Mashreq Capital (DIFC) Limited located at Unit 2803, level 28, Currency House – Tower 2, DIFC, P.O. Box 1250, Dubai, UAE and/or its affiliates and entities (collectively referred to as “Mashreq Capital”, “we”, “our” or “us”) acts as Data controller for the processing of your Personal Data. Any capitalised terms in this data privacy notice will have the meanings given to such terms in the section “Key terms” below. Mashreq Capital is subject to the Data Protection Law DIFC Law No. 5 of 2020 (and the related Data Protection Regulations), both as may be amended from time to time (collectively the “Data Protection Law”). The Data Protection Law prescribes rules and regulations regarding the processing (i.e. collection, handling, disclosure and use) of Personal Data in the DIFC, the rights of individuals to whom the Personal Data relates and the power of the DIFC Commissioner of Data Protection (“DIFC Commissioner”) in performing their duties in respect of matters related to the processing of Personal Data as well as the administration and application of the Data Protection Law.
This data privacy notice (the “Notice”) sets out the basis on which any information, including any Personal Data, we collect from you, or you provide to us, will be processed by Mashreq Capital.
Data controller: any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Data processor: any person who processes Personal Data on behalf of the Data controller.
Data Protection Law: means the DIFC Data Protection Law 2020, Law No. 5 of 2020 as may be amended, and the related Data Protection Regulations.
Data protection officer (DPO): person with expert knowledge of Data Protection Law and practices, officially appointed by the Data controller or Data processor to independently oversee data protection operations.
Group: MashreqBank PSC, its affiliates and/or subsidiaries.
Personal Data: any information related to an identified or identifiable natural person; an identifiable person is one who can be directly or indirectly identified by an identifier (such as a name, an identification number, location data, an online identifier or to one or more factors specific to the biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity of that natural person).
Processing: any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction.
Special Categories of Personal Data: means Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religions or philosophical beliefs, criminal record, trade-union membership and health or gender and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us. If your Personal Data is not kept accurate and current, it may delay or prevent us from providing you with our products and services or updating you on key changes to our products and services. If you discover that your Personal Data is inaccurate, please contact your relationship manager or our call centre at +971 4 424 4618 and our agents will promptly update or correct any erroneous information.
This Notice shall apply from 01st October 2020.
This Notice may be updated from time to time and we will notify you by email of any update without delay, in particular when material changes are made. You may also regularly check the webpage https://www.mashreqcapital.ae/en/capital/ so that you can read the up-to-date version.
The information about our products and services is available on our own website as well as through professional and financial advisors and anyone else who acts as a person sitting in between you and us in relation to what we do for you. In this Notice, we will call these persons “brokers and other intermediaries”.
When a broker or other intermediary processes your Personal Data on our behalf, and acts as Data Processor, this Notice will apply and you should contact us to exercise your rights under the Data Protection Law. When a broker or other intermediary processes your Personal Data as a Data Controller, its own privacy notice will apply and you should ask them for a copy if you do not have one by the time you are introduced to us.
Where a broker or other intermediary processes your Personal Data on our behalf, and acts as Data Processor, they will only process your Personal Data on our instructions. In accordance with the Data Protection Law, they are subject to appropriate obligations in terms of confidentiality, security and personal data protection.
We may process your Personal Data for the following purposes:
We process only relevant Personal Data about you that is needed to establish and maintain your account and provide products and services to you as the Data Protection Law allows or requires us to collect. We may collect Personal Data about you that is "non-public." Non-public Personal Data is data about you that we obtain in connection with providing a financial product or service to you.
The personal data we collect varies depending on the products or services you apply for and (if your application is successful) obtain from us. We set out below Personal Data that we generally process relating to all our products and services.
This includes but is not limited to:
We will generally collect your Personal Data from you directly and from the following sources:
We retain Personal Data from any application you submit for financial services. This includes but is not limited to Personal Data such as name, postal and e-mail address, phone numbers, employment and financial status, and credit history.
We retain the transaction Personal Data any time you make a transaction on one of your accounts. The transaction Personal Data includes your account number, date, amount, location of the transaction and any other pertinent Personal Data.
We obtain information online when you visit our website www.mashreqcapital.ae. This includes retaining Personal Data you provide us on any online application, or Personal Data you send to us by e-mail.
If you are introduced to us by a broker or intermediary, we will obtain some Personal Data about you indirectly from them when they introduce you to us.
In addition, we may obtain your Personal Data from other sources such as fraud prevention agencies, credit reference agencies, publicly available directories and information (e.g. telephone directory, social media, internet, news articles), other organisations to assist in prevention and detection of crime, police and law enforcement agencies. In addition, some of your Personal Data may come from other members of our Group if you already have a product with them.
The Data Protection Law requires us to explain what legal grounds justify our Processing of your Personal Data (this includes sharing it with other organisations). For some Personal Data Processing activities more than one legal ground may be relevant (except where we rely on your consent as the legal ground for Processing your Personal Data). Here are the legal grounds that are most relevant to us:
You have the right to withdraw your consent at any time. Please see the section below for more information on how you can exercise your right to withdraw your consent.
Much of what we do with your Personal Data is not based on your consent; instead, it is based on other legal grounds. For processing that is based on your consent, you have the right to withdraw that consent for future processing at any time. You can do this by contacting us using the contact details below (please refer to the below section “How you can contact us?”). Please note that any processing of your Personal Data that we undertook prior to you withdrawing your consent remains lawful.
We will tell the broker or other intermediary who introduced you to us that you have withdrawn your consent only if it is our data processor (this means an organisation who is processing Personal Data on our behalf) or if we are required to do so when you exercise certain other rights under the Data Protection Law. You should make sure to contact the broker or other intermediary directly to withdraw your consent for what they do with your Personal Data as a Data controller.
Some countries outside the DIFC, Dubai have been identified by the DIFC Data Protection Commissioner as having an adequate level of protection and transfers of Personal Data can be made to these countries without the need for putting additional, suitable, safeguards in place. Where a country has not been identified as having an adequate level of protection, we will make sure that suitable safeguards are in place before we transfer your Personal Data to such countries. These suitable safeguards include standard data protection clauses issued by the DIFC Data Protection Commissioner for use in these circumstances.
For more information about these suitable safeguards and how to obtain a copy of them or to find out where they have been made available you can contact us using the contact details below (please refer to the below section “How you can contact us?”).
We may be unable to provide you with products and services or to process your application without having certain Personal Data about you. Your Personal Data is required before you can enter into the relevant contract with us, or it is required during the life of that contract, or it is required by laws that apply to us. If we already hold some of the Personal Data that we need – for instance if you are already a customer – we may not need to collect it again when you make your application.
In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person face to face meetings and other communications.
Some of our monitoring may be to comply with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide security for you (such as in relation to fraud risks on your account) and for quality control and staff training purposes.
Some of our monitoring may check for obscene or profane content in communications.
We may conduct short term carefully controlled monitoring of your activities on your account(s) where this is necessary for our legitimate interests or to comply with our legal obligations. For instance, where we suspect fraud, or other crimes.
Telephone calls and/or in person meetings between us and you relating to your application and/or your account(s) may be recorded to make sure that we have a record of what has been discussed and what your instructions are. We may also record these types of calls for quality control and staff training purposes.
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements as provided by local sectorial law (where applicable).
In principle, your Personal Data is retained for the duration of our relationship with you + 6 years.
In the event of a claim, your Personal Data is retained until the end of the applicable statute of limitation period or, if there are legal proceedings, until the end of these proceedings.
For more information on the data retention periods applied to your Personal Data, you may choose to contact us by using the below contact details (please refer to the below section “How you can contact us?”).
We are committed to maintaining the confidentiality of your Personal Data. We will also comply with all legal requirements regarding the sharing and disclosure of Personal Data. As already mentioned above, we may disclose Personal Data to the following recipients where it is lawful to do so:
In order to provide financial services to you, we may share certain Personal Data about you with entities of our Group.
In order for us to conduct our operations, including servicing your account or processing your transactions, we may need to share Personal Data with our service providers, including data processing companies, and other payment processing companies, and financial service providers with whom we have joint marketing agreements. These service providers act on our behalf and have agreed in writing to keep the customer Personal Data we provide to them confidential. We share the following categories of information with third-party service providers depending on the specific services provided:
We do not share your account numbers with independent third-party marketers offering their own products and services. While we may assist in offering financial products and services of our affiliates or other financial service providers, we control your personal data used in connection with these offers and ensure that this is processed in accordance with our documented instructions.
We may share your Personal Data in response to a lawful request issued by the following public authorities or otherwise as permitted by applicable law:
We may also share your Personal Data in response to a request made by a merchant or business necessary to effect, administer or enforce a transaction that you had requested or authorized in connection with the servicing or processing of a financial product or service, or to maintain or service your account with us.
We maintain strict policies and security controls to assure that customer Personal Data in our computer systems and files is protected. Our employees and contractors are only permitted access to customer information that they may need to perform their jobs and to provide services to you. Our employees and contractors have access to such customer information as necessary to conduct a transaction or respond to your inquiries. All employees and contractors are required to respect customer privacy. No one except our employees and contractors has access to Mashreq Capital’s computer system and records storage. Mashreq Capital has ensured internal security controls, including physical, electronic and procedural safeguards to protect the information you provide to us and the information we collect about you. We will continue to review our internal security controls to safeguard your customer information as we employ new technology in the future.
We work hard to ensure that the customer information we maintain is complete and accurate. We have procedures and processes for updating our customer information as well as removing old, outdated information. We have measures in place to protect the integrity of customer information such as maintaining back-up copies of account data in the event of power outages or other business interruptions. We use computer virus detection and eradication software and employ other technical means (known as "firewalls") to protect against unauthorized computer entry into systems containing customer information.
From our website (http://www.mashreqcapital.ae/), you may apply for accounts and services, and you may communicate with us via e-mail. To protect the information you provide to us online, we use multiple levels of security. Generally, e-mail communication over the Internet cannot be assumed to be secure.
Under certain circumstances, the Data Protection Law provides you with the right to:
Please note that we will not be required to provide you with any Personal Data that you already possess.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you are not satisfied with the way your Personal Data is processed, you have the right to lodge a complaint before the DIFC Commissioner. You may contact the DIFC Commissioner at:
Dubai International Financial Centre Authority
Level 14, The Gate Building
+971 4 362 2222
If you have any questions about this Notice, our privacy practices or want to exercise your rights, please write to us at DPO@mashreq.com or send us your correspondence at:
Injaz Building I, Floor III
Dubai Outsource Zone, P O Box No. 1250,
Al Manama street, Dubai.