ADGM: ODP guidance under Data Protection Regulations 2021 – Part 3: Processor obligations and vendor management

Nearly six months after the enactment of the Data Protection Regulations 2021 ('the 2021 Regulations') within the Abu Dhabi Global Market ('ADGM') , and teasing the release of updated guidance on the same, the newly established Office of Data Protection ('ODP') released, on 11 August 2021, eight detailed guides, accompanied by compliance tools, to aid establishments in compliance with the range of new data protection requirements.

For an overview of the new guidance and further resources, see Part 1 of this Insight series: ADGM: What You Need to Know: Part 1 - ODP updates guidance under Data Protection Regulations 2021. This Insight article outlines and summarises the accountability-related obligations of processors and vendor management requirements addressed in the guides.

For an overview of controller accountability-related obligations, see Part 2 of this Insight series: ADGM: ODP updated guidance under Data Protection Regulations 2021 – Controller accountability and obligations.

Processor obligations and accountability under the DPR 2021

Processor obligations under the DPR 2021 are addressed in the guides discussed below.

The 2021 Regulations do not explicitly refer to or define the principle of accountability.

However, Section 1(e) outlines that the objects of the 2021 Regulations include establishing the primary responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf.

Furthermore, in terms of processor liability, Section 59(3) provides that a processor is liable for the damage caused by processing only where it has not complied with obligations of these Regulations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Part 3 Guidance

The Part 3 Guidance outlines requirements from the 2021 Regulations pertaining to respecting the principles of Data Protection by Design and Default, paying the data protection fee and renewal fee through the Registration Authority's platform, maintaining a ROPA, appointing a DPO, and engaging with processors.

Section 6.1 of the Part 3 Guidance outlines the key features that distinguish processors, including the following of another organisation's instructions in relation to processing and not making decisions regarding the purposes for which the organisation processes data.

Data Protection by Design or Default

Although Section 23 of the 2021 Regulations does not explicitly mention processors, Section 26 provides that when choosing a processor, controllers must, among other things, only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in a manner that ensures processing will meet the requirements of the 2021 Regulations. The Part 3 Guidance specifies that controllers may also treat this as a way to implement the principle of Data Protection by Design.

Further details on the implementation of Privacy by Design or by Default can be found in Part 2 of this Insight series.

Record of processing activities

Section 28 of the 2021 Regulations provides that a processor must maintain a ROPA in writing, which can, but does not need to be, in electronic form. Such a record must be available to the Commissioner of Data Protection ('the Commissioner') upon request.

In this regard, Section 28(2) of the 2021 Regulations outlines what should be included in a processor's ROPA.

If acting as both processor and controller, an organisation could either:

  • have two separate records, one which covers their activities as processors and the other as controllers; or
  • have one record which covers both but clearly distinguishes the capacity in which they are acting.

Section 4.4 of the Part 3 Guidance highlights that this will require organisations to have a clear understanding of the capacity in which they are processing data for different processing activities. Furthermore, Section 4.5 of the Part 3 Guidance outlines other aspects that can be useful to document as part of an organisation's records of processing activities.

DPOs

As per Section 35(1) of the 2021 Regulations, processors must appoint a DPO where:

  • processing is carried out by a public authority, except for courts acting in their judicial capacity;
  • their core activities consist of processing operations which require regular and systematic monitoring of data subjects, on a large scale; or
  • their core activities consist of processing on a large scale of special categories of personal data.

Notably, an assessment has been released by the ODP to help organisations understand whether they're required to appoint a DPO.

Moreover, processors must notify the Commissioner of the appointment or resignation of a DPO, and the notification must include:

  • the contact details of the new DPO; and
  • in the case of resignation, reasons for the resignation.

Further details on the requirements attached to the appointment of a DPO, including his/her expertise and location, can be found in the Controller's Obligations Insight.

Vendor management

In relation to contracts with processors, the Part 3 Guidance summarises what needs to be included in a written contract, or other legal act in writing, required between the controller and processor, and/or the processor and sub-processor under Section 26 of the 2021 Regulations.

Furthermore, Section 6.2 of the Part 3 Guidance notes that the contract or other legal act should include terms stating that:

  • the processor must only act on the controller's documented instructions, unless required by applicable ADGM, Abu Dhabi, or Federal UAE law to act without such instructions, in which case it must inform the controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest;
  • the processor must ensure that people processing the data are subject to a duty of confidence, either contractually or under applicable ADGM, Abu Dhabi, or Federal UAE law;
  • the processor must take appropriate measures to ensure the security of processing;
  • the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
  • the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
  • the processor must assist the controller in meeting its obligations in relation to the security of processing, the notification of personal data breaches, and DPIAs;
  • the processor must delete or return all personal data to the controller, at the controller’s choice, at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
  • the processor must submit to audits and inspections and give the controller whatever information it needs to ensure they are both meeting their Section 26 obligations.

Notably, the Part 3 Guidance highlights that the standard contractual clauses issued by the Commissioner should be used by organisations as a template and populated with their particulars of processing to meet the requirements of the 2021 Regulations.

Controllers remain primarily responsible for demonstrating compliance with the 2021 Regulations, failure of which may lead to legal proceedings, fines, or other penalties (Section 6.3 of the Part 3 Guidance). Nonetheless, processors have contractual obligations to the controller, to which they remain liable even if any sub-processors are engaged, as well as responsibilities under the 2021 Regulations. Acting in contravention of either may lead to legal proceedings, fines, or other penalties (Sections 6.4 and 6.5 of the Part 3 Guidance).

Part 5 Guidance

The Part 5 Guidance outlines obligations around security of processing personal data, cessation of processing, and personal data breaches.

Security of processing – technical and organisational measures

Section 30 of the 2021 Regulations provides that a processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Further to the above, Section 2.2 of the Part 5 Guidance expands on the meaning of each of pseudonymisation, encryption, confidentiality, integrity, availability, and resilience, as well as on regular testing and evaluation of the effectiveness of measures.

In addition, Section 2.3 of the Part 5 Guidance outlines that technical measures encompass physical security measures and IT/cybersecurity measures and gives examples on each. These include access controls to the organisation's premises and how IT equipment is kept secure in relation to physical security measures, as well as security of network and information systems in relation to IT/cybersecurity measures.

Similarly, Section 2.4 of the Part 5 Guidance outlines that organisational measures include:

  • carrying out information risk assessments, which may involve:
    • reviewing the personal data held by the organisation and considering the risks that could result if the data was compromised;
    • taking into account the nature and extent of the organisation's premises and systems;
    • assessing the number of staff and their access to personal data; or
    • the processing carried out on the organisation's behalf;
  • appointing a person within the organisation and designating day-to-day responsibility for information security;
  • building a culture of security awareness in the organisation, e.g. via regular training and awareness-raising campaigns; and
  • developing an information security policy.

Cessation of processing

Where the basis for processing changes, ceases to exist, or a controller is required to cease processing due to the exercise of a data subject's rights, controllers must ensure that all personal data, including that held by processors, is (Section 31 of the 2021 Regulations):

  • securely and permanently deleted;
  • anonymised;
  • pseudonymised; or
  • securely encrypted.

If data cannot be deleted, anonymised, pseudonymised, or encrypted, the data should be put beyond further use as per the steps in Section 31(3) of the 2021 Regulations, which are relevant to both controllers and any relevant processors.

Exceptions to this obligation, as well as the associated requirements, may be found in Section 31(4) of the 2021 Regulations.

Notably, in relation to DPIAs, although the 2021 Regulations do not explicitly mention that processors are required to undertake DPIAs, Section 31(5) provides that a processor relying on Sections 31(4)(b) or 31(4)(c) of the 2021 Regulations must conduct a DPIA pursuant to Section 34 before doing so.

Further information on DPIAs can be found in Part 2 of this series.

Personal data breach notifications

A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Part VIII of the 2021 Regulations).

An assessment has been released by the ODP to help organisations understand their notification requirements in relation to personal data breaches.

Processors must notify the controller on whose behalf they are processing personal data without undue delay once they become aware of a breach, but are not required to notify the Commissioner or data subjects (Section 32(2) of the 2021 Regulations).

Content of notification

Section 32(3) of the 2021 Regulations specifies what should be included in a personal data breach notification.

Alice Muasher, Privacy Analyst