This Privacy Policy (“Policy”) is designed to help you understand how we use your Personal Data, in accordance with the applicable da ta protection laws and regulations in ADGM (i.e., ADGM data protection regulations 2021) and further guidance thereunder (the “applicable laws”) [1]. This Policy applies to Processing of Personal Data by Lulu Group entities which are incorporated in the Abu Dhabi Global Market (ADGM).
We encourage you to read the whole Policy. Alternatively, if you wish to read about specific privacy practices that interest you, please click on the relevant links below.
PART A - PURPOSE & APPLICABILITY
PART B - YOUR PERSONAL DATA
PART C - OUR USE OF YOUR PERSONAL DATA
PART D - OTHER IMPORTANT THINGS YOU SHOULD KNOW
PART E - YOUR RIGHTS
We, Lulu International Holdings Limited and its subsidiary companies which are incorporated in ADGM, Abu Dhabi, individually referred to as “we”, “us”, “our”, the “group” or “Lulu”, “Lulu Group” and as applicable to the respective entity, in this Privacy policy.
Registered office is at ADGM: 2454, Floor 24, Al Sila Tower, Al Maryah Island, Abu Dhabi Global Market Square, UAE.
Lulu Group has presence in ADGM in the form of special purpose vehicle (SPV) companies, which hold shares in the group companies. In compliance with the applicable laws and regulations (“Applicable Law”), we collect and process Personal Data for meeting the requirements of the ADGM companies.
This is our general Privacy Policy that applies to our operations.
This Policy may be updated from time to time.
Personal Data is any information referring to an identified or Identifiable Natural Person[3]. This includes information like your name, (e-mail) address and telephone number but can also include less obvious information such as your attendance at a seminar or analysis of your use of our website(s).
Additional protection is afforded under the Law to Special Categories of Personal Data, ie. Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.
We Process your Personal Data in our capacity as a Controller. This means that we are responsible for ensuring that we comply with the Law when Processing your Personal Data.
For any queries relating to our Data Processing activities in relation to our entities in ADGM or other matters under this Policy or the Law, you may contact us by:
We only collect Personal Data about you in connection with providing our services and conducting our normal business operations, and/ or communications to invite you to our event or sharing relevant information with you. We may hold information about you if:
Depending on the purposes, the types of information we Process about you may include:
|
Types of Personal Data |
Details |
|
Individual details |
Name, address (including proof of address), other contact details (e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, and family details, including their relationship to you |
|
Identification details |
Identification numbers issued by government bodies or agencies, such as your passport number, Emirates ID or other national identity number, tax identification number and driving licence number, including copies of such government-issued identification document |
|
Financial information |
Bank account details, income, source of wealth, source of funds or other financial information |
|
Engagement details |
Information about you which is relevant to a matter on which we are advising you or a client |
|
Anti-money laundering and sanctions data |
Screening information received from various anti-money laundering, counter-terrorism financing and sanctions databases relating to you |
|
Special Categories of Personal Data |
Information about your political affiliations or opinions or criminal record, to the extent required for compliance with Applicable Law. |
|
Identifiers |
Information which can be traced back to you, such as an IP address, a website tracking code or any other information that may be automatically collected through our Website(s) or any other digital communication or network security applications used by us. |
As a policy, we do not normally collect any Special Categories of Personal Data, unless such collection is warranted under specific circumstances.
We may collect your Personal Data from various sources, including:
The sources that apply to you will depend on the purpose for which we are collecting your Personal Data. Where we obtain your information from a third party, in particular your employer or our client, we may ask them to provide you with a copy of this Privacy Policy (or a shortened version of it) to ensure that you know we are Processing your information and the purpose for such Processing.
In this section we set out in more detail:
|
Purpose for Processing |
Lawful basis for Processing |
|
Client services We may obtain information about individuals where this is necessary or appropriate to provide services to our clients. We disclose this information to our clients in connection with our role in the relevant engagement. |
For Personal Data -Performance of an engagement. |
|
Service providers We collect information about you in connection with your provision of services to us or your position as a representative of a provider of services to us. We do not collect Special Categories of Personal Data for this purpose, other than where we are required to do so to meet our legal obligations (see ‘Anti-Money Laundering and other legal obligations’ above). |
For Personal Data -Performance of an engagement. |
|
Seminars, events, legal updates, and other marketing activities If you wish to attend our seminars or events or receive our updates, we ask you to provide us with a limited amount of information (normally your work contact details, your employer's name, your job title, and the legal subjects/events of interest). We use this information to communicate with you about our seminars, events and updates, to ensure that you are an appropriate audience for them, and to conduct analysis for marketing purposes. We do not collect Special Categories of Personal Data for this purpose. |
For all communications with you -Consent from Data Subject. |
|
Visitors to our websites Where you provide us with Personal Data on our Website(s) for the purpose of inquiring about our services, we will only use it for the purpose for communicating with you in connection to your request. Most of our websites use a small number of non-intrusive cookies to help them work more efficiently and to provide us with information on how the website is being used. You can control cookies through the settings or preferences of your browser, as well as through dedicated browser extensions or add-ons. We do not collect Special Categories of Personal Data on our Website(s). |
For Personal Data - Legitimate interests for business development purposes |
|
Visitors to our offices We have security measures in place at our offices, which include building access controls and may include CCTV. Images captured by CCTV are securely stored and only accessed on a need to know basis (e.g. to investigate an incident). Visitors to our offices may be required to sign in and sign out at building reception in accordance with the building’s security policies. In addition, we may also maintain visitor records ourselves, which are securely stored and only accessible on a need to know basis (e.g. to investigate an incident). We do not collect Special Categories of Personal Data for this purpose. |
For Personal Data - Legitimate interests for information security and physical security purposes |
|
Visitors to our events Where you provide us with Personal Data on our Website(s) for the purpose of inquiring about our services, we will only use it for the purpose for communicating with you in connection to your request. |
For Personal Data - Legitimate interests for business development purposes |
|
Staff Recruitment We ask you to provide Personal Data to us as part of your job application. We will also conduct checks in order to verify your identity and the information in your application as well as to obtain further information about your suitability for a role within the group. This may include obtaining information from regulators, anti-money laundering databases, sanctions lists, etc. In some cases, this information will include Special Categories of Personal Data, where such information is required for the purpose of pre-employment verification checks or other employment-related Processing. |
For Personal Data -(1) For compliance with Applicable Law that we are subject to; and (2) Legitimate interests to prevent fraud. For Special Categories of Personal Data -For carrying out our obligations and exercising our rights in the context of the Data Subject’s employment. |
|
Former Staff We retain Personal Data of former staff members to the extent that we have a statutory obligation to do so. |
For all Personal Data -For compliance with Applicable Law that we are subject to |
We do not generally Process your Personal Data based on your consent (as we can usually rely on another lawful basis). Where we do Process your Personal Data based on your consent, you have the right to withdraw your consent at any time. To withdraw your consent, please contact us using the contact details mentioned in Section 7 above.
We do not sell your information nor make it generally available to others. However, we may share your information in the following circumstances:
In each case where we share your Personal Data with other parties, whether or not in an adequate jurisdiction (as defined by the Commissioner of Data Protection - ADGM), we take appropriate measures and ensure that the relevant party is contractually required to keep such Personal Data safe, secure and confidential in accordance with the minimum standards under the Law.
We implement appropriate steps to help maintain the security of our information systems and processes and prevent the accidental destruction, loss, or unauthorised disclosure of the Personal Data we Process.
We do not use profiling (where an electronic system uses Personal Data to try and predict something about you) or automated decision making (where an electronic system uses Personal Data to make a decision about you without human intervention).
We retain your Personal Data in accordance with our data retention policy which categorises all the information held by us and specifies the appropriate retention period for each category of information. Those periods are based on the requirements of the relevant laws and regulations of the ADGM, and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and our business purposes.
Normally, we do not transfer Personal Data outside the ADGM other than in the specific circumstances indicated in Section 13 above.
Where any such transfers of Personal Data to non-adequate jurisdictions (as defined by the Commissioner of Data Protection - ADGM) take place, we take appropriate measures in accordance with the Law.
If you have any questions in relation to our use of your Personal Data, please email us using the contact details provided in Section 7 above.
Subject to certain exceptions outlined in the Law, you have the right to require us to:
In certain circumstances, we may need to restrict your rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. responding to regulatory requests), or in accordance with other exceptions and limitations specified in the Law.
If you are not satisfied with our use of your Personal Data or our response to any request by you to exercise your rights, or if you think that we have breached any relevant provision of the Law, then you have the right to complain to the authority that supervises our Processing of your Personal Data.
Our data protection supervisory authority is the Office of Data Protection in ADGM whose contact details are as follows:
Address:
Office of the Data Protection, ADGM
Abu Dhabi Global Market
Telephone:+971 (2) 333 8888.
Website:https://www.adgm.com/operating-in-adgm/office-of-data-protection
Email: [email protected]
[1] https://www.adgm.com/operating-in-adgm/office-of-data-protection
[2] “Processing” of Personal Data can include any one or more of the following, whether or not by automated means: collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting, erasure or destruction.
[3] Identifiable Natural Person means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly).
