About us

Privacy Policy

Document

The Data Protection and Confidentiality Agreement (the “Agreement”) sets out the terms and conditions pursuant to which FFA Private Bank (Dubai) Limited (“FFA”) may collect, handle, disclose, use or otherwise Process Personal Data in the course of its business operations to its Clients, under effective Terms of Business Agreement and any supplements or notices issued by FFA that governs all investment business and financial services in accordance with the DIFC Law No. 5 of 2020, its DIFC Data Protection Regulations 2020 and any amendments to the Law and Regulations as applicable in the Dubai International Financial Centre (“DIFC”).



1. Defined Terms
In this Agreement the following data protection related terms shall have the following meaning(s) assigned to them here below:

“Client” means the company, or the legal entity, legal arrangements or person(s) that is or are determined to be eligible Client(s) of FFA and are not limited to investors (individual, joint and partly joint) who hold investment account(s) with FFA as defined under Chapter (2) of the Conduct of Business Module of the Dubai Financial Services Authority (“DFSA”) Rulebook and under FFA’s Terms of Business Agreement. In the event more than one person is a Client, reference to the “Client” shall include the plural.

“Court” means the DIFC Court as established under the DIFC laws.

“Commissioner” means the DIFC data protection authority.

“Data Controller” means FFA Private Bank (Dubai) Limited, alone or jointly with others determines the purposes and means of the Processing of Personal Data in accordance with applicable law (including the Data Protection Law).

“Data Protection Law” means DIFC Law No. 5 of 2020 and DIFC Data Protection Regulations 2020 and any amendments to the Law and Regulations as applicable in the Dubai International Financial Centre (DIFC).

“Data Subject”, “you”, “your” means the Client(s) as defined above and any Identifiable Natural Person whose Personal Data provided by the Client to FFA including, without limitation, the Client’s employees and Relevant Parties.

“DIFC” means the Dubai International Financial Centre.

“DIFC Bodies” includes the Commissioner, DIFCA, DFSA, DIFC Court, and any other person, body, office, registry or tribunal established under DIFC laws or established upon the approval of the President of the DIFC that is not revoked by the Data Protection law and any other DIFC laws.

“DFSA” means the Dubai Financial Services Authority.

“DIFCA” means the DIFC Authority as established under the DIFC laws.

“FFA”, “we” , “us”, or “ourselves”, means FFA Private Bank (Dubai) Limited, a Private Company wholly owned subsidiary of FFA Group Holding Limited, formed and registered under the Laws of the Dubai International Financial Center under a DIFC license number CL0269, regulated by the DFSA under reference number F000240, and having its registered office at the Dubai International Financial Center, Gate Precinct, Building 5, Level 4, office # 410, PO Box 506567, Dubai, UAE, Tel:+97143637470, Fax: +97143637471, www.ffaprivatebank.com, its owners, successors, subsidiaries, correspondents, affiliates, agents, sub-contractors, associates or employees. “FFA Group” means a group of companies that is linked by a shareholding relationship and/or owned by FFA Group Holding Limited.

“FFA Group Holding Limited”, a Private Company, formed and registered under the Laws of the Dubai International Financial Center under a DIFC license number CL4816, and having its registered office at the Dubai International Financial Center, Gate Precinct, Building 5, Level 4, office # 410, PO Box 506567, Dubai, UAE, Tel:+97143637470, Fax: +97143637471, www.ffaprivatebank.com

“Governing Law”, the “Law” means Data Protection Law and all other laws and regulations applicable in the Dubai International Financial Centre (DIFC).

“Party” means each of the Client and FFA (and together the Parties).

“Personal Data” means any personal data as defined in the DIFC Data Protection Law relating to an identified or Identifiable Natural Person which includes but is not limited to full name, date and place of birth, license details, entity structure and activities, nationality, address, contact details, social security number, passport copies, evidence of address, employment details and financial information such as assets, source of funds and wealth, income information, portfolio and accounts, authorised signatories, shareholders, directors and Relevant Party.

“Identifiable Natural Person” means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly)

“Process, Processed, Processes and Processing”, means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction but excluding operations or sets of operations performed on Personal Data by:

1. a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or
2. law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

“Products and Services” means FFA financial services and financial products and ancillary services.

“Recipient”, means any person to whom Personal Data is disclosed, whether a third party or not; however, authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as Recipients.

“Relevant Party” or “Relevant Parties” means beneficial owner(s), authorised signatories, nominated persons, attorney, shareholder(s) or any other individual(s) linked directly or indirectly and/or appointed to act on behalf of the Data Subject.



2. A Data Controller,

2.1. The legal entity responsible for Data Processing is FFA.
2.2. If the Client has any questions about this Data Protection and Confidentiality Agreement, or our Processing of Personal Data, please contact us at:
FFA Private Bank (Dubai) Limited, Dubai International Financial Center, Gate Precinct, Building 5, Level 4,
office #410, PO Box 506567, Dubai, UAE, Tel: +97143637470, Fax: +97143637471
E-mail: FFADubaiCompliance@ffaprivatebank.com

3. Processing and Disclosure of Personal Data

3.1. We may collect certain Personal Data in the course of providing Products or Services in accordance with the provisions of the Data Protection Law. We may collect the Personal Data directly from the Client through communications, applications or other forms, whether we receive these in writing or electronically. This can include and is not limited to the information set out below: a. Data Subject contact information we use to communicate with the Client such as entity details, name, current and former addresses (private and professional), telephone number (private and professional), email address; b. Identity information we use to identify or authenticate the Client or to meet tax, Anti-Money Laundering (AML) and other “Know Your Customer” (KYC) legal and regulatory obligations, including contact information, government IDs (including passport details), sample signature for authentication, order data (e.g. payment instructions), data from the fulfillment of contractual obligations (e.g. data in payment transactions), information about financial operation(s) (e.g. creditworthiness data, scoring/rating data, origin of assets, source of wealth), marketing and sales data, documentation data (e.g. file notes or meeting minutes from a consultation), and other data including any Personal Data; c. Name, incorporation details, license information, contact information (private and professional), telephone number (private and professional), email address, address details (current and former), date and place of birth, citizenship, tax information d. communications information in the course of use of FFA’s website including by e-mail, telephone or post, communications in relation to providing Products and Services to the Client, including recordings of telephone / video calls; e. account access information where we provide on-line account access, log-in and similar credentials, and information about use of such access; and f. relationship information that helps us to understand more about how to conduct business with the Client, and what types of Products and Services may be of interest to the Client.

3.2. We may Process Personal Data directly from you through meetings, correspondence with you, telephone conversations and emails.

3.3. We may also Process Personal Data about you that we obtain from publicly accessible sources (like press and internet) or from other third parties (e.g. credit rating agency).

3.4. We may also collect Personal Data from private companies and trade registers, and/or other publicly available sources such as media and online sources and/or from other third parties.

3.5. We may also collect and process Personal data which may include in particular data relating to your financial situation or debt or legal proceedings against you.

3.6. In order to facilitate, maintain, enable our business relationship, we may Process Personal Data relating to the Client’s Data Subjects and any other person involved in our business relationship with the Client such as beneficial owner(s), shareholders, authorised signatories, persons / attorney or other individuals nominated to act on behalf of the Client. To the extent that the Client provides FFA with Personal Data of its Data Subjects, the Client warrants that it has obtained effective written consent(s) from the Data Subjects in respect of FFA’s use of such Personal Data, and that the Client undertakes to provide FFA with a copy of any such consent(s) upon its request.

3.7. FFA relies on lawful bases as set out in further detail under Article 10 of the Data Protection Law for Processing Personal Data in accordance with this Agreement for the purpose of fulfilling our contractual obligations with the Client, and to ensure the efficiency and effectiveness of our business operations, acting for and on behalf of the Client. These include:

a. Processing Personal Data where necessary for compliance with Applicable Law (for example, to meet DFSA regulations, KYC and AML legal obligations), for providing Products and Services that the Client applies for and/or that the Client subscribes to, to update, confirm, and enhance FFA records, and/or as may be necessary to FFA, FFA Group or its affiliates;

b. to enable FFA to centralise or outsource its data processing and other administrative operations to FFA's head office, its affiliates or third parties engaged by FFA (whether within or outside the DIFC) for any such business services/operations;

c. where the Processing is necessary for the purpose of legitimate interests pursued by FFA or its third parties (whether within or outside the DIFC) to whom the Personal Data has been made available, except where such interests are overridden by the interests or rights of the Data Subjects. Such legitimate interests include administrative or operational processes, consulting with third party consultants / advisors, credit rating agencies and/or for the prevention and investigation purposes;

d. to respond to court orders and/or legal investigations; and/or

e. to conduct due diligence; carry out onboarding, assessment and acceptance as an FFA Client.

f. for the purpose of administering and fulfilling obligations under contracts entered into with you, for performing any obligations laid down by applicable laws, regulations, and rules for providing financial services and financial products and ancillary services that you apply for and/or that you subscribe to , to confirm, update and enhance our records, and/or as may be necessary, pursuant to the applicable law, regulation, rule, decree, code, directive, sanction, regime, judgement, treaty, or agreement applicable to FFA, FFA Group or its affiliates.

3.8. Subject to the Data Protection Law, we may use your Personal Data to inform you, by post, telephone or other electronic media, of any products and services that we think may be of interest to you. You have the right to object at any time to our Processing of your Personal Data for the purposes of direct marketing. If you wish to object you may do so by contacting us using the details set out in clause 2 above.

3.9. FFA may keep the Client’s Data Subjects up-to-date in compliance with applicable rules and regulations in connection with any Products and Services or direct marketing sent by FFA or the FFA Group and/or its affiliates which may be of interest to the Data Subjects. Where FFA uses Personal Data for marketing purposes, the Data Subjects have the right to opt out of, or object at any time to the Processing of their Personal Data by contacting FFADubaiCompliance@ffaprivatebank.com.

3.10. Telephone and/or video calls that we conduct with the Client may be recorded and monitored for regulatory, security and other legitimate business purposes such as: (1) to provide evidence of a business transaction; (2) to ensure compliance with applicable rules and regulations; (3) to resolve disputes and/or disagreements concerning the content of a transaction/conversation; (4) to investigate, prevent and detect fraud; (5) to evaluate the quality of our services; (6) for training purposes. We will retain records of these telephone and/or video calls in accordance with clause 6.1 below.

3.11. FFA may transfer or disclose your Personal Data (including by transferring Personal Data outside the DIFC). Where such disclosure is required (including but not limited to disclosures for the purpose of due diligence and/or credit review of any account(s) of the Data Subject with FFA whether singly or jointly with others or otherwise), any information relating to the Data subject, his/her/its account(s) or information on the assets held for the Data Subject or on his/her behalf, to:

a. its head office, affiliates, associated firms or any other branches or subsidiaries of FFA or FFA Group;
b. its auditors, lawyers, translators, professional advisers and any other person(s) under a duty of confidentiality to FFA;
c. vendors, installers, maintainers or service providers of FFA's computer systems;
d. brokers, custodians, support firms, correspondent banks, or any person (including any agent, contractor or third party service provider) with whom FFA is engaged, contracts or proposes to contract with regard to the provision of financial services in respect of the Data Subject account(s) or in connection with any services offered to the Data Subject by FFA, for effecting transactions, wire transfers, maintaining accounts for and/or on behalf of the Data Subject;
e. any person with whom FFA contracts or proposes to contract with regard to the sale or transfer or sharing of any of its rights, obligations or risks under this Agreement; and
f. any person employed with, or engaged as an agent by FFA or its head office or affiliates, including any relationship officers, for the purposes of or in connection with interactions you or providing services to you or Processing transactions pertaining to your account(s).

4. Transfer of Personal Data

4.1. Data transfers to legal entities in countries outside the DIFC (known as third countries) will take place so long as the third country has been determined by the Commissioner as a jurisdiction providing adequate level of protection under the Data Protection Law.

4.2. Where FFA transfers Personal Data to a third country that has not been determined by the Commissioner as providing adequate level of jurisdiction, FFA has put procedures in place to ensure the protection of Personal Data, to the extent required under the Data Protection Law including, without limitation, in the following circumstances:

a. where FFA enters into a data transfer agreement with the non DIFC entity receiving your Personal Data, such data transfer agreement containing standard contractual clauses which have been approved by the Commissioner;
b. where it is necessary for the purpose of carrying out our contractual obligations with the Client;
c. where it is required by applicable law (e.g. reporting obligations under applicable financial regulations); and/or
d. the transfer is necessary or legally required in the interests of the DIFC, including in the interests of DIFC Bodies relating to the proper discharge of their functions.

5. Data Subjects Rights

5.1. Pursuant to the Data Protection Law, you have certain legal rights in relation to the Processing of your Personal Data. These are set out in detail in the FFA data protection policy www.ffaprivatebank.com. These include, without limitation, the following legal rights. These legal rights are subject to terms of the Data Protection Law:

a. the right to obtain information regarding the Processing of your Personal Data and access to the Personal Data which FFA holds about your (or which is held on FFA’s behalf);
b. the right to request that FFA rectify your Personal Data if it is inaccurate or incomplete;
c. the right to object to processing of Data Subject Personal Data at any time including the right to object to processing for the purposes of direct marketing. If you object to Processing your Personal Data for the purposes of direct marketing, we will no longer process your Personal Data for this purpose;
d. the right to request that FFA erase the Data Subject Personal Data in certain circumstances. This may include (but is not limited to) circumstances in which it is no longer necessary for FFA to retain your Personal Data for the purposes for which we collected it;
e. the right not to be discriminated against in terms of products or services provided, including in relation to the quality or price of the products or services, based on the Data Subjects exercising their privacy rights under this Agreement; and
f. the right to lodge a complaint with the Commissioner.

5.2. The Client confirms that all the Data Subjects whose Personal Data is provided to FFA by the Client shall be informed of these rights and how to exercise them, including lodging a complaint with the Commissioner. The Client shall inform FFA immediately of any requests made by the Data Subject in relation to Personal Data provided by the Client to FFA.



6. Retention of Personal Data

6.1. We will process and store the Client’s Personal Data for as long as it is necessary in order to fulfill our contractual, regulatory and statutory obligations, including, without limitation, the DFSA requirements and the Data Protection Law. We will delete Personal Data where Personal Data is no longer required in order to fulfill our contractual, regulatory or statutory obligations, including, without limitation, the Data Protection Law.

6.2. To determine the appropriate retention period for the Client’s Personal Data, we consider, the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which we process your Personal Data and any applicable legal requirements.

6.3. We will assess and respond to requests to delete Personal Data in accordance with the Data Protection Law. We will delete Personal Data in accordance with the Data Protection Law.

7. Confidentiality

7.1. Except as otherwise set out above, the Parties agree and covenant that they shall treat as confidential, non-public and any and all data and other information (whether proprietary or otherwise, including the Terms of Business Agreement and all referenced names and relationships) obtained directly or indirectly from or on behalf of each other (“Disclosing Party” and “Recipient Party”, respectively), whether received prior or subsequent to the execution of this Agreement, and whether or not so designated or marked, including information transmitted through any means, whether oral, written, electronic or other format, or otherwise recorded. Recipient Party shall not disclose any Confidential Information to any third party without prior consent of Disclosing Party, except:

a. if it becomes generally available to the public other than as a result of a breach of an obligation under this clause 7;

b. if it is acquired from a third party who owes no obligation of confidence in respect of the Confidential Information;

c. to our respective employees (where available) involved in the services, but we will each make of our respective employees, to whom such confidential information is disclosed, aware of the restrictions on disclosure contained in this clause 7.

d. where the information has been independently developed by the Recipient; and/or

e. where the information has been required by a lawful process, provided that the Party compelled by lawful process to disclose Confidential Information shall immediately give the other Party notice of such requirement, and, to the extent reasonable under the circumstances, consult with the other Party in advance of disclosure as to the form, nature and purpose of such disclosure, or as soon thereafter as is legally permissible, and in any event give to the other Party copies of any disclosure as soon thereafter as is legally permissible.

7.2. The obligations of the Parties under this clause 7 shall continue at all times during the term of this Agreement and thereafter without any limitation as to time.

7.3. Nothing in this clause 7 derogates from FFA’s obligations as a Data Controller under the Data Protection Law.

8. Update of Personal Data

The Client hereby undertakes to inform FFA immediately of any changes to the Personal Data or of any beneficial owner, any authorised signatory or any nominated person or attorney (each, a “Relevant Party”) provided in Agreement(s) entered into with Data Subject or in any other document related to your account(s) with FFA, including but not limited to the provision of updated identification documents and changes to the declared status, inclusive of tax domicile of any Relevant Party.

9. Governing Law

The terms and conditions of this Agreement are governed by and construed in accordance with the Laws of the DIFC and the DIFC Courts shall have exclusive jurisdiction on any dispute that may arise.



10. Waiver of Banking Secrecy Obligations

Notwithstanding the foregoing, the Client hereby waives any banking secrecy and any related confidentiality obligation on FFA , or on the FFA Group and authorises FFA, and the FFA Group, to disclose information about the Client, the accountholder(s), beneficial owners, authorized signatories or other Related Parties (including any information held with FFA Group) where required or requested by providers of products or services that FFA obtains on behalf of the Client, in order for FFA to provide the Client with financial Products, Financial Services or other ancillary services; where the relevant information is no longer confidential; or where disclosure is required under any applicable law.