2021 Regulations).

For further information see Abu Dhabi Global Market – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Section 26(2) and 26(5) of the 2021 Regulations provide requirements regarding the engagement of a processor by a processor, supported by the requirement in Section 26(3)(d) to include the aforementioned subsections within the contract between the controller and processor.

According to Section 26(2) of the 2021 Regulations, the processor must not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in Section 26(3) of the 2021 Regulations must also be imposed on that other processor by way of a contract or other legal act under applicable law, in particular, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the 2021 Regulations. The initial processor remains fully liable to the controller for the performance of that other processor's obligations (Section 26(5) of the 2021 Regulations).

Moreover, the Part 3 Guidance highlights that such a contract between the processor and sub-processor must offer an equivalent level of protection for the personal data as that in the contract between the controller and processor (Section 6.5 of the Part 3 Guidance).

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Under Section 26(6) of the 2021 Regulations, the Commissioner of Data Protection ('the Commissioner') may adopt Standard Contractual Clauses ('SCCs') for the matters referred to in Sections 26(3) and 26(5).

It may also approve SCCs issued by the or adopted by an EU Member State supervisory authority for the same purpose, upon which approval of such SCCs will be incorporated into these Regulations by reference.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Processors must make available to the controller all information necessary to demonstrate compliance with the obligations in this section, and must allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Section 26(3)(h) of the 2021 Regulations).

In general, the controller and the processor must cooperate, on request, with the Commissioner of Data Protection in the performance of their duties and functions (Section 29 of the 2021 Regulations).

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

The controller and the processor must appoint a person to perform the tasks listed in Section 37 (Section 35(1) of the 2021 Regulations).

For further information see Abu Dhabi Global Market - Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The emphasis is on the processor to make available to the controller all information necessary to demonstrate compliance with the obligations in this section, and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Section 26(h) of the 2021 Regulations).

With regard to Section 26(3)(a) of the 2021 Regulations, the processor must immediately inform the controller if, in its opinion, an instruction contravenes the 2021 Regulations or other data protection provisions contained in applicable law.

Section 27 of the 2021 Regulations highlights that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, must not process that data except on instructions from the controller, unless required to do so by applicable law.
Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.