Introduction

We are committed to protecting and respecting your privacy. This Privacy Notice (this “Notice”) governs the collection and use of personal data in relation to suppliers by Dubai Holding Asset Management LLC. It explains how and why we use your personal data and applies to the personal data that you provide us directly, or which we may obtain from other sources.

We may use your personal data for any of the purposes described in this Notice, or as otherwise stated at the point of collection.

References to "our", "us" or "we" within this Notice are to Dubai Holding Asset Management LLC, Umm Suqeim Road

P.O. Box 66000, privacyoffice@dham.ae.

Who we are

We are the data controller of your personal data. We decide how and why your personal data is processed, either alone or jointly with others. If you supply us with facilities and services, the entity which manages the relevant facility or service will also be a data controller in respect of your personal information.

You can access a ‘Data Controller List’ here, which sets out all of our different entities and their contact details. This will enable you to identify the relevant entity that holds, processes, and secures your personal data and is the data controller in relation to your personal data.

The Data Controller list refers to the entities or individuals who are responsible for determining the purposes and means of data processing.

Information covered by this notice

In this Notice we refer to “processing” your “personal data”.

Processing is taken to mean anything that is done to or with personal data (including simply collecting, storing, or deleting that data).

Personal data is any information relating to an identified or identifiable living person (for example, name, address, telephone number).  When “you” or “your” are used in this Notice, we are referring to the relevant individual who is the subject of the personal data.

Our use of cookies

Where we may use cookies, you can also control the data stored by cookies and withdraw consent to cookies by using the browser-based cookie controls described in our Cookie Policy available on our websites.

What personal data do we collect from you and how do we use it?

To provide services to you, we may process different categories of personal data whilst adhering to the data minimization and purpose limitation principles in accordance with the applicable data protection law. To help clarify these the below is a list of why personal data is collected, used and processed (the "Processing Purposes") along with examples where personal data is used for each of the Processing Purposes.

- Contact Details: Includes, but is not limited to, address, mobile number and email address, emergency contact number.

- Identification data: Includes but is not limited to name, your photo, citizenship, nationality, passport data, Visa information, drivers' licence information, the resident country's ID, and education certificates, national/social insurance number (if applicable), health insurance, and tax reference/ID (if applicable) and digital signature.

- Web Data: Includes, but is not limited to, cookies, user activity logs, and website visitor interaction data.

- Financial Data: Includes, but is not limited to, card details and bank details.

- Other Personal Information: Includes but is not limited to date and place of birth, emergency contact details, (if applicable).  

The reason these categories of personal data are processed, along with our lawful basis for doing so, are set out in the table below:

Description of Processing Purpose for Processing Category of Personal Data Lawful Basis Storage Period
We process your personal data for procurement purposes, such as vendor management and contract management. Supporting Services Identification Data, Contact Details, Financial Data Contract 10 years from the end of the contract.
We process your personal data for invoicing purposes Account Management Identification data, Contact details, Financial data Legal Obligation 10 years from the end of the contract.
We process your personal data for management and audit of our business operations including accounting Financial Management, Operations, Supporting Service Identification data, Contact details, Financial data Legitimate Interests 10 years from the end of the contract.
We process your personal data for internal audit and risk management purposes Audit Purposes Identification data, Contact details Legitimate Interests 10 years from the end of the contract.
We process your personal data to comply with legal requirements and exercise or defend legal claims Audit Purposes, Business Development, Governance, Litigation & Disputes, Operations, Supporting Service Identification data, Contact details Legal Obligation 10 years from the end of the contract.
We process your personal data for security purposes and to ensure secure backup and archival of IT Systems Security Purposes Identification data, Contact details Legitimate Interests 10 years from the end of the contract.
We process personal data for disaster recovery purposes Governance Identification data, Contact details Legitimate Interests 10 years from the end of the contract.
We process your personal data for identifying, investigating, and mitigating incidents, such as if a personal data breach occurred Governance, Security Purposes Identification data, Contact details, Web data Legitimate Interests 10 years from the end of the contract.
We process your personal data for whistleblowing purposes Governance Identification data, Contact details Legitimate Interests 10 years from the end of the contract.

Personal Data Indirectly Obtained from Others

To the extent necessary, we will also receive your personal data from other entities within the Dubai Holding Corporate LLC group of companies, including subsidiaries and holding companies.

Legitimate Interest

Where we rely upon legitimate interest as a lawful basis, we have balanced your rights and freedoms against our interests, or those of any third parties, and determined your rights are not infringed. Legitimate interest is where your personal data is processed for either our own interests or the interests of third parties. This can include commercial interests, individual interests, or broader societal benefits.

How do we use your personal data?
Personal data usage
How long do we keep your personal data?

Your personal data will not be kept longer than the storage period outlined in section titled "What do we collect from you and how do we use it ?" above. The criteria that we use to determine how long we will keep your personal data includes the period during which we have an ongoing relationship with you, and whether we have a legal obligation to store it beyond our partnership (for example, for accounting purposes or for litigation, or regulatory investigations purposes).

Should retention of your personal data no longer be required we will remove it from our systems and records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).

Who do we share your personal data with?

Where necessary to fulfil the purposes described in this Notice, we shall disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.

Dubai Holding Asset Management LLC forms part of Dubai Holding Corporate LLC and its subsidiaries. To the extent necessary, and where we have a lawful basis to do so, we will also share your personal data with other entities within Dubai Holding Corporate LLC’s group of companies, including our subsidiaries and holding companies.

How do we protect your personal data?

Where we share personal data, we do so with the following parties for the following purposes:

Category of Third-Party Purpose for Disclosure
Legal and Professional Advisers Audits, Invoicing, Legal Requirements
Finance, Insurance and Credit Providers Invoicing, Payment Processing
Government Bodies, Regulators Audits, Invoicing, Legal Requirements, Improving our Service
IT, Digital, Technology and Telecoms Audits, Analytics, Application Security and Support, Marketing
Artificial Intelligence and Machine Learning
Profiling
Specific details about profiling and automated decisions involving candidates
Where we store/transfer your personal data?

When processing your personal data, we may transfer this to third parties based in other countries, to the extent necessary to fulfil the purposes described in this Notice. Your personal data may be transferred within the Dubai Holding Corporate LLC’s group of companies, including to our subsidiaries, and holding companies. Such transfers shall always be done in compliance with relevant data protection laws.

For transfers of personal data from the UK and European Economic Area (“EEA”) we transfer personal data to entities outside the EEA, under the EU Standard Data Protection Clauses. Further information about transfers can be obtained by contacting us using the following email address privacyoffice@dham.ae.

To the extent required, we will also transfer your personal data to third parties in connection with a reorganization, restructuring, merger, acquisition, or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with applicable laws and requirements. The majority of personal data processed by us is stored in the United Arab Emirates, where the appropriate data protection measures are in place.

Security of your personal data

We have implemented technology and operational security measures to protect personal data from loss, misuse, alteration, or destruction. Only authorised persons are provided access to personal data; such individuals have agreed to maintain the confidentiality of this personal data.

Third party websites and apps
Your rights

You may have certain rights relating to your personal data. However, these rights can differ depending upon the country in which you are located. That country’s law will determine which rights apply and in what instances.

Right to withdraw consent

Where you have provided your consent to us, you will always have the right to withdraw this at any time. You can do this by either by following the information provided at the time you provided your consent, or by contacting us using the following email address privacyoffice@dham.ae. The withdrawal of consent will not affect any processing that was based on consent before its withdrawal.

Right to request correction of your personal data

You will always have the right to request that we correct and update any personal data that we process about you that is inaccurate or incomplete. You can do this by contacting us at privacyoffice@dham.ae.

Additional Data Protection Rights

Certain Data Protection Regulation also provide you with additional rights which may allow you to:

- upon request, be provided access to, or copies of, your personal data that we process;

- upon request, restrict the processing of your personal data;

- upon request, delete your personal data which we process;

- object to our processing of your personal data; or

- upon request, obtain a copy of your personal data which we process in a commonly used and machine-readable format.

- lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which an alleged infringement of data protection law has occurred

It is important to understand that these rights are not absolute (e.g. their application may depend upon the lawful basis we rely upon to process your personal data) and that we may require further information from you (e.g. to confirm your identity) to action your request. You can enquire whether these rights apply to you by contacting us using the following email address at privacyoffice@dham.ae.

AI Implications

Artificial Intelligence (AI) Systems:

We use AI Systems that process personal data to enable us to improve our services and user experiences. We remain vigilant when using AI to protect personal data, ensuring supplier privacy, and preventing unauthorised or fraudulent activity. Our suppliers and stakeholders shall remain confident that personal data is adequately protected with us, especially in cases where AI is used to deliver the product or service, as this may infer heightened protection where AI is deployed.

How we use AI Systems

This Notice gives you information on how we protect your personal data in our use of the AI System. Personal data may be processed within our AI Systems. We remain the data controller for your personal data when it is processed while using our AI Systems. We process personal data in accordance with the relevant data protection laws. In the case where we have engaged a processor, we have mandated contracts that uphold our standards in compliance with the relevant data protection laws.

We will sometimes process suppliers personal data when using AI Systems. We have regulated the use of AI internally, weighed the opportunities and risks in advance of our use of AI and ensured appropriate human supervision where important matters are concerned. Where we offer dialogues with an AI, we will make this evident and, if necessary, point out potential errors.

Personal Data Processed by AI Systems

We may collect personal data either directly from you, third parties or public sources. We process your personal data using AI Systems to improve the efficiency, quality, and speed of our business processes and for the purpose of providing services. When using AI systems, we may process various types of personal data. For more information, please refer to the section titled "What do we collect from you and how do we use it?".

In limited circumstances, we may process sensitive data through the AI System, but we will ensure that we have the necessary lawful basis in place before doing so. Where we process your existing personal data we will continue to rely on the appropriate lawful basis for that processing activity.

In certain instances, we engage data processors; however, they are unable to access any of your personal data entered in the AI Systems. We have mandated contracts with data processors to ensure that your personal data is protected.

Contact us

If you want to exercise any of the rights set out above or have any questions or concerns about how we treat your personal data, please contact us at privacyoffice@dham.ae or by writing to us at: Dubai Holding Asset Management LLC, P.O. Box: 66000. Please include your reply address when you write to us.

Changes to this Notice

We keep this Notice under regular review. We reserve the right, at our discretion, to change, modify, add, or remove sections of this Notice at any time. You are also encouraged to review this Notice from time to time for updates. We will notify you of any changes (including when they will take effect) if we are required to do so by data protection laws.