Data Protection Policy
Your privacy is important to us. We are committed to be transparent about how we collect or otherwise process your personal information.
This Data Protection Policy (thereafter “the Policy”) is therefore intended to inform you how we collect, use, and share your personal information. Please read it carefully to understand our practices and your rights.
Kindly note that Probus Group’s website (“the Website”) is not intended for use by children [under the age of 16] and we do not knowingly collect or use personal information of children.
2. Controller and Data Protection Officer
For the purposes of the Data Protection Law 2020 DIFC Law No.5 of 2020 (“the Law”) enacted in the Dubai International Financial Centre (“DIFC”) and the European Union General Data Protection Regulations 2016/679, the Data Controller is Probus Middle East Limited (thereafter referred to as “PMEL”, “we”, or “us”). Our full contact details are:
DIFC - Emirates Financial Towers
South Tower - Office 1101
P.O. Box 9519 - Dubai
UNITED ARAB EMIRATES
+971 4 305 8000 (International rates may apply)
2.2 Data Protection Officer
Our Data Protection Officer is Mr Usman Basharat. You can contact him at email@example.com via postal address of Probus (with sealed envelope addressed to the Data Protection Officer) or by calling on telephone number of PMEL provided above.
The terms and expressions listed below should be interpreted as follows:
“AML/CFT” means Anti-Money Laundering and Combating Financing of Terrorism;
“Applicable Law” means all applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings or awards of any government, quasi-government, statutory or regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction
“Controller” means any person who alone or jointly with others determines the purposes and means of the Processing of Personal data;
“Commissioner” means the person appointed by the President of the DIFC pursuant to Article 43(1) of the Law to administer the Law;
“Data Protection Officer” means a data protection officer appointed by a Controller (including a Joint Controller), or Processor to independently oversee relevant data protection operations in the manner set out in Article 16, 17, 18 and 19 of the Law;
“Data Subject” means the identified or Identifiable Natural Person to whom Personal data relates;
“DFSA” means Dubai Financial Services Authority;
“DIFC” means the Dubai International Financial Centre;
“Direct marketing” means any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services;
“Filing System” any structured set of Personal data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis;
“Group” any group of entities that are related to each other by virtue of being Subsidiaries of the same Ultimate Holding Company or subsidiaries of any such Subsidiaries. Ultimate Holding Company and Subsidiary have the meaning given in the DIFC Companies Law, Law No. 5 of 2018 (as amended or updated);
“High Risk Processing Activities” means Processing of Personal data where one (1) or more of the following applies:
(a)Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;
(b)a considerable amount of Personal data will be Processed (including staff and contractor Personal data) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal data or risks relating to the security, integrity or privacy of the Personal data;
(c)the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
(d)a material amount of Special Categories of Personal data is to be Processed;
“Identifiable Natural Person” means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly);
“Joint Controller” any Controller that jointly determines the purposes and means of Processing with another Controller;
“Processor” means any person who Processes Personal data on behalf of a Controller;
“Personal data” means any information relating to a data subject
“Personal data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise Processed;
“Process, Processed, Processes and Processing” means any operation or set of operations performed upon Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal data by: (a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or (b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security;
“Profiling” the automated Processing of Personal data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
“Ruler” means the Ruler of the Emirate of Dubai;
“Single Discrete Incident” a processing operation or a collection of Processing operations that relate to a: (a) single, non-recurring transaction; or (b) non-recurring and clearly defined purpose that a Data Subject is seeking to achieve, in each case, with a definable end point.
“Special Category of Personal data” means Personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person;
“Sub-Processor” means a processor appointed by the Processor as set out in Article 24(2);
“Substantial Public Interest” means includes, but is not limited to:
(a) administration of justice, including criminal and regulatory investigations; and
(b) exercise of a function conferred on a person by Applicable Law;
“Supervisory authorities” means the DFSA, Commissioner of Data Protection and any other authority supervising our business activities;
“Third Country” means jurisdiction other than the DIFC, whether in the UAE or elsewhere;
“Third Party” means any person authorised to Process Personal data, other than the: (a) the Data Subject; (b) the Controller; (c) Joint Controller; (d) the Processor; or (e) Sub-processor.
Probus Middle East Limited is regulated by the Dubai Financial Services Authority as a Category 3C firm and is licensed to provide the following financial services:
Arranging Credit and Advising on Credit;
Arranging Deals in Investments; and
Advising on Financial Products.
5.To what does the Policy apply to?
The Policy applies to the processing of Personal data we gather or use when you visit or use the Website, when you visit or use our social media accounts, when we discharge our obligations in relation to a contract between you and PMEL, and when you interact with us in general.
Note that the Website may include links to third party websites. We do not have any control and accept no responsibility for the way these third party websites operate and collect or process Personal data. When accessing these third party websites we recommend that you consult the privacy policies of every website you visit. It may be useful to read our cookies policy for more information about how to manage cookies that may get into your computer or other device when browsing our website.
This Policy supplements other privacy notices we may provide you on specific occasions when we collect Personal data about you to inform you about how we will use your data.
6.Collection of Information
There may be various ways by which you provide us with information about you. This includes, for example, if you fill in the contact us form on the Website (personal information provided includes your name, email address, and maybe more personal information depending on the message you send us), by liaising with us by telephone, e-mail, fax or other similar means. Other ways by which we may get your information is if you apply for a job, enquire or engage the services of PMEL, subscribe to receive our periodic newsletter or you make a complaint or enquiry to us among others.
When accessing the Website, the personal information you give us may include your name, address, e-mail address and phone number, certain device information, username, password, residential building, work address, photograph and other information you choose to provide or that is required depending on the use you make of the Website.
Kindly note that we may collect Special Categories of Personal data in certain specific circumstances if we require this in view of satisfying applicable legal and regulatory obligations.
7. How do we collect your personal information?
We collect personal information through the methods described below:
Directly from you when you:
Visit or use our website and social media account(s);
Subscribe / use any of our products and/or services;
Interact with us by telephone, in writing (electronic format or courier) or in person;
Sending us emails or other forms of correspondences;
Subscribe to newsletters, or other communications from us;
Fill in the contact us form on our website; and
Give us feedback.
From third parties when:
-In case a third party mandated by you provides us with information we require to provide our products and/or services, or for the legitimate interest of our business in general;
-We conduct searches and screening processes using search engines / browsers and/or third party service providers to satisfy our legal and regulatory duties under Anti-Money Laundering and Combating Terrorism Financing legislations.
8.How and why do we use your Personal data?
We process your Personal data for lawful, specific and legitimate purposes. We ensure to process Personal data that is adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected. The table below describes the purposes for which we process your Personal data:
-Fulfil our duties as per the contract signed with our clients;
-Comply with relevant legal and regulatory obligations (For example AML/CFT requirements);
-Address inquiries or complaints;
-Provide you with information about our products and services;
-Fraud Prevention, Crime Investigation and reporting of Financial Crime;
-Administering and Managing risks;
-Personalizing our activities on an ongoing basis to ensure customer satisfaction;
-Establishment, exercise and defense of legal claims (if any);and
-Responding to legitimate requests from supervisory and other relevant authorities.
We may use screening processes, mechanisms and/or software as part of our Customer Due Diligence process in order to comply with applicable laws, including AML/CFT laws and for our legitimate interest in preserving the integrity of our organization. This screening process may lead us to take decisions terminating business relationships or satisfying our reporting obligations with our supervisory authority if deemed necessary.
We will request your consent in case we want to use your Personal data for any direct marketing, or other similar campaigns. Not providing your consent will entail that we shall not do any direct marketing or other similar campaigns with you, but this will not affect the contractual business relationship we have with you (if any).
9.What is the legal basis for processing your Personal data?
The Law requires us to inform data subjects of the legal grounds (or legal basis) we rely on for processing their Personal data. We generally rely on one or more of the following legal basis to process personal information:
To take steps at your request to enter into a contract with you or perform our contractual obligations towards you;
To satisfy a requirement of an applicable Law (example AML/CFT requirements);
To protect your vital interests or that of another person;
Our legitimate interests in the effective delivery of services and information to you;
Our legitimate interests in the effective and lawful operation of our business activities;
Our legitimate interests in managing, developing and improving our business, services, platforms and offerings (on condition that your rights and freedoms do not override these interests);or
Where there is no other legal basis which is applicable, your consent to us processing your Personal data for the relevant purpose.
10. Information Security
PMEL is committed to ensure that Personal data it has in its possession is adequately protected. As such, we have implemented the below safeguards, in line with the relevant requirements of the Law:
Appointment of a suitably qualified and experienced Data Protection Officer who will have the responsibility to ensure that we are at all time compliant with the Law, and ensure adequate security and protection of Personal data;
Implementation of Data Protection policies and procedures, in line with the requirements of the Law, to ensure the safekeeping of information;
Implementation of appropriate security measures to safeguard the integrity of information, both in physical and electronic format. This includes appropriate authentication mechanism, adequate physical security to our office premises to monitor access and robust security software to prevent intrusions and unauthorized access;
We have a robust IT infrastructure and a well-structured business continuity and disaster recovery plan in place to preserve the integrity of Personal data at all times and under any circumstances;
Implementation of relevant measures for employee screening prior to on-boarding and ongoing training on data privacy;
Implementation of appropriate confidentiality and non-disclosure clauses in any agreement we execute with service providers, or other third party (as applicable).
Note that the above is a non-exhaustive list.
Although we have taken reasonable measures to protect your Personal data, we cannot guarantee the security of the Personal data you transmit to us over the internet as it also depends on the security of the device you use, among other factors.
11. For how long do we keep your Personal data?
We retain Personal data for as long as it is necessary to fulfil the purpose for which it was collected, our legal or business purposes, or as required by relevant laws.
With regards to marketing, if you do not provide your consent, or if you withdraw your consent to any marketing communications or any other processing which require your consent, we will remove you permanently from our marketing database.
12. Who has access to your personal information?
Access to your Personal data is restricted to persons on a need-to-know basis and, subject to a duty of confidentiality. This includes employees, third party contractors or service providers who need access to your information to allow us to fulfil our contract with you, or for our legitimate business purposes. If we are required to share your Personal data, we will ensure that the third party has implemented appropriate Data Protection measures and are required to process Personal data with equivalent degree of care as required by the Law. We do not allow any third party service providers to use your Personal data for any other purposes than the one for which it was collected for.
We also communicate your personal information when required by law to Supervisory authorities, law enforcement authorities, government organisations and agencies to fulfil our legal and regulatory obligations, as applicable.
13. How can you manage your marketing communication preferences?
We will only send you marketing communications if you have requested information from us or if you have given your consent to receive marketing communication from us.
If you wish to stop receiving marketing communications from us or if you wish to update your marketing communication preferences please write to firstname.lastname@example.org You may also click the Unsubscribe link at the bottom of any marketing email you receive from us.
If you do not wish to receive our advertisements or notifications within social media, you need to update your preferences on these platforms.
A cookie is a small text file that is placed on the device you use to browse. It collects information about how you navigate the Internet, which helps to tailor content.
15.Rights of Data Subjects
You have rights in relation to your personal information. Please see your rights below:
a.Right to Access
You can ask us for confirmation as to whether or not we are processing your Personal data and where this is the case, you can request to receive a copy of the Personal data we hold about you and obtain specific information. This includes but is not limited to:
the source of your personal information that we process:
the purposes of processing your Personal data,
the legal basis and methods of processing your Personal data;
the data controller’s identity; and
the entities or categories of entities to whom we may transfer your personal information to.
b.Right for Rectification
This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data you provide to us before rectifying it.
c.Request erasure of your Personal data
This enables you to ask us to delete or remove your Personal data in the following circumstances:
It is no longer required for the purpose(s) for which it was collected and there is no lawful and legitimate reason for us continuing to process it;
You have successfully exercised your right to object to processing (see below);
Processing was based on consent and you have withdrawn your consent;
Your Personal data was processed unlawfully; or
We are required to erase your Personal data to comply with any of the laws mentioned above.
Please note that we may not be required to comply with your request to erase personal information if the processing of your personal information is necessary:
for compliance with an applicable law; or
for the establishment, exercise or defence of legal claims.
d. Right to Object
You may object to processing of your Personal data at any time on reasonable grounds relating your particular situation to the processing.
You also have the right to be informed before your Personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and subsequently, should you wish so, object to this disclosure and/or use.
You may object that we take decisions that may have legal or other similar consequences based solely on automated processing (example profiling). This is subject to a few limitations.
the right to object applies in certain circumstances only, and its applicability will
depend on the purpose of processing and the relevant lawful basis;
If you object to the processing of your Personal data and we have no overriding
grounds, we will stop processing your Personal data;
If we stop processing your data in view of the objection made, we will erase your
Personal data unless same is also being processed for other purposes.
e. Right to Restriction
This enables you to ask us to restrict the processing of your Personal data, but only where:
you contest the accuracy of your Personal data and the restriction period allows us to establish the data’s accuracy;
our use of the data is unlawful but you do not want us to erase it, and you request for restriction of processing instead;
you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
you have exercised your right to object and we need to verify whether we have overriding legitimate grounds to continue the processing.
Please note that we are allowed to continue using your personal information following a request for restriction, where:
we have your consent to do so;
to establish, exercise or defend legal claims;
to protect the rights of another person; or
it is for reasons of substantial public interest
We shall communicate any restriction of processing, rectification and/or erasure of your Personal data to each recipient to whom the data has been disclosed (if applicable). Additionally, we shall inform you about the recipient(s) upon request.
f.Right to Portability
This enables you to request us to provide you, or another person of your choice (where technically feasible), your Personal data in a structured, commonly used, machine-readable format. Please note that this right only applies when:
The processing was based on your consent or on the performance of a contract with you; and
We processed your Personal data by automated means.
g.Right to Withdraw Consent
Where we are relying on your consent to process your Personal data, you have the right to withdraw your consent at any time. Note however that withdrawal of consent will not affect the lawfulness of processing based on consent prior to the withdrawal.
16. How to exercise your rights
To make it easy for a Data Subject to exercise his rights, we have put in place different channels as outlined below:
Fill in the Data Subject Request Form and click submit. The form will be sent to our Data Protection Officer who will contact you as soon as possible;
Send an email to our Data Protection Officer on email@example.com;
Call on +971 4 305 8000 and ask to talk to our Data Protection Officer; or
Send a written correspondence to the below address to the attention of the Data Protection Officer:
DIFC - Emirates Financial Towers
South Tower - Office 1101
P.O. Box 9519 - Dubai
UNITED ARAB EMIRATES
17.Complaint to the DIFC Commissioner of Data Protection
While we did our best to implement appropriate measures to safeguard your Personal data, and allow you to exercise your rights effectively, you have the right to lodge a complaint with the DIFC Commissioner of Data Protection should you believe that we have breached the Law or your rights.
18.Change to the Policy
Kindly note that we may change this policy from time to time and without prior notice. We would therefore encourage you to consult our Website Data Protection Policy periodically to keep up to date with any changes made. If you continue to use our website, we shall take this as an acceptance from your side to the changes made to our policy.
In case there are any material change in the manner into which we process your Personal data, we will duly inform you of same via email, or another appropriate channel.