The following Privacy Policy provides an overview of how ITHRA (which includes ITHRA DUBAI L.L.C and all of its subsidiaries, affiliates, companies under its management and other related companies (together “we”, “us” “our” or “ITHRA”) collect, use and process the Personal Data (as defined below) you or Data Subjects provide to us. This Privacy Policy applies to you because you are, will be or were a service provider or supplier of ITHRA and you have provided us with the Personal Data of individuals or individuals have provided their Personal Data directly to us in relation to the arrangement we have with you (“Data Subjects”).
This Privacy Policy sets out the rights of the Data Subjects whose Personal Data we have been provided with, in accordance with applicable data protection laws and regulations in the UAE, including the Federal Decree-Law No. 45/2021 On the Protection of Personal Data, as amended from time to time (“Data Protection Laws”).
1. DEFINITIONS
For the purposes of this Privacy Policy, the below terms are defined as follows:
- “Personal Data” means any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and biometric data.
- “Sensitive Personal Data” means any data that directly or indirectly reveals a natural person’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.
2. WHO IS THE CONTROLLER OF PERSONAL DATA AND HOW CAN YOU CONTACT THEM
For the purposes of applicable Data Protection Laws, the applicable ITHRA entity which contracts with you will be a data controller processing the Personal Data of Data Subjects. This means that we are responsible for determining the purposes and means of processing your Personal Data. Depending on the data processing taking place, there may be more than one ITHRA entity processing your Personal Data.
You may also be a data controller as you separately collect, use and process the Personal Data of Data Subjects.
ITHRA is a property developer as well as a commercial and residential asset manager operating in the UAE.
If you or any Data Subject have any questions about this Privacy Policy, or our processing of Data Subjects’ Personal Data, please contact us at [email protected].
3. WHAT PERSONAL DATA AND SOURCES DO WE USE
Personal Data that we process in the context of our relationship with you may be obtained either directly from the Data Subjects or indirectly from other sources other than you, including from third parties, clients and other business contacts – by way of introduction, or from publicly available sources (e.g. Internet).
Categories of Personal Data may include but are not limited to:
- business contact details (e.g. name, phone number, e-mail address, office location, postal address and other business card details, as the case may be);
- identification data (e.g. passport copies, Emirates ID / government ID copies, etc.;
- authentication data (e.g. sample signature, sample initials, etc.);
- electronic identification data where required for the purpose of delivering products or services for ITHRA (e.g. login, password, access details);
- monitoring information (e.g. IT systems usage data, CCTV footage from our premises, electronic and telephone communications data etc.); and
- background screening / good conduct certificates / criminal record checks.
4. WHAT DO WE PROCESS YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS
ITHRA processes Personal Data on various legal grounds (depending on the applicable Data Protection Laws) including:
- if the processing is necessary to perform a contract to which you are a party (e.g. business contract performance) and which relates to the Data Subjects;
- if the processing is necessary to fulfil obligations imposed on us by other laws in the UAE. ITHRA is subject to various applicable laws and regulations including in the areas of real estate, tax, corporate compliance and employment law; or
- as a result of Data Subject consent.
ITHRA processes Personal Data for various purposes which may include but are not limited to:
- onboarding you as one of our service providers or suppliers;
- managing a seconded resource that you provide to us;
- complying with applicable laws;
- marketing purposes; and/or
- for the performance of our contract with you.
5. WHO RECEIVES PERSONAL DATA AND WILL THE DATA BE TRANSFERRED TO A THIRD COUNTRY
For the purposes described in this Privacy Policy, and subject to applicable Data Protection Laws, Data Subjects’ Personal Data may be shared with recipients outside of ITHRA, such as other ITHRA suppliers and service providers including:
- real estate managers;
- accounting;
- IT;
- security;
- marketing; and
- professional advisers that perform services on our behalf, our clients (tenants, leaseholders) as well as with other third parties such as banks, insurers, pension providers and government, public and judicial authorities, as the case may be.
ITHRA may transfer Personal Data to countries located outside of the UAE. This may happen when ITHRA’s suppliers and/or service providers are based outside of the UAE. ITHRA will transfer the Personal Data in accordance with applicable Data Protection Laws and use the applicable protection measures granted thereunder.
6. HOW DO WE PROTECT YOUR PERSONAL DATA
ITHRA has implemented reasonable and appropriate technical and organizational security measures to protect Data Subject Personal Data against unauthorized access, disclosure, misuse, loss or destruction. This includes encrypting Data Subjects’ Personal Data, implementing data back-up measures and regularly conducting security testing.
7. FOR HOW LONG WILL MY PERSONAL DATA BE STORED
ITHRA will process and store Data Subjects’ Personal Data only for as long as it is necessary in order to fulfil the purposes for which it was collected, including to meet its contractual and statutory obligations and/or to comply with legal, regulatory, accounting, reporting or internal policy requirements. It should be noted here that your contract with ITHRA may be a long-term obligation, lasting a number of years, and we will store Personal Data relating to our contract with you for the period of the contract, as a minimum.
If the Personal Data is no longer required in accordance with the above, it is deleted.
8. DATA SUBJECT RIGHTS
Depending on the applicable Data Protection Laws, and subject to certain limitations under these laws, a Data Subject has certain rights in relation to their Personal Data. These include the right to:
- access their Personal Data;
- obtain and request the transfer of their Personal Data;
- correct and/or erase their Personal Data;
- restrict, and stop, the Processing of their Personal Data;
- object to, and stop, the Processing of their Personal Data; and
- object to decisions made by automated processing, that have legal consequences or seriously affect the Data Subjects.
If any Data Subject has any questions about the type of Personal Data we hold about them or if they wish to exercise any Data Subject right, they can contact us at [email protected].
A Data Subject should be made aware that they can withdraw any consent for the processing of Personal Data at any time. The withdrawal will not affect the lawfulness of any processing based thereon before the withdrawal.
Whilst we will make reasonable efforts to accommodate any Data Subject rights request to the extent, and as soon as reasonably practicable, we reserve the right to reject such requests or to impose restrictions or requirements upon such requests if required or permitted by applicable laws.
9. USE OF PERSONAL DATA FOR DIRECT MARKETING
If a Data Subject has provided their consent for the purposes of marketing our products and services to them, we may process their Personal Data for such purposes. Any marketing by us, or any third parties on our behalf, will be conducted in accordance with applicable laws. Marketing includes, but is not limited to, contact by email, text message, social media and/or phone.
A Data Subject has the right to object to the Processing of their Personal Data for marketing purposes at any time and can exercise this right by sending an “opt-out” email to [email protected].
10. ARE YOU OBLIGED TO PROVIDE THE PERSONAL DATA
We may require certain Personal Data to comply with our legal obligations or to pursue a business relationship with our service providers/suppliers. Without this Personal Data, we may not be in a position to continue our business relationship with you. We will notify you if this is the case.