1. Introduction: UAE Exchange as Data Controller
UAE Exchange is an international organisation providing diverse financial services. Working with some of the largest banks and non-banking financial companies, UAE Exchange has established one of the largest remittance networks in the industry.
UAE Exchange UK Limited (“UAEX”) is the data controller of Personal Data collected in the United Kingdom and Ireland through its branches and digital channels. We are located at 14-15 Carlisle Street, Soho, London, United Kingdom, W1D 3BS.
2. Purpose of this Privacy Statement
UAEX respects your privacy and is committed to maintaining the confidentiality and security of the Personal Data of its existing, prospective and former customers and beneficiaries (“Data Subjects” or “you”). This Privacy Statement informs you about how we process Personal Data, how we look after it and tells you about your rights with respect to your Personal Data. UAEX encourages you to review this Privacy Statement and become familiar with it.
You are entitled to object to UAEX’s processing of your Personal Data in certain circumstances, for example, if you no longer want to be contacted by us for marketing purposes. To exercise this right, or for more information, please contact us using the details below.
3. Personal Data processed by UAEX
3.1 What does Personal Data mean?
Personal Data means any information relating to an identified or identifiable individual directly or indirectly, such as name, address, telephone number and e-mail address.
UAEX collects Personal Data from Data Subjects mainly through its branches, UAEX’s websites, and third parties or publicly available sources. For more information on these sources of Personal Data, please refer to the sections below.
Where UAEX needs to collect Personal Data by law or under the terms of a contract we have with you, and you fail to provide that Personal Data, UAEX may not be able to fulfil our contractual obligations (e.g. a money remittance) and we may have to cancel the services you requested.
3.2 Personal Data collected by UAEX
To provide the services requested by UAEX customers, UAEX collects the following Personal Data through its network of branches and Online Money Transfer platforms (OMT):
- Full Name (sender and recipient of the transaction)
- Address (sender and recipient of the transaction)
- Nationality (sender and recipient of the transaction)
- Telephone, including mobile (sender and recipient of the transaction)
- Relationship between sender and recipient of the transaction
- Birth Place
- Labour details
- Origin of the financial resources
- Financial background
- Identification document (e.g. National ID, Driving License, Passport)
- Bank Statements
- Transaction amounts
- Bank account details
- Credit / Debit card numbers
- Marketing & other Contact Preferences
As a financial institution, UAEX has certain obligations with regards to identity verification, fraud prevention and other similar security purposes. To ensure compliance with those obligations, certain of the Personal Data described above may be collected from, or verified against, third party sources such as government agencies and consumer reporting agencies. For identity verification purposes, senders and recipients of money transfers may be required to produce valid identification or consent to verification by other means before releasing funds.
3.3.1 Definition and usage of cookies
A "cookie" is a small piece of information that is stored on your device (such as your computer) and which records the way that you use a website so that, when you revisit that website, UAEX can provide tailored options based on the information that has been collected from your last visit. Cookies can also be used to analyse traffic and, in some cases, to provide you with tailored advertising and marketing.
With the exception of essential cookies (described below), users of UAEX websites are asked to accept cookies when visiting UAEX websites for the first time. Alternatively, where a user has set his/her browser to warn him/her with a message for each cookie, only those cookies that have been accepted will process Personal Data. Whilst essential cookies are necessary to run UAEX Websites, the rest are not compulsory and require your consent.
Following are the broad categories of cookies used on UAEX websites:
- Essential cookies: These cookies make UAEX website operation work and therefore they cannot be turned off or rejected. These cookies do not gather any information about you and do not have the ability to remember how you have used our website;
- Performance cookies: UAEX use these cookies to help analyse how its website is used and to improve its performance. For example, UAEX use them to understand where visitors to the UAEX site are based, how many people visit the website and which sections of the website are the most used;
- Functionality Cookies: These cookies allow UAEX website to remember if you have previously visited the UAEX site or the choices you made (e.g. language preferences) to provide a more personalised online experience.
- Third-Party cookies: These cookies collect information from your device and perform tasks that analyse behaviour and collect other information, such as demographics. These cookies may be used to provide you with personalised advertising.
3.4.2 Third Party Marketing Cookies and Social Advertising
3.4.3 How to manage cookies
Our Performance, Functionality and Third-Party cookies are not strictly necessary for our website to work but will provide you with a better browsing experience. You can delete or block these cookies, but if you do this, you may have to manually adjust some preferences every time you visit our website and some features of the site may not work as intended. Most internet browsers are initially set up to automatically accept cookies, however you can decide at any time what type of cookies you want to accept. You can change the settings on your browser to block cookies or to alert you when cookies are being sent to your device.
3.4 Personal Data collected by UAEX through Social Media
UAEX may process anonymized data derived from Data Subjects’ publicly available social media resources for statistical purposes. Although anonymized may be derived from your Personal Data, it is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. We may also process Personal Data derived from publicly available social media resources that Data Subjects make available when interacting with us including: Facebook, Twitter, YouTube, LinkedIn, Instagram, Google+, Pinterest, Weibo and WeChat. Such Personal Data may include but is not limited to:
- Public Social Media Profile Name
- Mobile number
- UAEX related posts (e.g. Mentions & Hashtags)
4. Legal basis for processing Personal Data
Personal Data will be processed by UAEX only if and to the extent that at least one of the following applies:
Compliance with Legal Obligations
UAEX may process Data Subjects’ Personal Data when necessary to comply with a legal obligation, e.g. Anti-Money Laundering screening and reporting requirements and where required to comply with court order or judicial proceedings.
UAEX may process Data Subject’s Personal Data in pursuance of its legitimate business interests where such processing is necessary, and our interests are not overridden by the privacy rights of the Data Subjects. E.g., our legitimate business interests may include communication with our customers in relation to requested transactions, pursuit of customer care initiatives, internal record keeping purposes and fraud prevention. For information about this balancing test, please contact us using the details below.
In certain scenarios, UAEX may rely on Data Subjects’ consent to process their Personal Data for a specific purpose. For example, UAEX obtains opt-in consent before sending direct e-marketing materials to Data Subjects.
UAEX may process Personal Data as required to ensure we comply with our contractual obligations towards Data Subjects.
5. Purpose of Data Processing:
UAEX generally uses Personal Data from Data Subjects for the purpose of providing a service. This may include the following:
- Authorising and processing Data Subjects’ transactions, including effecting and administering money transfers and ensuring proper payment to the designated recipient of funds.
- Monitoring and improving our services including websites/mobile apps and its content.
- Sending information to Data Subjects about UAEX products and services.
- Customer care initiatives to improve UAEX services.
- Meeting legal, regulatory, self-regulatory, risk management, fraud prevention and security requirements, which may include (among other measures) verifying the identity of the sender and recipient of funds and checking identities against money laundering, terrorist financing or similar watch lists established by regulatory agencies or similar bodies. For identity verification purposes, senders and recipients of money transfers may be required to produce valid identification or consent to verification by other means before releasing funds.
- Maintaining business and transaction records for reasonable periods, and generally managing and administering UAEX business.
- Meeting insurance, audit and processing requirements.
- Otherwise as permitted or required by law.
6. Personal Data Sharing
In order to carry out the processing activities established in this Privacy Statement, UAEX may disclose Personal Data relating to its Data Subjects to:
- Data Processors: UAEX may share Personal Data with third-party service providers (“Data Processors”), including affiliates of UAEX performing services on UAEX behalf, for example: information technology, data hosting, marketing, customer care, fraud prevention, etc. UAEX takes steps to ensure that Personal Data that is processed by Data Processors is protected and not used or disclosed for purposes other than as directed by UAEX.
- Third Party Data Controllers and Joint Controllers: UAEX may share Personal Data with third parties acting independently from UAEX as may be required in connection with the services provided to Data Subjects, for example: any intermediary banks or other financial institutions involved in the transaction of UAEX services.
- Successors: if UAEX is purchased by/sold to a third party, Personal Data held by UAEX will be transferred to the successor entity.
- Relevant Authorities: UAEX may disclose Data Subjects’ Personal Data as necessary to meet legal and regulatory requirements. This may include disclosure of Personal Data to government authorities, for example, in compliance with suspicious activity reporting requirements under anti-terrorism, anti-money laundering and similar laws and regulations.
7. Cross Border Personal Data Transfers
In connection with providing services to its customers, UAEX may transfer Personal Data to destinations outside of the European Economic Area (“EEA”). When transferring Personal Data outside the EEA, UAEX ensures that security measures and appropriate safeguards are put in place to protect the Personal Data and to ensure that all transfers comply with applicable data protection law. For example, UAEX relies on the Standard Contractual Clauses provided by the EU Commission (Article 46.2 General Data Protection Regulation (“GDPR”) and the EU Commission’s ‘adequacy decisions’ in respect of certain territories (Article 45 GDPR) to transfer Personal Data outside the EEA lawfully. For transfers of Personal Data between UAEX group companies, UAEX has in place an intra group data transfer agreement incorporating the Standard Contractual Clauses. More information about these transfer mechanisms is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
8. Data Subject’s Rights
Data Subjects have certain rights with respect to their Personal Data. In summary, these are:
- To be informed: Data Subjects have the right to receive certain information about how their Personal Data is processed. This is why we are providing you with this Privacy Statement.
- Access: Data Subjects have the right to access and receive a copy of their Personal Data.
- Rectify: Data Subjects have the right to correct their Personal Data when inaccurate.
- Erasure: Data Subjects have the right to request deletion of their Personal Data in certain circumstances.
- Restriction of processing. Data Subject can restrict or limit the way that UAEX processes their Personal Data in certain circumstances.
- Right to object: In some circumstances, Data Subjects have the right to object to UAEX’s data processing activities, for example, if the Data Subject does not want to be contacted by UAEX for marketing purposes.
- Consent: if UAEX relies on consent to process Personal Data, Data Subjects have the right to withdraw their consent at any time by contacting us using the details below.
- Data portability: In certain scenarios Data Subjects may request UAEX to provide a copy of their Personal Data in a digital format or send it to a third party appointed by them.
Data Subjects are also entitled to lodge a complaint with a regulatory authority, in particular in the jurisdiction where they live or work or where they consider UAEX is processing their Personal Data unlawfully. We would, however, appreciate the chance to deal with your concerns before you approach the regulator, so please contact us in the first instance. For more information on your rights, please contact us using the details below.
9. UAEX Contact
If you wish to exercise any of your rights, or if you have any queries or suggestions about this Privacy Statement, you can contact UAEX [and our Data Protection Officer] at: firstname.lastname@example.org.
10. Un-Solicited Communications
UAEX employs a strict policy against sending unsolicited communications. Please note that UAEX will continue to send administrative communications (i.e. Transaction Notifications) if you opt out from Marketing/Customer Care communications. UAEX may also contact Data Subjects in response to their inquiries, to provide services at the Data Subjects’ request and to manage their requirements.
11. Third Party Websites
UAEX websites and emails may contain links to various other websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy statement of every website you visit.
12. Security Measures to protect Personal Data
UAEX takes all reasonable steps to ensure that all Personal Data collected through its branches and websites is treated securely and in accordance with this Privacy Statement and strict data protection standards.
13. Retention of Personal Data
In general, the period for which UAEX retains Data Subjects’ Personal Data is aligned with UAEX’s data retention obligations under anti-money laundering laws, i.e. five years. In all cases, UAEX only retains Personal Data for as long as is necessary for the purposes described in this Privacy Statement. When determining the appropriate retention periods, UAEX will take into account different factors, including: contractual obligations and rights; our legal obligations (for example, anti-money laundering laws); statute of limitations under applicable law; potential disputes; guidelines issued by relevant data protection authorities; and UAEX’s legitimate business interests. UAEX securely erases Personal Data once it is no longer needed.
14. Removal from UAEX Marketing Communications
Data Subjects may want to discontinue receiving marketing information from UAEX. While this may mean that Data Subjects will not receive product or service information of interest to them, UAEX respects Data Subject’s wishes not to be informed directly of these promotions or product introductions.
You may inform UAEX at any time that you want to opt-out of these communications by following the opt-out links on any marketing message sent to you or by contacting us. Where you opt out of receiving these communications, this will not apply to Personal Data provided to us as a result of services provided to you or other transactions (see Unsolicited Communications above).
15. Changes to this Privacy Statement
UAEX reviews and updates this Privacy Statement from time to time. We encourage Data Subjects to periodically review this Privacy Statement to make sure they are aware of the latest version. If we make any material changes, we will bring this to your attention.