Qatar: QFC Data Protection Regulations and Rules 2021 – What you need to know

The Qatar Financial Centre ('QFC') is a global business and financial centre with an independent legal and regulatory infrastructure. It was established by the Qatar Financial Centre Law (Law No. (7) of 2005) ('the QFC Law'), which also provided the QFC Authority ('QFCA') with the power to produce the Data Protection Regulations and the Rules that govern data protection law in the QFC today.

Marking 16 years since the introduction of the QFC's 2005 Data Protection Regulations ('the Regulations') and 2005 Data Protection Rules ('the Rules') (collectively 'the 2005 Legislation'), the QFCA has reviewed each of the Regulations and Rules in light of global developments in data protection law and proposed various changes to them. Following that review, the QFCA launched a public consultation on the proposed changes, which ended on 16 September 2021. On 21 December 2021, the 2021 Data Protection Regulations ('the 2021 Regulations') and the 2021 Data Protection Rules ('the 2021 Rules') were issued by the QFC, extending the existing provisions and introducing new data protection provisions in the QFC.

With regard to implementation, the commencement date of the 2021 Regulations and the 2021 Rules is 180 days from the date of their issuance (i.e. 21 May 2022), as per Article 3 of the 2021 Regulations. Notably, the 2021 Regulations and the 2021 Rules will come into force on the same date, 21 May 2022, at which point the 2005 Legislation will be repealed (Article 3 of the 2021 Regulations).

This Insight article highlights the main changes which the 2021 Regulations bring to the QFC's data protection regime.

Changes to the Regulations – what's new?

The changes brought about by the 2021 Regulations feature as additions to the 2005 Legislation in the form of extensions of existing provisions under the 2005 Legislation and altogether new provisions adding to the substance of the law.

General application

A new article has been introduced in the 2021 Regulations that expressly states the purpose of the legislation is as follows (Article 5 of the 2021 Regulations):

  • to protect the rights and legitimate interests of individuals in relation to their personal data; and
  • to set out principles and rules about protecting and processing personal data.

Moreover, another new article, Article 32 of the 2021 Regulations, provides for the establishment of an independent body, the Data Protection Office ('the Office') and the Data Protection Commissioner ('the Commissioner'). More specifically, the Office will administer the 2021 Regulations and all aspects of data protection within the QFC, and will be managed by the Commissioner (Article 32(2) of the 2021 Regulations). In this regard, the Commissioner will determine the Office's procedures and management (Article 32(3) of the 2021 Regulations).

Scope

The newly introduced Article 6 of the 2021 Regulations limits the applicability of the 2021 Regulations to the processing of personal data, by automated or non-automated means, of living natural persons, and does not apply to deceased persons.

Furthermore, changes to Article 7 of the 2021 Regulations provide that the 2021 Regulations apply to (Article 7(1) and (2) of the 2021 Regulations):

  • the processing of personal data by a controller or processor that is incorporated or registered in the QFC; and
  • the processing of personal data by a controller or processor that is not incorporated or registered in the QFC if, as part of ongoing arrangements, it processes personal data through a controller or processor that is incorporated or registered in the QFC on a non-occasional basis.

Notably, the 2021 Regulations do not apply to natural persons in the course of their purely personal or household activities, and Articles 14 to 24 do not apply to QFC institutions in their capacity as controllers, but only to the extent that compliance with those articles would likely prejudice the proper discharge of their powers and functions (Article 37(1) and (2) of the 2021 Regulations).

Principles of processing personal data

A specific article has been introduced to outline six data processing principles in Article 8 of the 2021 Regulations, which controllers are required to comply with as per Article 9 of the 2021 Regulations. Notably, the following principles have been included:

  • lawfulness, fairness, and transparency;
  • specific purpose;
  • data minimisation;
  • accuracy;
  • storage limitation; and
  • integrity and confidentiality of processing.

Legal basis for processing

Legal bases for processing are now outlined in Article 10 of the 2021 Regulations, which notes that processing of personal data is lawful only if at least one of the following applies (the legal bases remain unchanged from the 2005 Legislation):

  • consent for specified purpose(s);
  • processing is necessary to perform a contract to which the data subject is a party or in order to take steps at the data subject's request before entering into a contract;
  • processing is necessary to comply with an obligation imposed on the data controller by law;
  • processing is necessary to protect the vital interests of the data subject or another individual;
  • processing is necessary to perform a task carried out in the public interest or by any of the public bodies listed in Article 10(1)(E)(ii) of the 2021 Regulations; or
  • processing is necessary for the purposes of the legitimate interests of the controller or another person to whom the data is disclosed, unless those interests are overridden by those of the data subject.

Consent

Notably, Article 11 of the 2021 Regulations has been added to clarify how valid consent can be obtained as a legal basis for processing personal data pursuant to the lawful bases provided in Article 10 of the same. In particular, Article 11(1) of the 2021 Regulations highlights the following conditions in relation to obtaining effective consent from a data subject:

  • it must be freely given;
  • it must be specific, informed, and an unambiguous indication by the data subject that they agree to the processing of their personal data; and
  • if it was given in a document that also concerns other matters:
    • the consent must be clearly distinguishable from the other matters;
    • the consent form must be intelligible and easily accessible; and
    • the consent form must use clear, unambiguous, and plain language.

Additionally, Article 11 further notes the following in relation to relying on consent as a legal basis for processing:

  • data subjects must be able to withdraw their consent as easily as it is given, at any time and in any form, and must be informed of this right before giving their consent;
  • withdrawal of consent does not render unlawful any processing based on consent before it was withdrawn; and
  • when considering whether consent had been freely given, consideration must be given to whether the performance of a contract was conditional on consent being given to processing personal data that is not necessary for the performance of the contract.

Data subject rights

The 2021 Regulations have expanded on some of the existing data subject rights under the 2005 Legislation and have also added articles to cater to new data subject rights.

The 2021 Regulations provide for the following data subject rights:

  • the right to access (Article 16 of the 2021 Regulations);
  • the right to rectification (Article 17 of the 2021 Regulations);
  • the right to erasure (Article 18 of the 2021 Regulations);
  • the right to object (Article 19 of the 2021 Regulations); and
  • the right to restriction of processing (Article 20 of the 2021 Regulations).

In addition, the 2021 Regulations introduce the following new data subject rights:

  • the right to data portability (Article 21 of the 2021 Regulations);
  • the right not to be subject to automated decision-making (Article 22 of the 2021 Regulations); and
  • the right to an effective judicial remedy enforceable against controllers and processors (Article 35 of the 2021 Regulations).

Right to rectification

Article 17 of the 2021 Regulations expands on data subjects' right to rectify inaccurate data and provides that a data subject has the right to have a data controller complete personal data that is incomplete, including by incorporating a supplementary statement made by the data subject (Article 17(2) of the 2021 Regulations).

Right to restriction of processing

Similarly, Article 20 of the 2021 Regulations expands on data subjects' right to restriction of processing. In this regard, Article 20(1) states that this right is available to data subjects when:

  • the data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of that data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests its restriction instead;
  • the data controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defence of legal claims; or
  • the data subject has objected to processing, under Article 19(1) of the 2021 Regulations, pending the verification whether the legitimate grounds of the data controller override those of the data subject.

Furthermore, Article 20(2) of the 2021 Regulations notes that, with the exception of storage, where processing has been restricted, data can only be processed:

  • with the data subject's consent;
  • for the establishment, exercise, or defence of legal claims;
  • for the protection of the rights of another natural or legal person; or
  • for reasons of public interest.

Right to data portability

The newly introduced Article 21 of the 2021 Regulations provides that data subjects have the right to receive personal data about them, which they've provided to the controller, in a structured, commonly used, and machine-readable format if:

  • the processing is based on consent or a contract in accordance with Articles 10(1)(A) and 10(1)(B) of the 2021 Regulations; and
  • the processing is carried out by automated means.

Notably, the right to data portability must be exercised without prejudice to the right to erasure in Article 18 of the 2021 Regulations and must not adversely affect the rights and legitimate interests of others (Article 21(3)(A) and (4) of the 2021 Regulations).

Right not to be subject to automated decision making, including profiling

The newly introduced Article 22 of the 2021 Regulations provides that data subjects have the right not to be subjected to a decision that is based solely on automated processing, including profiling, if the decision would have a legal effect on them or would otherwise significantly affect them.

Notably, this right is not applicable if:

  • such a decision is necessary to enter into or perform a contract between the data subject and a controller;
  • the data subject has given their explicit consent to the decision being based solely on automated processing; or
  • the decision is made pursuant to laws or regulations applicable to the data controller.

Attached to the first two exceptions to the application of this right is an obligation on the controller to implement suitable measures to safeguard the data subject's rights and legitimate interests, which should include rights for the data subject to (Article 22(3) of the 2021 Regulations):

  • obtain human intervention by the controller;
  • express their point of view; and
  • contest the decision.

Moreover, with regard to sensitive personal data, Article 22(4) of the 2021 Regulations provides that the exceptions to the right are not applicable if the decision in question is based on sensitive personal data, unless:

  • the data subject has given their explicit written consent to the processing for one or more specified purposes; or
  • the processing is necessary for substantial public interest reasons, on the basis of applicable laws and regulations.

Right to an effective judicial remedy

Article 35(1) of the 2021 Regulations provides that any person who has suffered material or non-material damage due to an infringement of the 2021 Regulations has the right to receive compensation from the controller or processor responsible for the damage suffered.

Transparency

The 2021 Regulations introduce new transparency obligations in Article 13. Particularly, Article 13(1) of the 2021 Regulations notes that in relation to the duty to inform data subjects under Articles 14 and 15 of the 2021 Regulations and any communication under Articles 16 to 22 regarding data subject rights, data controllers must give information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

Furthermore, Article 13(2) notes that any communication made must be given in writing, or by other means, including where appropriate, by electronic means.

Notably, Article 13(3) and (6) of the 2021 Regulations provides that the controller must respond to a request from data subjects under any of Articles 16 to 22 without undue delay and at least within 30 days from receiving the request.

Further details in relation to controllers' responses to data subject requests, extension of timeframe, identity verification of data subjects, and imposition of charges are provided in Articles 13(3) to (9) of the 2021 Regulations.

Security

Data Protection by Design and by Default

Article 26 of the 2021 Regulations introduces an obligation, both at the time of the determination of the means for processing and at the time of the processing itself, on controllers to implement appropriate technical and organisational measures to (Article 26(1) of the 2021 Regulations):

  • integrate the necessary safeguards into the processing to meet the requirements of the 2021 Regulations;
  • implement the data protection principles in Article 8 of the 2021 Regulations; and
  • protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and all other unlawful forms of processing.

Moreover, Article 26(2) of the 2021 Regulations highlights that the data controller must implement technical and security measures to ensure that, by default, only personal data that is necessary for each specific purpose is processed, noting that these must ensure that personal data:

  • is not made accessible to an indefinite number of recipients; or
  • is made accessible only to individuals who need to process the personal data for their role, functions, or tasks.

Data Protection Impact Assessment

Another newly introduced article is Article 27 of the 2021 Regulations, which introduces the requirement to undertake a Data Protection Impact Assessment ('DPIA') for controllers. In particular, Article 27(1) notes that a data controller must undertake a DPIA where processing is likely to result in a high risk to the rights and legitimate interests of data subjects. In this regard, the assessment must contain, as a minimum, the information set out in Article 6 of the 2021 Rules.

More specifically, Article 27(2) of the 2021 Regulations notes that DPIAs are required where:

  • there is automated processing, including profiling, which leads to decisions that significantly affect the data subject;
  • processing of sensitive personal data is on a large scale; or
  • there is systematic monitoring of a publicly accessible area on a large scale.

In this regard, Article 27(5) of the 2021 Regulations notes that controllers must review their processing activities to assess whether they are performed in accordance with the DPIA, and must do so in particular when there is a change in the risk represented by the processing operations.

Breach notification

Controllers are required to notify a personal data breach to the Office without undue delay and, where feasible, not later than 72 hours after having become aware of it, where the controller has determined that the personal data breach is likely to result in a risk to the rights and legitimate interests of data subjects (Article 31(1) and (2) of the 2021 Regulations). In this regard, Article 31(3) of the 2021 Regulations notes that such a notification should include, at a minimum, the information set out in Article 9 of the 2021 Rules.

Moreover, Article 31(5) of the 2021 Regulations notes that the data controller must document any personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, to enable the Office to verify compliance with Article 31.

Article 31(6) of the 2021 Regulations further highlights the controller's obligation to consider notifying personal data breaches to affected data subjects, taking into account the risk to their rights and legitimate interests. Where such a notification is made it should contain at least:

  • the nature of the breach;
  • the likely consequences of the breach; and
  • a description of the measures taken or proposed to be taken by the data controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Additionally, Article 31(7) of the 2021 Regulations provides that data processors must notify the data controller without undue delay after becoming aware of a personal data breach.

Data processors

Article 28(1) of the 2021 Regulations provides that in engaging processors to process personal data on their behalf, data controllers must only engage data processors that provide sufficient guarantees:

  • to implement technical and organisational measures to comply with the 2021 Regulations; and
  • to ensure that data subjects' rights are protected.

Notably, as per Article 28(3) of the 2021 Regulations, a written contract between the data controller and the data processor must be in place and should set out, at a minimum, the information contained in Article 7 of the 2021 Rules.

Moreover, the processor must immediately inform the controller if, in their opinion, an instruction contravenes the 2021 Regulations or any other applicable legal requirement, and/or if it is obliged by law to process personal data otherwise than on the written instructions of the controller (Articles 28(5) and (6) of the 2021 Regulations).

Further details relating to data processors' obligations are provided in Articles 28(4) and (7) to (9) of the 2021 Regulations, including obligations attached to engaging sub-processors.

Penalties

Notably, the newly introduced Article 36 of the 2021 Regulations empowers the Office to impose financial penalties for breaches of the 2021 Regulations. Article 36 also sets out the factors that the Office may consider in assessing the amount of the fine to be imposed, together with further details on how penalties are imposed. Notably, infringements of the 2021 Regulations will be subject to a maximum penalty of $1.5 million.

Changes to the Data Protection Rules – what's new?

The changes in the 2021 Rules are substantive in nature and correspond to, and supplement, some of the changes introduced in the 2021 Regulations.

Transparency

The newly introduced Article 3 of the 2021 Rules highlights the information to be provided to data subjects pursuant to Articles 14 and 15 of the 2021 Regulations. In particular, the controller must provide:

  • the name and contact details of the controller;
  • the purposes of the intended processing and the legal basis for that processing, as set out in Article 10 of the 2021 Regulations;
  • whether the data subject is obliged to provide the personal data and the possible consequences of failing to do so;
  • the categories of personal data concerned;
  • if the data is to be, or may be, disclosed to one or more other individuals or entities, their names or a description of their categories;
  • if the data controller intends to transfer the data to another jurisdiction, a statement of that fact, setting out a description of the applicable safeguards put into place and, if applicable, how and where to obtain a copy;
  • if the processing is based on the legitimate interests of the data controller or another person to whom the data is disclosed or to comply with an obligation imposed on the data controller by law, the data controller shall state clearly what those legitimate interests or compliance obligations are;
  • the period for which the data will be retained, or how to determine that period;
  • that the data subject has the right to:
    • ask the data controller to give access to the data;
    • rectify the data;
    • erase the data;
    • restrict the processing of the data;
    • object to the processing of the data; and
    • data portability;
  • whether automated decision-making will be used, and if so:
    • meaningful information about the logic applied; and
    • the significance, and the likely consequences, of the automated decision-making for the data subject;
  • if the processing is based on consent, that the data subject has the right to withdraw that consent at any time, but that withdrawing the consent does not affect the lawfulness of processing based on consent before the withdrawal; and
  • that under Article 34 of the 2021 Regulations, the data subject has the right to lodge a complaint with the Office if the data subject considers that the processing of personal data relating to them infringes the Regulations.

Moreover, Article 4(2) of the 2021 Rules notes that a data controller must communicate any action carried out in accordance with Articles 17 and 18 of the 2021 Regulations to each recipient to whom the personal data has been disclosed, unless it is impossible or would involve disproportionate effort.

DPIAs

Corresponding to the newly introduced requirement for controllers to undertake DPIAs in Article 27 of the 2021 Regulations, Article 6 of the 2021 Rules details what should be included in DPIAs and notes that it must at least contain the following:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including:
    • identification and consideration of the lawful basis for the processing;
    • if the processing is necessary for the purposes of the legitimate interests of the data controller or another person in accordance with Article 10(6) of the 2021 Regulations, the reasoning according to which the data controller believes that the rights or legitimate interests of the data subject do not override its interests or those of the other person; and
    • if processing is based on consent:
      • validation that consents will be, or have been, validly obtained;
      • the impact of the withdrawal of consent to that processing; and
      • how the data controller will ensure that it can comply with any exercise by the data subject of their right to withdraw consent;
  • an assessment as to how the processing operations are adequate, relevant, and limited to what is necessary in relation to the purposes for which the personal data is processed;
  • an assessment of the risks to the rights and legitimate interests of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the Regulations.

Contracts between controllers and processors

Corresponding to Article 28 of the 2021 Regulations, Article 7 of the 2021 Rules outlines that a contract between a controller and a processor must set out, at a minimum, the following:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects; and
  • the obligations and rights of the controller.

Furthermore, the contract must also set out that the processor:

  • must not process the personal data, or transfer it outside the QFC, unless instructed in writing by the controller, or if required by law to do so;
  • must ensure that persons authorised to process the data have undertaken to maintain its confidentiality or are under an appropriate statutory obligation of confidentiality;
  • must take all the measures required by Article 29 of the 2021 Regulations;
  • must comply with the conditions referred to in Article 28(2) and (6) of the 2021 Regulations for engaging another processor;
  • taking into account the nature of the processing, must assist the controller to fulfil its obligation to respond to requests by data subjects to exercise their rights by implementing appropriate technical and organisational measures;
  • must assist the controller to comply with its obligations under Articles 27, 29, and 31 of the 2021 Regulations, taking into account the nature of the processing and the information available to it;
  • after completing the services relating to processing, must delete all the personal data or return it to the controller (at the controller's choice), and must delete any copy unless an applicable law requires it to be retained;
  • must make available to the controller all information necessary to show that it has complied with the obligations laid down in the 2021 Regulations; and
  • must allow for, and assist with, audits and inspections by the controller or an auditor appointed by the controller.

Notification of breaches

Article 9 of the 2021 Rules sets out what must be included, as a minimum, in a controller's notification of a personal data breach to the Office under Article 31 of the 2021 Regulations, namely:

  • a description of the nature of the breach, including:
    • the categories of data subjects affected;
    • the approximate number of data subjects affected;
    • the categories and approximate number of personal data records affected;
  • the name and contact details of a person from whom more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures that the controller has taken, or proposes to take, to address the consequences of the breach, including, if appropriate, measures to mitigate its possible adverse effects; and
  • if the notification is not made within 72 hours of becoming aware of the breach, the reasons for the delay.

Lodging complaints

Article 10 of the 2021 Rules outlines a new provision on lodging complaints with the Office established by Article 32 of the 2021 Regulations. In particular, Article 10 outlines that a data subject (the complainant) who makes a complaint to the Office must give the following information in the complaint:

  • the complainant's full name and address;
  • the full name and address of the controller whom the complainant believes has contravened the 2021 Regulations;
  • a detailed statement of facts that the complainant believes gives rise to the relevant contravention of the 2021 Regulations;
  • a statement of the relief that the complainant seeks; and
  • a declaration that they have provided the Office with accurate information and that they understand that any information provided will be processed by the Office in accordance with Article 34 of the 2021 Regulations.

Alice Muasher Privacy Analyst