Privacy Notice
Summary
Purpose and Scope
Ashon International DMCC (the ‘Company’ or ‘we’), a legally registered entity in the United Arab Emirates, operates in full compliance with both local regulatory requirements and the Group standards.
Acting as the controller of personal data, we consider the protection of the rights and freedoms of data subjects during the processing of their personal data, and the implementation of data protection principles, to be an important condition for our personal data processing activities while achieving our business purposes.
The Notice describes the processing of personal data collected in the framework of the KYC process, performed by the Company.
All processes for processing personal data in the Company are described in the Privacy Policy.
The Privacy Notice (hereinafter referred to as “Notice”) refers to the provisions of the applicable local legislation, including:
- Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (hereinafter referred to as “Law No. 45 PDPL”).
Please read the Notice carefully so that you can understand how the Company collects and uses the personal information that you provide to us.
Any doubts about the Notice may be escalated to the Data Protection Officer by email at privacy@ashon.ae.
If you have any questions or need to clarify information related to processing of your personal data, please contact us using the contact details specified in the "Contact Information" section of this Notice.
In case any updates are made to the Notice, an updated version of the Notice will be posted on the Company's website ashon.ae/privacy-notice.
Principles of personal data protection
We fulfil the basic principles of personal data processing by implementing the following measures to ensure the security of personal data:
| Principles of the PD processing | Article of Law No. 45 PDPL | Exercise of the right |
|---|---|---|
| Lawfulness, fairness and transparency | Article 5(1) | · “Lawful” – we process PD only on the appropriate legal basis.<br>· “Fair” – we fulfil the Data Subjects’ rights while processing their PD.<br>· “Transparent” – before and during the PD processing, we provide the Data Subjects with information about the PD processing, presented in a clear and understandable manner. |
| Specific, clear and legitimate purpose | Article 5(2) | · “Specific” – we define and document all the purposes of processing PD in the company.<br>· “Clear” – we formulate the purpose clearly. We divide large processes into subprocesses so that Data Subjects clearly understand what is happening with their data.<br>· “Legitimate” – we don't process PD in a way incompatible with the purpose of processing. |
| Data minimization | Article 5(3) | · We process PD only if the volume of PD is consistent with the stated processing purposes.<br>· For each purpose we identify the minimum volume of PD necessary to achieve these purposes of PD processing. |
| Accuracy and relevance of PD | Article 5 (4, 5) | · When processing PD, we ensure the accuracy, sufficiency and relevance of PD.<br>· We assess the reliability of the source of PD, as well as respond to requests from the Data Subjects to rectify their PD. |
| Data security | Article 5(6) | · When processing PD, we ensure the availability, authenticity, integrity and confidentiality of PD, and apply the necessary organizational and technical measures to protect PD. |
| Storage limitation | Article 5(7) | · We store PD in a form that allows us to identify the Data Subjects for no longer than is required for the purpose of processing PD, unless the retention period is established by applicable law.<br>· Upon achievement of the purposes of processing PD we delete the relevant PD. |
Third parties with whom your personal data may be shared
We may share your personal data with third parties when it is necessary to fulfil the purposes of the personal data processing as indicated in the Data Subject's consent for processing of personal data.
When we transfer PD to third parties, we make sure that they have sufficient guarantees to implement the appropriate technical and organizational measures. This is to ensure that the processing of PD meets the requirements of Law No. 45 PDPL and protects the rights of the Data Subjects.
We transfer PD to third parties with whom we have concluded the appropriate types of contracts with the required obligations regarding the protection of PD at the level defined by us. Afterwards we request confirmation of the security measures implemented by these entities to protect the PD we disclose.
Cross-border transfer of personal data
We may transfer PD to third parties in other jurisdictions where there is special legislation in the field of PD protection in place. Where there is no special legislation in the field of PD protection in the destination jurisdiction, we conclude contracts with such third parties that include provisions obliging companies to comply with the requirements of Law No. 45 PDPL. The amount of PD the third parties process is strictly necessary and proportionate to the purposes of the data transfer.
When we transfer PD to third parties in other jurisdictions, we include provisions on protection and processing of PD in contracts with them. We monitor compliance with the principles of PD processing and application of the appropriate security measures by third parties.
How safe is my personal data with third parties?
We always ensure that the third party provides an appropriate level of personal data protection via concluding a contract stipulating their obligations regarding the processing and protection of personal data. When sharing your personal data with any third party with whom we have contractual relations, we request confirmation of the security measures these legal entities take to protect the personal data we provide.
We do not share personal data with public authorities or other third parties without a proper lawful request of the authorities.
The access to the personal data by third parties is provided via specific procedures monitored by the Company.
How we shall use your data
Personal data retention
We keep your personal data only for as long as strictly necessary to fulfil the purposes that justify the processing activities. When determining the retention period of personal data, we consider in particular the amount, nature and sensitivity of the personal data processed.
Categories of data subjects and purposes of processing
We do not process sensitive personal data as defined by Law No. 45 PDPL.
We process personal data of the indicated categories of data subjects for predefined purposes:
| Purposes of PD processing | Data Subjects | List of processed PD | Storage Period | Legal basis |
|---|---|---|---|---|
| Counterparties | | | | |
| Establishing relationships | Representatives of prospective Counterparties | Full name, company's name, job position, work email, phone number, messenger user number / name | Until the purpose is reached | Legitimate interest |
| Conducting a KYC check and ongoing business activities | Counterparties, Representatives of Counterparties; Beneficiaries of Counterparties | Company’s name, signature, address and contact details (legal address, actual address, postal address, corporate website, phone number, email), information on key executive and non-executive managers (full name, position, date of birth, country of residence), bank details, information of audit (name of auditor, date), For shareholders and beneficiary owners: Individuals: Full name, position, date of birth, country of residence, type of ID and ID number, % of the proprietary rights of an entity (directly or indirectly), Legal entities: Company name, country of incorporation, date of incorporation, register number, % of the proprietary rights of an entity (directly or indirectly) | End of evaluation of the business relationship, but not less than 5 years upon the contract termination or the transaction (if no contract has been concluded) | (1) Data Subject's consent for processing of personal data, (2) Contract, (3) Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations |
| Counterparty credit risk assessment | Counterparties, Representatives of Counterparties; Owners and Beneficiaries of Counterparties | Full name, ownership share, position, company's name | End of evaluation of the business relationship, but not less than 5 years upon the contract termination or the transaction (if no contract has been concluded) | (1) Data Subject's consent for processing of personal data, (2) Contract, (3) Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations |
| Settlement with counterparties (third parties) | Representatives of Counterparties | Full name, company's name, position, phone number, email, signature, ID details | End of evaluation of the business relationship, but not less than 5 years upon the contract termination or the transaction (if no contract has been concluded) | (1) Data Subject's consent for processing of personal data, (2) Contract, (3) Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations |
We guarantee the fulfilment of your following rights as a data subject:
| Rights | Restrictions on the fulfilment of the rights | Article of Law No. 45 PDPL |
|---|---|---|
| We provide the following information about the processing<br>· the types of their PD that is processed;<br>· purposes<br>· decisions made based on automated processing, including profiling;<br>· the list of the third parties with which their PD is to be shared;<br>· PD processing period;<br>· procedures for correcting, erasing<br>· protection measures for cross-border processing made<br>· procedures to be taken in the event of a breach or infringement of their PD;<br>· the process of filing complaints with the regulator. | · the request is not related to the information referred to in Article 13(1) of Law No. 45 PDPL or is excessively repetitive;<br>· the request conflicts with the judicial procedures or investigations made by the competent authorities;<br>· the request may adversely affect the efforts of the controller to protect information security;<br>· the request affects the privacy | Articles 13 |
| We provide a copy<br>Also, the Data Subject has the right to request the transfer of its Personal data to another Controller whenever it is technically feasible. | · the processing is not based on the consent of the Data Subject and is not necessary for the fulfillment of a contractual obligation;<br>· the processing is not made by automated means;<br>· the transmission | Article 14 |
| We correct or complete the inaccurate PD. Please contact us as soon as possible if you notice any inaccuracy or incompleteness. | No restrictions | Article 15 |
| Data Subjects can ask us to erase some or all of their PD from our systems without undue delay if they:<br>· think that PD is no longer required for the purposes for which it is collected;<br>· withdraw the Consent on which the processing is based;<br>· object to the processing, or if we have no legitimate reasons to continue the processing;<br>· think that we have a lack of legal bases for PD processing or Data Subjects’ PD is processed in violation of the provisions | · the request is for the erasure of Data Subject’s personal data related to public health and held with private establishments;<br>· the request affects the investigation procedures, claims for rights and legal proceedings or defense by the controller;<br>· the request conflicts with other legislation to which the controller is subject. | Article 15 |
| Data Subjects can ask us to stop or restrict using their PD for what we have been using it for, if they object to the:<br>· accuracy of their PD;<br>· processing of their PD in violation<br>· processing for direct marketing purposes, including profiling related to direct marketing;<br>· processing is made in violation of the provisions of Law No. 45 PDPL.<br>In case of receiving such requests, we restrict processing to confirming these facts and, if necessary, we stop processing and delete the PD. | · the processing<br>· the processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial procedures;<br>· the processing is necessary to protect the rights of third parties in accordance with the legislation in force;<br>· the processing is necessary to protect the public interest. | Article 16, 17 |
| Data Subjects can object to decisions issued with respect to automated processing that have legal consequences or seriously affect you (including profiling).<br>We do not rely solely on automated processing of PD to make decisions that may have legal consequences for the Data Subject or impact their rights and legitimate interests (see section 2.4). | · the automated processing is included in the terms of the contract entered into between the Data Subject and controller;<br>· the automated processing is necessary according to other legislation in force in the UAE;<br>· the Data Subject has given his/her prior Consent to the automated processing in accordance with the conditions set out in Article 6 of Law No. 45 PDPL. | Article 18 |
| Data Subjects can receive information about PD breach. | No restrictions | Article 9(2) |
| Data Subjects can file a complaint with the regulator if you have grounds to believe that we process your PD in violation of the requirements of Law No. 45 PDPL. | No restrictions | Article 24 |
To exercise these rights, you need to contact the Data Protection Officer at: privacy@ashon.ae. We process and respond to requests from the data subjects within one month. Considering the complexity and the number of requests, the term for the preparation of an answer to the request can be extended by two months. In this case we will notify the data subject about the reasons for the delay within one month.
When we receive your request for the exercise of your rights, we may request more specific information to confirm the identity and grant the personal data access rights.
Measures to ensure the security of personal data processed
We ensure the security of the personal data under our control via implementation of the appropriate organizational and technical measures, which include:
- appointment of a person responsible for the organization of personal data processing;
- implementation of data protection policies to ensure that our personal data processing activities comply with the Law No. 45 PDPL (internal policies, internal allocation of responsibilities, trainings);
- implementation of access control;
- implementation of encryption;
- implementation of antivirus protection;
- keeping the records of processing activities;
- organization of a process of receiving and controlling the processing of data subjects’ requests;
- assessment of personal data protection impact for personal data processing activities that involve a systematic and comprehensive assessment of the personal aspects of the data subject based on automated processing, including profiling, which would have legal consequences or would seriously affect the data subject, or if the processing will be made on a large amount of sensitive personal data;
- ensuring data protection by design and data protection by default;
- ensuring security of personal data transferred to third parties (see section 4.1);
- controlling the transfers of personal data outside UAE;
- documenting personal data breaches (if any) and their consequences, investigating them, notifying the relevant parties about leaks immediately after discovering the personal data breach, and taking measures to eliminate the consequences of personal data breaches;
- performing planned and unscheduled audits of personal data processing activities.
Contact details of the Data Protection Officer
Any doubts regarding this Notice shall be escalated to the Data Protection Officer.
Contacts of the Data Protection Officer
Email: privacy@ashon.ae