Dubai International Financial Centre and/or its affiliates and entities (collectively “DIFC”, “we” or “us”) value your security and privacy. DIFC has its own Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”), and may for certain types of personal data processing, be subject to laws from other jurisdictions.
This online data protection policy (the “Policy") sets out the basis on which any information, including any personal data, we collect from you, or you provide to us, will be processed by DIFC. Each time you access or use the Website Services or provide us with information, by doing so you acknowledge the practices described in this Policy. For use of specific services, i.e., the DIFC public wi-fi, you may be asked to opt-in to our use of the information you submit there. Your rights described herein apply in these instances as well.
1. Scope and application
This Policy applies to persons anywhere in the world who access or use DIFC’s Website Services or the App (“Users”).
2. Collection of Information
Information you give us
This is personal data you give us by providing information or filling in forms on the App or any DIFC-owned Website Services, or by corresponding with us (for example, by telephone, e-mail or any other digital or electronic form). It includes for example information you provide when you register using the DIFC-provided online client portal, or download and register to use the App, search for the App in app stores (including but not limited to Apple App Store and Google Play Store), share data via the App's social media functions, and when you report a problem with the App, or any of our Website Services. If you contact us, we will keep at least an electronic record of such correspondence, including personal information shared at that time, in order to reply or process it as per your request. The personal information you give us may include your name, address, e-mail address and phone number, certain device information, username, password, residential building, work address, photograph, and other registration information you choose to provide (“Personal Information” or “Personal Data”).
The Website Services or App collects and processes Personal Data for specific, lawful purposes only, or for the performance of tasks carried out in your interests or the interests of DIFC.
The Website Services or App are not targeted, intended, or expected to be of use to children. Apart from providing information for specific services or purposes, as directed by the DIFC processes, user-provided contributions of content or contact information regarding or about children are expressly prohibited.
Information we collect about you and your device
Each time you use our Website Services or App, we may and often will automatically collect the following information:
- Technical information, including the type of mobile device you use, a unique device identifier (for example, mobile network information, your mobile operating system, the type of mobile browser you use, device token, device type, time zone setting (“Device Information”).
- Details of your use of our Website Services or App including, but not limited to traffic data, weblogs and other communication data, and the resources that you access (“Log Information”).
- Location information if the Website Services or App uses GPS technology to determine your current location. If you wish to use the particular feature, you may be asked to opt-in to your data being used for this purpose.
If you do not wish to share certain data with us or do not want us to use / share it for certain purposes (to the extent possible, in accordance with applicable laws and information in this notice), you can alter your preferences at any time. Where applicable, please check with your device provider's instructions for further information about how to do this.
Other Information We May Collect Through Your Use of the Website Services or the App
When you use any Website Services or the App, we may collect Personal Data, including demographic information, for example information that you submit, or that we collect, which may include, but is not limited to, post code, age/birth date, current residence, hometown, gender, username, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting, device location, IP address, SMS data, transaction information, business activities and services / distribution locations, browsing history information, search history information, and registration history information (“Demographic Information”).
3. Use of Personal Data
We may use Personal Data which you provide to us, or we collect from you to:
- Provide, maintain, and improve our App and Website Services, including, for example, to facilitate payments, send receipts, provide products and services you request (and send related information about them), develop new features that will enhance your user experience and our efficiency, provide customer support to Users, authenticate users, and send administrative messages, whether information-only or required by applicable law;
- Perform internal regulatory, administrative and operational requirements, including, for example, to prevent fraud or abuse of our Website Services; to troubleshoot software bugs and operational problems; to conduct data analysis, testing, and research; to ensure you and DIFC are complying with internal or external legal requirements, including those that necessitate use of digital systems; and to monitor and analyse usage and activity trends;
- Send you communications we think will be of interest to you based on your previous interactions with us, including information about products, services, promotions, news, and DIFC events, where permissible under DIFC Laws and according to any other applicable laws; and to process contests, sweepstakes, or other promotional entries and fulfil any related awards;
- Notify you about changes to this Policy, or our App and Website Services;
- Allow you to participate in any interactive features of our App or Website Services;
- Keep our App and Website Services safe and secure; or
- Personalise and improve the Website Services, including to provide or recommend features, content, social connections, referrals, and advertisements, in accordance with your preferences, to the extent permissible by law.
4. Processing, Storage and Transfer of Personal Data
We will take all steps reasonably necessary to ensure your data is processed fairly and lawfully, in accordance with the DP Law, other applicable laws and this Policy. By submitting your Personal Data (including Log, Device and / or Demographic Information), we expect you to understand that such transfer, storing or processing in order for DIFC to perform its general administrative and regulatory functions is necessary and will be done in a proportionate, lawful manner, including, but not limited to, responding to enquiries you raise via the App or Website Services, oversight of the business entities registered in DIFC’s jurisdiction and maintaining contacts for future informational or promotional activities. Unless otherwise notified, DIFC does not ordinarily rely solely on automated decision making when processing your Personal Data.
In order to conduct our operations or fulfil regulatory obligations, we must transfer the Personal Data described in this Policy to and from, and process and store it in, the United Arab Emirates and (where applicable or required) with processors in other countries, some of which may have less protective privacy laws than those where you reside. In all such cases, and generally for any processing operations, we take appropriate security measures to protect your Personal Data in accordance with this Policy. DIFC is ISO 27001 certified, and all information security policies are strictly enforced. Please see section 7 below for further details.
To preserve the integrity of our databases, to carry out ongoing Website Services or provide the App on behalf of all Users, for research, analytics and statistics purposes and to ensure compliance with applicable laws and regulations, we retain Personal Data submitted by Users for a reasonable length of time unless otherwise prescribed by applicable law.
DIFC is not responsible for the accuracy of the information you provide and will modify or update your Personal Data in our databases when you provide updated information or ad hoc upon your request, as further outlined below. We will erase or put beyond active use your Personal Data upon request, unless we are required to retain it in accordance with DIFC or other applicable laws or to perform agreed services, in which case, we align with applicable principles, such as purpose specification and data minimisation.
By accessing or using the App or Website Services to which this Policy applies, we can reasonably expect that you understand that all information submitted by you through the App or Website Services or otherwise to DIFC may be used by DIFC to support these processing operations, in accordance with applicable laws and its policies.
5. Sharing of Personal Data
We may share Personal Data that we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:
Through Our Website Services or the App
We may share Personal Data that we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:
Through Our Website Services or the App
We may share your Personal Data:
- With third parties to provide you a service you requested through a partnership or promotional offering made by a third party or us; or
- With third parties with whom you choose to let us share your Personal Data, for example, other apps or websites that integrate with our API or Website Services, or those with an API or Service with which we integrate.
Other Types of Data Sharing
We may share your Personal Data:
- With DIFC subsidiaries and affiliated entities, to the extent permissible by law;
- On the DIFC Public Register, in accordance with Article 153 of the Companies Law, DIFC Law No. 5 of 2018, and Section 9.2 of the Companies Regulations;
- With vendors, consultants, marketing and advertising partners, and other service providers who need access to such Personal Data to carry out work on our behalf or to perform a contract we enter into with them;
- If we otherwise notify you and you provide your affirmative opt-in to share your data, where needed;
- In response to a request for information by a competent authority or government entities if we determine that such disclosure is in accordance with, or is otherwise required by any applicable law, regulation, or legal process;
- With law enforcement officials, government entities or authorities, or other third parties as required by applicable law;
- With third parties in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company; or
- With third parties in an aggregated and/or anonymised or pseudonymised form that cannot reasonably be used to identify you
Government Data Sharing
In some circumstances we are legally obliged to share information with public authorities or law enforcement. For example, we may be required to provide information related to a court order or where we must cooperate with other supervisory authorities in handling complaints or investigations.
We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information, document our decision making, and satisfy ourselves that we have a legal basis on which to share the information.
We may also share information in the event of the non-payment of a monetary penalty or fine. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid penalty.
As a result, the relevant DIFC registrar or commissioner will share Personal Data with the litigation and recovery specialists it instructs in order for them to identify assets and undertake recovery action through the courts.
All sharing of Personal Data aligns to the extent possible with the DIFC Government Data Sharing Policy, which is an internal DIFC policy that governs fair and lawful sharing of Personal Data requested by government entities within the UAE and elsewhere.
6. Your Rights and Choices
Marketing and Preferences
DIFC supports Users’ legal rights to opt-in or subsequently opt-out of receiving communications from us and our partners. You have the option to ask us not to process your Personal Data for marketing purposes and to remove it from our database, to not receive future communications or to no longer receive our App or Website Services.
You may change your preferences at any time.
Please note that we may continue to send you transactional or service-related e-mails despite your desire to not receive promotional or marketing e-mail messages. Additionally, please note that if you elect to opt-out of or unsubscribe from receiving promotional or other similar e-mails or messaging from one of our Website Services or the App, you may continue to receive promotional emails from our other websites, providers, or other non-affiliated marketers whose services you may have accessed via the DIFC Website Services or App.
Finally, while we may remove your individual contact information from our professional contacts database, please be aware that if such information is in a different, third party's marketing directory through your request or election, you will need to request removal with such third party directly.
Access to and Correction of Your Personal Information
You have the right to access information held about you. Your right of access can be exercised for any reason, at any time, in accordance with DIFC and other applicable laws.
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
You may also request that we restrict the processing of, erase, transfer the information you gave us from one organisation to another, or otherwise process your Personal Data in line with the relevant articles providing for such rights set out in the DP Law or other applicable laws.
Any access request generally comes at no cost to you, and we must respond within one month unless provided otherwise by the DP Law or other applicable laws. We may, where permissible, impose a reasonable fee to meet any extraordinary administrative costs in providing you with details of the information we hold about you.
When you contact us about a potential Personal Data error or query, we will endeavour to confirm or verify the information in question, then correct verified inaccuracies and respond to the original inquiry. We will endeavour to send a correction notice to businesses or others whom we know to have received the inaccurate data, where required and / or appropriate. However, some third parties and third-party sites may continue to process inaccurate data about you until their databases and display of data are refreshed in accordance with their update schedules, or until you contact them personally to ensure the correction is made in their own files.
As set out in Article 39 of the DP Law, we may not discriminate against you for exercising your rights by denying services or changing prices or quality of service, unless reasonable to do so in general, as objectively determined, and applicable to all individuals offered or receiving such benefits.
The DIFC Data Subject Access and Requests policy is available for your review, and you may contact us using the information provided therein or below.
7. Security Precautions
DIFC makes every effort to ensure that your Personal Data is secure on its system. DIFC has staff dedicated to maintaining our data protection and security policies, periodically reviewing them and making sure that DIFC employees are aware of our data protection and security practices. Unfortunately, no data transmission over the internet can be guaranteed to be 100 per cent secure. As a result, DIFC cannot warrant or guarantee the security of any Personal Data you transmit to us, and you do so at your own risk.
DIFC has established policies and procedures for securely managing information and protecting Personal Data against unauthorised access. We continually assess our data privacy, information management and security practices. We do this in the following ways:
- Establishing policies and procedures for securely managing information;
- Limiting employee access to viewing only necessary information in order to perform his or her duties;
- Protecting against unauthorised access to Personal Data by using data encryption, authentication and virus detection technology, as required;
- Requiring service providers with whom we do business to comply with relevant data privacy legal and regulatory requirements;
- Monitoring our websites through recognised online privacy and security organisations;
- Engaging in regular third-party audits of our policies and practices; and
- Conducting background checks on employees and providing training to our employees.
Types of cookies we drop, and the information collected using them include, but are not necessarily limited to:
Google Tag Manager: helps make tag management simple, easy and reliable by allowing marketers and webmasters to deploy website tags all in one place.
Google Analytics: gives website owners the digital analytics tools needed to analyse data from all touchpoints in one place, for a deeper understanding of the customer experience.
Salesforce Chat Solution: lets the website owners chat with customers and give them real-time support.
- DoubleClick: a subsidiary of Google that develops and provides internet ad serving services.
- Twitter advertising: enables website owners to track and measure the actions users take after viewing or engaging with ads on Twitter.
- Facebook advertising: lets website owners measure, optimise and build audiences for advertising campaigns.
- LinkedIn analytics: enables website owners to promote their company updates to targeted audiences on desktop, mobile, and tablet.
Most browsers accept and maintain Cookies by default. The DIFC Data Protection Law requires that DIFC entities (including DIFC Bodies, as defined in the Founding Law, Dubai Law No. 5 of 2021), set such collection methods to collect the bare minimum, necessary cookies in order to operate the relevant website or app. Check the ‘Help’ or ‘Settings’ menu of your browser to learn how to change your Cookie preferences. You can choose to alter Cookies settings related to the use of our Website Services, but this may limit your ability to access certain areas of the Website.
Alternatively, you may wish to visit an independent source of information, www.aboutcookies.org, which contains comprehensive information on how to alter settings or delete Cookies from your computer as well as more general information about Cookies. For information on how to do this on the browser of your mobile phone, you will need to refer to your handset manual or network operator for advice.
9. External Links
The Website and the App may contain links to other websites on the Internet that are owned and operated by third parties (the "External Sites"). These links are provided solely as a convenience to you and not as an endorsement by DIFC of the contents or reliability of such External Sites. You acknowledge that DIFC is not responsible for the availability of, or the information and contents of any External Site. You should contact the site administrator or webmaster for those External Sites if you have any concerns regarding such links or the content located on such External Sites.
If you decide to access the linked third-party websites, you do so at your own risk. DIFC does not accept liability, and shall not be liable to you for any loss or damage arising from or as a result of your acting upon the contents of another website to which you may link from the Website Services or the App.
10. DIFC Buildings Security and Contents
Building security records containing sign in and sign out information collected at the time of visiting and departing a DIFC-owned building will be maintained in accordance with this Policy.
To the extent permitted by applicable law, DIFC is not responsible for any contents, whether or not they contain Personal Data or other business information, that remain after you leave or vacate a DIFC property. Having given proper notice to tenants vacating DIFC buildings or property and upon expiration of such notice, DIFC may remove any remaining tenant property, including contents, materials or information at its sole discretion and your liability.
Buildings within the DIFC free zone that are not owned and operated by the DIFC Authority, or its subsidiaries are not bound by this Policy, but management of third-party buildings must in any case comply with the DP Law as it applies generally in the DIFC.
11. Changes to this Policy
We may change this Policy from time to time and without notice. If we make significant changes in the way we treat your Personal Data, or to the Policy, we will endeavour to provide you notice through the App or Website Services or by some other means, such as email. Your continued use of the App or Website Services after such notice constitutes your understanding of the changes. We encourage you to periodically review this Policy for the latest information on our privacy practices. We provide links to it through:
- The App or Website Services
- Incorporating it into our contracts, agreements, and other documents as necessary or appropriate
DIFCA has appointed a Data Protection Officer in accordance with Article 16 of the DP Law. She may be contacted using the above address or telephone number, or via email at firstname.lastname@example.org
If you have any questions, comments and requests related to this Policy, or if you have any complaints related to how DIFC processes your personal data, please contact the Commissioner of Data Protection’s Office at:
Dubai International Financial Centre Authority
Level 14, The Gate Building
+971 4 362 2222
- Data Protection Regulations 2020
- Data Protection Law DIFC Law No. 5 of 2020
- DIFC Laws Amendment Law DIFC Law No. 2 Of 2022
- Enactment Notice Data Protection Law DIFC Law No. 5 of 2020
- DIFC Laws Amendment Law No. 2 of 2022