PRIVACY NOTICE IN ACCORDANCE WITH THE DIFC DATA PROTECTION LAW No. 5 OF 2020

What is the purpose of this document?

This Privacy Notice describes the ways in which Empira Investment Solutions S.A. (Dubai International Financial Centre (“DIFC”) Representative Office (“Empira” “Empira Investment DIFC” “we” “us”), processes and protects the personal data of our clients, individuals related or adverse to our clients and other business contacts.

This Privacy Notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the DIFC Data Protection Law No. 5 of 2020 (DIFC Law).

This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

Empira Investment DIFC acts as in a “controller” capacity by introducing potential clients to Empira group. In some cases, Empira Investment DIFC acts under the instruction of Empira group and would therefore be acting in the capacity of a “processor” and the group entity would be the controller.   You may refer to the Group Privacy Policy here for further details of how your data may be collected and processed.

This notice applies to, provides, or handles information relating to suppliers and other third parties, prospective employees, clients, and prospective clients who anywhere in the world access Empira Investment DIFC’s website services. Any reference to ’you’, ‘your’, ‘yours’ or ‘yourself’ in this privacy notice is a reference to any of our clients, prospective clients, contractors and others, as the context requires unless otherwise stated.

We may update this notice at any time, but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical via our website.

It is important that you read and retain this notice, together with any other Privacy Notice we may provide on specific occasions so that you are aware of how and why we are using your personal information and what your rights are under the data protection legislation.

Data protection principles

We comply with DIFC Data Protection Law No. 5 of 2020 (DIFC Law). This ensures your personal data is:

  1. Used in accordance with the DIFC Law and in accordance with your rights pursuant to the DIFC Law.
  2. Used lawfully, fairly and in a transparent manner.
  3. Collected or used only for legitimate purposes that we have explicitly and specifically explained to you at the time of collection and not collected or used in any way that is incompatible with those purposes.
  4. Relevant to the purposes we have told you about and limited only to those purposes.
  5. Accurate and, where necessary, kept up to date including via erasure or rectification.
  6. Kept only as long as necessary for the purposes we have told you about.
  7. Kept securely.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified, directly or indirectly. It does not include data where the identity has been removed (anonymous data).

We collect, use, disclose, transfer and store personal data when needed to provide our services, for example pre-contractual measures, and for our operational and business purposes, as described in this Policy. We want to be clear about our privacy practices so you can make informed choices about the use of your personal data. You can contact us at any time with questions or concerns.

We collect your data from various sources which includes through our company website, consent driven mailing lists for marketing purposes, and our interactions with you. We may also process personal data collected by Empira Group.

We may also obtain information from other sources, background and/or identity checks or through the use of cookies on our website and/or application.

The Empira  website is not targeted, intended or expected to be of use to children. Apart from providing information for specific services or purposes, as directed by DIFC processes, user-provided contributions of content or contact information regarding or about children are expressly prohibited.

How we will use your personal information

We use your personal data to provide you with the services you request through the website in order to perform our pre-contractual employment obligations, contractual obligations in relation to our services, to keep in touch with you, to provide you with information and manage your account, to prevent fraud or ensure network and information security. We may also, in accordance with our legitimate interests, use your personal information to market our products and services to people like you. We will notify you separately if we process your personal data for any other purpose and, if required, ask for your consent.

You can control what and how you receive communications from us and how we use your information.

We may also collect information about employment details, employment history, the individual’s current financial circumstances; and other matters that are relevant to the services we provide.

If you choose not to provide the information we need as a business or to fulfil your request for a specific product or service, we may not be able to provide you with the requested product or service. We may not also be able to do business with you as a supplier, or we may not be able to consider you are a potential employee candidate.

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you, and explain the legal basis that allows us to do so.

If you receive email communications from us and you don't want to in the future, please use the unsubscribe link within the email or reply to this email and we will stop sending you this information via email.

Please note that we may process your personal information in compliance with the above rules, where this is required or permitted by law.

How we use sensitive personal information

“Special categories" of particularly sensitive personal information require higher levels of protection. We have justification for collecting, storing, and using this type of personal information. We have in place an appropriate policy document and safeguards in compliance with the law. We are likely to process special categories of personal information like financial details, health data, PEP data, etc. in the following circumstances where:

  • In limited circumstances, we have your explicit written consent.
  • It is necessary to comply with the law applicable to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection, or prosecution of any crime.
  • It is necessary for the compliance with specific requirements pursuant to laws applicable to us. In such circumstances, we will provide you with clear notice unless the obligation in question prohibits such notice being given.

Less commonly, we may process this type of information where it is needed in relation to legal claims, where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, where you have already made the information public, where it is required for the purposes of preventative or occupational medicine (such as the assessment of the working capacity of an employee or medical diagnosis).

For marketing purposes, we would not obtain sensitive information, however, if we do, we will issue a separate notice on how we would use the data.

We envisage that we may hold information about criminal convictions.  We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. For example,to determine whether you are suitable to be our employee.

Legal Obligations

We may be required to retain and use personal data to meet our internal and external audit requirements, for data security purposes and as we believe to be necessary or appropriate: (a) to comply with our obligations under applicable law and regulations, which may include laws and regulations outside your country of residence; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; (c)  to carry out anti-money laundering, sanctions or Know Your Customer checks as required by applicable laws and regulations; or (d) to protect our rights, privacy, safety, property, or those of other persons. We may also be required to use and retain personal data after you have doing business with us for legal, regulatory and compliance reasons, such as the prevention, detection or investigation of a crime; loss prevention; or fraud prevention.

Do we need your consent?

We do not rely on consent as our processing reason. However, if we do so, we will provide you with full details of the information that we would like and the reason we need it so that you can carefully consider whether you wish to consent.  You should be aware that it is not a condition of your relationship with us that you agree to any request for consent from us.

Data sharing

To comply with our regulatory obligations, we may disclose personal data to the relevant government, supervisory and judicial authorities such as:

  • Public authorities, regulators and supervisory bodies such as the financial sector supervisors in the countries in which we operate.
  • Tax authorities may require us to report customer assets or other personal data such as your name and contact details and other information about your organization. For this purpose, we may process your identification data such as your tax identification number or any other national identifier in accordance with applicable local law.
  • Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legitimate request.

When we use other service providers or third parties to carry out certain activities in the normal course of business, we may have to share personal data required for a particular task. For instance:

  • IT service providers who may provide application or infrastructure (such as cloud) services;
  • Marketing activities or events and managing customer communications;
  • Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
  • Identifying, investigating or preventing fraud or other misconduct by specialized companies.

Personal data in the form of ID documents, KYC data and financial information may be shared with Empira Group as a pre-contractual or contractual measure.

Personal data in the form of previous employment, employment references etc. may be transferred within the Empira Group for internal administrative and employment purposes

In the course of business, and to manage our relationship we may transfer personal data to a jurisdiction that does not have the same level of data protection as the DIFC.

Third parties who have access to personal data obtained from us are either subject to standard data protection clauses or the personal data transfer is subject to a lawful derogation, in order to treat your data in a manner consistent with this Privacy Notice and in line with the Data Protection Law no. 5 of 2020. You may ask us for further details of these safeguards, where required.

Cookie policy

The Internet pages of the Empira Group website use cookies. Cookies are text files that are stored in a computer system via an Internet browser. For further details please refer to our cookie policy available within section 4 via this link.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Additionally, as per your request we will remove your personal contact details from our database, however, you may continue to receive promotional emails from our other websites, providers, or other non-affiliated marketers whose services you may have accessed via Empira Investment DIFC website. You can request them directly to remove your data from their system.

Data subject rights

Under certain circumstances, and where the conditions specified in the DIFC Data Protection Law No. 5 of 2020 (DIFC Law) are met, by law, you have the right to:

  • Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data. You have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Data portability enables you to receive or request transfer of the data you have provided us in a structured, commonly used and machine-readable format.
  • Object to automated processing, including profiling which produces legal or other seriously impactful consequences concerning you.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances and were permitted by law.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer using the email provided below. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

To inform us of changes

It is important that the personal information we hold about you is accurate and, where necessary, kept up to date. Please keep us informed if your personal information changes during your working relationship with us and respond promptly to our request for updates of your data.

Contact us

You can contact us by any of the following means for any privacy-related questions, including regarding how we collect, store, and use your personal data:

Email: Data_protection_DIFC@empira-invest.lu or

Contact us at: +971 50 929 9538

Our registered office address is:

Empira Investment Solutions S.A. (DIFC Representative Office)

Unit 40-01, Level 40

ICD Brookfield Place

DIFC

PO Box 507034

Dubai

UAE.

Complaints

You have the right to make a complaint at any time to the relevant authority that safeguards your interests.

DIFC Data Protection Commissioner Contact Details:

Dubai International Financial Centre Authority

Level 14, The Gate Building

+971 4 362 2222

commissioner@dp.difc.ae

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will publish the most updated privacy notice on our website. You can find this here. We may also notify you in other ways from time to time about the processing of your personal information where we process your data outside of the published privacy notice.

 

Last updated: June 2023