Abu Dhabi Engineering Bank PJSC (“ADCE”, “Bank”, “We” or “Our”)
Data Protection in ADCB is regulated by the United Arab Emirates (“UAE”) Data Protection Law.
Our Contact Information
ADCE is committed to protecting your privacy and your Personal Data.
This Privacy Notice (“Notice”) aims to help you understand what Personal Data we collect, store or process about you, the legal bases on which we do so, the purpose for which we do so, if and whom we share your Personal Data with. This Notice also describes how long we retain your Personal Data.
This Notice describes your rights and the choices you can make in relation to our collection, use and disclosure of your Personal Data.
Further this Notice explains the various measures we have in place to protect the security of your Personal Data and minimise the potential for its unauthorised use, disclosure and destruction.
The terms of this Notice will apply to you when you use our products or services, visit our online services at https://www.adce.com and any of its ancillary pages and websites (the “Websites”), or provide us with your Personal Data.
Please review this Notice periodically as we may update it from time to time to reflect changes in our data practices.
Should you wish to contact us to discuss any questions, concerns and comments you may have regarding your Personal Data that we process, please reach us through our contact details provided in section “Our Contact Information” of this Notice.
Controller
A Controller is an entity who solely, or jointly with others, determines the how and the why of Personal Data Processing. In most cases, we will act as the Controller when Processing your Personal Data.
Processor
A Processor is an entity who processes Personal Data on behalf of another entity, i.e the Controller, and does so solely on the basis of instructions provided by the Controller.
In some cases, ADCE will act as the Processor when Processing your Personal Data on behalf of another ADCB Group entity. In these cases, ADCB will perform the Processing of the Personal Data under the specific instructions from the ADCB Group entity acting as the Controller.
Personal Data and Processing have very specific meanings under Applicable Law. It is important that you understand these terms.
What is Personal Data?
Personal Data means data which relates to a living individual who can be identified directly or indirectly from that data. The definition includes a wide range of personal identifiers that constitute Personal Data, including names, identification numbers, location data or online identifiers, reflecting changes in technology and the way organisations collect information about people.
Examples of Personal Data include the following:
What is Processing?
Processing means doing anything with Personal Data, e.g. viewing, collecting, using, storing, sharing, manipulating, printing, copying, archiving etc.
Processing activity means any task that involves doing anything with Personal Data.
We have set out a description of why we process your Personal Data in the table below, including what personal data we collect, and the legal basis for such processing.
Processing Activities | Description | Legal Basis |
Tendering |
Personal Data processed:name, contact details, date of birth, passport details, signature. Processing description: We process your Personal Data in order to carry out the full tendering process. Your Personal Data may be shared with the UAE Government Department of Finance upon request. Processing form: physical platform. |
Consent and performance of a contract with an individual |
Project Initiation |
Personal Data processed: name, children’s names, criminal history, date of birth, family book, Emirates ID details, nationality, contact details, signature, spouse’s name. Processing description: We process your Personal Data in order to execute the initial file opening stage after the UAE Government Department of Finance approves a project. Processing form: physical platform. |
Performance of a contract with an individual |
Supervision of Ongoing Projects |
Personal Data processed: name, contact details, date of birth, passport details, signature. Processing description: We process your Personal Data in order to fulfil requests from the UAE Government Department of Finance pertaining to the supervision of ongoing projects. Processing form: physical and digital platform. |
Performance of a contract with an individual and compliance with a legal obligation |
Provisional and Final Handing Over |
Personal Data processed: name, contact details, signature. Processing description: We process your Personal Data as part of the provisional and final handing over of a building. Processing form: physical and digital platform. |
Performance of a contract with an individual |
Additional Funding |
Personal Data processed: name, bank account information, bank statements, citizenship status, contact details, date of birth, emergency contact details, gender, home address, home country address, income details, loan account number, passport details, previous residence address, purchasing history, purchasing tendencies, record of investments, signature. Processing description: We process your Personal Data in order to request a loan to secure additional funds for projects exceeding the Government Price Ceiling. Processing form: physical and digital platform. |
Performance of a contract with an individual |
Managing Legal Cases and Arbitration |
Personal Data processed: name, application and claims history, compensation data, contact details, insurance policy information, signature. Processing description: We may process your Personal Data to manage legal cases. Processing form: physical platform. |
Legal claims |
Complaints |
Personal Data processed: name, contact details, signature. Processing description: We may process your Personal Data in order to review and resolve issues pertaining to your complaints. Processing form: physical and digital platform. |
Performance of a contract with an individual |
KYC Update |
Personal Data processed: Emirates ID, passport copy, income proof, address proof, Visa copy, and Email ID. Processing description: The KYC process is mandatory for identification and verification of your identity when opening an account, and also periodically over time. The objective of the KYC is to prevent us from being used by criminal elements for money laundering activities. Your Personal Data may be shared with Authorities upon request. Processing form: digital platform, email attachments, CIF update from branches. |
Performance of a contract with an individual and compliance with a legal obligation |
Business Operations |
We may process your Personal Data to manage and improve our business operations, for example, our internal governance functions, which may include monitoring communications. Such Processing may be necessary for our business and compliance purposes, accounting and audit purposes and to comply with our legal obligations. |
Performance of a contract with an individual |
Marketing |
We may process your Personal Data for marketing purposes to provide you with information about services that you may be interested in. We will obtain Express Consent before using and sharing your Personal Data for direct marketing or transferring the Personal Data to any third parties for direct marketing. You may place your request to stop receiving marketing messages at any time. In order to do so, follow guidance in section “Marketing From Us” of this Notice. |
Consent |
Analysis |
We may process your Personal Data for the purposes of performing statistical analysis and conducting market research. This enables us to better understand our Customer base and the markets in which we operate, or may wish to operate. |
Performance of a contract with an individual |
Websites |
The Personal Data that we process when you are browsing our Websites, such as your Internet Protocol (“IP”) address is processed so that we can create, manage, monitor, improve and maintain your experience on our Websites. |
Consent |
Assisting You in the Exercise of Your Rights |
Should you make a request to exercise your legal and regulatory rights, we will respond to you as per our legal obligations and Applicable Law. |
Compliance with a legal obligation |
Retention |
After your agreement has ended we will retain your Personal Data in accordance with our record retention procedures and to comply with our legal obligations and Applicable Law. |
Compliance with a legal obligation |
We may collect your Personal Data from two primary sources
Directly From You
We may collect your Personal Data directly from you in a number of ways, including the following:
Indirectly From Other Parties
We may obtain your Personal Data indirectly from third parties in the following ways:
If you are contacting us through a third party, then they should have provided you with their own privacy notice in order to inform you how they may process your Personal Data.
Where we need to collect Personal Data due to applicable legislative requirements or professional standards and you fail to provide that data when requested, we may have to decline a request for services or, if we are already supplying services, suspend or stop providing you with our services. We will notify you if this is the case at the time.
The security of your Personal Data is important to us. We have designed and implemented appropriate measures to prevent your Personal Data from being disclosed, modified or destroyed without sufficient authorisation. These measures address several dimensions of data security including and not limited to the following:
Whilst we take measures to secure your Personal Data, risks to data security do exist, and there is always a possibility of unauthorised use, disclosure, modification and/or destruction of your Personal Data. In the event of such a Personal Data Breach, within the limits of Applicable Law, we will notify you about it and its likely consequences, measures taken by us to mitigate the increased risk and avenues available to you to mitigate the risk as a result of the Personal Data Breach.
For reporting Personal Data Breaches or further information on how we respond to and handle Personal Data Breaches, please contact us at [email protected].
Under the UAE Federal Decree-Law No. 45 of 2021, individuals are afforded a set of rights over their Personal Data as set out below:
Please contact us if you would like to know more about the above rights or to exercise any of them.
ADCE will maintain the following obligations in relation to your rights concerning our Processing of your Personal Data:
We may, as required for the purposes listed above, transfer your Personal Data for processing outside the UAE. In such cases we will ensure that the protection measures, as required by the Law, are in place.
In addition, we will take such steps as are necessary to ensure appropriate safeguards apply to maintain the same levels of protection as required under Applicable Law. These safeguards include, but are not limited to:
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your data. For further information, please see section “Your Rights in Relation to Our Processing of Your Personal Data”.
You will only receive direct marketing communication from us where we have obtained your Express Consent.
You may place your request to stop receiving marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting the ADCB Group Customer Care Team on the following numbers: within UAE 600 50 2030, outside UAE +971 2 6210090 at any time.
Where you opt-out of receiving our marketing messages, this will not apply to Personal Data provided to us for other purposes.
We may share your Personal Data with the parties set out below for the purposes set out in this Notice:
We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow third parties to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
Term | Definition |
ADCE | means Abu Dhabi Commercial Engineering Services and any of its branches, successors and assignees. |
Authority(ies) | means legal, supervisory, regulatory, governmental and quasi-governmental bodies such as the UAE Central Bank, the Securities and Commodities Authority (“SCA”), fraud prevention agencies, tax authorities etc. |
Automated Processing | means Processing that is conducted using an electronic application or system that operates automatically, either independently without any human intervention or under the supervision and limited intervention of a human. |
Applicable Law(s) | means all Applicable Law(s) relating to the Processing of Personal Data and privacy, in each case which are in force at the date on which this policy is updated in the UAE including the UAE Data Protection Law. |
Biometric Data | means any Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of the Data Subject, which allow the identification or confirm the unique identification of the Data Subject, such as facial images or fingerprints. |
Consent | means the Consent by which the Data Subject authorises ADCE or third parties to process his Personal Data, provided that such Consent is clear, specific and unambiguous indication of the Data Subject's agreement, by a statement or by a clear affirmative action, to the Processing of his Personal Data. |
Controller(s) |
means, as per the CPS, a natural or legal person, public authority, agency, or other body that has the authority over the Processing of Personal Data. This entity is the focus of most obligations under privacy and Applicable Law. It controls the use of Personal Data by determining the purposes for its use and the manner in which the data will be processed specific to their biological, physical, biometric, physiological, mental, economic, cultural or social identity. means, as per the UAE Data Protection Law, the establishment or the natural person who is in the possession of the Personal Data and who, by virtue of its activity, alone or jointly with other persons or establishments determines the means, methods, criteria and purposes of the Processing of such Personal Data. |
Customer(s) | means anyone who uses, participates in, purchases any ADCE service. |
Data Breach(es) |
means, as per the CPS, any unauthorised or accidental loss, misuse, modification, access, disclosure or Destruction of Personal Data. means, as per the UAE Data Protection Law a breach of information security and Personal Data through unauthorised or unlawful access thereto, including replication, transmission, distribution, exchange, transfer, communication or Processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed. |
Data Protection | means the protection of Personal Data. |
Data Protection Officer or DPO | means any natural or legal person appointed by the Controller or the Processor who undertakes responsibilities to verify that the entity he belongs to complies with the Personal Data Protection controls, requirements, procedures and rules provided for herein, and to verify the integrity of its systems and procedures to achieve the compliance with the provisions hereof. |
Data Protection Regulator | means any governmental or regulatory body or authority with responsibility for monitoring or enforcing Applicable Law, for example the Emirates Data Office (“The Office”), as per the UAE Data Protection Law. |
Data Subject(s) |
means, as per the CPS, any individual, who can be identified (either directly or indirectly) through one or more elements of Personal Data that are collected, used, shared, or otherwise processed as part of ADCE’s operations. means, as per the UAE Data Protection Law, the natural person to whom Personal Data relates. |
Data Subject Right(s) | means the set of rights afforded to individuals located in UAE, as per Applicable Law, who request information about the Personal Data collected or stored by ADCEand to exert choice or control over how that data is used by ADCEin accordance with Applicable Law. |
Destruction of Personal Data | means Personal Data no longer exists. |
Employee(s) | means full time staff of ADCE. |
Express Consent | means an indication that the Data Subject has given an active, clear and unambiguous agreement for their Personal Data to be used in a specific way, including, for example by signing a document, sending an email. |
Know Your Customer or KYC | means mandatory requirements to ensure updated information about ADCE’s Customers, to perform identity verification and prevention of illegal transactions through the business relationship with ADCE such as money-laundering, identity theft. |
Loss of Personal Data |
means that the Controller has lost control or access to the Personal Data. |
Personal Data | means any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, image, identification number, online identifier, geographical location, or one or more physical, physiological, economic, cultural or social characteristics. Personal Data includes Sensitive Personal Data and Biometric Data. |
Processing | means any operation or set of operations performed upon Personal Data using any electronic means including the Processing or other means, including collection, storage, recording, organisation, adaptation or alteration, communication, modification, retrieval, exchange, sharing, use, description, disclosure by broadcasting, transmission, dissemination, or otherwise making available, formatting, merging, restriction, blocking, erasure, destruction or creation of a model of Personal Data. |
Processor(s) | means an establishment or a natural person who processes Personal Data on behalf of the Controller and under his supervision and instructions. |
Profiling | means a form of Automated Processing consisting of the use of Personal Data to evaluate certain personal aspects relating to the Data Subject. |
Recipient(s) |
means the entity to whom Personal Data is transferred. Target sectors to which Personal Data is transferred include, but is not limited to:
|
Sensitive Personal Data | means any data that directly or indirectly reveals a natural person’s family, ethnic origin, political or philosophical views, religious beliefs, criminal record, Biometric Data, or any data related to such person’s health and consisting of his physical, psychological, mental, cognitive, genetic or sexual status, including any information related to the provision of healthcare services to him which reveal his health condition. |
UAE | means the United Arab Emirates. |
UAE Data Protection Law |
means Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data issued by the Cabinet of United Arab Emirates. Document Reference No.: Version No.: 1.0 Document uncontrolled when printed |
Document Classification: Internal | Date of Issue: 28/2/2022 |