Introduction

We are committed to protecting and respecting your privacy. This Privacy Notice (this “Notice”) governs the collection and use of personal data by Dubai Holding Corporate LLC, its affiliates or any company it controls. It explains how and why we use your personal data and applies to the personal data that you provide us directly, or which we may obtain from other sources.

We may use your personal data for any of the purposes described in this Notice, or as otherwise stated at the point of collection. For more information about Dubai Holding Corporate LLC please see www.dubaiholding.com.

References to "our", "us" or "we" within this Notice are to Dubai Holding Corporate LLC, Dubai, United Arab Emirates, P.O. Box 66000, privacyoffice@dubaiholding.com.

Who we are

We are the data controller of your personal data. We decide how and why your personal data is processed, either alone or jointly with others.

If you visit our venues or use our facilities and services, the entity which manages the relevant venue, facility or service will also be a data controller in respect of your personal information. You can access a ‘Data Controller List’ here, which sets out all of our different entities and their contact details. This will enable you to identify the relevant entity that holds, processes, and secures your personal data and is the data controller in relation to your personal data.

Information covered by this notice

In this Notice we refer to “processing” your “personal data”.

Processing is taken to mean anything that is done to or with personal data (including simply collecting, storing or deleting that data).

Personal data is any information relating to an identified or identifiable living person (for example, name, address, telephone number).  When “you” or “your” are used in this Notice, we are referring to the relevant individual who is the subject of the personal data. Relevant individuals may include Primary Customers, Secondary Customers, and Children (as defined below).

Primary Customer: The individual or entity directly engaging with our services or products.

Secondary Customer: Individuals associated with the Primary Customer who benefit from or are involved in the service.

Children: Any individuals below 16 years of age

Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.

Our use of cookies

Where we may use cookies, you can also control the data stored by cookies and withdraw consent to cookies by using the browser-based cookie controls described in our Cookie Policy available on our websites.

What personal data do we collect from you and how do we use it?

To provide services to you, we may process different categories of personal data whilst adhering to the data minimization and purpose limitation principles in accordance with the applicable data protection law. As described below:

Contact Details: Includes, but is not limited to, home address, home/personal mobile number, personal email address, and emergency contact number.

Identification Data: Includes, but is not limited to, name, title, company, individual physical description, photo, citizenship, nationality, passport data, visa information, driver’s license information, resident country's ID, marriage certificate, birth certificate, education certificates, national/social insurance number (if applicable), health insurance, government retirement plan information, and tax reference/ID (if applicable).

Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.

Web Data: Includes, but is not limited to, cookies, user activity logs, IP address, social media profile, and website visitor interaction data.

Financial Data: Includes, but is not limited to, card details and bank details.

Other Personal Data: Includes, but is not limited to, date of birth, age, gender, voice recording, religion, languages spoken, place of birth, marital status, country of residence, family, signature and driving license number.


The reason these categories of personal data are processed, along with our lawful basis for doing so, are set out in the table below:

Personal Data Directly Obtained from You

CCTV: We use CCTV in our premises in order to better ensure the safety and security of our customers and our staff. It is in our legitimate interest to process any personal data captured. Your personal data will not be kept longer than necessary to meet the purposes detailed above. CCTV signage is in place where required by local laws or regulations.

Description of Processing Purpose for Processing Category of Personal Data Lawful Basis Storage Period
External Business Operations
We process your personal data for marketing purposes (e.g. personalising offers and for lead generation activities), as well as for analytics purposes. Marketing and Analytics services Identification Data, Contact Details, Web Data, Other Personal Data As appropriate we will process your personal data in reliance upon consent provided, or for our legitimate interest. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data when managing and fulfilling bookings, reservations and requests. Customer service and processing/fulfilling orders and transactions Contact Details, Identification Data, Other Personal Data, Web Data, Travel / Stay Information and Financial Data Contract and Legitimate Interest 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data during your visit (e.g. in order to provide Wi-Fi to you). Customer Service Contact Details, Identification Data, Other Personal Data, Web Data and Travel / Stay Information Consent and Legitimate Interest 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for competition and event purposes. Customer service and processing/ fulfilling orders and transactions Contact Details, Identification Data, Other Personal Data, Sensitive Data We process personal data in line with our contractual obligations. We may also rely upon legitimate interest to process your personal data. Where applicable, we also rely upon your explicit consent to do so. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data to collect, manage and analyse membership information. Maintaining / Servicing Accounts Identification data, Contact details As appropriate, we will process your personal data in reliance upon consent provided. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
Internal Business Operations
We process your personal data for service and quality monitoring purposes. Customer service Contact Details, Identification Data, Other Personal Data and Financial Data Legitimate Interest 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in order to conduct surveys, obtain feedback and manage and progress complaints as necessary. Customer Service Contact Details, Identification Data, Other Personal Data, Web Data, Travel / Stay Information and Financial Data Legitimate Interest 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for procurement purposes, such as vendor management and contract management. Supporting Services Identification Data, Contact Details, Financial Data We process personal data in line with our contractual obligations. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for invoicing and payment purposes. Account Management Identification data, Contact details, Financial data We process personal data in line with our legal obligations. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for management and audit of our business operations including accounting. Financial Management Identification data, Contact details, Financial data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data to comply with legal requirements and exercise or defend legal claims. Litigation & Disputes Identification data, Contact details We process personal data in line with our legal obligations. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for security purposes and to ensure secure backup and archival of IT Systems. Security Purposes Identification data, Contact details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for application management and support purposes, and to respond to customer requests. Security Purposes Identification Data, Contact Details, Financial Data, Web Data, Other Personal Data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in relation to the usage of Wi-Fi services provided at our locations. Security Purposes Identification Data, Contact Details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for management of call center queries and related activities. Customer Service Identification Data, Contact Details, Other Personal Data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for identifying, investigating, and mitigating incidents, such as if a personal data breach occurred. Governance, Security Purposes Identification data, Contact details, Web data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for whistleblowing purposes. Governance Identification data, Contact details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process personal data for disaster recovery purposes. Governance Identification data, Contact details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for internal audit and risk management purposes. Audit Purposes Identification data, Contact details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data to facilitate application integration within our systems. Security Purposes Identification Data, Contact Details, Financial Data, Web Data, Other Personal Data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in relation to incidents and accidents. Health & Safety Identification data, Contact details, Sensitive Data As appropriate, we will process your personal data in reliance upon explicit consent provided by you or for vital interests. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in order to provide medical care where required. Health and Safety Contact Details, Identification Data, Other Personal Data, Web Data and Travel / Stay Information Consent, Vital Interest and Legal obligation 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in order to improve the services we provide. Customer Service Contact Details, Identification Data, Other Personal Data, Web Data, Travel / Stay Information and Financial Data Legitimate Interest 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for sales operations including building relationships through leads and on boarding new customers. Business Development Identification Data, Contact Details, Financial Data We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data for market research purposes. Strategy Identification Data, Contact Details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.
We process your personal data in line with our corporate social responsibility commitments. Corporate Social Responsibility Identification Data, Contact Details We rely upon legitimate interest to process your personal data. 7 years from the date of last transaction with the customer. For sensitive data, 2 years from the data of last transaction with the customer.


Personal Data Indirectly Obtained from Others

We may also receive some information about you from third parties. These are further detailed below:

Medical Service Providers: As necessary, we obtain your personal data from medical service providers when accidents and incidents occur, as well as in order to provide medical care when required.

Financial Service Providers: As necessary, we obtain your personal data from financial service providers for membership information purposes and to fulfill contracts or services.

Social Media Platforms: As necessary, we obtain your personal data from social media platforms for analytics purposes, in order to manage and progress complaints, for marketing purposes, in order to improve the services provided and to conduct surveys.

To the extent necessary, we will also receive your personal data from other entities within the Dubai Holding Corporate LLC group of companies, including our subsidiaries and holding companies.

Legitimate Interest

Where we rely upon legitimate interest as a lawful basis, we have balanced your rights and freedoms against our interests, or those of any third parties, and determined your rights are not infringed. Legitimate Interest is where your personal data is processed for either our own interests or the interests of third parties. This can include commercial interests, individual interests, or broader societal benefits.

How do we use your personal data?
Personal data usage
How long do we keep your personal data?

Your personal data will not be kept longer than necessary to meet the purposes detailed above. The criteria that we use to determine how long we will keep your personal data includes the period of time during which we have an ongoing relationship with you, and whether we have a legal obligation to store it (for example, for accounting purposes or for litigation, or regulatory investigations purposes). For the storage period please refer to the section titled "What do we collect from you and how do we use it ?" above.

Should retention of your personal data no longer be required we will remove it from our systems and records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).

Who do we share your personal data with?

Where necessary to fulfil the purposes described in this Notice, we shall disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.

To the extent necessary, and where we have a lawful basis to do so, we will also share your personal data with other entities within Dubai Holding Corporate LLC’s group of companies, including our subsidiaries and holding companies.

Where we share personal data, we do so with the following parties for the following purposes:

Category of Third-Party Purpose for Disclosure
Legal and Professional Advisers Audits, Invoicing, Legal Requirements, Transaction processing, Accident and Incidents, Comply with legal requirements and exercise or defend legal claims, Competition and events and IT security.
Health Providers Accident and Incidents, Comply with legal requirements and exercise or defend legal claims and Medical care
Finance, Insurance and Credit Providers Invoicing, Payment Processing, Insurance, Valuation
Government Bodies, Regulators Audits, Customer Queries, Invoicing, Legal Requirements, Improving our Service, Progress the Transaction
IT, Digital, Technology and Telecoms Audits, Customer Queries, Application Security and Support, Improving our Service, Analytics, Marketing and Memberships
Marketing and Research Services Providing services and Marketing
Education and Childcare Providers Providing services and IT security, Education Providers and Improving our Service
Membership Associations IT security, Marketing and Memberships
How do we protect your personal data?
Artificial Intelligence and Machine Learning
Profiling

Where we have a lawful basis to do so, we will use your personal data to evaluate certain personal aspects about you, such as to analyse or predict aspects concerning your economic situation, personal preferences, interests, reliability, behaviour, location, or movements. This is known as “Profiling”. We undertake Profiling, which can involve the use of artificial intelligence, to tailor our services and marketing efforts, or to improve our offerings. By using Profiling, you or individuals with similar profile characteristics as you, may receive a more personalised experience with us or offers from us. You have the right to object to Profiling where we have used it to conduct direct marketing or where it is based on our legitimate interests. Please see section on “Your rights” for further information.

Specific details about profiling and automated decisions involving candidates
Where we store/transfer your personal data?

When processing your personal data, we may transfer this to third parties based in other countries, to the extent necessary to fulfil the purposes described in this Notice. Your personal data may be transferred within the Dubai Holding Corporate LLC’s group of companies, including to our subsidiaries and holding companies. Such transfers shall always be done in compliance with relevant data protection laws. The majority of personal data processed by us is stored in the United Arab Emirates, where the appropriate data protection measures are in place.

For transfers of personal data from the UK and European Economic Area (“EEA”) we transfer personal data to entities outside the EEA, under the EU Standard Data Protection Clauses. Further information about transfers can be obtained by contacting us using the following email address privacyoffice@dubaiholding.com.

To the extent required, we will also transfer your personal data to third parties in connection with a reorganization, restructuring, merger, acquisition, or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with applicable laws and requirements.

Security of your personal data

We have implemented technology and operational security measures in order to protect personal data from loss, misuse, alteration, or destruction. Only authorised persons are provided access to personal data; such individuals have agreed to maintain the confidentiality of this personal data.

Third party websites and apps
Your rights

You may have certain rights relating to your personal data. However, these rights can differ depending upon the country in which you are located. That country’s law will determine which rights apply and in what instances.

Right to withdraw consent

Where you have provided your consent to us, you will always have the right to withdraw this at any time. You can do this by either by following the information provided at the time you provided your consent, or by contacting us using the following email address privacyoffice@dubaiholding.com. The withdrawal of consent will not affect any processing that was based on consent before its withdrawal.

Right to request correction of your personal data

You will always have the right to request that we correct and update any personal data that we process about you that is inaccurate or incomplete. You can do this by contacting us at privacyoffice@dubaiholding.com.

Additional Data Protection Rights

Certain Data Protection Regulation also provide you with additional rights which may allow you to:

- upon request, be provided access to, or copies of, your personal data that we process;

- upon request, restrict the processing of your personal data;

- upon request, delete your personal data which we process;

- object to our processing of your personal data; or

- upon request, obtain a copy of your personal data which we process in a commonly used and machine-readable format.

- lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred

It is important to understand that these rights are not absolute (e.g. their application may depend upon the lawful basis we rely upon to process your personal data) and that we may require further information from you (e.g. to confirm your identity) to action your request. You can enquire whether these rights apply to you by contacting us using the following email address at privacyoffice@dubaiholding.com.

AI Implications

Artificial Intelligence (AI) Systems:

We use AI Systems that process personal data to enable us to improve our services and user experiences. We remain vigilant when using AI to protect personal data, ensuring customer privacy, and preventing unauthorised or fraudulent activity. Our customers and stakeholders shall remain confident that personal data is adequately protected with us, especially in cases where AI is used to deliver the product or service, as this may infer heightened protection where AI is deployed.

How we use AI Systems

This notice gives you information on how we protect your personal data in our use of the AI System.

Personal data may be processed within our AI Systems. We remain the data controller for your personal data when it is processed while using our AI Systems. We process personal data in accordance with the relevant data protection laws. In the case where we have engaged a processor, we have mandated contracts that uphold our standards in compliance with the relevant data protection laws.

We will sometimes process customers' personal data when using AI Systems. We have regulated the use of AI internally, weighed the opportunities and risks in advance of our use of AI and ensured appropriate human supervision where important matters are concerned. Where we offer dialogues with an AI, we will make this evident and, if necessary, point out potential errors.

Personal Data Processed by AI Systems

We may collect personal data either directly from you, third parties or public sources. We process your personal data using AI Systems to improve the efficiency, quality, and speed of our business processes and for the purpose of providing services. When using AI systems, we may process various types of personal data. For more information, please refer to the section titled "What do we collect from you and how do we use it?".

In limited circumstances, we may process sensitive data through the AI System, but we will ensure that we have the necessary lawful basis in place before doing so. Where we process your existing personal data we will continue to rely on the appropriate lawful basis for that processing activity. In certain instances, we engage data processors; however, they are unable to access any of your personal data entered in the AI Systems. We have mandated contracts with data processors to ensure that your personal data is protected.

Contact us

If you want to exercise any of the rights set out above or have any questions or concerns about how we treat your personal data, please contact us at privacyoffice@dubaiholding.com or by writing to us at: Dubai Holding Corporate LLC, P.O. Box 66000, Dubai, United Arab Emirates. Please include your reply address when you write to us.

Changes to this Notice

We keep this Notice under regular review. We reserve the right, at our discretion, to change, modify, add, or remove sections of this Notice at any time. You are also encouraged to review this Notice from time to time for updates. We will notify you of any changes (including when they will take effect) if we are required to do so by data protection laws.