Part II – Personal Data Protection
A. Compliance with Applicable Data Protection Law
1. VASPs must comply with all applicable data protection and data privacy requirements in all relevant jurisdiction[s] as follows—
a. within the UAE, including the PDPL and any sectoral or free zone laws and regulations that may apply to the VASP; and
b. any data protection laws outside of the UAE that may apply to the VASP’s activities wheresoever conducted.
2. Compliance with all applicable data protection and data privacy requirements under Rule II.A.1 of this Technology and Information Rulebook shall include, but not be limited to, requirements as to where data may be stored or located and how such data is transferred.
B. Compliance Programme
1. VASPs shall produce and implement a written compliance programme to protect the privacy of Personal Data, in accordance with all applicable data protection laws.
2. Notwithstanding the requirements of any applicable data protection laws, VASPs shall at a minimum comply with the following VARA requirements—
a. appoint a Data Protection Officer who has the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role under applicable data protection laws [including under Article 11 of the PDPL] [Data Protection Officer]. The Data Protection Officer can be the same individual as the CISO of the VASP; and
b. establish a function in their organisation that is responsible for the management and protection of Personal Data in accordance with all applicable law and is appropriate for the level of risk involved with such Personal Data, including responsibility for implementing and maintaining appropriate policies, procedures, systems and controls.
C. Provision of Information to VARA
1. Notwithstanding any other requirement elsewhere in the Regulations, Rulebooks or Directives, VASPs shall take all steps, including where applicable provide all notifications, contractual provisions and obtain all consents, that are necessary to enable VARA to have access to any information relating to the VASP’s compliance with this Part II of this Technology and Information Rulebook, regardless of where such information is stored. Access to such information shall be provided by VASPs in the manner and within the timelines communicated by VARA to the VASP.
2. VASPs shall notify VARA as soon as possible and in any event within twenty-four [24] hours following notification by them to either—
a. any data regulator, including in the UAE; or
b. a Data Subject
of any incident affecting, or potentially affecting, Personal Data, and shall provide VARA with a summary of such report and, where the relevant data regulator is located in the UAE, a copy of such report, unless and to the extent prohibited by applicable law as demonstrated by the VASP to VARA’s satisfaction.