1. DIFC DATA PROTECTION POLICY
The Dubai International Financial Centre and/or its affiliates and entities (collectively "DIFC",
"we" or
"us")
values your security and privacy. DIFC has its own Data Protection Law, DIFC
Law No. 5 of 2020 (the
"DP
Law"), and may for certain types of personal data processing, be
subject to laws from other
jurisdictions.
As such, it is the policy of the DIFC to respect the privacy of our DIFC website services and app
users. In
accordance with DIFC DP Law and as applicable our
Terms of Use, DIFC
collects
information about you when you use or access our websites, use DIFC email addresses for
contact
purposes, or you avail of other web-based products, information or services such as the
DIFC public wifi
(collectively, the "Website Services") as well as through other interactions and
communications you have
with
us, such as through the DIFC Connect App (the "App" or
"Apps").
This online data protection policy (the "Policy") sets out the basis on which any information,
including
any
personal data, we collect from you, or you provide to us, will be processed by
DIFC. Each time you access or
use
the Website Services or provide us with information, by
doing so you acknowledge the practices described in
this
Policy. For use of specific services,
i.e., the DIFC public wifi, you may be asked to opt-in to our use of
the
information you submit
there. Your rights described herein apply in these instances as well.
1. Scope and Application
This Policy applies to persons anywhere in the world who access or use DIFC’s Website
Services or the App
("Users").
2. Collection of Information
Information you give us
This is personal data you give us by providing information or filling in forms on the App or any
DIFC-owned
Website Services, or by corresponding with us (for example, by telephone, e-mail
or any other digital or
electronic form). It includes for example information you provide when
you register using the DIFC-provided
online client portal, or download and register to use the
App, search for the App in app stores (including
but
not limited to Apple App Store and Google
Play Store), share data via the App's social media functions, and
when
you report a problem with
the App, or any of our Website Services. If you contact us, we will keep at least
an
electronic
record of such correspondence, including personal information shared at that time, in order to
reply or process it as per your request. The personal information you give us may include your
name, address, e-mail address and phone number, certain device information, username,
password, residential
building, work address, photograph, and other registration information you
choose to provide ("Personal
Information" or "Personal Data").
The Website Services or App collect and process Personal Data for specific, lawful purposes
only, or for the
performance of tasks carried out in your interests or the interests of the DIFC.
The Website Services or App are not targeted, intended, or expected to be of use to children.
Apart from
providing information for specific services or purposes, as directed by DIFC
processes, User-provided
contributions of content or contact information regarding or about
children are expressly prohibited.
Information we collect about you and your device
Each time you use our Website Services or App we may and often will automatically collect the
following
information:
• personally identifiable information including details required for accessing Website
Services or Apps, such as name, email address, profile information, user name, password,
or cookies, based
on
your preferences and settings;
• technical information, including the type of mobile device you use, a unique device
identifier (for example, mobile network information, your mobile operating system, the
type of mobile
browser
you use, device token, device type, time zone setting ("Device
Information");
• details of your use of our Website Services or Apps including, but not limited to traffic
data, weblogs and other communication data, and the resources that you access ("Log
Information");
• location information if the Website Services or Apps uses GPS technology to determine
your current location. If you wish to use this particular feature, you may be asked to opt-
in to your data
being
used for this purpose.
If you do not wish to share certain data with us or do not want us to use / share it for certain
purposes
(to
the extent possible, in accordance with applicable laws and information in this
notice), you can alter your
preferences at any time. Where applicable, please check with your
device provider's instructions for further
information about how to do this.
Other Information We May Collect Through Your Use of the Website Services or the App
When you use any Website Services or the App, we may collect Personal Data including
demographic
information,
collect, which may include, but is not limited to, post code, age/birth date, current residence,
hometown,
gender, username, mobile network information, your mobile operating system, the
type of mobile browser you
use,
time zone setting, device location, IP address, SMS data,
transaction information, business activities and
services / distribution locations, browsing history
information, searching history information, and
registration
history information ("Demographic
Information").
3. Use of Personal Data
We may use Personal Data that you provide to us or we collect from you to:
• Provide, maintain, and improve our App and Website Services, including, for example, to
facilitate payments, send receipts, provide products and services you request (and send
related information
about them), develop new features that will enhance your user
experience and our efficiency, provide
customer
support to Users, authenticate users, and
send administrative messages, whether information-only or required
by
applicable law;
• Provide the Website Services or App functionality that you lawfully and validly request
access to, whether temporarily or for the life of any relevant Terms or User Agreement
agreed between you
and
a
DIFC entity responsible for the Website or App;
• Perform internal regulatory, administrative and operational requirements, including, for
example, to prevent fraud or abuse of our Website Services; to troubleshoot software
bugs and operational
problems; to conduct data analysis, testing, and research; to ensure
you and DIFC are complying with
internal
or
external legal requirements, including those
that necessitate use of digital systems; and to monitor and
analyze
usage and activity
trends;
• Send you communications we think will be of interest to you based on your preferences
and previous interactions with us, including information about products, services,
promotions, news, and
DIFC
events, where permissible under DIFC Laws and according
to any other applicable laws; and to process
contest,
sweepstake, or other promotion
entries and fulfill any related awards;
• Notify you about changes to this Policy, or our App and Website Services;
• Allow you to participate in
any
interactive features of our App or Website Services;
• Keep our App and Website Services safe and secure; or
• Personalize and improve the Website Services, including to provide or recommend
features, content, social connections, referrals, and advertisements, in accordance with
your preferences,
to
the extent permissible by law.
4. Processing, Storage and Transfer of Personal Data
We will take all steps reasonably necessary to ensure your data is processed fairly and lawfully,
in
accordance
with the DP Law, other applicable laws and this Policy. By submitting your
Personal Data (including Log,
Device
and / or Demographic Information), we expect you to
understand that such transfer, storing or processing is
necessary for performance of tasks carried
out by a DIFC Body (or its subsidiaries or affiliates) in the
interests of DIFC or in order for
DIFC to perform its general administrative and regulatory functions will
be
done in a
proportionate, lawful manner, including but not limited to responding to enquiries you raise via
the App or Website Services, oversight of the business entities registered in DIFC’s jurisdiction
and
maintaining contacts for future informational or promotional activities. Unless otherwise
notified, DIFC
does
not ordinarily rely solely on automated decision making when processing
your Personal Data.
In order to conduct our operations or fulfil regulatory obligations, we must transfer the Personal
Data
described in this Policy to and from, and process and store it in, the United Arab Emirates
and (where
applicable or required) with processors in other countries, some of which may have
less protective privacy
laws
than those where you reside. In all such cases, and generally for any
processing operations, we take
appropriate
technical and security measures to protect your
Personal Data and other information in accordance with this
Policy. DIFC is ISO 27001 certified
and all information security policies are strictly enforced. Please see
section 7 below for further
details.
To preserve the integrity of our databases, to carry out on-going Website Services or provide the
App on
behalf
of all Users, for research, analytics and statistics purposes and to ensure
compliance with applicable laws
and
regulations, we retain Personal Data submitted by Users for
a reasonable length of time unless otherwise
prescribed by applicable law.
DIFC is not responsible for the accuracy of the information you provide, and will modify or
update your
Personal
Data in our databases when you provide updated information or ad hoc
upon your request, as further outlined
below. We will erase or put beyond active use your
Personal Data upon request, unless we are required to
retain
it in accordance with DIFC or other
applicable laws or to perform agreed services, in which case we align
with
applicable principles
such as purpose specification and data minimization.
If it is not disproportionate or prejudicial, and required beyond this policy’s notices, we’ll
contact you
to
let you know we are processing your personal information.
As part of the Commissioner’s statutory and corporate functions, we process special category
data and, in
some
cases, criminal conviction data that you share with us for application to receive
a business license. Our
internal privacy policy instructs our team how to responsibly handle this
information in accordance with the
DP
Law and other applicable laws.
By accessing or using the App or Website Services to which this Policy applies, we can
reasonably expect
that
you understand that all information submitted by you through the App or
Website Services or otherwise to
DIFC
may be used by DIFC to support these processing
operations, in accordance with applicable laws and its
policies.
5. Sharing of Personal Data
We may share Personal Data which we collect about you as described in this Policy or as
described at the
time
of
collection or sharing, including as follows:
Through Our Website Services or the App
We may share Personal Data which we collect about you as described in this Policy or as
described at the
time
of
collection or sharing, including as follows:
• With third parties to provide you a service you requested through a partnership or
promotional offering made by a third party or us; or
• With third parties with whom you choose to let us share your Personal Data, for example
other apps or websites that integrate with our API or Website Services, or those with an
API or Service with
which we integrate
Other Types of Data Sharing
We may share your Personal Data:
• With DIFC subsidiaries and affiliated entities, to the extent permissible by law;
• On the DIFC Public
Register, in accordance with Article 153 of
the
Companies
Law,
DIFC Law
No.
5 of 2018, and Section 9.2 of the Companies Regulations;
• With vendors, consultants, marketing and advertising partners, and other service
providers who need access to such Personal Data to carry out work on our behalf or to
perform a contract or
other agreement we enter into with them or with you;
• If we otherwise notify you and you provide your affirmative opt-in to share your data,
where needed;
• In response to a request for information by a competent authority or government entities
if we determine that such disclosure is in accordance with, or is otherwise required by
any applicable law,
regulation, or legal process;
• With law enforcement officials, government entities or authorities, or other third parties
as required by applicable law;
• With third parties in connection with, or during negotiations of, any merger, sale of
company assets, consolidation or restructuring, financing, or acquisition of all or a
portion of our
business
by
or into another company; or
• With third parties in an aggregated and/or anonymized or pseudonymized form that
cannot reasonably be used to identify you
Government Data Sharing
In some circumstances we are legally obliged to share information with public authorities or law
enforcement.
For example, we may be required to provide information related to a court order or
where we must cooperate
with
other supervisory authorities in handling complaints or
investigations. We might also share information with
other regulatory bodies in order to further
their, or our, objectives. In any scenario, we’ll satisfy
ourselves
that we have a lawful basis on
which to share the information, document our decision making, and satisfy
ourselves we have a
legal basis on which to share the information.
We may also share information in the event of the non-payment of a monetary penalty or fine. If
the debt
remains
outstanding after the specified timeframe for payment, no payment plan is in
place or an agreed payment plan
is
not being adhered to, we may initiate formal proceedings to
recover the full amount of the unpaid penalty.
As a result, the relevant DIFC registrar or commissioner will share Personal Data with the
litigation and
recovery specialists it instructs in order for them to identify assets and undertake
recovery action through
the
courts.
All sharing of Personal Data aligns to the extent possible with the DIFC Government Data
Sharing Policy,
which
is an internal DIFC policy that governs fair and lawful sharing of Personal
Data requested by government
entities within the UAE and elsewhere.
6. Your Rights and Choices
Marketing and Preferences
DIFC supports Users’ legal rights to opt-in or subsequently opt-out of receiving communications
from us and
our
partners. You have the option to ask us not to process your Personal Data for
marketing purposes and to
remove
it from our database, to not receive future communications or
to no longer receive our App or Website
Services.
You may change your preferences at any time.
Please note that we may continue to send you transactional or service-related e-mails despite
your desire to
not
receive promotional or marketing e-mail messages. Additionally, please note
that if you elect to opt-out of
or
unsubscribe from receiving promotional or other similar e-mails
or messaging from one of our Website
Services
or
the App, you may continue to receive
promotional emails from our other websites, providers, or other,
non-affiliated marketers whose
services you may have accessed via the DIFC Website Services or App.
Finally, while we may remove your individual contact information from our professional
contacts database,
please
be aware that if such information is in a different, third party's
marketing directory through your request
or
election, you will need to request removal with such
third party directly.
Access to and Correction of Your Personal Information
You have the right to access information held about you. Your right of access can be exercised
for any
reason,
at any time, in accordance with DIFC and other applicable laws.
You have the right to ask us to rectify information you think is inaccurate. You also have the
right to ask
us
to complete information you think is incomplete.
You may also request that we restrict the processing of, erase, transfer the information you gave
us from
one
organisation to another, or otherwise process your Personal Data in line with the
relevant articles
providing
for such rights set out in the DP Law or other applicable laws.
Any access request generally comes at no cost to you and we must respond within one month
unless provided
otherwise by the DP Law or other applicable laws. We may, where permissible,
impose a reasonable fee to meet
any
extraordinary administrative costs in providing you with
details of the information we hold about you.
When you contact us about a potential Personal Data error or query, we will endeavor to confirm
or verify
the
information in question, then correct verified inaccuracies and respond to the
original inquiry. We will
endeavor to send a correction notice to businesses or others whom we
know to have received the inaccurate
data,
where required and / or appropriate. However, some
third parties and third party sites may continue to
process
inaccurate data about you until their
databases and display of data are refreshed in accordance with their
update schedules, or until
you contact them personally to ensure the correction is made in their own files.
As set out in Article 39 on the DP Law, we may not discriminate against you for exercising your
rights by
denying services or changing prices or quality of service, unless reasonable to do so in
general, as
objectively
determined, and applicable to all individuals offered or receiving such
benefits.
The DIFC Data Subject Access and Requests policy is available for your review, and you may
contact us using
the
information provided therein or below.
7. Security Precautions
DIFC makes every effort to ensure that your Personal Data is secure on its system. DIFC has
staff dedicated
to
maintaining our data protection and security policies, periodically reviewing
them and making sure that DIFC
employees are aware of our data protection and security
practices. Unfortunately, no data transmission over
the
internet can be guaranteed to be 100%
secure. As a result, DIFC cannot warrant or guarantee the security of
any
Personal Data you
transmit to us, and you do so at your own risk.
DIFC has established policies and procedures for securely managing information and protecting
Personal Data
against unauthorized access. We continually assess our data privacy, information
management and security
practices. We do this in the following ways:
• Establishing policies and procedures for securely managing information;
• Limiting employee access to
viewing
only necessary information in order to perform his
or her duties;
• Protecting against unauthorized access to Personal Data by using data encryption,
authentication and virus detection technology, as required;
• Requiring service providers with whom we do business to comply with relevant data
privacy legal and regulatory requirements;
• Monitoring our websites through recognized online privacy and security organizations;
• Engaging in
regular
third party audits of our policies and practices; and
• Conducting background checks on employees and
providing
training to our employees.
If you have any further questions about our security and processing activities, please contact the
Data
Protection Commissioner’s team or refer to
our Terms of Use. To the
extent permitted by
applicable law, DIFC expressly disclaims any liability that may arise should any other
third
parties obtain the Personal Data you submit through fraud or otherwise where it is no fault of
DIFC.
8. Cookies
A cookie is a small text file that is unique to the web browser on your computer or mobile
device, which is
used
to retain user preferences, and enhance browsing experience ("Cookie").
DIFC uses Cookies to track
overall site usage and enables us to provide a better user experience.
We do not use Cookies to "see" other
data
on your computer or determine your email address.
Types of cookies we drop and the information collected using them include but are not
necessarily limited
to:
Essential
Google Tag Manager - helps make tag management simple, easy and reliable by allowing
marketers and
webmasters
to
deploy website tags all in one place.
Site Analytics
Google Analytics - gives website owners the digital analytics tools needed to analyse data from
all
touchpoints
in one place, for a deeper understanding of the customer experience.
Customer Interaction
Salesforce Chat Solution - lets website owners chat with customers and give them real-time
support.
Advertising
• DoubleClick - a subsidiary of Google which develops and provides Internet ad serving
services.
• Twitter Advertising - enables website owners to track and measure the actions users take
after viewing or engaging with ads on Twitter.
• Facebook Advertising - lets website owners measure, optimise and build audiences for
advertising campaigns.
• LinkedIn Analytics – enables website owners to promote their company updates to
targeted audiences on desktop, mobile, and tablet.
Most browsers accept and maintain Cookies by default. The DIFC Data Protection Law requires
that DIFC
entities
(including DIFC Bodies, as defined in the Founding Law, Dubai Law No. 5 of
2021), set such collection
methods
to
collect the bare minimum, necessary cookies in order to
operate the relevant website or app. Check the
‘Help’
or
‘Settings’ menu of your browser to
learn how to change your Cookie preferences. You can choose to alter
Cookies
settings related to
the use of our Website Services, but this may limit your ability to access certain areas
of
the
Website.
Alternatively you may wish to visit an independent source of information,
www.aboutcookies.org, which contains comprehensive information on how
to
alter settings or
delete Cookies from your computer as well as more general information about Cookies. For
information on how to do this on the browser of your mobile phone you will need to refer to your
handset
manual or network operator for advice.
9. External Links
The Website and the App may contain links to other websites on the Internet that are owned and
operated by
third
parties (the "External Sites"). These links are provided solely as a convenience
to you and not as an
endorsement by DIFC of the contents of or reliability on such External
Sites. You acknowledge that DIFC is
not
responsible for the availability of, or the information
and content of any External Site. You should contact
the
site administrator or webmaster for
those External Sites if you have any concerns regarding such links or
the
content located on such
external Sites.
If you decide to access linked third party websites, you do so at your own risk. DIFC does not
accept
liability,
and shall not be liable to you for any loss or damage arising from or as a result of
your acting upon the
content of another website to which you may link from the Website
Services or the App.
10. DIFC Buildings Security and Contents
Building security records containing sign in and sign out information collected at the time of
visiting and
departing a DIFC-owned building will be maintained in accordance with this
Policy.
To the extent permitted by applicable law, DIFC is not responsible for any contents, whether or
not they
contain
Personal Data or other business information, that remain after you leave or
vacate a DIFC property. Having
given
proper notice to tenants vacating DIFC buildings or
property and upon expiration of such notice, DIFC may
remove
any remaining tenant property
including contents, materials or information at its sole discretion and your
liability.
Buildings within the DIFC free zone that are not owned and operated by the DIFC Authority or
its
subsidiaries
are not bound by this Policy, but management of third party buildings must in any
case comply with the DP
Law
as
it applies generally in the DIFC.
11. Changes to this Policy
We may change this Policy from time to time and without notice. If we make significant changes
in the way we
treat your Personal Data, or to the Policy, we will endeavor to provide you notice
through the App or
Website
Services or by some other means, such as email. Your continued use
of the App or Website Services after such
notice constitutes your understanding of the changes.
We encourage you to periodically review this Policy
for
the latest information on our privacy
practices. We provide links to it through:
• The App or Website Services
• Referencing it in our Terms of Use
• Incorporating it into our
contracts,
agreements, and other documents as necessary or
appropriate
Contact Us
If you have any questions, comments and requests related to this Policy, or if you have any
complaints
related
to how DIFC processes your personal data, please contact the Commissioner
of Data Protection’s Office at:
Dubai International Financial Centre Authority
Level 14, The Gate Building
+971 4 362 2222
commissioner@dp.difc.ae
DIFCA has appointed a Data Protection Officer in accordance with Article 16 of the DP Law.
She may be
contacted
using the above address or telephone number, or via e
mail at dpo@difc.ae