DATA PROTECTION (AMENDMENT) REGULATIONS Amendments to the Data Protection Regulations Insertion of new sections...

DATA PROTECTION (AMENDMENT) REGULATIONS 2018

1. Amendments to the Data Protection Regulations 2015
2. Insertion of new sections
3. Short title, extent and commencement

Regulations to amend the Data Protection Regulations 2015.

Date of Enactment: 1 February 2018

The Board of Directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of Law No. 4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi, hereby enacts the following Regulations

1. Amendments to the Data Protection Regulations 2015

(1) The Data Protection Regulations 2015 are amended as follows.

(2) All references to "data" in those regulations shall be substituted by references to "Data", except where indicated below:
(a) in the sentence stating Regulations to make provision for the protection of personal data within the Abu Dhabi Global Market and for connected purposes in the recitals to the Data Protection Regulations 2015;
(b) in subsections 5(1)(n), 17(1) and 17(6);
(c) in the sentence stating For the purposes of section 5 of the Data Protection Regulations 2015 (the "Regulations") for the transfer of Personal Data to data controllers established in jurisdictions outside the Abu Dhabi Global Market which do not ensure an adequate level of data protection ("Non-Abu Dhabi Global Market Data Controllers") in Schedule 1;
(d) in the terms "third party data controller", "data transfer agreement" or "data protection standards" in subparagraph (2) of paragraph 3 of Schedule 1;
(e) in subparagraph (2) of paragraph 7 of Schedule 1;
(f) in the sentence stating For the purposes of section 5 of the Data Protection Regulations 2015 (the "Regulations") for the transfer of Personal Data to Data Processors established in jurisdictions outside the Abu Dhabi Global Market which do not ensure an adequate level of data protection in Schedule 2; and
(g) in the terms "data processor", "data protection obligations" or "data protection aspects" in subparagraphs 1(d), 11(1) and 11(3) of Schedule 2.
(3) For subsection (1) of section 4, the following shall be substituted "Except as set out in section 5, a transfer of Personal Data to a Recipient located in a jurisdiction outside the Abu Dhabi Global Market may take place only if the jurisdiction is listed in Schedule 3 or has been designated by the Registrar under subsection (3)."

(4) For paragraph (c) of subsection (2) of section 4, the following shall be substituted "if the Personal Data do not emanate from the Abu Dhabi Global Market, the country of origin and country of final destination of the Personal Data; and".

(5) For subsection (3) of section 4, the following shall be substituted

Certain jurisdictions are hereby designated as providing an adequate level of protection for Personal Data for the purposes of subsection (1). These are listed in Schedule 3 to these Regulations. Additional jurisdictions may be designated by the Registrar from time to time to the list of jurisdictions considered to fall under subsection (1) which shall be deemed to be part of Schedule 3 by a publication to such effect on the Registrar's website.

(6) In section 4, a new subsection (4) shall be inserted as follows

The Registrar may also, by publication to such effect on the Registrar's website, withdraw a designation from a jurisdiction designated under subsection (3) or listed in Schedule 3 if the Registrar considers that:
(a) the relevant jurisdiction no longer provides an adequate level of protection for Personal Data for the purposes of subsection (1); and
(b) such removal is warranted in order to further the protection of Personal Data.

(7) In section 5, the number "(1)" shall be inserted before the words "A transfer or a set of transfers of Personal Data to a Recipient" and any existing references to paragraphs to (n) of section 5 of the Data Protection Regulations 2015 prior to the date of commencement of these Regulations shall be construed as references to the corresponding paragraphs to (n) of subsection (1) of section 5 of the Data Protection Regulations 2015 accordingly.
(8) In section 5, a new subsection (2) shall be inserted as follows

(2) A transfer or set of transfers of Personal Data to a Recipient which is not subject to laws which ensure an adequate level of protection within the meaning of section 4(1) shall still be regarded as having been made pursuant to subsection 5(1)(m) if
(a) a legally binding agreement had been entered into between the transferor and Recipient prior to the date of commencement of the Data Protection (Amendment) Regulations 2018 (being 1 February 2018); and
(b) the agreement mentioned in subsection above is in the form previously contained in Schedule 1 or 2 of the Data Protection Regulations 2015 prior to the amendments made by the Data Protection (Amendment) Regulations 2018,
regardless of whether such transfer occurs prior to or after the effective date of the Data Protection (Amendment) Regulations 2018 (being 1 February 2018).

(9) In subparagraph (v) of paragraph (c) of subsection (1) of section 6, for the words "5(k)", the words "5(1)(k)" shall be substituted.

(10) In subparagraph (v) of paragraph (c) of subsection (1) of section 7, for the words "5(k)", the words "5(1)(k)" shall be substituted.

(11) In subsection (5) of section 9, for the words "as soon as reasonably practicable", the words "without undue delay, and where feasible, not later than 72 hours after becoming aware of it." shall be substituted.

(12) In subsection (1) of section 12, for the words "data controller", the words "Data Controller" shall be substituted.

(13) For subsection (3) of section 12, the following shall be substituted

(3) A Data Controller must also notify the Registrar of
(a) the appointment of a Data Processor, within one month of the appointment;
(b) the cessation of a Data Processor, within one month of the cessation;
(c) any change in the particulars of any Data Processor, within one month of the change; and
(d) any change in its business contact details, within one month of the change.

(14) Subsection (4) of section 12 shall be renumbered 12(6) and new subsections (4) and (5) shall be inserted as follows

"(4) The notifications required by subsections 12(1) and 12(3) must be submitted to the Registrar on an annual basis where the Personal Data Processing is to continue in the subsequent year.

(5) The annual notification in subsection 12(4) must be submitted to the Registrar, with payment of such fee(s) as prescribed by Schedule 4 of these Regulations, within one month of the previous annual notification expiring."

(15) In paragraph (c) of subsection (3) of section 14 the word "and" shall be omitted.

(16) For paragraph (d) of subsection (3) of section 14, the following shall be substituted

(d) issue directions or warnings and make recommendations to Data Controllers;

(17) In subsection (3) of section 14, new paragraphs (e) and (f) shall be inserted as follows

(e) impose fines in the event of non-compliance with its direction; and
(f) impose fines in the event of non-compliance with these Regulations and any rules made pursuant to these Regulations.
(18) For subsection (2) of section 16, the following shall be substituted

(2) In particular, the Board when exercising the power in subsection (1) may make rules in respect of
(a) forms, procedures and requirements under these Regulations;
(b) the keeping of the register of notifications established under section 13;
(c) the conduct of the Registrar and its staff in relation to the exercise of powers and performance of functions under these Regulations;
(d) the procedures relating to the imposition of sanctions or fines and the recovery of fines under Part 6;
(e) the level of fees payable for any matter listed in Schedule 4 to these Regulations or the level of fees payable for any other matter or step, and shall be entitled to amend any of the amounts specified in Schedule 4; and
(f) requiring any other fees to be paid in connection with any application or notification.

(19) For subsection (1) of section 17, the following shall be substituted

(1) If the Registrar is satisfied that a Data Controller, Data Processor or data controller established outside the Abu Dhabi Global Market has contravened or is contravening these Regulations or any rules made under these Regulations, the Registrar may issue a direction to the Data Controller requiring him to do either or both of the following
(a) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(b) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.

(20) For paragraph of subsection (2) of section 17, the following shall be substituted a statement to the effect that the Data Controller may refer the matter to the Court for review.

(21) For subsection (3) of section 17, the following shall be substituted

(3) A Data Controller, who fails, without reasonable excuse, to comply with
(a) any direction issued by the Registrar under this section;
(b) these Regulations; or
(c) any rules made pursuant to these Regulations,
commits a contravention of these Regulations and shall be liable to a fine of up to USD 25,000.

(22) For subsection (4) of section 17, the following shall be substituted

(4) A Data Controller, who receives a direction under this section may refer the matter to the Court for review within three (3) months of the issuing of the direction.

(23) In section 17, a new subsection (8) shall be inserted as follows

(8) Court Procedure Rules may make provision for any reference to the Court under subsection (4).

(24) In section 17, a new subsection (9) shall be inserted as follows

(9) A Data Controller may ask the Registrar to review the direction within fourteen (14) days of receiving a direction under this part of the Regulations. The Registrar may receive further submissions and amend or discontinue the direction.
(25) For subsection (3) of section 19, the following shall be substituted

(3) Without prejudice to subsection (1) above, none of sections 4, 5, 6, 7, 10, 11, 17 or 17A shall apply to the Board, the Court, the Regulator or the Registrar if the application of these sections would be likely to prejudice the proper discharge by those entities of their powers or functions in so far as such powers or functions are designed for protecting members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons carrying on any Controlled Activities; or

dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons carrying on Regulated Activities.

(26) In section 19, a new subsection (4) shall be inserted as follows

(4) The restrictions in these Regulations relating to the transfer of Personal Data and Sensitive Personal Data do not apply to the Board, the Court, the Regulator or the Registrar if disclosures are made pursuant to any memorandum of understanding or other arrangements for information exchange to any other governmental or other regulatory body or authority whether in the Abu Dhabi Global Market or otherwise for the purpose of assisting the performance by any such person of its functions and powers or made in good faith for the purposes of the exercise of the functions and powers of the Board, the Court, the Regulator, or the Registrar or in order to further the Court's, the Board's, the Regulator's or the Registrar's objectives.

(27) For section 20, the following shall be substituted

In these Regulations, unless the context indicates otherwise, the defined terms listed below shall have the following meanings

"Abu Dhabi Global Market" has the meaning given to Abu Dhabi Global Market in the Interpretation Regulations 2015;

"ADGM Founding Law" means Law No. 4 of 2013 concerning the Abu Dhabi Global Market issued by His Highness the Ruler of the Emirate of Abu Dhabi;

"Board" has the meaning given to Board in the Interpretation Regulations 2015;

"Company" has the meaning given to that term in the Financial Services and Markets Regulations 2015;

"Controlled Activities" means controlled activities as defined in the Commercial Licensing Regulations 2015;

"Court" has the meaning given to Courts in the Interpretation Regulations 2015;

"Court Procedure Rules" has the meaning given under Part 7 of the ADGM Courts, Civil Evidence, Judgments, Enforcement and Judicial Appointments Regulations 2015;

"Data" means any information which
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment; or
(c) is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System;

"Data Controller" means any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data;

"Data Processor" means any person (excluding a natural person acting in his capacity as a staff member) who Processes Personal Data on behalf of a Data Controller;

"Data Subject" shall mean the natural person to whom Personal Data relate;

"Group" has the meaning given to that term in the Financial Services and Markets Regulations 2015;

"Identifiable Natural Person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity;

"Personal Data" means any Data relating to an identified natural person or Identifiable Natural Person;

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly;

"Recipient" means any person to whom Personal Data are disclosed, whether a Third Party or not, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;

"Registrar" means the Registration Authority as that term is defined in the Interpretation Regulations 2015;

"Regulated Activities" has the meaning given to it in the Financial Services and Markets Regulations 2015;

"Regulator" means the Financial Services Regulator as that term is defined in the Interpretation Regulations 2015;

"Relevant Filing System" means any set of information relating to an Identifiable Natural Person to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

"Sensitive Personal Data" means Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life;

"Staff" include past, existing or prospective employees, directors, partners, trustees, officers, office holders, temporary or casual workers, agents and volunteers; and

"Third Party" means any person other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct control of the Data Controller or the Data Processor, are authorised to Process the Personal Data.

(28) In subparagraph of paragraph 1 of Schedule 1 the word ""Data"," is to be inserted before the words "Personal Data".

(29) For subparagraph (i) of paragraph (2) of section 3 of Schedule 1, the following shall be substituted

"the third party data controller processes the Personal Data in accordance with the laws of a jurisdiction outside the Abu Dhabi Global Market that has been designated under the Regulations or by the Registrar as providing adequate protection for Personal Data;".

(30) Subparagraphs (5) to (7) of section 5 of Schedule 1 shall be renumbered as paragraphs (1) to (3). All references to subparagraphs (5) to (7) of section 5 of Schedule 1 shall be construed as references to the corresponding subparagraphs (1) to (3) of section 5 of Schedule 1 of the Data Protection Regulations 2015 accordingly.

(31) For subparagraph (3) of paragraph 8 of Schedule 1, the following shall be substituted

(3) Either Party may terminate these Clauses if each jurisdiction in which the Data Importer is incorporated or operates or uses the Personal Data is either:
(a) subject to a designation under section 4 of the Regulations by the Registrar; or
(b) is or becomes listed in Schedule 3 to the Regulations.

(32) In subparagraph of paragraph 1 of Schedule 2, the word ""Data"," is to be inserted before the words "Personal Data".

(33) For subparagraph (4) of paragraph 6 of Schedule 2 the following shall be substituted

(4) In addition to the Data Exporter's entitlement to terminate the Clauses in accordance with Clause 5, either Party may terminate these Clauses if each jurisdiction in which the Data Importer and each of its Subprocessors is incorporated or operates or uses the Personal Data is either:
(a) subject to a designation under section 4 of the Regulations by the Registrar; or
(b) is or becomes listed in Schedule 3 to the Regulations.

(34) In Schedule 3, for the words "by the Registrar", the word "herein" shall be substituted.

(35) In Schedule 3, insert new subparagraph "(1) Andorra" and renumber the remaining subparagraphs accordingly.
(36) In Schedule 3, at subparagraph (6) after "Canada", insert "(provided the recipient is subject to the Canadian Personal Information Protection and Electronic Documents Act [PIPED Act])".

(37) In Schedule 3, after subparagraph (9) insert new subparagraph "(10) Dubai International Financial Centre" and renumber the remaining subparagraphs accordingly.

(38) In Schedule 3, insert new subparagraph "(12) Faeroe Islands" and renumber the remaining subparagraphs accordingly.

(39) In Schedule 3, at subparagraph (42) for the words "applicable US-EU or US-Switzerland Safe Harbours", the words "EU-US Privacy Shield" shall be substituted.

(40) For Schedule 4, the following shall be substituted

FEES

The following fees are payable by a Data Controller or Data Processor in respect of the applications and notifications made in accordance with the Regulations

Application or notification: Fee payable (USD)
Application for initial registration as a Data Controller: 300
Application for initial appointment of a Data Processor (per appointment if more than one Data Processor): Nil
Annual renewal of registration as a Data Controller: 100
Annual renewal of appointment of a Data Processor (per appointment if more than one Data Processor): Nil
Notification of Data Controller no longer Processing Personal Data and/or removal of a Data Processor: Nil
Notification of change in the particulars of an appointed Data Processor: Nil
Notification of a change in the contact details of a Data Controller: Nil
Application to obtain a permit to process Sensitive Personal Data: 100
Application to obtain a permit to transfer Personal Data: 100

2. Insertion of new sections

(1) Following section 17, new sections 17A, 17B and 17C shall be inserted as follows

"17A. Fines

(1) The Board may make rules in respect of the procedures relating to the imposition and recovery of fines under this Part.

(2) Where the Registrar considers that a Data Controller has contravened
(a) any direction issued by the Registrar under section 17,
(b) these Regulations; or
(c) any rules made pursuant to these Regulations,
the Registrar, by written notice (a "monetary penalty notice") to the Data Controller, may impose a fine in respect of the contravention.

(3) A monetary penalty notice is a written notice requiring the Data Controller to pay to the Registrar a fine of an amount determined by the Registrar as the Registrar may consider appropriate.

(4) The amount determined by the Registrar must not exceed the maximum fine specified in section 17(3).

(5) The fine must be paid to the Registrar within the period specified in the monetary penalty notice.

(6) The monetary penalty notice must contain such information as may be prescribed.

(7) A Data Controller, who receives a monetary penalty notice under this section, may refer the matter to the Court for review of
(a) the issue of the monetary penalty notice;
(b) the amount of the fine specified in the notice.

(8) Court Procedure Rules may make provision for any reference to the Court under subsection (7).

(9) If, within the period specified in the monetary penalty notice the Data Controller pays the fine specified in the notice to the Registrar
(i) subject to paragraph (ii) below, no proceedings or actions pursuant to this Part may be commenced, whether in the Court or otherwise, by the Registrar against the Data Controller in respect of the relevant contravention; and
(ii) without prejudice to paragraph (i) above, neither the imposition nor payment of a fine shall restrict the Registrar from taking any action against a Data Controller or refrain from doing any act or thing in relation to any continuing contravention; or
if all or any portion of a fine has not been paid at the end of the period stated in a monetary penalty notice, the obligation of the Data Controller to pay the fine is enforceable as a debt payable to the Registrar. The Registrar may apply to the Court for the recovery of the debt.

(10) In this section "prescribed" means prescribed by rules made by the Board pursuant to these Regulations.

17B. Certificates

A certificate that is signed by the Registrar and states that a direction under section 17 was issued to, or a monetary penalty notice prescribing a fine under section 17A was imposed on, a Data Controller is
(a) conclusive evidence of the giving of the direction or the imposition of the notice to the Data Controller; and
(b) prima facie evidence of the facts contained in the direction or the notice,
in any proceedings commenced under sections 17(4), 17(5), 17(6) or sections 17A(7) and 17A(9).

17C. Referral to the Court

(1) Any Data Controller who is found to contravene these Regulations or a direction of the Registrar may refer the matter to the Court for review of the issuing of the finding or direction within three (3) months.

(2) The Court Procedure Rules may make provision for any reference under subsection (1)."

3. Short title, extent and commencement

(1) These Regulations may be cited as the Data Protection (Amendment) Regulations 2018.

(2) These Regulations shall apply in the Abu Dhabi Global Market.

(3) These Regulations come into force on 1 February 2018.