Abu Dhabi's ADGM boosts data protection for insurance and education

Abu Dhabi's financial hub ADGM has amended its data protection regulations, with clearer guidelines on a wider scale to protect sensitive personal data, especially for the most vulnerable.

The changes to Data Protection Guidelines 2021, called Substantial Public Interest Rules, define updated processes for special categories and are particularly aimed at the insurance and education sectors, ADGM's Registration Authority said in a statement on Tuesday.

Substantial public interest rules are among the main pillars of the EU's General Data Protection Regulation to protect personal data.

The new rules say insurance companies must process special categories of personal data for insurance purposes. They also introduce clear definitions of “insurance contract” and “insurance purpose” to ensure consistency across the sector, the authority said.

They also provide measures to “allow the processing of special categories of personal data without consent, when necessary, to protect children or individuals at risk of emotional or physical harm”.

People aged 18 years or more may be considered “at risk” and eligible for protection once the criteria is determined, the authority added.

At-risk people are those who need care and support, are experiencing, or at risk of, neglect or physical, mental or emotional harm, and are unable to protect themself against neglect or harm or the risk of it, according to the amendment.

“These new rules reinforce our commitment to protecting individuals, particularly the most vulnerable, while enabling responsible data use across sectors,” said Rashed Al Blooshi, chief executive of ADGM's Registration Authority. “We remain focused on ensuring our regulations evolve in line with both global standards and local needs."

Data protection has become a leading element in the digital age, where personal and sensitive information is widely shared and available for many purposes. However, with this rise also comes the heightened risks for its misuse.

The UAE's Federal Decree Law No 45 of 2021, regarding the protection of personal data, defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure it and maintain its confidentiality and privacy.

It also prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or to carry out any of the legal procedures and rights.

“These amendments mark a significant step forward in balancing the need for responsible data processing with the imperative to safeguard sensitive personal information,” the Registration Authority said. “By clearly defining the conditions under which special categories of data can be processed, ADGM is further strengthening protections that serve the public interest while supporting critical sectors such as insurance and education.”

ADGM continues to amend its laws to ensure transparency and compliance. In June, it changed its regulatory framework for digital assets to streamline the process through which virtual assets are accepted for use.