Applicability of Data Protection Law in UAE - ADGM: Filing System Criterion

The "Filing System Criterion" is used in data protection laws to determine whether manual processing of personal data is subject to the law. It considers whether personal data is structured in a manner that allows for easy retrieval. In the context of ADGM (Abu Dhabi Global Market), this factor is relevant under the ADGM Data Protection Regulations (DPR).

Text of Relevant Provisions

ADGM DPR s.62(1) Definition of ‘Filing System’:

"‘Filing System’ means any structured set of Personal Data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;"

Analysis of Provisions

The Filing System Criterion in ADGM DPR s.62(1) plays a critical role in determining the applicability of data protection regulations. According to this provision, a "Filing System" is defined as any structured set of personal data that is accessible according to specific criteria. This definition includes both centralized and decentralized systems, as well as those dispersed on a functional or geographical basis.

The key elements of this provision are:

• Structured set of Personal Data: This indicates that the personal data must be organized in a systematic way, rather than being random or unorganized.
• Accessible according to specific criteria: This means that the data can be retrieved or accessed based on certain defined parameters, making it functionally structured.

This provision ensures that manual records, which are systematically arranged and can be accessed based on specific criteria, fall within the scope of the ADGM DPR. This is significant because it extends the law's applicability beyond digital data processing to include manual filing systems, ensuring comprehensive data protection coverage.

Implications

For businesses operating within the ADGM, the inclusion of the Filing System Criterion means that they must ensure compliance with data protection regulations not only for digital data but also for manual records that are organized in a way that allows for specific retrieval. This broadens the scope of compliance requirements and underscores the importance of robust data management practices for all types of data storage systems.

Examples:

• Applies: A healthcare provider in ADGM maintains patient records in a centralized filing system that allows retrieval by patient name or ID number. This system would be subject to ADGM DPR.
• Does not apply: A small business keeps random notes about customers without any structured organization or specific criteria for retrieval. This would not meet the Filing System Criterion and thus fall outside the scope of ADGM DPR.

Understanding and adhering to the Filing System Criterion is crucial for data controllers and processors within ADGM to ensure that they are fully compliant with the data protection laws.