Data Privacy Statement
The Entrepreneur’s Investment Office Ltd (“EIO”, “We”, “Our” or “Us”) respects an individual’s privacy and complies with the applicable data protection laws in the Dubai International Financial Centre ("DIFC"). We issue this Data Privacy Statement in light of the DIFC Data Protection Law 2020 (“DPL”) and the EU General Data Protection Regulation (“GDPR”). This Data Privacy Statement (“the Statement”) sets out how EIO, as a data controller, will collect and use personal data.
Any reference to “You” or “Your” in this Statement is meant to include:
(a) a natural person who may be a client, a prospective client, supplier, business partner, introducer; or
(b) a natural person who may be a director, officer, staff, shareholder or beneficial owner of a prospective client, a client, supplier, business partner or introducer (“connected individual”).
We should be grateful if You would make the notice available to anyone whose data We may obtain in the context of Our relationship with You or Your organisation.
This Statement is relevant and applicable to natural persons and connected individuals of whom We collect personal data. The Statement sets out Our practices when using personal data in the context of business relationships with a prospective client, a client, supplier, business partner or introducer to whom EIO provides, or from whom EIO receives any product or service, and/or with whom EIO enters into any transaction.
2. Key Terms Explained
Personal Data
Any data or information relating to an identified natural person or Identifiable Natural Person. For example, Personal Data may include an individual’s name, age, home address, income, marital status, education and employment information. This includes reference to “client data”, which includes but is not limited to any information such as ID, identity information, domicile, address, corporate information, accounts, financial and facilities statements and transactions, financial, investment and credit products, trusts, funds, investment vehicles and transactions etc., which is disclosed and contemplates “personal data” that identifies a living individual.
Sensitive Personal Data
Personal Data revealing or concerning (directly or indirectly) an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade‐union membership and health or sex life.
Identifiable Natural Person
A natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.
Data Subject
A natural person to whom Personal Data relate.
Data Controller
Any person in DIFC (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the Processing of Personal Data. EIO is the Data Controller with regard to the personal data it collects.
Data Processor
Any person (excluding a natural person acting in his capacity as a staff member) who Processes Personal Data on behalf of a Data Controller. With regard to EIO, where applicable, it includes outsourced service providers, business partners, introducers, and group entities.
Processing
Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly. The meaning of Processing is very broad and covers almost any action involving Personal Data.
Recipient
Any person to whom Personal Data are disclosed, whether a third party or not, but does not include any disclosure made to an authority or any power conferred by law.
Third Party
Any person other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct control of the Data Controller or the Data Processor, are authorised to Process the Personal Data.
3. Who is responsible for handling of Your personal data?
Under the DPL, such role lies with the “data controller”, namely:
The Entrepreneur’s Investment Office Ltd
1102E, Level 11, Burj Daman,
Dubai International Financial Centre,
Dubai, UAE, PO Box 482079
If You wish to exercise Your individual rights, or to raise any questions, concerns, or complaints concerning this Statement or Our data protection practices, You can contact Us at firstname.lastname@example.org
We are required to handle (or “process”) personal data securely and in accordance with applicable data protection laws.
4. What personal data might We hold about You and where do We source such data?
We will only hold data about You that is relevant in the context of the business relationship which We have with You or with entities where You may be regarded as a “connected individual”. Most of this information We will obtain directly from You. We may also obtain personal data from a range of other sources, which may include a prospective client, a client, supplier, business partner or introducer of which You are regarded as a connected individual (by virtue of being a beneficial owner, shareholder, director, authorised signatory or staff member), publicly available sources (e.g. the press, registers of companies or assets, internet websites, including social media platforms like LinkedIn) and providers of business-risk screening services, such as credit reference agencies, anti-fraud databases, WorldCheck, sanctions lists and databases of news articles.
The types of personal data that We process may include (but are not limited to):
Contact information: name, address, telephone, e-mail address and other contact information We use to communicate
KYC (“Know Your Customer”) records, such as passport, visa, emirates ID details, any national ID number, date and place of birth, nationality, citizenship, marital status, dependants, information to determine whether the individual is a Politically Exposed Person (PEP), or has a criminal record or any adverse media, etc.
Financial information with regards to source of wealth, source of funds including past employment and qualifications, income, pension, investments, assets, liabilities, creditworthiness, bank account details, specimen signature, investment objectives, knowledge of financial products and services, risk appetite, tax status, domicile, etc.
Communications information includes communications by e-mail, recordings of telephone calls and conference calls (includes MS Teams, Zoom, WebEx, etc.) and/or post in the course of Our interactions with You
5. What will We use Your personal data for and on what legal basis?
EIO processes Your personal data for various purposes in accordance with the provisions of the DPL, and, where applicable, the European GDPR and only uses such personal data where EIO has a lawful basis for using it. The lawful basis and purposes include processing:
For the performance of a contract / transaction
In order to provide advisory and financial services as per the terms of the contract / transaction or potential contract / transaction with You, or to take steps prior to entering into a contract.
The purposes of data processing are primarily dependent on the specific services provided by EIO: e.g. advisory, arranging custody, advising and arranging on credit facilities, etc. and can include needs assessments.
For compliance with the applicable law
As a regulated firm, We are subject to a number of statutory and regulatory obligations that may require Us to collect, store or disclose personal data, such as for anti-money laundering purposes or to respond to investigations or disclosure orders from the police, regulators, and tax or other public authorities (including outside the DIFC).
For limited purposes, such as in the case of undertaking AML, KYC and PEP checks and related actions, it may be necessary to process sensitive personal data such as criminal conviction or adverse media records. In these circumstances, We will process personal data only when there is a legal basis We can rely on under the applicable law and legislation.
For the purposes of legitimate interests
Where necessary, We process Your personal data to serve Our legitimate interests or those of a third party to whom the Personal Data has been made available. A legitimate interest will apply in so far as such interests are not outweighed by Your legitimate interests. The legitimate interests to process Your personal data include (but are not limited to):
Know-your-customer and creditworthiness checks;
Credit assessment in order to determine whether to onboard You;
Business analysis and development of products and services;
Activities relating to information security;
Managing the risks and optimising the efficiency of EIO;
Recording of telephone lines and monitoring of electronic communications for business and compliance purposes;
Prevention and detection of fraud and financial crime;
Evaluating, bringing or defending legal claims;
Marketing of EIO products/services (unless You have objected/unsubscribed).
On the basis of Your consent
If We wish to process Your personal data in a way not covered by the legal justifications above, We will need Your consent. Where You give consent, You are entitled to withdraw it at any time. Note that withdrawing Your consent does not render Our prior handling of Your personal data unlawful and that it might have an impact on Our ability to continue to provide Our services in the same way in future, as illustrated below.
There are some categories of personal data which the law deems so sensitive that We generally need an individual’s consent to be able to store and use it. If You voluntarily provide Us with such information in circumstances where this could be relevant to the financial products and services We offer You (as could be the case for appropriate investment planning or Islamic financing) or for broader relationship management purposes, We will take it that this constitutes Your consent to use this information as appropriate. You could withdraw that consent but it may hamper Our ability to ensure You receive the most suitable advice for Your circumstances.
6. Who do We share personal data about You with?
Where necessary to fulfil Your instructions to Us and for the other purposes outlined above, We may share information about You with a range of recipients including (but not limited to) the following:
Our affiliated Group companies for the purposes as set out in this Statement;
Credit reference and other third-party agencies / suppliers in order to carry out AML/KYC/PEP and creditworthiness checks and comply with the applicable law;
Third parties who have introduced customers, suppliers or agents to Us, such as financial service providers, in order to process the data for the purposes as set out in this Statement;
Third parties who work on Our behalf or for the customer to service or maintain customer accounts, such as business partners;
Third parties who provide technical services, such as suppliers of IT systems, which We use to process that personal data;
Third parties providing services to Us such as Our professional advisers (e.g. auditors and lawyers);
Competent authorities such as tax authorities, courts, regulators and other government agencies, security or police authorities where required or requested by law, or where We consider it necessary (to the extent permitted by law); and
Subject to applicable laws, in the event that EIO is merged, sold, or in the event of a transfer of some or all of Our assets (including in bankruptcy), or in the event of another corporate change, in connection with such transaction.
We will only disclose information about You as permitted under the DPL.
7. Where might We transfer Your data?
We may transfer and maintain the personal data covered by this Statement on servers or databases outside the DIFC, in particular to EIO Group companies. In most cases, the jurisdictions outside the DIFC to which EIO sends personal data are the United Arab Emirates, the United Kingdom, Europe and Canada. However, such transfers will only be made where permitted by the DPL.
Where the jurisdiction may not have the equivalent level of data protection laws as in the DIFC and We transfer Your personal data outside the DIFC, We will use, share and safeguard that personal data as described in this Statement. When transferring personal data to a location which does not have laws recognised as providing an adequate level of protection for personal data, EIO requires the Recipient to apply the same level of protection to Your data as would be necessary in the DIFC.
8. How long do We store personal data for?
We will retain Your personal data for as long as required to fulfil the purposes for which the data was collected, depending on the legal basis on which that data was obtained and/or whether additional legal/regulatory obligations mandate that We retain the personal data. In general terms, this will mean that personal data will be kept for the duration of Our relationship with You as well as beyond Our relationship to comply with the record keeping requirements under the applicable law.
If the personal data is no longer required in order to fulfil contractual or statutory obligations, it is regularly deleted, unless its further processing – generally for a limited time – is required for the following purposes:
Compliance with records retention periods under applicable commercial and tax law: for example, the DFSA Rulebook including AML; this may also include, where applicable, the UAE Federal Law on VAT;
Preservation of evidence in accordance with statutes of limitations;
As long as it is necessary for You to be able to bring a claim against Us and for Us to be able to defend Ourselves against any legal claims. This will generally be the length of the relationship, the length of any applicable statutory limitation period under applicable law.
In certain circumstances, personal data may need to be retained for a longer period of time, for example, where We are in ongoing correspondence or there is a continuing claim or investigation.
9. What are Your rights in relation to the personal data?
You will have certain rights in relation to Your personal data. Some of these rights will only apply in certain circumstances. If You would like to exercise, or discuss, any of these rights, You should submit a request to email@example.com and provide sufficient information to allow Us to understand the scope of the request.
You are entitled to ask Us whether We are processing Your personal data and, if We are, You can request access to Your personal data. This enables You to receive a copy of the personal data We hold about You and certain other information about it.
If Our processing is based on consent, You can withdraw Your consent at any time by contacting firstname.lastname@example.org. This will not affect the lawfulness of processing based on consent before such withdrawal.
You are entitled to request that any incomplete or inaccurate personal data We hold about You be corrected.
You are entitled to ask Us to delete or remove personal data in certain circumstances. There are also certain exceptions where We may refuse a request for erasure, for example, where the personal data is required for compliance with the applicable law, or in connection with claims.
Where We are processing personal data based on legitimate interests (or those of a third party), an individual may challenge this. However, We may be entitled to continue processing personal data based on Our compelling legitimate interests or where this is relevant to legal claims. You also have the right to object where We are processing personal data for direct marketing purposes.
You are entitled to ask Us to restrict the processing of Your personal data, for example if You want to establish its accuracy or the reason for processing it.
You have the right to receive Personal Data that You have provided to Us in a structured, commonly used and machine-readable format. You also have the right to direct Us to transfer this data to any other person where technically feasible.
Right to lodge a complaint
You also have the right to lodge a complaint with the DIFC Commissioner of Data Protection and also, where applicable, with a supervisory authority in the Member State in the European Union where You are habitually resident, where You work or where an alleged infringement of the applicable data protection legislation has taken place.
10. Marketing communications
We may use Your personal data to give You information about products and services offered by Us or Our affiliates that We think You may be interested in receiving. Where We consider it appropriate, and so far as compliant with marketing laws, We may contact You in this regard by email or telephone. You can opt out of, or object to, receiving marketing by contacting email@example.com.
Additionally, We will ensure that any outside companies assisting Us in marketing Our products and services, or with whom We have marketing agreements, are under contractual obligations to protect the confidentiality of personal data, and to use it only to provide the services We have asked them to perform.
11. Are You under an obligation to provide Us with Your personal data?
You are not required by law to provide Us with Your personal data. However, if You refuse to do so We may not be able to conduct further business with You. For example, in order to satisfy Our anti-money laundering obligations We have to verify the identity of Our clients. This inevitably requires Us to collect certain personal data from current and prospective clients.
Amendment to this Statement
This Statement may be amended by EIO from time to time. Amendments shall take effect on the date specified in the relevant Statement. Amended Statements will be issued to clients.