Privacy Notice
Introduction
Truth Auditors, Accountants, Advisors Limited (“TruthGroup”), including any companies affiliated to TruthGroup (“us” or “we”) is strongly committed to privacy issues and wants to be transparent about the data it collects and how data is used. During the course of our Business Relationship (as defined below) with you, we collect and process personal data. In particular, the personal data which is processed by us is that of natural persons who are our clients, contractors and/or business affiliates as well as personal data of any other individuals, including but not limited to authorised representatives, beneficial owners, shareholders and any other stakeholders of our clients, contractors and/or business affiliates, being legal entities (“you”).
During the course of our Business Relationship, we collect and process personal data. We are a data controller and processor in respect of such personal data. This means that we are responsible for determining the purposes and means of the processing of such personal data.
For the purposes of this Privacy Notice,
‘Personal data’ means any information relating to an identified or identifiable natural person and ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, use, disclosure, erasure or destruction in order to fulfill our AML obligations and our obligations to you as per our Letter of Engagement.
‘Business Relationship’ means our commercial and/or business and/or other relationship with you including, but not limited to, for the provision of our services to you and the various transactions entered into between us and you from time to time.
Pursuant to the provisions of the Federal Decree Law No.45 of 2021 (“UAE Data Protection Law”), and the Data Protection Regulations 2021 (the “ADGM Data Protection Regulations”) , the Law and Regulations providing for the protection of personal data process or control from within United Arab Emirates (“UAE”) and the Abu Dhabi Global Market (“ADGM”), as amended and other applicable data protection laws, as amended from time to time, we are required to notify you of the information contained herein.
Our Principles
When we process your personal data during client onboarding process and during the course of our work to you, it is:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
This means that we provide information to you in respect of the processing of your personal data (transparency), that the processing matches the description given to you (fairness), and that it is based on at least one of the lawful basis set out in the UAE Data Protection Law and ADGM Data Protection Regulations (lawfulness).
Collected and processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
This means that we specify exactly what personal data is collected, the purpose of use and limit the processing of personal data to only what is necessary to meet the relevant purpose.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
This means that we do not process any personal data over and above what is required.
Accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
This means that we have in place processes for identifying and addressing out-of-date, incorrect or unnecessary personal data.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
This means that wherever possible, we process personal data in such a way that limits or prevents identification of the data subject.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Categories of Personal Data
We process the following categories of personal data:
Special Categories of Personal Data (sensitive data)
In certain (occasional) cases we may collect and process special categories of personal data which is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning sex life or sexual orientation. [SL3] We shall process such data subject to your documented consent and/or where the processing is necessary for the establishment, exercise or defence of legal claims relevant to us.
If during the course of our Business Relationship there is a change in your personal data, you must ensure that the above details (as and where applicable) are updated by contacting us as soon as practically possible. If we request from you to be provided with certain personal data, we kindly request that such information is provided at your earlier convenience. If you fail to provide us with the personal data requested, we may not be able to perform or be prevented from complying with our obligations under our Business Relationship and/or any agreement entered into and/or exchanged between us and you.
Purposes of Processing
We will process your personal data (as and where applicable) for the following purposes:
Lawful Basis of Processing
We are committed to your privacy. As part of the values we stand for, we will always consider your fundamental rights as a data subject. We process your personal data for the purposes mentioned above on the lawful basis that (i) the processing is necessary for compliance with a legal obligation to which we are subject (e.g. KYC requirements, reporting requirements under our license issued by the ADGM); (ii) the processing is necessary for the performance of an agreement which you have entered into with us and in order to take steps at your request prior to entering into the said agreement(s); (iii) you have given consent (if and where applicable); and (iv) the processing is necessary for the purposes of the legitimate interests pursued by us.
Such legitimate interests include, inter-alia, our business and/or commercial interests and the management, operation and marketing of our business and/or our exercise or defence of legal claims and/or the prevention of fraud and money laundering activities and/or to disclose information to other data recipients such as our service providers, auditors and technology providers and/or to comply with obligations or internal policy requirements of our business, and/or to monitor and improve our relationships with you and/or to keep our internal records and/or to monitor communication to/from you using our systems and/or to protect the integrity of our IT systems.
Where we decide to rely on explicit consent to process your personal data, we will contact the relevant data subject to request this accordingly. In case consent is relied solely upon to achieve a lawful basis of processing of your personal data, you will have the right to withdraw this consent at any time.
Disclosure of Personal Data
We will only disclose your Personal Data to third parties if we are legally obliged to do so or where there is a need to comply with our contractual obligations to you.
For instance, we may disclose your personal data to the following categories of recipients:
Where there is a requirement to transfer your Personal Data, when we transfer personal data to jurisdictions located outside of the ADGM, we carry out such transfers (i) to a recipient who is in a jurisdiction which provides an adequate level of protection for personal data or (ii) to a recipient who is in a country which does not provide an adequate level of protection for personal data, under appropriate agreement which covers the ADGM requirements for the transfer of personal data to data processors outside ADGM as safeguard. In some (occasional) cases we may carry out such transfers where
Your Rights as a Data Subject
Right of access – you have the right to request a copy of the information that we hold about you.
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. Such additional information includes, inter alia, details of the purposes of the processing, the categories of personal data concerned and the categories of recipients of the personal data. The right to obtain a copy of your data shall not adversely affect the rights and freedoms of others.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
Right to be forgotten (right to erasure) – where certain criteria are met you can ask for the data we hold about you to be erased from our records.
In some circumstances you have the right to obtain the erasure of your personal data without undue delay. Those circumstances include cases where (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent on which the processing is based solely on consent; (iii) you object to processing which is based on our legitimate interests and there are no overriding legitimate grounds for the processing; (iv) the processing is for direct marketing
purposes; (v) the personal data have been unlawfully processed; and (vi) the personal data have to be erased for compliance with a legal obligation to which we are subject.
The above shall not apply where processing is necessary (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation which requires processing by a law to which we are subject; (iii) for reasons of public interest; or (iv) for the establishment, exercise or defence of legal claims.
Right to restriction of processing – where certain criteria are met you can ask to restrict the processing.
In some circumstances you have the right to obtain from us the restriction of processing of your personal data. Those circumstances include cases where (i) you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure and you request the restriction of their use instead; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and (iv) and you have objected to processing which is based on our legitimate interests, pending the verification of that objection.
Where processing has been restricted on the basis of the above, we will continue to store your personal data. However, we will only otherwise process it (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest.
Right to object – you have the right to object to certain types of processing.
You have the right to object on grounds relating to your particular situation, to the processing of personal data to the extent that such processing is based on being necessary (i) for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or (ii) for the purposes of the legitimate interests pursued by us or by a third party. If you make such a request, we will cease to process the personal data
unless we have compelling legitimate grounds for the processing, or the processing is for the establishment, exercise or defence of legal claims.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and the right to transmit those data to another data controller. However, please note that this right to data portability only arises where (a) the processing is based on consent (as and where applicable) or is necessary for the performance of a contract to which you are a party; and (b) the processing is carried out by automated means (as and if applicable). In conforming to such requests, we will not adversely affect the rights and freedoms of others.
Right to withdraw consent – where the processing is based on your written consent you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To the extent that the legal basis for our processing of your personal information is consent (as and where applicable), you have the right to withdraw that consent at any time, such withdrawal will not affect the lawfulness of processing before the withdrawal.
(viii) The right to lodge a complaint to a supervisory authority
You have a right to lodge a complaint with the ADGM Office of Data Protection in ADGM at any time.
Email: data.protection@adgm.com
Telephone: +971 23338888
Address: ADGM Commissioner of Data Protection
ADGM Authorities Building
ADGM Square, Al Maryah Island, PO Box 111999
Abu Dhabi , UAE
Retention of personal data
We shall process and store your personal data for as long as you have a Business Relationship with us and for ten years thereafter and/or as required under applicable law. Your personal data may be retained for longer periods for the purposes of our legitimate interests in case of any legal process commencing prior to the completion of the ten-year period. Your personal data will be retained and securely destroyed in accordance with our data retention and destruction policy and applicable laws.
Security
As part of our privacy policy, we process personal data which is adequate, relevant and limited to what is necessary in relation to the purposes mentioned above. We as well as any sub-contractor we are doing business with implement appropriate technical and organizational measures to ensure an adequate level of security appropriate to the applicable risk. Such measures aim to prevent unauthorized or unlawful processing, accidental loss, destruction or damage of personal data and include inter-alia, pseudonymization and encryption of personal data and include inter alia the following:
Our Website
We use a number of cookies on our website for analytics and for remarketing features, which inter-alia allow us to better track usage of our website and to reach users who have previously visited our website. In doing so, we may collect and/or process personal data of visitors to our website, which is adequate, relevant and limited to what is necessary. Further information about how we use cookies on our website can be found on our Cookie Policy which is available at https://truthgroup.com/.
Further Information
Further information and/or queries and/or requests regarding the processing of your personal data and any of your rights (where applicable) in respect of your personal data, can be requested by contacting us in writing as follows:
By e-mail: info@truthgroup.com
By post: Level 7, Al Maryah Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates
Amendments
This Privacy Notice is kept under regular review and is updated from time to time. We will, where appropriate, notify you about amendments as soon as practically possible.