The Dubai Holding Real Estate LLC entity (“we” or “us”) that you work for is committed to protecting the privacy and security of the personal data of our employees (“you”). By employees, we mean current and former employees, staff, workers and contractors (full-time or part-time, directly employed or outsourced). Whilst we use the term “employee” throughout this notice to apply to all such people, the use of this term does not confer any employment rights. If you belong to any of these groups, this Employee Privacy Notice (“this Notice”) applies to you. We have prepared this Notice to outline your rights in accordance with the applicable data protection laws, in relation to how and why we collect and process your personal data, how we use it, how long we store it for, as well as whom we share it with. However, you should be aware that this Notice does not form part of any contract of employment or services agreement.
You can access a ‘Data Controller List’ here, which sets out all of our different entities and their contact details. This will enable you to identify the relevant entity that holds, processes, and secures your personal data and is the data controller in relation to your personal data.
The Data Controller list refers to the entities or individuals who are responsible for determining the purposes and means of data processing.
Personal data is any information relating to you from which you can be identified. We may collect personal data either directly from you, third parties or public sources. We may process different categories of personal data whilst adhering to the data minimization and purpose limitation principles in accordance with the applicable data protection law. As described below:
- Identification data:
Includes but is not limited to name, employee ID, your photo, payroll ID, business email address, business address, business landline, citizenship, nationality, passport data, Visa information, drivers' licence information, the resident country`s ID, marriage certificate, birth certificate and education certificates, national/social insurance number (if applicable), health insurance, government retirement plan information and tax reference/ID (if applicable); - Other personal data:
Includes but is not limited to date and place of birth, emergency contact details (if applicable), and gender; marital status, electronic signature, device information (including operating system/version, hardware model and unique device identifiers such as MAC address); - Sensitive data:
This includes data that reveals the following about a data subject: racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health; - Contact details:
Home address, home / personal mobile number and personal email address, emergency contact number; - Dependents’ information:
Includes but is not limited to name, telephone number, date of birth, email address; - Employment history and education:
Includes but is not limited to your position, business title, employee type, management level, time type (full or part time and percentage), default weekly working hours, scheduled weekly working hours, working time information, work location, division, department, position level, manager (name and employee ID), support roles, start and end date, CV details, contract status reference, job history (including position history, title history, effective dates and past pay groups), worker history (including log-files of changes in our Human Resources databases) and reason/s for leaving, reference information, qualifications, formal certifications and Grades; - Information about your salary and benefits/fees:
Includes but is not limited to basic salary, bonus and commission entitlements, raise amounts and percentages, insurance benefits (including information about you and your dependants that we provide to the insurer), pension plans, fees paid to you in return for your services, your bank account details and payment dates, and accrued salary and fee information; - Time, and systems/buildings access monitoring information:
Includes but is not limited to CCTV, swipe card access, time recording software, internet, email and telephone usage data, personal vehicle information, like number plate, car registration, and colour details; - Performance and disciplinary information:
Includes but is not limited to performance reviews, evaluations and ratings, reviews of alignment to policies and procedures, information about disciplinary allegations, the disciplinary process and any disciplinary warnings, details of grievances and any outcome, termination of services agreements; - Absence information:
Includes but is not limited to dates of leave of absence/vacation, maternity/paternity/shared parental leave, training/educational leave, national/reserve leave, family care leave/ compassionate leave, medical leave; and - Organisational data:
Includes but is not limited to training records, IDs for IT systems, system permissions, web browsing history, company details, cost centre allocations, and organisations.
We collect, use and process your personal data for a variety of reasons linked to your employment or engagement. To help clarify these the below is a list of why personal data is collected, used and processed (the "Processing Purposes") along with examples where personal data is used for each of the Processing Purposes. Your personal data will not be kept longer than necessary to meet the purposes outlined below. The criteria that we use to determine how long we will keep your personal data includes the period of time during which we have an ongoing relationship with you, and whether we have a legal obligation to store it beyond our working relationship (for example, for accounting purposes or for litigation, or regulatory investigations purposes).
To ensure that the Processing Purposes are completed, your personal data may be shared with any of the entities within the Dubai Holding Group (the “Company Group”) or to third party entities outside of the Company Group. When we share your personal data in this way, it is our policy to limit the categories of individuals who have access to your personal data.
We may share and transfer your personal data to third party entities for Processing Purposes. This includes entities within and outside our own Company Group entities, or affiliated entities located in any jurisdictions where those third party entities are located, as follows:
- Within the Company Group. As your employing/engaging entity is part of a wider group with offices and locations across the globe, we may transfer your personal and sensitive data to, or otherwise allow access to such data, by other Company Group entities, which may use, transfer, and process the data. The following circumstances may require personal data sharing:
- To maintain and improve effective administration of the employees and/or staff
- To facilitate movement of staff into other Company Group entities, including secondments
- To communicate information about the Company Group; to maintain a corporate directory
- To maintain IT systems
- To monitor and assure compliance with applicable policies and procedures, and applicable laws
- To respond to requests and legal demands from regulators and other authorities.
- With Third Parties. As necessary in connection with business operations, work contact details and contact details may need to be transferred to existing or potential business partners, suppliers (e.g. suppliers providing employee benefits), customers, end-customers (for instance, where customer issues have been escalated to you) or government officials and other third parties (e.g. our external advisors) for communication purposes.
- Regulators, authorities, and other third parties. As necessary for Processing Purposes described above, personal data may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), Directors within the Company Group, insurance providers, pensions and benefits providers, internal compliance and investigation teams (including external advisers appointed to conduct internal investigations).
- Acquiring entities. If the Company Group business for which you work is sold or transferred in whole or in part (or such a sale or transfer is being contemplated), your personal data may be transferred to the new employer or potential new employer as part of the transfer itself or as part of an initial review for such transfer (i.e. due diligence), subject to any rights provided by applicable law, including jurisdictions where the new employer or potential new employer are located.
- Data processors. As necessary for the Processing Purposes described above, personal data may be shared with one or more third parties, whether affiliated or unaffiliated, to process personal data under appropriate instructions ("Data Processors"). The Data Processors that we engage with fall into the following categories: suppliers who support us in relation to employee and staff administration, IT system support, payroll and compensation, training, compliance, and other activities. Data Processors will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal data and to process the personal data only as instructed.
We may transfer personal data to recipients in countries outside of the country you work in. In this case, we will put in place appropriate measure to protect the security and confidentiality of your data, to ensure your data is protected adequately. The majority of personal data we collect is stored in the United Arab Emirates, where the appropriate data protection measures are in place.
You may have certain rights relating to your personal data. However, these rights can differ depending upon the country in which you are located. That country’s law will determine which rights apply and in what instances.
Right to withdraw consent
Where you have provided your consent to us, you will always have the right to withdraw this at any time. You can do this by either by following the information provided at the time you provided your consent, or by contacting us using the following email address privacyoffice@dhre.ae. The withdrawal of consent will not affect any processing that was based on consent before its withdrawal.
Right to request correction of your personal data
You will always have the right to request that we correct and update any personal data that we process about you that is inaccurate or incomplete. You can do this by contacting us at privacyoffice@dhre.ae.
Additional Data Protection Rights
Certain Data Protection Regulation also provide you with additional rights which may allow you to:
- upon request, be provided access to, or copies of, your personal data that we process;
- upon request, restrict the processing of your personal data;
- upon request, delete your personal data which we process;
- object to our processing of your personal data; or
- upon request, obtain a copy of your personal data which we process in a commonly used and machine-readable format.
- lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred
It is important to understand that these rights are not absolute (e.g. their application may depend upon the lawful basis we rely upon to process your personal data) and that we may require further information from you (e.g. to confirm your identity) to action your request. You can enquire whether these rights apply to you by contacting us using the following email address at privacyoffice@dhre.ae.
Artificial Intelligence (AI) Systems:
Dubai Holding use AI Systems that process personal data to enable us to improve our services and user experiences. We remain vigilant when using AI to protect personal data, ensuring Employee and Contractor privacy, and preventing unauthorized or fraudulent activity. Our Employee, Contractors and stakeholders shall remain confident that personal data is adequately protected with us, especially in cases where AI is used to deliver the product or service, as this may infer heightened protection where AI is deployed.
How we use AI Systems
This notice gives you information on how we protect your personal data in our use of the AI System.
Personal data may be processed within our AI Systems. We remain the data controller for your personal data when it is processed while using our AI Systems. We process personal data in accordance with the relevant data protection laws. In the case where we have engaged a processor, we have mandated contracts that uphold our standards in compliance with the relevant data protection laws.
We will sometimes process Employee and Contractor personal data when using AI Systems. We have regulated the use of AI internally, weighed the opportunities and risks in advance of our use of AI and ensure appropriate human supervision where important matters are concerned. Where we offer dialogues with an AI, we will make this evident and, if necessary, point out potential errors.
Personal Data Processed by AI Systems
We process your personal data using AI Systems to improve the efficiency, quality, and speed of our business processes and for the purpose of providing services. In using AI Systems, we may process different types of personal data. For more information, please refer to the section "What personal data do we collect from you?” and “How do we use your personal data?". In limited circumstances, we may process sensitive data through the AI System, but we will ensure that we have the necessary lawful basis in place before doing so.
Where we process your existing personal data we will continue to rely on the appropriate lawful basis for that processing activity. In certain instances, we engage data processors; however, they are unable to access any of your personal data entered in the AI Systems. We have mandated contracts with data processors to ensure that your personal data is protected.
If you have any questions regarding this Notice or if you would like to exercise any of your rights as a data subject, please contact the Data Protection Officer at privacyoffice@dhre.ae.