The following Privacy Policy provides an overview of how ITHRA (which includes ITHRA Dubai LLC and all of its subsidiaries and related companies, including ITHRA Dubai LLC (DIFC Branch) (“ITHRA DIFC”)) (together “we“, “us” “our” or “ITHRA“) collect, use and Process your Personal Data, and sets out your rights with respect to your Personal Data in accordance with the applicable data protection laws in the UAE, which, depending on the ITHRA entity, includes, but is not limited to, the DIFC Data Protection Law No. 5 of 2020 (the “DIFC Data Protection Law”).
For the purposes of this Privacy Policy, the following terms (and any other capitalised terms used in this Privacy Policy) are defined in accordance with the DIFC Data Protection Law:
- You are referred to as the “Data Subject” to whom Personal Data relates to.
- “Personal Data” means any information relating to an identified or Identifiable Natural Person (i.e. ‘Data Subject’). An Identifiable Natural Person means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.
- “Processing” (and other variants) means any operation or set of operations carried out on personal data or sets of personal data, either by means of automated procedures or by other procedures. As a way of example and not limited to the following, Processing includes collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting processing of it in the future), erasure or destruction, but excludes operations or sets of operations performed on Personal Data by: (a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or (b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
1. WHO IS THE CONTROLLER OF PERSONAL DATA AND HOW CAN YOU CONTACT THEM
For the purposes of applicable data protection laws and regulations, an ITHRA entity will be the “Data Controller” processing your Personal Data. This means that we are responsible for determining the purposes and means of Processing your Personal Data. ITHRA is a property developer as well as a commercial and residential asset manager operating in the UAE (including the DIFC).
If you have any questions about this Privacy Policy, or our processing of your Personal Data, please contact us at [email protected].
2. WHAT PERSONAL DATA AND SOURCES DO WE USE
Personal Data that we process in the context of our relationship with service providers/suppliers may be obtained either directly from the Data Subjects or indirectly from other sources, in particular – from the service providers/suppliers that Data Subjects represent or work for, from third parties, clients and other business contacts – by way of introduction, or from publicly available sources (e.g. Internet).
Categories of Personal Data may include but are not limited to:
- business contact details (e.g. name, phone number, e-mail address, office location, postal address and other business card details, as the case may be);
- identification data (e.g. passport copies, Emirates ID / government ID copies, etc.
- authentication data (e.g. sample signature, sample initials, etc.);
- financial information such as bank account details or fee information;
- electronic identification data where required for the purpose of delivering products or services for ITHRA (e.g. login, password, access details);
- monitoring information (e.g. IT systems usage data, CCTV footage from our premises, electronic and telephone communications data); and
- background screening/criminal record checks.
3. WHAT DO WE PROCESS YOUR PERSONAL DATA FOR (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS
ITHRA processes Personal Data on the following legal grounds (depending on the applicable data protection laws and regulations):
- if processing of Personal Data is necessary for the purpose of business contract performance.
Personal Data is processed where necessary to do so for the purposes of entering into, performing and terminating of a business contract with the Data Subject or the entity the Data Subject represents. - in pursuit of legitimate interests
ITHRA may process Personal Data for the purpose of the legitimate business interests pursued by us or our clients. This could be: in order to meet our obligations vis-à-vis our clients and in the context of client relationship management, for security and quality assurance (e.g. call recordings, IT systems access controls, building access controls and video surveillance), operational risk management and implementing extraordinary operations e.g. transfer of business and entering into joint venture agreements or asserting legal claims.
- to comply with legal obligations
ITHRA is subject to various applicable laws and regulations including in the areas of real estate, tax, corporate compliance and employment law (including in the DIFC). - as a result of your consent
There may be specific circumstances where we ask for your consent to process your Personal Data. As long as you have granted us this consent, the processing is legal on the basis of that consent. Consent may be withdrawn at any time (for withdrawal, see contact details above).
4. WHO RECEIVES PERSONAL DATA AND WILL THE DATA BE TRANSFERRED TO A THIRD COUNTRY
For the above purposes and subject to applicable data protection laws and regulations, your Personal Data may be shared with recipients outside of ITHRA, such as other ITHRA suppliers and service providers including asset managers; real estate managers; accounting, IT, security and marketing service providers; professional advisers that perform services on our behalf, our clients (tenants, leaseholders) as well as with other third parties such as banks, insurers, pension providers and government, public and judicial authorities, as the case may be.
ITHRA has implemented reasonable technical and organizational security measures to protect Personal Data collected in the course of employment relationship against unauthorized access, disclosure, misuse, loss or destruction.
ITHRA may transfer Personal Data to countries located outside of the UAE. This may happen when ITHRA’s suppliers and/or service providers are based outside of the UAE or when ITHRA needs to transfer your Personal Data from ITHRA DIFC to one of the ITHRA group companies in the DIFC (or vice versa). ITHRA will adopt appropriate safeguards in accordance with the applicable data protection laws and regulations (including the DIFC Data Protection Law, where applicable) and take reasonable steps to ensure that your data privacy rights are respected. ITHRA will implement appropriate measures (such as standard contractual measures required under the DIFC Data Protection Law, where applicable, a copy of which you can obtain by contacting us) to ensure that the relevant third parties receiving your Personal Data provide an adequate level of protection to your Personal Data as required by applicable data protection laws and regulations.
5. FOR HOW LONG WILL MY PERSONAL DATA BE STORED
ITHRA will process and store your Personal Data for as long as it is necessary in order to fulfill the purpose for which it was collected including its contractual and statutory obligations and/or to comply with legal, regulatory, accounting, reporting or internal policy requirements. It should be noted here that business relationship with ITHRA is a long-term obligation, which is set up on the basis of periods of years. If the data is no longer required in accordance with the above, it is deleted or anonymized.
6. DATA SUBJECT’S RIGHTS
Depending on the applicable data protection laws and regulations, a Data Subject has certain rights in relation to their Personal Data. These include the right, to access, rectify, and erase Personal Data related to them. If you have any questions about the type of Personal Data we hold about you or if you wish to request correction of your Personal Data that we hold about you, or exercise any other Data Subject right, please contact us using the details above.
You can withdraw consent granted to us for the processing of Personal Data at any time. The withdrawal will not affect the lawfulness of processing based thereon before the withdrawal.
You have the right to restrict processing, the right to object and if applicable – the right to data portability.
While we will make reasonable efforts to accommodate your request as soon as reasonably possible, we reserve the right to reject such access requests or to impose restrictions or requirements upon such requests if required or permitted by applicable law.
To the extent that the DIFC Data Protection Law applies to you as a Data Subject, you have the right to lodge a complaint before the DIFC Data Protection Commissioner (DIFC Data Protection Authority), should ITHRA violate the DIFC Data Protection Law whilst processing your Personal Data.
7. USE OF PERSONAL DATA FOR DIRECT MARKETING
We may use your Personal Data for the purposes of marketing of our products and services to you.
You have the right to object to the Processing of your Personal Data for marketing purposes and we will provide you with the means to opt-out or unsubscribe to marketing communications.
8. ARE YOU OBLIGED TO PROVIDE THE PERSONAL DATA
Personal Data we process is necessary for us in order to enter a business contract and pursue a business relationship with our service providers/suppliers. Without this Personal Data, we may not be in a position to continue our business relationship with you.