Data Protection Policy
Document
The Data Protection and Confidentiality Agreement (the “Agreement”) sets out the terms and conditions
pursuant to which FFA Private Bank (Dubai) Limited (“FFA”) may collect, handle, disclose, use or otherwise
Process Personal Data in the course of its business operations to its Clients, under effective Terms of Business
Agreement and any supplements or notices issued by FFA that governs all investment business and financial
services in accordance with the DIFC Law No. 5 of 2020, its DIFC Data Protection Regulations 2020 and any
amendments to the Law and Regulations as applicable in the Dubai International Financial Centre (“DIFC”).
1. Defined Terms
In this Agreement the following data protection related terms shall have the following meaning(s) assigned to
them here below:
“Client” means the company, or the legal entity, legal arrangements or person(s) that is or are
determined to
be eligible Client(s) of FFA and are not limited to investors (individual, joint and partly joint) who hold
investment
account(s) with FFA as defined under Chapter (2) of the Conduct of Business Module of the Dubai Financial
Services Authority (“DFSA”) Rulebook and under FFA’s Terms of Business Agreement. In the event more than
one person is a Client, reference to the “Client” shall include the plural.
“Court” means the DIFC Court as established under the DIFC laws.
“Commissioner” means the DIFC data protection authority.
“Data Controller” means FFA Private Bank (Dubai) Limited, alone or jointly with others
determines the purposes
and means of the Processing of Personal Data in accordance with applicable law (including the Data Protection
Law).
“Data Protection Law” means DIFC Law No. 5 of 2020 and DIFC Data Protection Regulations 2020
and any
amendments to the Law and Regulations as applicable in the Dubai International Financial Centre
(DIFC).
“Data Subject”, “you”, “your” means the Client(s) as defined above and any Identifiable Natural
Person whose
Personal Data provided by the Client to FFA including, without limitation, the Client’s employees and Relevant
Parties.
“DIFC” means the Dubai International Financial Centre.
“DIFC Bodies” includes the Commissioner, DIFCA, DFSA, DIFC Court, and any other person, body,
office, registry
or tribunal established under DIFC laws or established upon the approval of the President of the DIFC that is
not
revoked by the Data Protection law and any other DIFC laws.
“DFSA” means the Dubai Financial Services Authority.
“DIFCA” means the DIFC Authority as established under the DIFC laws.
“FFA”, “we” , “us”, or “ourselves”, means FFA Private Bank (Dubai) Limited, a Private Company
wholly owned
subsidiary of FFA Group Holding Limited, formed and registered under the Laws of the Dubai International
Financial Center under a DIFC license number CL0269, regulated by the DFSA under reference number F000240,
and having its registered office at the Dubai International Financial Center, Gate Precinct, Building 5, Level
4,
office # 410, PO Box 506567, Dubai, UAE, Tel:+97143637470, Fax: +97143637471, www.ffaprivatebank.com, its
owners, successors, subsidiaries, correspondents, affiliates, agents, sub-contractors, associates or employees.
“FFA Group” means a group of companies that is linked by a shareholding relationship and/or
owned by FFA
Group Holding Limited.
“FFA Group Holding Limited”, a Private Company, formed and registered under the Laws of the
Dubai
International Financial Center under a DIFC license number CL4816, and having its registered office at the Dubai
International Financial Center, Gate Precinct, Building 5, Level 4, office # 410, PO Box 506567, Dubai, UAE,
Tel:+97143637470, Fax: +97143637471, www.ffaprivatebank.com
“Governing Law”, the “Law” means Data Protection Law and all other laws and
regulations applicable in the
Dubai International Financial Centre (DIFC).
“Party” means each of the Client and FFA (and together the Parties).
“Personal Data” means any personal data as defined in the DIFC Data Protection Law relating to
an identified
or Identifiable Natural Person which includes but is not limited to full name, date and place of birth, license
details, entity structure and activities, nationality, address, contact details, social security number,
passport
copies, evidence of address, employment details and financial information such as assets, source of funds and
wealth, income information, portfolio and accounts, authorised signatories, shareholders, directors and
Relevant Party.
“Identifiable Natural Person” means a natural living person who can be identified, directly or
indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an online
identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental,
genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted
accordingly)
“Process, Processed, Processes and Processing”, means any operation or set of operations which
is performed
upon Personal Data, whether or not by automated means, such as collection, recording, organization,
structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting
(meaning marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or
destruction but excluding operations or sets of operations performed on Personal Data by:
1. a natural person in the course of a purely personal or household activity that has no connection to a
commercial purpose; or
2. law enforcement authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, including safeguarding against
and preventing threats to public security.
“Products and Services” means FFA financial services and financial products and ancillary
services.
“Recipient”, means any person to whom Personal Data is disclosed, whether a third party or not;
however,
authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as
Recipients.
“Relevant Party” or “Relevant Parties” means beneficial owner(s), authorised
signatories, nominated persons,
attorney, shareholder(s) or any other individual(s) linked directly or indirectly and/or appointed to act on
behalf
of the Data Subject.
2. A Data Controller,
2.1. The legal entity responsible for Data Processing is FFA.
2.2. If the Client has any questions about this Data Protection and Confidentiality Agreement, or our
Processing of Personal Data, please contact us at:
FFA Private Bank (Dubai) Limited, Dubai International Financial Center, Gate Precinct, Building 5, Level
4,
office #410, PO Box 506567, Dubai, UAE, Tel: +97143637470, Fax: +97143637471
E-mail: FFADubaiCompliance@ffaprivatebank.com
3. Processing and Disclosure of Personal Data
3.1. We may collect certain Personal Data in the course of providing Products or Services in accordance with
the provisions of the Data Protection Law. We may collect the Personal Data directly from the Client
through communications, applications or other forms, whether we receive these in writing or
electronically. This can include and is not limited to the information set out below:
a. Data Subject contact information we use to communicate with the Client such as entity details,
name, current and former addresses (private and professional), telephone number (private and
professional), email address;
b. Identity information we use to identify or authenticate the Client or to meet tax, Anti-Money
Laundering (AML) and other “Know Your Customer” (KYC) legal and regulatory obligations, including
contact information, government IDs (including passport details), sample signature for
authentication, order data (e.g. payment instructions), data from the fulfillment of contractual
obligations (e.g. data in payment transactions), information about financial operation(s) (e.g.
creditworthiness data, scoring/rating data, origin of assets, source of wealth), marketing and sales
data, documentation data (e.g. file notes or meeting minutes from a consultation), and other data
including any Personal Data;
c. Name, incorporation details, license information, contact information (private and professional),
telephone number (private and professional), email address, address details (current and former),
date and place of birth, citizenship, tax information
d. communications information in the course of use of FFA’s website including by e-mail, telephone or
post, communications in relation to providing Products and Services to the Client, including
recordings of telephone / video calls;
e. account access information where we provide on-line account access, log-in and similar credentials,
and information about use of such access; and
f. relationship information that helps us to understand more about how to conduct business with the
Client, and what types of Products and Services may be of interest to the Client.
3.2. We may Process Personal Data directly from you through meetings, correspondence with you, telephone
conversations and emails.
3.3. We may also Process Personal Data about you that we obtain from publicly accessible sources (like press
and internet) or from other third parties (e.g. credit rating agency).
3.4. We may also collect Personal Data from private companies and trade registers, and/or other publicly
available sources such as media and online sources and/or from other third parties.
3.5. We may also collect and process Personal data which may include in particular data relating to your
financial situation or debt or legal proceedings against you.
3.6. In order to facilitate, maintain, enable our business relationship, we may Process Personal Data relating
to the Client’s Data Subjects and any other person involved in our business relationship with the Client
such as beneficial owner(s), shareholders, authorised signatories, persons / attorney or other individuals
nominated to act on behalf of the Client. To the extent that the Client provides FFA with Personal Data of
its Data Subjects, the Client warrants that it has obtained effective written consent(s) from the Data
Subjects in respect of FFA’s use of such Personal Data, and that the Client undertakes to provide FFA with
a copy of any such consent(s) upon its request.
3.7. FFA relies on lawful bases as set out in further detail under Article 10 of the Data Protection Law for
Processing Personal Data in accordance with this Agreement for the purpose of fulfilling our contractual
obligations with the Client, and to ensure the efficiency and effectiveness of our business operations,
acting for and on behalf of the Client. These include:
a. Processing Personal Data where necessary for compliance with Applicable Law (for example, to
meet DFSA regulations, KYC and AML legal obligations), for providing Products and Services that the
Client applies for and/or that the Client subscribes to, to update, confirm, and enhance FFA records,
and/or as may be necessary to FFA, FFA Group or its affiliates;
b. to enable FFA to centralise or outsource its data processing and other administrative operations to
FFA's head office, its affiliates or third parties engaged by FFA (whether within or outside the DIFC)
for any such business services/operations;
c. where the Processing is necessary for the purpose of legitimate interests pursued by FFA or its third
parties (whether within or outside the DIFC) to whom the Personal Data has been made available,
except where such interests are overridden by the interests or rights of the Data Subjects. Such
legitimate interests include administrative or operational processes, consulting with third party
consultants / advisors, credit rating agencies and/or for the prevention and investigation purposes;
d. to respond to court orders and/or legal investigations; and/or
e. to conduct due diligence; carry out onboarding, assessment and acceptance as an FFA Client.
f. for the purpose of administering and fulfilling obligations under contracts entered into with you, for
performing any obligations laid down by applicable laws, regulations, and rules for providing
financial services and financial products and ancillary services that you apply for and/or that you
subscribe to , to confirm, update and enhance our records, and/or as may be necessary, pursuant
to the applicable law, regulation, rule, decree, code, directive, sanction, regime, judgement, treaty,
or agreement applicable to FFA, FFA Group or its affiliates.
3.8. Subject to the Data Protection Law, we may use your Personal Data to inform you, by post, telephone or
other electronic media, of any products and services that we think may be of interest to you. You have
the right to object at any time to our Processing of your Personal Data for the purposes of direct
marketing. If you wish to object you may do so by contacting us using the details set out in clause 2
above.
3.9. FFA may keep the Client’s Data Subjects up-to-date in compliance with applicable rules and regulations
in connection with any Products and Services or direct marketing sent by FFA or the FFA Group and/or its
affiliates which may be of interest to the Data Subjects. Where FFA uses Personal Data for marketing
purposes, the Data Subjects have the right to opt out of, or object at any time to the Processing of their
Personal Data by contacting FFADubaiCompliance@ffaprivatebank.com.
3.10. Telephone and/or video calls that we conduct with the Client may be recorded and monitored for
regulatory, security and other legitimate business purposes such as: (1) to provide evidence of a business
transaction; (2) to ensure compliance with applicable rules and regulations; (3) to resolve disputes and/or
disagreements concerning the content of a transaction/conversation; (4) to investigate, prevent and
detect fraud; (5) to evaluate the quality of our services; (6) for training purposes. We will retain records
of these telephone and/or video calls in accordance with clause 6.1 below.
3.11. FFA may transfer or disclose your Personal Data (including by transferring Personal Data outside the
DIFC). Where such disclosure is required (including but not limited to disclosures for the purpose of due
diligence and/or credit review of any account(s) of the Data Subject with FFA whether singly or jointly
with others or otherwise), any information relating to the Data subject, his/her/its account(s) or
information on the assets held for the Data Subject or on his/her behalf, to:
a. its head office, affiliates, associated firms or any other branches or subsidiaries of FFA or FFA
Group;
b. its auditors, lawyers, translators, professional advisers and any other person(s) under a duty of
confidentiality to FFA;
c. vendors, installers, maintainers or service providers of FFA's computer systems;
d. brokers, custodians, support firms, correspondent banks, or any person (including any agent,
contractor or third party service provider) with whom FFA is engaged, contracts or proposes to
contract with regard to the provision of financial services in respect of the Data Subject account(s)
or in connection with any services offered to the Data Subject by FFA, for effecting transactions,
wire transfers, maintaining accounts for and/or on behalf of the Data Subject;
e. any person with whom FFA contracts or proposes to contract with regard to the sale or transfer or
sharing of any of its rights, obligations or risks under this Agreement; and
f. any person employed with, or engaged as an agent by FFA or its head office or affiliates, including
any relationship officers, for the purposes of or in connection with interactions you or providing
services to you or Processing transactions pertaining to your account(s).
4. Transfer of Personal Data
4.1. Data transfers to legal entities in countries outside the DIFC (known as third countries) will take place
so
long as the third country has been determined by the Commissioner as a jurisdiction providing adequate
level of protection under the Data Protection Law.
4.2. Where FFA transfers Personal Data to a third country that has not been determined by the Commissioner
as providing adequate level of jurisdiction, FFA has put procedures in place to ensure the protection of
Personal Data, to the extent required under the Data Protection Law including, without limitation, in the
following circumstances:
a. where FFA enters into a data transfer agreement with the non DIFC entity receiving your Personal
Data, such data transfer agreement containing standard contractual clauses which have been
approved by the Commissioner;
b. where it is necessary for the purpose of carrying out our contractual obligations with the Client;
c. where it is required by applicable law (e.g. reporting obligations under applicable financial
regulations); and/or
d. the transfer is necessary or legally required in the interests of the DIFC, including in the interests of
DIFC Bodies relating to the proper discharge of their functions.
5. Data Subjects Rights
5.1. Pursuant to the Data Protection Law, you have certain legal rights in relation to the Processing of your
Personal Data. These are set out in detail in the FFA data protection policy www.ffaprivatebank.com.
These include, without limitation, the following legal rights. These legal rights are subject to terms of the
Data Protection Law:
a. the right to obtain information regarding the Processing of your Personal Data and access to the
Personal Data which FFA holds about your (or which is held on FFA’s behalf);
b. the right to request that FFA rectify your Personal Data if it is inaccurate or incomplete;
c. the right to object to processing of Data Subject Personal Data at any time including the right to
object to processing for the purposes of direct marketing. If you object to Processing your Personal
Data for the purposes of direct marketing, we will no longer process your Personal Data for this
purpose;
d. the right to request that FFA erase the Data Subject Personal Data in certain circumstances. This
may include (but is not limited to) circumstances in which it is no longer necessary for FFA to retain
your Personal Data for the purposes for which we collected it;
e. the right not to be discriminated against in terms of products or services provided, including in
relation to the quality or price of the products or services, based on the Data Subjects exercising
their privacy rights under this Agreement; and
f. the right to lodge a complaint with the Commissioner.
5.2. The Client confirms that all the Data Subjects whose Personal Data is provided to FFA by the Client shall
be informed of these rights and how to exercise them, including lodging a complaint with the
Commissioner. The Client shall inform FFA immediately of any requests made by the Data Subject in
relation to Personal Data provided by the Client to FFA.
6. Retention of Personal Data
6.1. We will process and store the Client’s Personal Data for as long as it is necessary in order to fulfill our
contractual, regulatory and statutory obligations, including, without limitation, the DFSA requirements
and the Data Protection Law. We will delete Personal Data where Personal Data is no longer required in
order to fulfill our contractual, regulatory or statutory obligations, including, without limitation, the Data
Protection Law.
6.2. To determine the appropriate retention period for the Client’s Personal Data, we consider, the amount,
nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure
of the Personal Data, the purposes for which we process your Personal Data and any applicable legal
requirements.
6.3. We will assess and respond to requests to delete Personal Data in accordance with the Data Protection
Law. We will delete Personal Data in accordance with the Data Protection Law.
7. Confidentiality
7.1. Except as otherwise set out above, the Parties agree and covenant that they shall treat as confidential,
non-public and any and all data and other information (whether proprietary or otherwise, including the
Terms of Business Agreement and all referenced names and relationships) obtained directly or indirectly
from or on behalf of each other (“Disclosing Party” and “Recipient Party”, respectively), whether received
prior or subsequent to the execution of this Agreement, and whether or not so designated or marked,
including information transmitted through any means, whether oral, written, electronic or other format,
or otherwise recorded. Recipient Party shall not disclose any Confidential Information to any third party
without prior consent of Disclosing Party, except:
a. if it becomes generally available to the public other than as a result of a breach of an obligation
under this clause 7;
b. if it is acquired from a third party who owes no obligation of confidence in respect of the
Confidential Information;
c. to our respective employees (where available) involved in the services, but we will each make of
our respective employees, to whom such confidential information is disclosed, aware of the
restrictions on disclosure contained in this clause 7.
d. where the information has been independently developed by the Recipient; and/or
e. where the information has been required by a lawful process, provided that the Party compelled by
lawful process to disclose Confidential Information shall immediately give the other Party notice of
such requirement, and, to the extent reasonable under the circumstances, consult with the other
Party in advance of disclosure as to the form, nature and purpose of such disclosure, or as soon
thereafter as is legally permissible, and in any event give to the other Party copies of any disclosure
as soon thereafter as is legally permissible.
7.2. The obligations of the Parties under this clause 7 shall continue at all times during the term of this
Agreement and thereafter without any limitation as to time.
7.3. Nothing in this clause 7 derogates from FFA’s obligations as a Data Controller under the Data Protection
Law.
8. Update of Personal Data
The Client hereby undertakes to inform FFA immediately of any changes to the Personal Data or of any beneficial
owner, any authorised signatory or any nominated person or attorney (each, a “Relevant Party”) provided in
Agreement(s) entered into with Data Subject or in any other document related to your account(s) with FFA,
including but not limited to the provision of updated identification documents and changes to the declared
status, inclusive of tax domicile of any Relevant Party.
9. Governing Law
The terms and conditions of this Agreement are governed by and construed in accordance with the Laws of the
DIFC and the DIFC Courts shall have exclusive jurisdiction on any dispute that may arise.
10. Waiver of Banking Secrecy Obligations
Notwithstanding the foregoing, the Client hereby waives any banking secrecy and any related confidentiality
obligation on FFA , or on the FFA Group and authorises FFA, and the FFA Group, to disclose information about
the Client, the accountholder(s), beneficial owners, authorized signatories or other Related Parties (including
any information held with FFA Group) where required or requested by providers of products or services that
FFA obtains on behalf of the Client, in order for FFA to provide the Client with financial Products, Financial
Services or other ancillary services; where the relevant information is no longer confidential; or where
disclosure
is required under any applicable law.