We are committed to protecting and respecting your privacy. This Privacy Notice (this “Notice”) governs the collection and use of personal data by Dubai Holding Corporate LLC, its affiliates or any company it controls. It explains how and why we use your personal data and applies to the personal data that you provide us directly, or which we may obtain from other sources.
We may use your personal data for any of the purposes described in this Notice, or as otherwise stated at the point of collection. For more information about Dubai Holding Corporate LLC please see www.dubaiholding.com.
References to "our", "us" or "we" within this Notice are to Dubai Holding Corporate LLC, Dubai, United Arab Emirates, P.O. Box 66000, privacyoffice@dubaiholding.com.
We are the data controller of your personal data. We decide how and why your personal data is processed, either alone or jointly with others.
If you visit our venues or use our facilities and services, the entity which manages the relevant venue, facility or service will also be a data controller in respect of your personal information. You can access a ‘Data Controller List’ here, which sets out all of our different entities and their contact details. This will enable you to identify the relevant entity that holds, processes, and secures your personal data and is the data controller in relation to your personal data.
In this Notice we refer to “processing” your “personal data”.
Processing is taken to mean anything that is done to or with personal data (including simply collecting, storing or deleting that data).
Personal data is any information relating to an identified or identifiable living person (for example, name, address, telephone number). When “you” or “your” are used in this Notice, we are referring to the relevant individual who is the subject of the personal data. Relevant individuals may include Primary Customers, Secondary Customers, and Children (as defined below).
Primary Customer: The individual or entity directly engaging with our services or products.
Secondary Customer: Individuals associated with the Primary Customer who benefit from or are involved in the service.
Children: Any individuals below 16 years of age
Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.
Where we may use cookies, you can also control the data stored by cookies and withdraw consent to cookies by using the browser-based cookie controls described in our Cookie Policy available on our websites.
To provide services to you, we may process different categories of personal data whilst adhering to the data minimization and purpose limitation principles in accordance with the applicable data protection law. As described below:
Contact Details: Includes, but is not limited to, home address, home/personal mobile number, personal email address, and emergency contact number.
Identification Data: Includes, but is not limited to, name, title, company, individual physical description, photo, citizenship, nationality, passport data, visa information, driver’s license information, resident country's ID, marriage certificate, birth certificate, education certificates, national/social insurance number (if applicable), health insurance, government retirement plan information, and tax reference/ID (if applicable).
Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.
Web Data: Includes, but is not limited to, cookies, user activity logs, IP address, social media profile, and website visitor interaction data.
Financial Data: Includes, but is not limited to, card details and bank details.
Other Personal Data: Includes, but is not limited to, date of birth, age, gender, voice recording, religion, languages spoken, place of birth, marital status, country of residence, family, signature and driving license number.
The reason these categories of personal data are processed, along with our lawful basis for doing so, are set out in the table below:
Personal Data Directly Obtained from You
CCTV: We use CCTV in our premises in order to better ensure the safety and security of our customers and our staff. It is in our legitimate interest to process any personal data captured. Your personal data will not be kept longer than necessary to meet the purposes detailed above. CCTV signage is in place where required by local laws or regulations.
Personal Data Indirectly Obtained from Others
We may also receive some information about you from third parties. These are further detailed below:
Medical Service Providers: As necessary, we obtain your personal data from medical service providers when accidents and incidents occur, as well as in order to provide medical care when required.
Financial Service Providers: As necessary, we obtain your personal data from financial service providers for membership information purposes and to fulfill contracts or services.
Social Media Platforms: As necessary, we obtain your personal data from social media platforms for analytics purposes, in order to manage and progress complaints, for marketing purposes, in order to improve the services provided and to conduct surveys.
To the extent necessary, we will also receive your personal data from other entities within the Dubai Holding Corporate LLC group of companies, including our subsidiaries and holding companies.
Legitimate Interest
Where we rely upon legitimate interest as a lawful basis, we have balanced your rights and freedoms against our interests, or those of any third parties, and determined your rights are not infringed. Legitimate Interest is where your personal data is processed for either our own interests or the interests of third parties. This can include commercial interests, individual interests, or broader societal benefits.
Your personal data will not be kept longer than necessary to meet the purposes detailed above. The criteria that we use to determine how long we will keep your personal data includes the period of time during which we have an ongoing relationship with you, and whether we have a legal obligation to store it (for example, for accounting purposes or for litigation, or regulatory investigations purposes). For the storage period please refer to the section titled "What do we collect from you and how do we use it ?" above.
Should retention of your personal data no longer be required we will remove it from our systems and records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).
Where necessary to fulfil the purposes described in this Notice, we shall disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.
To the extent necessary, and where we have a lawful basis to do so, we will also share your personal data with other entities within Dubai Holding Corporate LLC’s group of companies, including our subsidiaries and holding companies.
Where we share personal data, we do so with the following parties for the following purposes:
Where we have a lawful basis to do so, we will use your personal data to evaluate certain personal aspects about you, such as to analyse or predict aspects concerning your economic situation, personal preferences, interests, reliability, behaviour, location, or movements. This is known as “Profiling”. We only conduct profiling where it will not have a legal or other significant effect on you. We undertake profiling to help tailor our marketing to you.
When processing your personal data, we may transfer this to third parties based in other countries, to the extent necessary to fulfil the purposes described in this Notice. Your personal data may be transferred within the Dubai Holding Corporate LLC’s group of companies, including to our subsidiaries and holding companies. Such transfers shall always be done in compliance with relevant data protection laws. The majority of personal data processed by us is stored in the United Arab Emirates, where the appropriate data protection measures are in place.
For transfers of personal data from the UK and European Economic Area (“EEA”) we transfer personal data to entities outside the EEA, under the EU Standard Data Protection Clauses. Further information about transfers can be obtained by contacting us using the following email address privacyoffice@dubaiholding.com.
To the extent required, we will also transfer your personal data to third parties in connection with a reorganization, restructuring, merger, acquisition, or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with applicable laws and requirements.
We have implemented technology and operational security measures in order to protect personal data from loss, misuse, alteration, or destruction. Only authorised persons are provided access to personal data; such individuals have agreed to maintain the confidentiality of this personal data.
You may have certain rights relating to your personal data. However, these rights can differ depending upon the country in which you are located. That country’s law will determine which rights apply and in what instances.
Right to withdraw consent
Where you have provided your consent to us, you will always have the right to withdraw this at any time. You can do this by either by following the information provided at the time you provided your consent, or by contacting us using the following email address privacyoffice@dubaiholding.com. The withdrawal of consent will not affect any processing that was based on consent before its withdrawal.
Right to request correction of your personal data
You will always have the right to request that we correct and update any personal data that we process about you that is inaccurate or incomplete. You can do this by contacting us at privacyoffice@dubaiholding.com.
Additional Data Protection Rights
Certain Data Protection Regulation also provide you with additional rights which may allow you to:
- upon request, be provided access to, or copies of, your personal data that we process;
- upon request, restrict the processing of your personal data;
- upon request, delete your personal data which we process;
- object to our processing of your personal data; or
- upon request, obtain a copy of your personal data which we process in a commonly used and machine-readable format.
- lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred
It is important to understand that these rights are not absolute (e.g. their application may depend upon the lawful basis we rely upon to process your personal data) and that we may require further information from you (e.g. to confirm your identity) to action your request. You can enquire whether these rights apply to you by contacting us using the following email address at privacyoffice@dubaiholding.com.
Artificial Intelligence (AI) Systems:
We use AI Systems that process personal data to enable us to improve our services and user experiences. We remain vigilant when using AI to protect personal data, ensuring customer privacy, and preventing unauthorised or fraudulent activity. Our customers and stakeholders shall remain confident that personal data is adequately protected with us, especially in cases where AI is used to deliver the product or service, as this may infer heightened protection where AI is deployed.
How we use AI Systems
This notice gives you information on how we protect your personal data in our use of the AI System.
Personal data may be processed within our AI Systems. We remain the data controller for your personal data when it is processed while using our AI Systems. We process personal data in accordance with the relevant data protection laws. In the case where we have engaged a processor, we have mandated contracts that uphold our standards in compliance with the relevant data protection laws.
We will sometimes process customers' personal data when using AI Systems. We have regulated the use of AI internally, weighed the opportunities and risks in advance of our use of AI and ensured appropriate human supervision where important matters are concerned. Where we offer dialogues with an AI, we will make this evident and, if necessary, point out potential errors.
Personal Data Processed by AI Systems
We may collect personal data either directly from you, third parties or public sources. We process your personal data using AI Systems to improve the efficiency, quality, and speed of our business processes and for the purpose of providing services. When using AI systems, we may process various types of personal data. For more information, please refer to the section titled "What do we collect from you and how do we use it?".
In limited circumstances, we may process sensitive data through the AI System, but we will ensure that we have the necessary lawful basis in place before doing so. Where we process your existing personal data we will continue to rely on the appropriate lawful basis for that processing activity. In certain instances, we engage data processors; however, they are unable to access any of your personal data entered in the AI Systems. We have mandated contracts with data processors to ensure that your personal data is protected.
If you want to exercise any of the rights set out above or have any questions or concerns about how we treat your personal data, please contact us at privacyoffice@dubaiholding.com or by writing to us at: Dubai Holding Corporate LLC, P.O. Box 66000, Dubai, United Arab Emirates. Please include your reply address when you write to us.
We keep this Notice under regular review. We reserve the right, at our discretion, to change, modify, add, or remove sections of this Notice at any time. You are also encouraged to review this Notice from time to time for updates. We will notify you of any changes (including when they will take effect) if we are required to do so by data protection laws.
