ADGM has its own data protection regime — substantive, GDPR-adjacent, and enforced.

Operating within the free zone requires compliance with it.

ADGM’s positioning as an international financial centre means the entities operating within it are held to a high standard. The Registration Authority has made clear that data protection compliance is not a formality — it is an expectation of entities that benefit from ADGM’s international credibility and the access to global markets that comes with it.

ADGM as a distinct legal jurisdiction

ADGM is a financial free zone established on Al Maryah Island in Abu Dhabi. It operates as a separate jurisdiction with its own legal system — based on English common law — its own courts, its own regulatory authorities, and its own legislative framework. UAE federal law, including the UAE Federal Data Protection Law (Federal Law No. 45 of 2021), does not apply within ADGM. Entities registered in ADGM are subject to ADGM law, not UAE federal law. This is a point that causes genuine confusion for businesses and advisors unfamiliar with the UAE's free zone structure. An entity that is compliant with the UAE PDPL is not thereby compliant with the ADGM Data Protection Regulations — and vice versa. They are parallel frameworks operating in separate jurisdictions, and compliance with one does not satisfy the other. For groups with entities both inside and outside ADGM — a common structure for financial services firms, family offices, and professional services businesses operating in Abu Dhabi — this means managing compliance across two distinct data protection regimes. We advise on both.

What the ADGM Data Protection Regulations 2021 require

Lawful bases for processing

Personal data may only be processed on one of the Regulations’ lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The legitimate interests basis — the most commonly used basis for commercial data processing in GDPR jurisdictions — requires a balancing test and carries specific documentation obligations under the ADGM framework. Consent must be freely given, specific, informed, and unambiguous, with the same standard of withdrawal as GDPR.

Data subject rights

Individuals have the right to access their personal data, to rectification of inaccurate data, to erasure in defined circumstances, to restriction of processing, to data portability, and to object to processing — including automated decision-making. Controllers must respond to rights requests within one month, with a possible extension of a further two months for complex requests. The Regulations require that rights request procedures are accessible and that responses are provided free of charge in most circumstances.

Controller obligations

Controllers must implement appropriate technical and organisational measures to protect personal data — the security obligation is principles-based, requiring measures proportionate to the risk. Controllers must implement data protection by design and by default, maintain records of processing activities, and designate a Data Protection Officer where required. The DPO requirement under the ADGM Regulations applies to controllers whose core activities involve large-scale systematic monitoring of individuals, or large-scale processing of special categories of data — broadly consistent with GDPR.

Processor obligations and contracts

Where a controller engages a processor to process personal data on its behalf, a written contract is required that meets the Regulations’ minimum requirements — covering the subject matter, duration, nature and purpose of processing, the type of personal data, and the obligations and rights of the controller. Processors may only process data on documented instructions from the controller and must implement appropriate security measures.

Data transfers outside ADGM

Personal data may only be transferred outside ADGM to countries, territories, or organisations that provide an adequate level of protection, or where one of the Regulations’ transfer mechanisms applies, including appropriate safeguards such as standard contractual clauses, binding corporate rules, or specific derogations for individual transfers. The ADGM Registration Authority maintains guidance on adequacy determinations. Transfers to the UAE mainland and other UAE free zones are treated as international transfers under the ADGM framework and require appropriate mechanisms.

Data breach notification

Controllers must notify the ADGM Registration Authority of personal data breaches without undue delay and where feasible within 72 hours of becoming aware of the breach — consistent with GDPR’s timeline. Where the breach is likely to result in high risk to individuals, the controller must also notify the affected individuals without undue delay. Processors must notify their controller of a breach without undue delay.

Special categories of data

The Regulations identify special categories of personal data (including health data, genetic data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data relating to criminal convictions) that require a higher standard of protection and may only be processed on more restricted bases.

Accountability and documentation

Controllers must be able to demonstrate compliance with the Regulations (the accountability principle). This requires maintaining records of processing activities, documenting the legal bases relied upon, recording consent, maintaining data protection impact assessments where required, and implementing policies and procedures that reflect how data is actually handled.

Who needs ADGM data protection compliance

• Entities registered with ADGM: the Regulations apply to all ADGM-registered entities that process personal data in the course of their activities, regardless of size or sector

• Financial services firms, asset managers, and private equity businesses operating through ADGM structures: financial services entities process significant volumes of client and counterparty personal data and face heightened scrutiny

• Family offices and private wealth structures registered in ADGM: increasingly common for high-net-worth individuals and families with Abu Dhabi connections

• Professional services firms (law firms, accounting firms, consultancies) operating within ADGM

• Technology and fintech businesses using ADGM as a base for GCC or international operations

• Businesses establishing ADGM entities as part of a group structure that includes entities subject to GDPR or other data protection regimes: the interaction between frameworks requires careful management

• Entities that have registered in ADGM but have not yet addressed the Regulations: a common situation for businesses that established their ADGM presence for commercial or licensing reasons without focusing on the data protection obligations that came with it

ADGM Data Protection Regulations vs UAE Federal PDPL — understanding the difference

This is one of the most practically important distinctions for businesses operating in Abu Dhabi and across the UAE. The UAE Federal Personal Data Protection Law (Federal Law No. 45 of 2021, as amended) applies to entities and activities in mainland UAE and most UAE free zones. It is administered by the UAE's competent authorities and reflects the UAE's approach to data protection as a federal matter. The ADGM Data Protection Regulations 2021 apply exclusively to entities registered and operating within ADGM. They are administered by the ADGM Registration Authority. They are modelled on GDPR rather than on the UAE PDPL, which means the two frameworks have meaningful structural differences — in the treatment of legitimate interests, in the scope of data subject rights, in the documentation requirements, and in the enforcement architecture. For groups with both ADGM and non-ADGM entities in the UAE, this means operating under two distinct legal frameworks simultaneously. A group-level data protection policy that was designed for one regime may not satisfy the other. We advise on both frameworks and help groups build compliance programmes that work across the boundary.

What we do

Compliance Gap Assessment

We assess your current data processing activities, documentation, and controls against the ADGM Data Protection Regulations 2021. We identify where your current practices meet the Regulations' requirements and where gaps exist — producing a prioritised gap analysis that gives you a clear picture of what needs to be done and in what order.

Records of Processing Activities

The Regulations require controllers to maintain records of their processing activities — covering the purposes of processing, categories of data subjects and personal data, recipients, transfers, retention periods, and security measures. We build your ROPA from the ground up, working with your business teams to map data flows accurately and document processing activities in a way that satisfies the accountability principle.

Lawful Basis Analysis and Documentation

We analyse the lawful basis for each of your processing activities, advise on the strongest and most appropriate basis given the nature of the processing, and document the analysis in a way that supports your accountability obligations. For legitimate interests processing, we conduct and document the required balancing test.

Privacy Notices and Consent Mechanisms

We draft privacy notices that meet the Regulations' transparency requirements — clear, accessible, and specific to your processing activities. Where consent is the relevant lawful basis, we design consent mechanisms that satisfy the Regulations' standards for freely given, specific, informed, and unambiguous consent.

Data Subject Rights Procedures

We build the internal processes for handling data subject rights requests — intake, verification, response, escalation, and record-keeping — so that your organisation can handle rights requests within the Regulations' timeframes without disrupting normal operations.

Data Processing Agreements

We draft and review Data Processing Agreements between your entity and its processors, ensuring they meet the Regulations' requirements. For ADGM entities that are themselves processors for controllers outside ADGM, we ensure your DPAs reflect the applicable regulatory framework correctly.

Cross-Border Transfer Mechanisms

We advise on the transfer mechanisms available under the Regulations for transfers of personal data outside ADGM — including to the UAE mainland, to GCC countries, and to international recipients — and implement the appropriate mechanisms for your transfer flows.

Data Protection Impact Assessments

For high-risk processing activities, we conduct Data Protection Impact Assessments — identifying the risks to data subjects, assessing the necessity and proportionality of the processing, and recommending measures to mitigate risk. Where required, we support consultation with the ADGM Registration Authority.

DPO Support

Where the Regulations require appointment of a Data Protection Officer, or where your business chooses to appoint one voluntarily, we provide DPO-as-a-service support — acting as or supporting your DPO with the expertise and capacity the role requires.

Ongoing Advisory

Data protection compliance is not static. We provide ongoing advisory support as your business evolves — advising on new processing activities, reviewing compliance implications of new products or partnerships, and keeping your framework current as the ADGM regulatory environment develops.

ADGM compliance requires ADGM-specific expertise. Let us provide it.

Whether you are establishing a new ADGM entity, reviewing an existing compliance framework, or navigating cross-border data flows between ADGM and the wider group, we can help. A compliance gap assessment is the right place to start.

We are registered in ADGM but our operations are largely outside ADGM. Do the Regulations still apply to us?

The Regulations apply to personal data processed by ADGM-registered entities in the context of their activities, including activities carried out outside the ADGM geographic boundary. The jurisdictional trigger is the entity's registration, not the physical location of processing. An ADGM-registered entity processing personal data in connection with its business operations, wherever those operations physically take place, is subject to the Regulations. This is consistent with how GDPR applies to EU-established controllers regardless of where processing occurs.

We already comply with GDPR. Does that cover ADGM?

It covers significant ground, but not everything. The ADGM Regulations are closely modelled on GDPR, so a business with a mature GDPR compliance programme will find most of its documentation, policies, and processes applicable or adaptable. However, the Regulations are a distinct legal instrument — the enforcement authority is different, the transfer mechanism framework has ADGM-specific dimensions (including treatment of transfers to the UAE mainland), and the DPO requirement has its own formulation. A GDPR compliance programme needs to be reviewed and adapted for ADGM, not simply assumed to apply.

What is the relationship between the ADGM Registration Authority and the ADGM Courts?

The ADGM Registration Authority is the supervisory authority for data protection within ADGM — it is responsible for receiving breach notifications, investigating complaints, and taking enforcement action. The ADGM Courts are the judicial authority for the free zone and can hear civil claims, including claims by individuals for compensation for data protection breaches. The two operate in parallel: the Registration Authority handles regulatory enforcement; the Courts handle civil litigation. Both are part of the ADGM legal ecosystem and distinct from UAE federal courts and authorities.