ADCB Asset Management Limited Privacy Notice

 

  1. Who We Are

    1. Our Establishment:

      ADCB Asset Management Limited (AAML)

    2. Description:

      Established on 11 April 2018, AAML is a wholly owned subsidiary of Abu Dhabi Commercial Bank PJSC (ADCB).

    3. Our Contact Information

      1. Address:

        ADCB Asset Management Limited, Level 10, Al Sila Tower, ADGM Square, Al Maryah Island, Abu Dhabi, United Arab Emirates.

      2. Email:

        dataprivacy@adcb.com


  2. Introduction - Purpose and Applicability of this Privacy Notice

    ADCB Asset Management Limited (“AAML”, “We”, “Us” or “Our”) is committed to protecting your privacy and your Personal Data.

    This Privacy Notice (“Notice”) aims to help you understand what Personal Data we collect, store or process about you, the legal bases on which we do so, the purpose for which we do so, if and whom we share your Personal Data with. This Notice also describes how long we retain your Personal Data.

    Further, this Notice describes your rights and the choices you can make in relation to our collection, use and disclosure of your Personal Data.

    This Notice explains the various measures we have in place to protect the security of your Personal Data and minimize the potential for its unauthorized use, disclosure and destruction.

    The terms of this Notice will apply to you when you use our products or services, visit our online services at https://www.adcbam.com and any of its ancillary pages and websites (the “Sites”), or provide us with your Personal Data.

    Please review this Notice periodically as we may update it from time to time without informing you to reflect changes in our data practices. Should you wish to contact us to discuss any questions, concerns and comments you may have regarding your Personal Data that we process, please reach us through our contact details provided in Section 1.3 Our Contact Information of this Notice.



  3. Our role as Data Controller and Data Processor


    1. Data Controller


      A Data Controller is an entity who solely, or jointly with others, determines the how and the why of Personal Data Processing. In most cases, we will act as the Data Controller when processing your Personal Data.

    2. Data Processor


      A Data Processor is an entity who processes Personal Data on behalf of another entity, i.e the Data Controller, and does so solely on the basis of instructions provided by the Data Controller.
      In some cases, AAML will act as the Data Processor when processing your Personal Data on behalf of another ADCB Group entity. In these cases, AAML will perform the processing of the Personal Data under the specific instructions from the ADCB Group entity acting as the Data Controller.


  4. Understanding Personal Data and Processing

    Personal Data and Processing have very specific meanings under data protection laws. It is important that you understand these terms.

    1. What is Personal Data?

      Personal Data means any data which relate to a living individual who can be identified directly or indirectly from those data. The definition includes a wide range of data, including names, identification numbers, location data or online identifiers, reflecting changes in technology and the way organizations collect information about people. Examples of Personal Data include the following:
      • name;
      • address;
      • date of birth;
      • gender;
      • marital status;
      • identification number (e.g. national ID, passport number, NI number, and drivers license number);
      • telephone, mobile, fax numbers and email address;
      • location data (e.g. GPS coordinates);
      • photographs, videos, voice recordings;
      • financial data;
      • contact information;
      • transactional data;
      • website technical data: e.g. your internet protocol (IP) address, website login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website; and
      • website profile and usage data: e.g. your interests, preferences, feedback and survey responses, and information about how you use our website; and/or transaction details while performing online payments: e.g., merchant name, location, device used.

    2. What is Processing?

      Processing means doing anything with personal data, e.g. viewing, collecting, using, storing, sharing, manipulating, printing, copying, archiving etc. 'Processing activity' means any task that involves doing anything with personal data.


  5. Personal Data we collect about you and the purposes for which we do so

    The following clauses describe the categories of personal data we process and the reasons for which we process them (you need to provide some of the following types of personal data to us by law).

    1. Your identity as an individual

      We process the following Personal Data that enables us to identify you as a unique individual. This information is required to facilitate the opening of a relationship with AAML and to ensure its maintenance throughout its lifetime. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements:
      • Your full name;
      • Your gender;
      • Your nationality;
      • Your date of birth; and
      • Your age.

    2. Your contact information

      We process the following Personal Data about you to enable us to contact you in relation to your relationship with AAML. Additionally, this information is required to help us identify the right products and services we can offer you. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements.
      • Your home address;
      • Your phone number;
      • Your personal email address; and
      • Your residency status in the UAE.

    3. Your employment information

      We process the following Personal Data about you to enable us to contact your employer or your business establishment in relation to your relationship with AAML. Additionally, this information is required to help us identify the right products and services we can offer you. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements.
      • Your employer’s name and address;
      • Your business establishment’s name and address (if self employed); and
      • Your employer’s or own business’ phone number, fax and email address.

    4. Commercial information about you

      We process the following Personal Data about you to help us identify the right products and services we can offer you. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements.
      • Sources of income;
      • Your record of investments; and
      • Your estimated financial net worth.

    5. Your financial information

      We process the following Personal Data about you to help us identify the right products and services we can offer you. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements.
      • Your annual salary, with various benefits and allowances;
      • Your bank account details including account number;
      • Your Customer Identification Number (CIN); and
      • Your estimated financial net worth.

    6. Sensory and Electronic Information about You

      We process the following Personal Data about you to help us identify the right products and services we can offer you. Further, we are required to maintain this information about our Customers as per the ADGM Know Your Customer (KYC) requirements.
      • Audio Information.

    Please note that you can choose not to share your Personal Data with us. In such a case, we are likely to be limited in terms of what services we can offer you. Additionally, you may be unable to access our website or receive our offers.

    Where we need to collect your Personal Data due to the requirements of applicable law or professional standards, or for the performance of a contract between you and AAML, and you fail to provide that data when requested, we may have to decline your request for our products and/or services, or, if we are already supplying products and/or services, we may have to suspend or cease your access to them. We will notify you if this is the case at the time.



  6. Lawful bases for processing your Personal Data

    We can only process your Personal Data if we have a legal reason to do so, that is, if we have a “lawful basis”. We will use different lawful bases to process different categories of Personal Data. They are as follows:

    1. We have obtained your Consent for the Processing of Personal Data and we are able to demonstrate this on demand;
    2. The Processing is required for the performance of a contract between you and AAML;
    3. The Processing is necessary for AAML’s compliance with a legal obligation under Applicable Law;
    4. The Processing is necessary to protect your vital interests, or those of another natural person; or
    5. The Processing is necessary for the purposes of the legitimate interests of AAML or its affiliates, except where such interests are overridden by your interests or rights which require protection of Personal Data.


  7. Lawful bases for processing Special Categories of Personal Data

    Special Categories of Personal Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, Biometric Data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and Personal Data relating to criminal convictions and offences or related security measures.

    It is our policy not to collect and process any Special Categories of Personal Data. However, should there be a need to process Special Categories of Personal Data that belong to you, it will be conditional upon at least one of the following criteria being met:


    1. You have provided Explicit Consent to the Processing of your Special Categories of Personal Data for one or more specified purposes;
    2. Our rights and obligations under applicable employment law require us to perform the Processing. Processing will be in line with AAML’s Personal Data Protection Policy in this case;
    3. the Processing is necessary to protect your vital interests if you are physically or legally incapable of providing Consent, or those of another natural person;
    4. the Processing is necessary for Archiving and Research Purposes in accordance with applicable law;
    5. the Processing relates to Personal Data which you have already intentionally made public;
    6. the Processing is required for the performance of a contract between you and AAML;
    7. the Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
    8. the Processing is necessary for reasons of substantial public interest.


  8. How we collect your Personal Data

    We may collect your Personal data from two primary sources

    1. Directly from you

      We may collect your Personal Data directly from you in a number of ways, including the following:
      1. when you apply for any product on our Sites, through a postal application, telephone or directly with one of our Employees;
      2. when you provide your Personal Data online or by any other method of communication, for example, on "contact us" forms, or when you provide it on the merit of your relationship with AAML, for example, if you inform us of a change in your circumstances; and,
      3. when you visit our Sites, technical information, including the Internet Protocol (IP) address used to connect to the internet, may be collected from you.

    2. Indirectly from other parties

      We may obtain your Personal Data indirectly from Third Parties in the following ways:
      1. following an introduction to us by another Third Party, such as an accountancy firm, law firm or management consultancy;
      2. if another person provides your information to us when they apply to obtain a product from us:
        1. on your behalf; or,
        2. that is to be held jointly with you; or,
        3. on behalf of any other organization of which you are a director, shareholder, owner, trustee or beneficiary (as applicable); or
        4. where they have nominated you as a guarantor under our agreement with them, or to provide any other security, or informed us that you are a donor or lender of any deposit monies or occupier of any security property;
      4. when we carry out searches for the purposes of processing your application and/or during the course of your relationship with us; or,
      5. in response to our marketing activities, you request information about our products via a Third Party (e.g. websites and social media platforms).

    If you are applying to us through a Third Party, then they should have provided you with their own privacy notice in order to tell you (whether online or in person) how they may process your Personal Data.



  9. How we secure your Personal Data

    The security of your Personal Data is important to us. We have designed and implemented appropriate measures to prevent your Personal Data from being disclosed, modified or destroyed without sufficient authorization. These measures address several dimensions of data security including and not limited to the following:

    1. Data Security:

      concepts and principles that ensure the protection of data and information assets, such as your Personal Data from theft, misuse or destruction;

    2. Access Control:

      techniques that regulate the ability of various entities to interact with your Personal Data (user authentication), and the degree to which they may do so (user authorization);

    3. Encryption:

      the use of mathematical algorithms to protect your Personal Data by rendering it unreadable using methods such as encryption and hashing;

    4. Network Security:

      concepts and principles that secure our telecommunication networks appropriately to ensure your Personal Data flowing through them is not disclosed to unauthorized entities;

    5. Application Security:

      concepts and principles that ensure our software applications that collect, store and otherwise process your Personal Data are securely developed and operated;

    6. Communications Security:

      principles that drive secure transmission of your Personal Data across entities; and

    7. Physical Security:

      principles that support a secure physical environment for your Personal Data as it relates to printed hard copy records, for instance.

    AAML is not responsible for any information posted on AAML website or other social media sites other than the information posted by AAML employees on its behalf. AAML is only responsible of its own use of the Personal Data received through such sites.



  10. What happens if there is a Personal Data Breach?

    Whilst we take measures to secure your Personal Data, risks to data security do exist, and there always is a possibility of unauthorized use, disclosure, modification and/or destruction of your Personal Data. In the event of such a Personal Data Breach, within the limits of Applicable Law, we will take reasonable measures to notify you about it and its likely consequences, measures taken by us to mitigate the increased risk and avenues available to you to mitigate the risk as a result of the Personal Data Breach. For further information on how we respond to and handle Personal Data Breaches, please contact us at dataprivacy@adcb.com.



  11. Your rights in relation to our processing of your Personal Data

    Your rights in relation to our processing of your data are as follows. If you want to exercise any of your rights, please contact our Data Protection Officer (“DPO”) in writing at dataprivacy@adcb.com.

    1. Right of access: you are entitled to request access to the information that we process about you.
    2. Right to rectification: under certain circumstances, you have the right to have inaccurate personal data about yourself rectified or completed if it is incomplete.
    3. Right to erasure: you have the right to ask to have your personal data erased under certain circumstances. We may refuse a request for erasure in some circumstances, for example where the personal data is required for compliance with the law or in connection with legal claims.
    4. Right to restrict processing: under certain circumstances, you are entitled to ask us to restrict the processing of your personal data.
    5. Right to data portability: if you have provided information to us directly, the right to data portability allows you to obtain and easily reuse (move, copy or transfer) your personal data for your own purposes from one IT environment to another, securely and without affecting its usability.
    6. Right to object: you have the right to object to the processing of your personal data. For example, you have an absolute right to stop your data being used for direct marketing. In other circumstances we may be able to continue processing your data provided we have a compelling reason to do so, for example on the basis of our legitimate interests.
    7. Rights in relation to automated decision making and profiling: you have the right not to be subject to a decision based solely on Automated Processing, including profiling, which produces legal effects, i.e. something which adversely affects your legal rights. You have the right to obtain an explanation of a decision made by automated means and to challenge it.

  12. AAML’s obligations in relation to your rights

    AAML will maintain the following obligations in relation to your rights concerning our Processing of your Personal Data:

    1. Modalities to exercise your rights: If you want to exercise any of your rights, please contact our Data Protection Officer (“DPO”) in writing at dataprivacy@adcb.com.
    2. Services at no charge: We will not charge you a fee for facilitating the exercise of your rights in Section 11. In case of a repetitive or excessive request from you, we will either charge you a reasonable fee taking into account the administrative costs, or we may decide to not act on your request.
    3. Notification to Third Parties if applicable: If you exercise your right to erasure, rectification or restriction of processing, we will communicate this with applicable Data Processors to ensure your wishes are executed as applicable.
    4. Response Timeline: If you exercise any of your rights in Section 11, we will respond to you without delay and within 2 months. This timeline may be extended by an additional 1 month for large and complex requests.
    5. Your Identification: If we have reasonable doubts concerning your identity, we may request additional information to verify your identity. In such cases, the time period for complying with your request will only commence once we receive sufficient evidence to confirm your identity.
    6. Notification of inaction if applicable: If we are unable to take action in response to your requests to exercise your rights in Section 11, we will inform you within 2 months of receiving your request, along with the reasons for our inability to take action. We will also, in such cases, remind you of your right to lodge a complaint with the ADGM Commissioner of Data Protection and seek a judicial remedy. Should you wish to submit a complaint to the ADGM Commissioner of Data Protection, please do so at the link: https://www.adgm.com/registration-authority/complaints/submit-a-complaint

  13. Cross-border Personal Data transfers

    Throughout the course of your relationship with AAML and even after its conclusion, your Personal Data may need to be shared with Data Processors who are both internal and external to AAML. Under certain circumstances, within the permits of Applicable Law, this will involve us transferring your data across the boundaries of the Abu Dhabi Global Market (ADGM). If we need to transfer your Personal Data outside the ADGM, we will do so on the basis of the following grounds:

    1. On the basis of an adequacy decision: we may transfer your Personal Data to jurisdictions outside the ADGM that have been designated by the ADGM Commissioner of Data Protection as offering adequate levels of protection.
    2. On the basis of appropriate safeguards: we may transfer your Personal Data outside the ADGM on the basis of appropriate safeguards including standard contractual clauses adopted by the ADGM Commissioner of Data Protection, an approved code of conduct, Binding Corporate Rules (BCRs) as explained in the next sub-section.
    3. On the basis of Derogations: we may transfer your Personal Data outside the ADGM on the basis of the following derogations:
      1. we have obtained your Explicit Consent to the transfer; or
      2. the transfer is necessary for one or more of the following conditions:
        1. the performance of a contract between you and and AAML or for the implementation of pre-contractual measures at your request;
        2. the conclusion or performance of a contract concluded in your interest between AAML and another natural or legal person;
        3. important reasons of public interest;
        4. requirements of law enforcement agencies of the UAE in accordance with Applicable Law;
        5. the establishment, exercise or defense of legal claims; or
        6. the protection of your vital interests or of another person, where you are physically or legally incapable of giving Consent.

  14. Data retention

    We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

    To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    "In some circumstances you can ask us to delete your data. For further information, please see Section 11: Your rights in relation to our processing of your Personal Data.”



  15. Marketing from us

    You will only receive direct marketing communication from us where we have obtained your consent as described in this Privacy Notice, or where we have legitimate interests as described in this Privacy Notice, that must be fulfilled through the marketing communication.

    You have the right to object at any time to the Processing, including Profiling, of your Personal Data for such direct marketing purposes. You may place your request to stop receiving marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting the ADCB Customer Care Team on the following numbers:

    1. Within UAE 600 50 2030,
    2. Outside UAE +971 2 6210090 at any time.

    Where you opt-out of receiving our marketing messages, this will not apply to Personal Data provided to us for other purposes.



  16. Disclosures of Your Personal Data

    We may have to share your Personal Data with the parties set out below for the purposes set out in the table above:

    1. Internal Third Parties as further described in the section, Terms and Definitions below.
    2. Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice.
    3. In some instances, we may be required by law, regulation or instruction to provide your Personal Data to government-authorized Credit Information Agencies. To do this, we will supply your Personal Data to such agencies who may carry out, amongst other things, checks on you which may lead to possible limitations of accessing future Financial Products and/or Services from AAML ADCB based on the Consumer records provided to these agencies.

    We require all Third Parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.



  17. Terms and Definitions

    Term Definition
    AAML means ADCB Asset Management Ltd.
    ADCB means Abu Dhabi Commercial Bank PJSC.
    ADGM means the Abu Dhabi Global Market.
    ADGM Commissioner of Data Protection means the ADGM Commissioner of Data Protection appointed by the ADGM board who heads the Office of Data Protection at ADGM.
    ADGM Data Protection Regulations means ADGM Data Protection Regulations 2021 enacted by the board of directors of the Abu Dhabi Global Market, in exercise of its powers under Article 6(1) of the Law No.4 of 2013 concerning the Abu Dhabi Global Market.
    ADGM Know Your Customer (KYC) means mandatory requirements to ensure updated information about AAML’s Customers, to perform identity verification and prevention of illegal transactions through the business relationship with AAML such as money-laundering, identity theft.
    Applicable Law means any enactment or subordinate legislation applicable in (i) ADGM; or (ii) under Abu Dhabi or Federal Law having application in ADGM, as it applies to Data Controllers and Data Processors that are within the scope of these Regulations;
    Automated Processing means Processing that is conducted using an electronic application or system that operates automatically, either independently without any human intervention or under the supervision and limited intervention of a human.
    Binding Corporate Rules means Binding Corporate Rules or BCRs are internal rules which define the policy across entities regarding intra-organizational Personal Data transfers outside the ADGM.
    Biometric Data means Personal Data that results from the use of specific technology related to the physical, physiological or behavioral characteristics of the Data Subject that allow or confirm the unique identification of the Data Subject. This includes facial imaging or fingerprints.
    Consent means the approval in which the Data Subject authorizes a Third Party to process his / her Personal Data, provided that this Consent is specific, clear, and unambiguous through a statement or a clear positive action stating that the Data Subject accepts the Processing of his or her Personal Data.
    Data Controller means the entity or the natural person that has Personal Data and, by virtue of their activity, determines the method, approach, criteria, and purpose of Processing this Personal Data, whether alone or jointly with other persons or entities.
    Customer means consumers of products and services from AAML.
    Data Protection Officer means the entity who is tasked with overseeing AAML’s data protection programme and ensuring in an independent manner that all Personal Data processing at AAML is in compliance with Applicable Laws including the ADGM Data Protection Regulations.
    Data Subject means an identified or identifiable natural person that Personal Data pertains or applies to.
    Employee means full time staff of AAML.
    Explicit Consent means an indication that the Data Subject has given an active, clear and unambiguous agreement for their Personal Data to be used in a specific way, including, for example by signing a document, sending an email.
    Personal Data means any data related to a specific natural person or a natural person that can be identified directly or indirectly by linking identification elements, such as the person’s name, voice, photo, identification number, electronic identification, geographical location, or one or more of the person’s physical, physiological, economical, cultural or social attributes.
    Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
    Processing means any operation or set of operations performed on Personal Data through electronic means, including collecting, storing, recording, organizing, adapting, modifying, circulating, transferring, retrieving, exchanging, sharing, using, describing, and disclosing Personal Data by broadcasting, transfer, distributing, making available, coordinating, merging, restricting, obfuscating, deleting, destroying, or modeling the data.
    Data Processor means the entity or natural person that processes Personal Data on behalf of the Data Controller under the Data Controller’s direction and instructions.
    Profiling means the use of Personal Data to evaluate certain aspects related to the Data Subject.
    Recipient means the entity to whom Personal Data is transferred.
    Special Categories of Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, Biometric Data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; and Personal Data relating to criminal convictions and offences or related security measures.
    Third Parties means an entity who processes Personal Data on behalf of AAML or any of the joint Controllers of AAML.
    UAE means the United Arab Emirates.