DATA PRIVACY NOTICE

IMPORTANT INFORMATION AND WHO WE ARE

Mashreq Capital (DIFC) Limited located at Unit 2803, level 28, Currency House – Tower 2, DIFC, P.O. Box 1250, Dubai, UAE and/or its affiliates and entities (collectively referred as “Mashreq Capital”, “we”, “our” or “us”) acts as Data controller on the processing of your Personal Data. Any capitalised terms in this data privacy notice will have the meanings given to such terms in the section “Key terms” below. Mashreq Capital is subject to the Data Protection Law DIFC Law No. 5 of 2020 (and the related Data Protection Regulations), both as may be amended from time to time (collectively the “Data Protection Law”). The Data Protection Law prescribes rules and regulations regarding the processing (i.e. collection, handling, disclosure and use) of Personal Data in the DIFC, the rights of individuals to whom the Personal Data relates and the power of the DIFC Commissioner of Data Protection (“DIFC Commissioner”) in performing their duties in respect of matters related to the processing of Personal Data as well as the administration and application of the Data Protection Law.

This data privacy notice (the “Notice") sets out the basis on which any information, including any Personal Data, we collect from you, or you provide to us, will be processed by Mashreq Capital.

Key terms regarding data protection

Data controller: any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Data processor: any person who processes Personal Data on behalf of the Data controller.

Data Protection Law: means the DIFC Data Protection Law 2020, Law No. 5 of 2020 as may be amended, and the related Data Protection Regulations.

Data protection officer (DPO): person with expert knowledge of Data Protection Law and practices, officially appointed by the Data controller or Data processor to independently oversee data protection operations.

Group: MashreqBank PSC, its affiliates and/or subsidiaries

Personal Data: any information related to an identified or identifiable natural person; an identifiable person is one who can be directly or indirectly identified by an identifier (such as a name, an identification number, location data, an online identifier or to one or more factors specific to the biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity of that natural person).

Processing: any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction.

Special Categories of Personal Data: means Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religions or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Duty to inform us of changes to keep your Personal Data accurate

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us. If your Personal Data is not kept accurate and current, it may delay or prevent us from providing you with our products and services or updating you on key changes to our products and services. If you discover that your Personal Data is inaccurate, please contact your relationship manager or our call centre at +971 4 424 4618 and our agents will promptly update or correct any erroneous information.

Changes to this Notice

This Notice shall apply from 01st October 2020.

This Notice may be updated from time to time and we will notify you, in particular when material changes are made, by email of any update without delay. You may also check regularly the webpage https://www.mashreqcapital.ae/en/capital/ so that you can read the up to date version.

Have you been introduced to us by a broker or other intermediary?

The information about our products and services are available on our own website as well as through professional and financial advisors and anyone else who acts as a person sitting in between you and us in relation to what we do for you. In this Notice, we will call these persons “brokers and other intermediaries”.

When a broker or other intermediary processes your Personal Data on our behalf, and acts as Data Processor, this Notice will apply and you should contact us to exercise your rights under the Data Protection Law. When a broker or other intermediary processes your Personal Data as a Data Controller, its own privacy notice will apply and you should ask them for a copy if you do not have one by the time you are introduced to us.

Where a broker or other intermediary processes your Personal Data on our behalf, and acts as Data Processor, they will only process your Personal Data on our instructions. In accordance with the Data Protection Law, they are subject to appropriate obligations in terms of confidentiality, security and personal data protection.

THE DESCRIPTION OF THE PROCESSING ACTIVITIES WE PERFORMED REGARDING YOUR PERSONAL DATA

FOR WHICH PURPOSES OF PROCESSING DO WE PROCESS YOUR PERSONAL DATA?

We may process your Personal Data for the following purposes:

  • The management of our business relationship with you, in order to administer this relationship;
  • Complying with legal and regulatory obligations to which we are subject (fight against anti-money laundering and terrorist financing; anti-bribery and corruption; accounting and tax purposes; etc.);
  • Internal financial accounting, information technology (for example, the provision of IT support on network and servers, and on our IT tools) and other administrative support services;
  • The provision of certain facilities when you visit our office (such as access to our buildings and conference rooms or Wi-Fi), to control access to our building, and to protect our offices, personnel, goods and confidential information (for example, by using CCTV, or by keeping a record of visitors and providing them with a temporary access badge to our offices);
  • To establish, exercise or defend legal rights;
  • To convert your Personal Data into statistical or aggregated data which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this Notice;

DO WE USE YOUR PERSONAL DATA FOR ANY OTHER PURPOSE?

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us by using the contact details below (please refer to the below section “How you can contact us?”). If we need to use your Personal Data for an unrelated purpose, we will collect your consent if required or will notify you and we will explain the legal basis which allows us to do so.

WHAT CATEGORIES OF PERSONAL DATA ABOUT YOU DO WE PROCESS?

We process only relevant Personal Data about you that is needed to establish and maintain your account and provide products and services to you as the Data Protection Law allows or requires us to collect. We may collect Personal Data about you that is "non-public." Non-public Personal Data is data about you that we obtain in connection with providing a financial product or service to you.

The personal data we collect varies depending on the products or services you apply for and (if your application is successful) obtain from us. We set out below Personal Data that we generally process relating to all our products and services.

This includes but is not limited to:

  • Your title, full name, signature, and contact details, including for instance your email address, home and mobile telephone numbers and fax number;
  • Your home address, correspondence address (where different from your home address) and address history;
  • Your date of birth and/or age, e.g. to make sure that you are eligible to apply for the product and/or that it is suitable for you;
  • Your place of birth, nationality, residency details and any other citizenships if this is necessary for us to comply with our legal and regulatory requirements;
  • Your government identification number and identification documents including for instance document type, number, country of issue and expiry date;
  • Records of how you have contacted us and, if you get in touch with us online, details such as your mobile phone location data, IP address and MAC address;
  • Details of your marital status, spouse’s name and account information, dependents, beneficiaries, beneficial owners, representatives, indemnifiers, tax status, sources of income and funds, assets and liabilities, and whether you are a politically exposed person;
  • Details of shareholdings, prominent functions, directorships and/or employment including for instance your occupation, salary, employer and length of service;
  • Details of the products and services you both apply for and receive from us, including for instance application information, customer ID number, account number, account balance and currency, account history, security or collateral held by us, your branch name, , direct debits, payment transactions, cards held, card numbers, details of additional signatories, banking details, information relating to complaints and/or fraud reports, and details associated with account closure;
  • Security identifiers;

WHAT IS THE SOURCE OF YOUR PERSONAL DATA?

We will generally collect your Personal Data from you directly and from the following sources:-

  • Application Information

    We retain Personal Data from any application you submit for financial services. This includes but is not limited to Personal Data such as name, postal and e-mail address, phone numbers, employment and financial status, and credit history.

  • Your Transactions

    We retain the transaction Personal Data any time you make a transaction on one of your accounts. The transaction Personal Data includes your account number, date, amount, location of the transaction and any other pertinent Personal Data.

  • Online

    We obtain information online when you visit our website www.mashreqcapital.ae. This includes retaining Personal Data you provide us on any online application, or Personal Data you send to us by e-mail.

If you are introduced to us by a broker or intermediary, we will obtain some Personal Data about you indirectly from them when they introduce you to us.

In addition, we may obtain your Personal Data from other sources such as fraud prevention agencies, credit reference agencies, , publicly available directories and information (e.g. telephone directory, social media, internet, news articles), , other organisations to assist in prevention and detection of crime, police and law enforcement agencies. In addition, some of your Personal Data may come from other members of our Group if you already have a product with them.

WHAT ARE THE LEGAL GROUNDS FOR OUR PROCESSING OF YOUR PERSONAL DATA (INCLUDING WHEN WE SHARE IT WITH OTHERS)?

The Data Protection Law requires us to explain what legal grounds justify our Processing of your Personal Data (this includes sharing it with other organisations). For some Personal Data Processing activities more than one legal ground may be relevant (except where we rely on your consent as the legal ground for Processing your Personal Data). Here are the legal grounds that are most relevant to us:

  1. Processing necessary to perform our contract with you or for taking steps prior to entering it:
    1. Administering and managing your account(s) and related services, updating your records, tracing your whereabouts to contact you about your account;
    2. Sharing your Personal Data with other payment services providers such as when you ask us to share information about your account with them; and
    3. All stages and activities relevant to managing your account(s) including enquiry, application, administration and management of accounts, illustrations, requests for transfers of equity etc.
  2. Where we consider that, on balance, it is appropriate for us do so, processing necessary for the following legitimate interests which apply to us and in some cases other organisations (who we list below) are:
    1. Administering and managing your account(s) and services relating to that, updating your records, tracing your whereabouts to contact you about your account and advise you in relation to products and services;
    2. To test the performance of our products, services and internal processes;
    3. For management and audit of our business operations including accounting and insurance;
    4. To carry out searches at pre-application, at the application stage, and periodically after that. Where you have been introduced to us by a broker or other intermediary they may do these searches on our behalf;
    5. To carry out monitoring and to keep;
    6. To administer our good governance requirements and those of other members of our Group;
    7. For market research and analysis and developing statistics;
    8. When we share your Personal Data with these other people or organisations;
      • Your guarantor (if you have one);
      • Trustees and beneficiaries and any person with power of attorney over your affairs (in each case only if relevant to you);
      • Members of our Group;
      • Other financial services providers such as when you ask us to share information about your account with them;
      • Our legal and other professional advisers, auditors and actuaries;
      • Financial institutions and trade associations;
      • Tax authorities who are overseas for instance if you are subject to tax in another jurisdiction we may share your Personal Data directly with relevant tax authorities overseas
      • Other organisations and businesses who provide services to us such as financial agencies, back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions;
      • Buyers and their professional representatives as part of any restructuring or sale of our business or assets; and
      • Market research organisations who help us to develop and improve our products and services.
  3. Processing necessary to comply with our legal obligations:
    1. For compliance with laws that apply to us (e.g. fight against anti-money laundering and terrorist financing, etc.);
    2. For establishment, defence and enforcement of our legal rights or those of any other member of our Group;
    3. For activities relating to the prevention, detection and investigation of crime;
    4. To carry out identity checks, financial checks, and checks with fraud prevention agencies pre-application, at the application stage, and periodically after that. Where you have been introduced to us by a broker or other intermediary they may do these searches on our behalf.
    5. To carry out monitoring and to keep records;
    6. To deal with requests from you to exercise your rights under the Data Protection Law;
    7. To process information about a crime or offence and proceedings related to that (in practice this will be relevant if we know or suspect fraud); and
    8. When we share your Personal Data with these other people or organisations:
      • Your guarantor (if you have one);
      • Trustees and beneficiaries, and the person with power of attorney over your affairs;
      • Other financial services providers such as when you ask us to share information about your account with them;
      • Fraud prevention agencies and law enforcement agencies
  4. Processing with your consent:
    1. When you request that we share your Personal Data with someone else and consent to that
    2. When we would like to use your Personal Data for a purpose unrelated to the one for which it was initially collected, if consent is required under the Data Protection Law.

You have the right to withdraw your consent at any time. Please see the section below for more information on how you can exercise your right to withdraw your consent.

HOW AND WHEN CAN YOU WITHDRAW YOUR CONSENT?

Much of what we do with your Personal Data is not based on your consent, instead it is based on other legal grounds. For processing that is based on your consent, you have the right to withdraw that consent for future processing at any time. You can do this by contacting us using the contact details below (please refer to the below section “How you can contact us?”). Please note that any processing of your Personal Data that we undertook prior to you withdrawing your consent remains lawful.

We will tell the broker or other intermediary who introduced you to us that you have withdrawn your consent only if it is our data processor (this means an organisation who is processing Personal Data on our behalf) or if we are required to do so when you exercise certain other rights under the Data Protection Law. You should make sure to contact the broker or other intermediary directly to withdraw your consent for what they do with your Personal Data as a Data controller.

IS YOUR PERSONAL DATA TRANSFERRED OUTSIDE THE DIFC, DUBAI?

Some countries outside the DIFC, Dubai have been identified by the DIFC Data Protection Commissioner as having an adequate level of protection and transfers of Personal Data can be made to these countries without the need for putting additional, suitable, safeguards in place. Where a country has not been identified as having an adequate level of protection. we will make sure that suitable safeguards are in place before we transfer your Personal Data to such countries. These suitable safeguards include standard data protection clauses issued by the DIFC Data Protection Commissioner for use in these circumstances.

For more information about these suitable safeguards and how to obtain a copy of them or to find out where they have been made available you can contact us using the contact details below (please refer to the below section “How you can contact us?”).

DO YOU HAVE TO PROVIDE YOUR PERSONAL DATA TO US?

We may be unable to provide you with products and services or to process your application without having certain Personal Data about you. Your Personal Data is required before you can enter into the relevant contract with us, or it is required during the life of that contract, or it is required by laws that apply to us. If we already hold some of the Personal Data that we need – for instance if you are already a customer – we may not need to collect it again when you make your application.

DO WE DO ANY MONITORING INVOLVING PROCESSING OF YOUR PERSONAL DATA?

In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person face to face meetings and other communications.

Some of our monitoring may be to comply with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide security for you (such as in relation to fraud risks on your account) and for quality control and staff training purposes.

Some of our monitoring may check for obscene or profane content in communications.

We may conduct short term carefully controlled monitoring of your activities on your account(s) where this is necessary for our legitimate interests or to comply with our legal obligations. For instance, where we suspect fraud, or other crimes.

Telephone calls and/or in person meetings between us and you relating to your application and/or your account(s) may be recorded to make sure that we have a record of what has been discussed and what your instructions are. We may also record these types of calls for the quality control and staff training purposes.

FOR HOW LONG IS YOUR PERSONAL DATA RETAINED BY US?

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements as provided by local sectorial law (where applicable).

In principle, your Personal Data is retained for the duration of our relationship with you + 6 years.

In the event of a claim, your Personal Data is retained until the end of the applicable statute of limitation period or, if there are legal proceedings, until the end of these proceedings.

For more information on the data retention periods applied to your Personal Data, you may choose to contact us by using the below contact details (please refer to the below section “How you can contact us?”).

WHOM DO WE SHARE YOUR PERSONAL DATA WITH?

We are committed to maintaining the confidentiality of your Personal Data. We will also comply with all legal requirements regarding the sharing and disclosure of Personal Data. As already mentioned above, we may disclose Personal Data to the following recipients where it is lawful to do so:

Sharing Information with members of our Group

In order to provide financial services to you, we may share certain Personal Data about you with entities of our Group.

Sharing Information with Third-Party Service Providers

In order for us to conduct our operations, including servicing your account or processing your transactions, we may need to share Personal Data with our service providers, including data processing companies, and other payment processing companies, and financial service providers with whom we have joint marketing agreements. These service providers act on our behalf and have agreed in writing to keep the customer Personal Data we provide to them confidential. We share the following categories of information with third-party service providers depending on the specific services provided:

  • Personal Data relating to identity (name, address and account number)
  • Account data (type of accounts, account balances and transaction history)
  • Transaction data (dates, amounts, locations and type of transaction)

We do not share your account numbers with independent third-party marketers offering their own products and services. While we may assist in offering financial products and services of our affiliates or other financial service providers, we control your personal data used in connection with these offers and ensure that this is processed in accordance with our documented instructions.

Sharing Information as Legally Required or Permitted

We may share your Personal Data in response to a lawful request issued by the following public authorities or otherwise as permitted by applicable law:

  • a court
  • a government agency
  • a regulatory authority

We may also share your Personal Data in response to a request made by a merchant or business necessary to effect, administer or enforce a transaction that you had requested or authorized in connection with the servicing or processing of a financial product or service, or to maintain or service your account with us.

HOW SECURE IS YOUR PERSONAL DATA WITH US?

Our Confidentiality and Security Safeguards

We maintain strict policies and security controls to assure that customer Personal Data in our computer systems and files is protected. Our employees and contractors are only permitted access to customer information that they may need to perform their jobs and to provide services to you. Our employees and contractors have access to such customer information as necessary to conduct a transaction or respond to your inquiries. All employees and contractors are required to respect customer privacy. No one except our employees and contractors has access to Mashreq Capital’s computer system and records storage. Mashreq Capital has ensured internal security controls, including physical, electronic and procedural safeguards to protect the information you provide to us and the information we collect about you. We will continue to review our internal security controls to safeguard your customer information as we employ new technology in the future.

Information Integrity Measures

We work hard to ensure that the customer information we maintain is complete and accurate. We have procedures and processes for updating our customer information as well as removing old, outdated information. We have measures in place to protect the integrity of customer information such as maintaining back-up copies of account data in the event of power outages or other business interruptions. We use computer virus detection and eradication software and employ other technical means (known as "firewalls") to protect against unauthorized computer entry into systems containing customer information.

Online Privacy Protection

From our website (http://www.mashreqcapital.ae/ ), you may apply for accounts and services, and you may communicate with us via e-mail. To protect the information, you provide to us online, we use multiple levels of security. Generally, e-mail communication over the Internet cannot be assumed to be secure.

WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Under certain circumstances, the Data Protection Law provides you with the right to:

  • Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you in electronic form. You can also request confirmation in writing as to whether or not Personal Data relating to you is being processed and request details of the purposes for which we are processing that Personal Data, the categories of Personal Data concerned and the recipients or categories of recipients to whom we disclose that Personal Data,
  • Request rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate Personal Data we hold about you rectified, so long as it is technically feasible to do so.
  • Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where the processing of the Personal Data is no longer necessary in relation to the purposes for which it was collected. You also have the right to ask us to delete your Personal Data where you have exercised your right to object to processing (see below) and there is no overriding legitimate grounds for us to continue with the Processing; where you have withdrawn your consent (in the circumstances where we are processing your Personal Data on the basis of that consent; or where the processing is unlawful or we need to erase the Personal Data to comply with applicable law.
  • Object to the processing of your Personal Data on reasonable grounds relating to your particular situation where we are relying on a legitimate interest (or those of a third party) to process your Personal Data. We will also inform you before we process your Personal Data for direct marketing purposes and you also have the right to object where we are processing your Personal Data for direct marketing purposes.
  • Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the portability of your personal data, i.e. the transfer of your Personal Data directly to another party in the circumstances where we are processing your Personal Data on the basis of your consent or as required for the performance of a contract and the processing is carried out by automated means. We will only be able to undertake such a transfer where it is technically feasible to do so and in the circumstances where it does not infringe on the rights of any other natural person.

Please note that we will not be required to provide you with any Personal Data that you already possess.

No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you are not satisfied with the way your Personal Data is processed, you have the right to lodge a complaint before the DIFC Commissioner. You may contact the DIFC Commissioner at:

Dubai International Financial Centre Authority
Level 14, The Gate Building
+971 4 362 2222
commissioner@dp.difc.ae

HOW YOU CAN CONTACT US?

If you have any questions about this Notice, our privacy practices or want to exercise your rights, please write to us at DPO@mashreq.com or send us your correspondence at:

Group DPO
Injaz Building I, Floor III
Dubai Outsource Zone, P O Box No. 1250,
Al Manama street, Dubai.

Contact Number & Working Hours

  • Contact Number : +971 4 424 4618
  • Working Hours : Sunday to Thursday 8:30am - 5:00pm

Join us on

Office Address

Mashreq Capital (DIFC) Ltd
Al Fattan Currency House, Tower 2, Floor 28, Office 2803
Dubai International Financial Centre (DIFC)
Post Box 1250, Dubai, UAE

Copyright © 2020 Mashreq. All Rights Reserved.