Substantial Public Interest Conditions Rules 2025: A New Step in ADGM’s Data Protection Framework

2 min 32 sec December 3, 2025 (Edited)

On September 9, 2025, the Abu Dhabi Global Market (“ADGM”) took a significant step in advancing its data protection framework with the adoption of the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025 (the “Rules”). These new provisions build on the Data Protection Regulations 2021 and introduce targeted conditions that permit the processing of special categories of personal data, commonly known as “sensitive personal data”, in circumstances where doing so is necessary for reasons of substantial public interest. 

The Rules mark a further evolution of ADGM’s data protection regime, reinforcing its ambition to create a regulatory environment that both protects individuals and enables innovation-driven businesses to thrive. 

 Why These Rules Matter 

 Sensitive personal data, such as medical records, financial details, and data relating to children or vulnerable adults, requires heightened protection. In practice, strict consent requirements can sometimes present obstacles to essential services, such as insurance claims processing or safeguarding at-risk individuals, where waiting for or obtaining consent is either impractical or could compromise protection. 

 Key Developments 

By introducing clear conditions under which such personal data may be processed without explicit consent, ADGM has created a framework that balances individual rights with the operational needs of critical sectors. 

Insurance sector alignment 

The Rules create a new legal basis for the insurance industry to process sensitive personal data in the public interest. This covers activities such as: 

• advising on, arranging, underwriting, or administering an insurance contract; 

• managing claims under an insurance contract; and 

• exercising rights or complying with obligations arising under insurance contracts, including statutory or common law obligations. 

Importantly, processing must still meet strict safeguards, whereby it must be necessary for the insurance purpose, proportionate, and not carried out where consent could reasonably be obtained and has been withheld. 

Clarification through defined terms:

The Rules introduce precise definitions to reduce ambiguity: 

• “insurance contract” means a contract of general insurance, long-term insurance, or reinsurance; and 

• “insurance purpose” covers the full spectrum of insurance-related activity, from advice to claims handling to compliance with legal obligations. 

This definitional clarity is expected to give regulated firms greater certainty in their compliance obligations, particularly when processing special categories of personal data.  

Safeguarding children and at-risk individuals

The Rules also provide a specific condition allowing the processing of sensitive personal data to protect children and vulnerable adults where it is necessary to prevent neglect or physical, mental, or emotional harm, or to safeguard an individual’s overall well-being. For those aged 18 or over, the definition of “at risk” is deliberately broad, covering individuals with care or support needs who are unable to protect themselves against harm.

Importantly, consent is not required where:

• the data subject cannot give consent;
• it would be unreasonable to expect the controller to obtain consent; or
• obtaining consent would prejudice the protection of the individual concerned.

Mandatory safeguards

Even where reliance on these substantial public interest conditions is permitted, organisations must still demonstrate accountability by:

• documenting their reliance on the relevant condition;
• ensuring that any processing is strictly necessary and proportionate; and
• implementing appropriate organisational and technical safeguards to protect the data.