Part 2: General Provisions for the Processing of Personal Data
Article 6 - General requirements
(1) Data Controllers must ensure that Personal Data which they process is:
    (A) processed fairly, lawfully and securely;
    (B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
    (C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
    (D) accurate and, where necessary, kept up to date; and
    (E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
(2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
(3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.
Article 7 - Requirements for legitimate Processing
A Data Controller may only Process Personal Data if:
    (1) the Data Subject has unambiguously given his consent;
    (2) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
    (3) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
    (4) Processing is necessary in order to protect the vital interests of the Data Subject;
    (5) Processing is necessary for the performance of a task carried out in the interests of the QFC or in the exercise of QFC Authority, Regulatory Authority, Tribunal or Appeals Body functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data is disclosed; or
    (6) Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by the Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
Article 8 - Processing of Sensitive Personal Data
(1) A Data Controller shall not process Sensitive Personal Data unless:
    (A) the Data Subject has given his explicit consent to the Processing of that Personal Data;
    (B) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller in the field of employment law;
    (C) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
    (D) the Processing is carried out by a foundation, association or any other non-profit seeking body in the course of its legitimate activities with appropriate guarantees that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed to a Third Party without the consent of the Data Subjects;
    (E) the Processing relates to Personal Data which is manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims;
    (F) Processing is necessary for compliance with any legal obligation to which the Data Controller is subject;
    (G) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the data subject's particular situation;
    (H) Processing is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller; or
    (I) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where that Personal Data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
(2) Article 8(1) shall not apply if:
    (A) a permit has been obtained to process Sensitive Personal Data from the QFC Authority; and
    (B) the Data Controller applies adequate safeguards with respect to the processing of the Personal Data.
(3) An appeal against a decision of the QFC Authority to refuse to issue a permit to process Sensitive Personal Data may be made to the Tribunal.
Article 9 - Transfers to jurisdictions with adequate levels of protection
(1) Subject to Article 10, a Data Controller may only transfer Personal Data to a Recipient located in a jurisdiction outside the QFC if an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient.
(2) The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject as referred to in Article 9(1) shall be assessed in the light of all the circumstances surrounding a Personal Data transfer operation or set of Personal Data transfer operations, including, but not limited to:
    (A) the nature of the data;
    (B) the purpose and duration of the proposed Processing operation or operations;
    (C) if the data does not emanate from the QFC, the country of origin and country of final destination of the personal data; and
    (D) any relevant laws to which the recipient is subject, including professional rules and security measures.
Article 10 - Transfers to jurisdictions without adequate level of protection
(1) A Data Controller may transfer Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 9(1) on condition that:
    (A) the QFC Authority has granted a permit for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;
    (B) the Data Subject has given his unambiguous consent to the proposed transfer;
    (C) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of precontractual measures taken in response to the Data Subject's request;
    (D) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;
    (E) the transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defence of legal claims;
    (F) the transfer is necessary in order to protect the vital interests of the Data Subject;
    (G) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
    (H) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject;
    (I) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the Data Subject's particular situation; or
    (J) the transfer is necessary to comply with auditing, accounting or anti money laundering obligations that apply to a Data Controller which is established in the QFC.
(2) An appeal against a decision by the QFC Authority to refuse to issue a permit referred to in Article 10(1)(A) may be made to the Tribunal.
Article 11 - Providing information where data obtained from the Data Subject
(1) A Data Controller shall provide a Data Subject whose Personal Data it collects with at least the following information immediately upon commencing to collect Personal Data in respect of that Data Subject:
    (A) the identity of the Data Controller;
    (B) the purposes of the Processing for which the Personal Data are intended; and
    (C) any further information in so far as such is necessary, having regard to the specific circumstances in which the Personal Data are collected, to guarantee fair Processing in respect of the Data Subject, such as:
        (i) the Recipients or categories of Recipients of the Personal Data;
        (ii) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
        (iii) the existence of the right of access to and the right to rectify the Personal Data;
        (iv) whether the Personal Data will be used for direct marketing purposes; and
(2) A Data Controller need not provide that information otherwise required by Article 11(1)(C)(i) to the Data Subject if the Data Controller reasonably expects that the Data Subject is already aware of that information.
Article 12 - Providing information where data not obtained from the Data Subject
(1) Where Personal Data has not been obtained from the Data Subject, a Data Controller or his representative must at the time of undertaking the recording of Personal Data or if a disclosure to a Third Party is envisaged, no later than the time when the Personal Data is first recorded or disclosed provide the Data Subject with at least the following information:
    (A) the Personal Data or categories of Personal Data concerned; and
    (B) the information set out in Article 11(1).
(2) Article 12(1) shall not apply to require:
    (A) the Data Controller to provide information which the Data Controller reasonably expects that the Data Subject already has; or
    (B) the provision of such information if it proves impossible or would involve a disproportionate effort.
Article 13 - Confidentiality
Any person acting under a Data Controller or a Data Processor, including the Data Processor himself, who has access to Personal Data must not process it except on instructions from the Data Controller, unless he is required to do so by law.
Article 14 - Security of Processing
(1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
(2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
(3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.