5 Key Things to Know about China’s Personal Information Protection Law (PIPL)


The People’s Republic of China’s Personal Information Protection Law (China PIPL) is the country’s new data protection law. The law was adopted in August 2021 and came into force on 1 November 2021. PIPL protects the personal information held and processed by organisations operating in China and those established outside China. PIPL’s data protection principles include lawfulness, necessity, good faith, purpose limitation and data minimisation, transparency, accuracy, accountability and security. Individuals have rights to be informed, access, copies, deletion, rectification, portability and rights to respond to automated decision-making. Businesses and organisations must be more accountable and act in good faith when collecting, using and storing personal information. China does not have an independent data protection regulator. China’s PIPL enforcement is decentralised and the main government departments responsible for enforcement are the Cyberspace Administration of China (CAC) and the Ministry of Public Security. Each of these bodies has state-level and local organisations that can have rulemaking and enforcement powers. Enforcement starts on 1 November 2021, after a short implementation period.

1. What types of organisations are covered by China PIPL?

The law applies to businesses and organisations, which PIPL calls Personal Information Processors. The term is very similar to Controllers in the European Union’s General Data Protection Regulation (GDPR). The law covers businesses that are based in China and those based outside China that collect, use and store personal information about individuals in China. Companies and organisations based outside of China fall within the scope of PIPL if they provide goods and services to people in China, analyse or assess the behaviour of people in China, and where other Chinese laws and regulations specify. Entrusted Parties are organisations that process personal information on behalf of and under the instruction of Personal Information Processors. This role is similar to the function of Processors in GDPR, but there are fewer explicit legal responsibilities under PIPL.

2. What types of data or information are covered by China PIPL?

China’s PIPL protects personal information. This is defined very broadly as all information related to identified and identifiable natural persons. Anonymised data are not personal information, provided they cannot be used to identify specific natural persons and the personal information cannot be restored after processing. The law recognises sensitive personal information as information whose disclosure or illegal use can easily lead to the infringement of an individual’s personal dignity or harm to their person or property. Examples of such information include biometrics, religious beliefs, specific identity information, medical health, financial accounts, individual location tracking / geolocation and any personal information about children under 14 years old. Processing sensitive personal information attracts additional requirements, including a clear and specific purpose, necessity, strict protective measures, additional consent, greater transparency measures and Personal Information Impact Assessments (PIIAs).

3. What are the main obligations from China PIPL for businesses?

Businesses registered in China and international businesses and organisations with supply chains and links to China that fall within China PIPL’s scope must:

(a) Conduct regular China PIPL compliance audits.

(b) Formulate operating rules, internal management, data classification, data processing records and information management systems.

(c) Respond efficiently to personal information breaches with immediate remedies and notify Chinese authorities and affected individuals.

(d) Appoint a representative in China or create a specific legal entity in China to comply with PIPL’s requirements.

(e) Set up processes and tools to carry out Personal Information Impact Assessments (PIIAs) for international personal information transfers outside of China, using third parties to process personal information (such as other Personal Information Processors or Entrusted Parties) or when disclosing information.

(f) Allow individuals to easily give and withdraw consent.

(g) Follow the strict rules on international transfers of personal information. This is done by one of the following: passing a security assessment from the State Cybersecurity and Informatization Department (required for critical information infrastructure operators and those transferring large volumes of personal information); obtaining a personal information protection certification from a specialised body authorised by the State Cybersecurity and Informatization Department; agreeing a contract with the foreign receiving party based on the standard contractual clauses issued by the State Cybersecurity and Informatization Department; or another method specified by Chinese law, administrative regulations or the State Cybersecurity and Informatization Department.

(h) Appoint a Personal Information Protection Officer (PIPO), if required to do so by the State Cybersecurity and Informatization Department, to supervise data processing, register with the authorities and identify themselves to individuals whose personal information is being processed.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with China PIPL?

Yes, in large part, but not completely. GDPR and China PIPL have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. China PIPL was enacted to include provisions that mirror some of the EU’s GDPR requirements. GDPR data mapping and records of processing activities can help to identify personal information impacted by China PIPL. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist China PIPL compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Chinese-speaking Data Protection Officers (Personal Information Protection Officers) and Representatives based in China are also important.

For fuller Chinese compliance, companies and organisations should also comply with other Chinese laws which are closely associated or aligned with China’s PIPL. These include:

China Cybersecurity Law (CSL) of 7 November 2016, in force 1 June 2017

China Data Security Law (DSL) of 10 June 2021, in force 1 September 2021

China Civil Code of 28 May 2020, in force 1 January 2021

5. Does China PIPL apply to foreign-based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in China and process personal information in China, then China PIPL will apply. The law also applies to foreign-based businesses that provide goods and services to people in China and support China-based businesses and organisations. Foreign-based companies and organisations that analyse or assess the behaviour of people in China also fall within PIPL’s scope. China PIPL could also be extended by other Chinese laws and regulations at the national, regional, state or local level. This means that organisations must constantly review the scope and application of PIPL.

Enforcement of China PIPL is multifaceted. There are criminal penalties, including imprisonment, if a violation of PIPL amounts to a breach of public security administration and criminal liability is proven. There are civil liability penalties for breaches of China’s Civil Code, including consumer law. Chinese state or regional consumer organisations can also conduct public interest litigation on behalf of a large group of people affected by breaches of PIPL. It is important to note that the burden of proof lies with the Personal Information Processor to demonstrate that no breach of China PIPL has taken place, because Personal Information Processor fault is presumed at the outset.

PIPL also has a system of administrative penalties, falling into two types of cases. In general cases, Personal Information Processors and Individuals can be given warnings, orders to rectify, confiscation of illegal gains and orders to suspend / terminate services that unlawfully process personal information. Failure to make corrections could result in fines of up to 1 million RMB. Responsible Persons could receive fines from 10,000 RMB. In severe cases, Personal Information Processors and Individuals can be given orders to rectify, confiscation of illegal gains, orders to suspend / terminate services, cessation of business for rectification or revocation of business licences or permits. Fines of up to 50 million RMB or 5% of annual turnover from the previous year could also be given. For Responsible Persons, fines ranging from 100,000 to 1 million RMB could be levied. Responsible Persons could also be prohibited from holding director, supervisor, senior manager or Personal Information Protection Officer positions for a period of time.

China Resources

National People’s Congress of China, PIPL Official Chinese Translation

National People’s Congress of China, PIPL Official English Translation

National People’s Congress of China, DSL Official English Translation

Stanford University Cyber Policy Center: DigiChina

National Information Security Standardisation Technical Committee of China Guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information (June 2022) – In Chinese

Cyberspace Administration of China (CAC) Data Protection PIPL Standard Contractual Clauses (SCCs) for International Data Transfers (June 2022) – Draft for Consultation, In Chinese

CAC Outbound Data Transfer Security Assessment Measures, effective 1 September 2022 (July 2022) – In Chinese

CAC Outbound Data Transfer Security Assessment Measures, effective 1 September 2022 (July 2022) – DigiChina English Translation


Tracking the Changes to UK Data, Data Protection, GDPR and AI

The United Kingdom’s departure from the European Union and the Coronavirus Covid-19 Pandemic have been dramatic episodes. There is now a clear political push to create “Global Britain,” to excel economically and to be a pioneer in innovation. The UK is starting to rethink its future path. A new National Data Strategy and an Artificial Intelligence Strategy have set the tone. An EU/UK Data Protection Adequacy Agreement, a consultation on UK International Data Transfers, new ideas for UK Standard Contractual Clauses (SCCs) and proposed reform of the UK General Data Protection Regulation (GDPR), the regulator, enforcement and regulatory priorities all strongly suggest significant future divergence. This is major change, with more to come. Some changes will take place, while others will fall away or transform into other outcomes. Change in UK data, GDPR, innovation, artificial intelligence strategy and regulation is the only constant.

Companies and organisations will need to track proposals, examine the details, participate in consultations, review legal developments and update their data governance outlook. Strategy and risk should also be reviewed and recalibrated. This resources page provides a dashboard of the most important changes to the UK landscape. It will be updated as things develop and as the bigger picture becomes clearer.

UK National Data Strategy (December 2020)

Information Commissioner’s Office (ICO) Public Consultation on UK International Data Transfers (August 2021)

Department for Digital, Culture, Media and Sport (DCMS) Public Consultation on the UK Data Reforms “Data: A New Direction” (September 2021)

UK National Artificial Intelligence Strategy (September 2021)

ICO Response to DCMS Consultation “Data: A New Direction” (October 2021)

UK HMG Algorithmic Transparency Standard – Public Sector (November 2021)

UK National Cyber Strategy 2022 (December 2021)

New UK GDPR International Personal Data Transfers Scheme and Documents (February / March 2022)

The Queen’s Speech 2022, delivered by Prince Charles, and the UK Government’s Background Briefing Notes (May 2022)

UK Digital Strategy (June 2022)

UK DCMS Response to the Submissions received by the “Data: A New Direction” Public Consultation (June 2022)

ICO’s Statement to DCMS’ Response to the “Data: A New Direction” Submissions (June 2022)

UK DCMS AI Action Plan (July 2022)

UK Data Protection and Digital Information Bill [Updates UK GDPR] (July 2022)

UK ICO New Guidance, Forms and Documents for UK GDPR Binding Corporate Rules [BCRs] (July 2022)

PrivacySolved has years of expertise in UK and EU data protection, including with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

Cybersecurity: Focus on the Netherlands’ Information Security Outlook


The Netherlands has strong information technology capabilities. According to the World Economic Forum, the country ranks 6th in the world as one of the most advanced and technology-enabled nations. In 2018, the Netherlands imported €61.2 billion worth of ICT goods and services. In the same year, exports of ICT-related goods and services (including re-exports) stood at €74.6 billion. The Netherlands’ technological environment is anchored by a robust digital infrastructure. The Dutch rank 2nd in the world for online connectivity, with over 98% of households having a broadband connection. The Netherlands is a leading cybersecurity hub in Europe, home to Europe’s largest security cluster, The Hague Security Delta (HSD). HSD is a national network of more than 300 public and private organisations working together to accelerate cybersecurity solutions. The Netherlands is home to one of the largest internet exchanges in the world, the Amsterdam Internet Exchange (AMS-IX), and has one of the highest rates of internet connectivity in the world. The Amsterdam region houses nearly a third of Europe’s data centres, with growth expanding to Groningen and Middenmeer. The country is also home to Europol’s European Cyber Crime Centre (EC3), the NATO Communications and Information (NCI) Agency and the Global Forum on Cyber Expertise (GFCE) in The Hague.

The Netherlands ranks 4th out of 28 countries (27 EU member states and the UK) in the European Commission Digital Economy and Society Index (DESI) 2020. This ranking is based on pre-coronavirus pandemic analysis. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in the country, including key data centres. Demonstrating cybersecurity resilience in the country’s networks, information systems, private sector and public services is very important for national security, economic growth, investment, trust and innovation. Companies and organisations can also use this information to set expectations and risk levels.

Putting Cybersecurity on the Agenda

In 2018, the Dutch National Cybersecurity Agenda was adopted to allow the Netherlands to benefit from the economic and social opportunities of digitalisation in a secure way and to protect national security in the digital world. Seven ambitions were outlined to allow the Netherlands to:

1. Have strong digital capabilities to detect, mitigate and respond decisively to cyber threats;

2. Contribute to international peace and security in the digital space;

3. Be at the forefront of digitally secure hardware and software;

4. Have resilient digital processes and a robust infrastructure;

5. Have successful barriers against cybercrime;

6. Lead the way in the field of cybersecurity knowledge development; and

7. Have an integrated and strong public-private approach to cybersecurity.

From Agenda to Reality: Key Points from Cyber Security Assessment Netherlands 2021

The Netherlands has moved from setting agendas and ambitions to becoming more proactive in European (and global) cybersecurity efforts. It also seeks to assess the national picture every year so that stakeholders can know the trends, risks, threats, strengths and areas for improvement. This shows both a proactive and transparent approach. The Cyber Security Assessment Netherlands 2021 (CSAN 2021 / CSAN) explains the active cyber threats, the likely impacts, resilience approaches and the risks. CSAN focuses on national security, which is defined annually by the National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Centre (NCSC NL).

The NCTV is the central government body responsible for counterterrorism, cybersecurity, national security, crisis management and state threats. NCTV’s core focus is to prevent and minimise social disruption. The NCSC NL is the central information hub and centre for expertise for cybersecurity in the Netherlands. NCSC NL helps to boost cyber resilience in society, specifically within central government and among critical providers.

  • Risks to National Security

Four risks to national security have been identified in CSAN:

1. Unauthorised access to information and its publication, particularly through espionage. For example, espionage targeting communications within the central government or the development of innovative technologies.

2. The inability to access processes, due to sabotage or the use of ransomware. For example, the infiltration of processes that ensure the distribution of electricity.

3. Major security breaches, such as through the abuse of global IT supply chains.

4. Large-scale outages: for example, where one or more processes are disrupted due to natural activity, technical interference or unintentional human action.

  • Differences in the Levels of Resilience

The CSAN reveals that there are significant differences in levels of resilience in the Netherlands. Large companies can invest in cybersecurity knowledge and skills. Suppliers of essential services and digital service providers also have a statutory duty of care, set out in the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni). However, small businesses, including small and medium-sized enterprises (SMEs), often lack the expertise and resources to substantially upgrade their resilience efforts. SMEs are often targeted by sophisticated actors. This resilience gap has been identified as a work in progress to be solved, in part, by greater capacity building and information sharing.

  • Key Messages from CSAN

There is a clear acknowledgement that cyber incidents can paralyse society, and in particular:

  1. Cybersecurity is a precondition for the functioning of society.
  2. The digital threat is permanent.
  3. Digital resilience is not yet in order everywhere because of the lack of basic measures.
  4. Boosting resilience is the most important tool for managing cyber risks.
  5. A complete and accurate picture of the resilience of critical processes is still missing.
  6. Cyber risks are as great as ever and cannot be separated from other risks.
  7. The Netherlands’ dependence on countries with offensive cyber programmes is a risk-increasing factor.
  8. The main risks to national security are sabotage and espionage by states and the failure of systems, as well as cyberattacks by criminals (cybercrime).

  • The Covid-19 Effect

CSAN notes that since the start of the coronavirus pandemic, several COVID-19 themed cyberattacks have been observed, using a range of tools and tactics. Cyberattacks have been carried out on hospitals, research institutes and the World Health Organisation (WHO). Not only has the healthcare sector been targeted, but governments and companies have had to deal with various attacks. The Police, the Public Prosecutor’s Office and Europol warned of the various forms of misuse, ranging from cybercriminal attacks to the distribution of disinformation. COVID-19 also lends itself to social engineering attacks.

  • Disrupting Ransomware

CSAN sets out a robust strategy for dealing with all forms of ransomware. It suggests that the most promising solution lies in structurally increasing the costs to the criminals relative to the benefits gained from ransomware attacks. It suggests that this can only be done if the Police, NCSC NL, the Public Prosecution Service, the public services, private partners and potential victims unite and stand together. These stakeholders should proactively work together and share information and insights in a targeted manner. Information sharing is the key.

  • Cloud Services and Virtualisation: Questions for Companies and Organisations

In a unique approach, CSAN directly addresses companies and organisations with key questions about digital transformation and the emerging risks. It focuses on cloud services and the cybersecurity risks associated with virtualisation. The key questions it asks are:

  1. When designing your cloud environment, did you take the failure of this infrastructure into account (design for failure)?
  2. What activities does your organisation perform in the cloud environment and how sensitive are these processes to interruption?
  3. How is the data processed in the cloud environment stored? For complex or sensitive data processing, has replication at multiple data centre locations or ‘availability zones’ been considered? Note: Replication can ensure that important data are not lost in the event of disruption at one location but remain available at another location.
  4. Do you know the basis upon which your organisation chose a public, private or hybrid cloud environment? Does this include the complex data processing and sensitive or unique data that plays a role in your organisational processes?

By asking these questions of all companies and organisations, NCTV and NCSC NL spark a debate but also place the onus on each entity to actively reduce its cyber risks and build resilience. They ask questions of individual entities so that collective and national data security resilience can be increased.

Action Plan: Monitor the Cybersecurity Threat Landscape, Participate in Public/Private Cybersecurity Efforts and Review Annual Assessments to Influence Corporate Strategy

Companies, organisations, the public sector and investors must monitor the development of the Cybersecurity Agenda and the annual Dutch CSAN analysis. The Netherlands is vital for European data flows, global information technology and international supply chains. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should also be constantly assessed, as this has been highlighted in the CSAN. NCSC NL has a strong reputation at home and abroad, especially working with the UK, Germany, the USA and bodies such as the European Union Agency for Cybersecurity (ENISA), EUROPOL and NATO.

The Netherlands’ data protection approach should also be monitored in conjunction with the National Cyber Security Agenda and CSAN. This completes the information security and data governance picture. Autoriteit Persoonsgegevens (also called the Dutch DPA) is the data protection and General Data Protection Regulation (GDPR) regulator. It is relatively large, sufficiently funded, consistent and adopts an analytical risk-based approach. It leads with education, guidance and recommendations but will issue fines where it considers these appropriate. Recently, it has used its strongest penalties to respond to data breaches, data about children, health data (including Covid-19 data), intrusive new technologies and surveillance.

The Netherlands stands as a good example of a transparent, effective and active cybersecurity strategy. The agenda and strategy have been operationalised and are assessed annually. The country has championed the multidisciplinary and cross-sector approach to building resilience. Its data protection regulatory system is also stable, consistent and set to expand to respond to new technology, European co-operation, global initiatives and the intensifying cybersecurity landscape.

Adopting EU GDPR 2021 Data Protection Standard Contractual Clauses: The Insider’s Guide


On 4 June 2021, the European Commission published its new data protection Standard Contractual Clauses (SCCs) for General Data Protection Regulation (GDPR) international data transfer compliance. These clauses replace the pre-GDPR clauses published in 2010 and 2014. The new clauses are more fully aligned with the GDPR and the Court of Justice of the European Union’s decision in the Schrems II case of 2020. The clauses came into force on 27 June 2021. From 27 September 2021, all new data protection international transfer arrangements must use the new SCCs. By the end of December 2022, all contracts that transfer the personal data of individuals based in the EU must be updated to reflect the new SCCs. This means that comprehensive data protection updating will be required across a wide range of supply chains.

Key Things to Know about the New SCCs

The key purpose of the new SCCs is to embed GDPR-compliant and legally binding contractual terms into supply chains and value chains around the world. The key definitions to understand are Data Exporters (based in the EU) and Data Importers (based outside of the EU). The SCCs are organised into four modules: (a) Controller to Controller, (b) Controller to Processor, (c) Processor to Processor and (d) Processor to Controller. Each module can be used as a stand-alone contract or the modules can be used together to form a more comprehensive agreement.

The new SCCs have a so-called docking clause, that allows Data Exporters and Data Importers to be added to the clauses over time. This allows maximum flexibility. There are clauses in the SCCs that limit and manage onward data transfers and ensure holistic data protection compliance. Another innovation is the need for Transfer Impact Assessments (TIAs), which must be performed and recorded for all personal data transfers from the EU to countries outside of the EU (third countries).

The UK is in a special position because of Brexit, its departure from the European Union. It is now a third country and so the new SCCs do not apply to it. All data transfers from the UK to third countries may still rely on the EU’s old SCCs and the additional requirement of TIAs. In the longer term, the UK will formulate its own guidance and standard clauses for international transfers.

Inside the Standard Contractual Clauses (SCCs) Project

For the largest companies and organisations, similar contract remediation projects took place in 2010, 2014 and between 2015 and 2016 after the Schrems I case invalidated EU/US Safe Harbor. Work may also have been done in the lead up to May 2018, when GDPR fully came into force. Lessons from these previous efforts can inform current and future SCC projects. However, current SCC implementation projects will be more complicated because of the detailed requirements of GDPR, more complex supply chains, modern cloud computing services, the presence of big data stores and the use of modern pseudonymisation, hashing and anonymisation techniques.

For SCC projects, here is the Insider’s Guide to effective planning and delivery:

  • The Data Strategy

Companies and organisations should adopt a clear strategy position about their data and international data flows. The new EU SCCs should not be implemented only as a “papering exercise.” The work should complement the strategy and seek savings, economies of scale and innovation. Supply chains could be simplified, international data flows trimmed and data processors audited and removed, if necessary.

  • Data Flows, Risks and Records of Processing Activities (ROPA)

Adopting the new SCCs could also allow organisations to put their global data protection compliance credentials to the test. It is an opportunity to mature Records of Processing Activities under Article 30 of the GDPR. Transfer Impact Assessments can be used to risk-assess countries, sectors and organisations as a way of identifying, managing and reducing risks. The risk-based approach should be comprehensive and cover political, economic, human rights, regulatory, international sanctions and information security risks. With this information, companies and organisations could then seek to add contractual, organisational or technical safeguards to respond to these risks.

  • The Project Plan and The Multidisciplinary Team

Effective SCC implementation requires a clear project plan and resources, including a realistic and flexible financial budget. Even more important is a multidisciplinary team including the Data Protection Office (or Data Protection Professionals), Information Security, procurement, the legal team, the service managers, and audit and compliance teams. The combined knowledge of these teams, when well organised, can add detail and precision to the work. Service managers and procurement teams often know most about contracting partners, because of their day-to-day experience and often long-established relationships. External advisors and technology solutions may help to expand the expertise and improve benchmarking.

  • Communication, Patience and Dynamism

It is important to remember that the EU SCCs will test supply chains and the relationships between Data Exporters and Data Importers. Communication at every level within each organisation and between the contracting parties is vital. A recognition that each party may prioritise and timetable contractual changes differently is important. The SCC project can also become a place where other important issues are contested. This includes existing contract performance issues, contractual warranties, indemnities, information security schedules, key performance indicators, insurance, price and audit rights. Patience is required, as is the ability to remember the key reasons for the data sharing and data transfers. Timetables may slip, but each party should retain enthusiasm and dynamism to gain the required signatures and move to contract performance.

For assistance with EU/UK Standard Contractual Clauses Projects, Legal and Regulatory support, EU GDPR compliance, adopting data privacy certifications and Codes of Practice, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com


UAE ADGM GDPR Data Protection Laws

Five Key Things to Know about UAE ADGM Data Protection Law 2021

The Abu Dhabi Global Market (ADGM) Data Protection Law 2021 (DP Law) applies to the ADGM international financial centre free zone in Abu Dhabi, United Arab Emirates. The law was adopted on 14 February 2021. The new law updates and replaces the 2015 law. The ADGM DP Law protects the personal data held and processed by organisations that are registered in the ADGM as well as linked external organisations. New data protection principles include lawfulness, fairness, transparency and accountability. Individuals have new rights relating to data portability, automated decision-making and profiling. Businesses must be accountable and demonstrate compliance with expanded data protection principles. The ADGM Office of Data Protection, Commissioner of Data Protection, is the regulator. Enforcement starts on 14 August 2021, for organisations that registered at ADGM after 14 February 2021. ADGM organisations that were registered before 14 February 2021, must comply with the new law by 14 February 2022.

1. What types of organisations are covered by ADGM DP Law?

The law applies to businesses (controllers) that are registered in the ADGM and that process personal data or sensitive personal data. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Personal data used and stored outside of ADGM, but concerning ADGM registered organisations, are covered by the law. Processors registered in ADGM who process personal data for controllers outside the ADGM are also covered by the law, to a limited extent.

2. What types of data or information are covered by ADGM DP Law?

The ADGM DP Law protects personal data, which is defined as any data relating to an identified natural person or identifiable natural person. This also includes data containing opinions and intentions about identified or identifiable individuals. The ADGM DP Law also applies to sensitive personal data, which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), data about health, data about a person’s sex life or sexual orientation, and personal data relating to criminal convictions and offences or related security measures.

3. What are the main ADGM DP Law obligations for businesses?

ADGM registered businesses must:

  • Register as a Data Controller with the ADGM Office of Data Protection ($300 USD) and renew the registration every year ($100 USD).
  • Apply for permits to process sensitive personal data ($100 USD), apply to transfer personal data ($100 USD) and register data processors.
  • Comply with the ADGM DP Law data protection principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
  • Appoint a Data Protection Officer (DPO), if high risk data processing takes place on a systematic or regular basis.
  • Report personal data breaches to the Office of Data Protection within 72 hours of becoming aware of them.
  • Complete Data Protection Impact Assessments (DPIAs) for high risk data processing and report these to the ADGM Office of Data Protection. Put in place an appropriate policy for processing sensitive personal data.
  • Respond to the exercise of data protection rights by individuals within 2 months of receiving these requests.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with ADGM DP Law?

Yes, in large part, but not completely. GDPR and ADGM DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. ADGM DP Law was enacted to include provisions that largely mirror the EU’s GDPR requirements. GDPR data mapping and records of processing activity logs can help to identify ADGM DP Law impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist ADGM DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. ADGM has published its own data protection standard contractual clauses for personal data transfers outside of the ADGM.

5. Does the ADGM DP Law apply to foreign-based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in ADGM and process personal data in the ADGM, then the ADGM DP Law will apply. The law also applies to foreign businesses that process data on behalf of organisations registered in the ADGM. The ADGM Commissioner of Data Protection can impose administrative fines of up to $28 million (USD).