• Part 2: General Provisions for the Processing of Personal Data

    • Article 6 - General requirements

      (1) Data Controllers must ensure that Personal Data which they process is:
      (A) processed fairly, lawfully and securely;
      (B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
      (C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
      (D) accurate and, where necessary, kept up to date; and
      (E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
      (2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
      (3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.

    • Article 7 - Requirements for legitimate Processing

      A Data Controller may only Process Personal Data if:

      (1) the Data Subject has unambiguously given his consent;
      (2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
      (3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
      (4) Processing is necessary in order to protect the vital interests of the Data Subject;
      (5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
      (6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.

    • Article 8 - Processing of Sensitive Personal Data

      (1) A Data Controller shall not process Sensitive Personal Data unless:
      (A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
      (B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
      (C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
      (D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
      (E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
      (F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
      (G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
      (H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
      (I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
      (2) Article 8(1) shall not apply if:
      (A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
      (B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
      (3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.

    • Article 9 - Transfers to jurisdictions with adequate levels of protection

      (1) Subject to Article 10, a Data Controller may only transfer Personal Data to a Recipient located in a jurisdiction outside the QFC if an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient.
      (2) The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject as referred to in Article 9(1) shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:
      (A) the nature of the data;
      (B) the purpose and duration of the proposed Processing operation or operations;
      (C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
      (D) any relevant laws to which the recipient is subject, including professional rules and security measures.

    • Article 10 - Transfers to jurisdictions without adequate level of protection

      (1) A Data Controller may transfer Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 9(1) on condition that:
      (A) the QFC Authority has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;
      (B) the Data Subject has given his unambiguous consent to the proposed transfer;
      (C) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of precontractual measures taken in response to the Data Subject's request;
      (D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
      (E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
      (F) the transfer is necessary in order to protect the vital interests of the Data Subject;
      (G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
      (H) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject;
      (I) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
      (J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller which is established in the QFC.
      (2) An appeal against a decision by the QFC Authority to refuse to issue a permit referred to in Article 10(1)(A) may be made to the Tribunal.

    • Article 11 - Providing information where data obtained from the Data Subject

      (1) A Data Controller shall provide a Data Subject whose Personal Data it collects with at least the following information immediately upon commencing to collect Personal Data in respect of that Data Subject:
      (A) the identity of the Data Controller;
      (B) the purposes of the Processing for which the Personal Data are intended; and
      (C) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as:
      (i) the Recipients or categories of Recipients of the Personal Data;
      (ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
      (iii) the existence of the right of access to and the right to rectify the Personal Data;
      (iv) whether the Personal Data will be used for direct marketing purposes; and
      (v) whether the Personal Data will be processed on the basis of Article 8(1)(G) or Article 10(1)(I).
      (2) A Data Controller need not provide the information otherwise required by Article 11(1)(C)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.

    • Article 12 - Providing information where data not obtained from the Data Subject

      (1) Where Personal Data has not been obtained from the Data Subject, a Data Controller or his representative must at the time of undertaking the recording of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data is first recorded or disclosed provide the Data Subject with at least the following information:
      (A) the Personal Data or categories of Personal Data concerned; and
      (B) the information set out in Article 11(1).
      (2) Article 12(1) shall not apply to require:
      (A) the Data Controller to provide information which the Data Controller reasonably expects that the Data Subject already has; or
      (B) the provision of such information if it proves impossible or would involve a disproportionate effort.

    • Article 13 - Confidentiality

      Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data must not process it except on instructions from the Data Controller, unless he is required to do so by law.

    • Article 14 - Security of Processing

      (1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
      (2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
      (3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.