DATA PRIVACY POLICY NOTIFICATION TO CLIENTS OF EXOTIX ADVISORY LTD

Data protection under the Dubai International Financial Centre (DIFC) Data Protection Law 2020 (the Law)

Exotix Advisory Ltd (Exotix or the Firm) respects your privacy and is committed to protecting your personal data. To run our business, Exotix collects information about living individuals (also known as Personal Data).

This privacy notice contains information on how we look after your Personal Data, what we do with that information, and what rights you have.

It is important that you read this privacy policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements the other notices and is not intended to override them.

As part of our commitment to protect your Personal Data in a transparent manner, we want to inform you:

  • why and how Exotix collects, treats and stores your Personal Data;

  • the lawful basis on which your Personal Data is processed; and

  • what your rights and our obligations are in relation to such processing.

1.       What does this Privacy Notice cover?

This notice applies to any and all forms of use of Personal Data (processing) by us in the DIFC.

2.       What types of Personal Data do we collect?

Depending on the product or service we provide to you (if any), we collect Personal Data about you including:

  • Personal details, such as your name, identification number, date of birth, KYC documents (including a copy of your national identity card or passport), phone number, physical and electronic address, and family details (when applicable);

  • Financial information, including payment and transaction records and information relating to your assets (including fixed properties), financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives), tax domicile and other tax-related documents and information;

  • Where applicable, employment details, such as your job title and work experience;

  • When you access our website, data transmitted by your browser and automatically recorded by our server, including date and time of the access, name of the accessed file as well as the transmitted data volume and the performance of the access, your web browser, browser language and requesting domain, and IP address (additional data will only be recorded via our website if their disclosure is made voluntarily, e.g. in the course of a registration or request).

Exotix collects certain of the above Personal Data types in relation to prospective clients. This Personal Data is relevant to establish and build relationships with a view to entering into a contractual agreement with them.

In some cases, we collect this information from public registers (which, depending on the product or service you receive, may include beneficial ownership and other registers), public administration or other third-party sources, such as wealth screening services, credit reference agencies, fraud prevention agencies, and intermediaries that facilitate data portability.

If relevant to the services we provide to you, we will also collect information about your representatives, agents, directors, employees, shareholders and beneficial owners.  Before providing Exotix with this information, you should provide a copy of this notice to those individuals.

3.       On which legal basis and for which purposes do we process Personal Data?

3.1.              Legal basis for processing

Depending on the purpose of the processing activity (see Section 3.2), the legal basis for the processing of your Personal Data will be one of the following:

  • necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request, such as when we use your data for some of the purposes in Sections 3.2 (a), (b), (c) below;

  • necessary to meet our legal or regulatory obligations;

  • necessary for the legitimate interests of Exotix, without unduly affecting your interests or fundamental rights and freedoms and to the extent such Personal Data is strictly necessary for the intended purpose (see below); or

  • in some cases, and as may be requested from you from time to time, we have obtained your prior consent (for instance where required by law), or the processing is carried out with your explicit consent in the case of special categories of Personal Data.

Examples of the legitimate interests referred to above are:

  • pursuing certain of the purposes in Sections 3.2. (a) to (h) below;

  • when we make the disclosures referred to in Section 4 below, providing services and assuring a consistently high service standard from Exotix, and keeping our customers, employees and other stakeholders satisfied; or

  • meeting our accountability and regulatory requirements around the world, in each case provided such interests are not overridden by your privacy interests.

To the extent Exotix has obtained your consent to process Personal Data in the past in any product-specific terms and conditions for the purposes of data protection law only, Exotix will, unless explicitly stated otherwise in this notice, no longer rely on such consent, but instead will rely on lawful grounds of compliance with a legal obligation, contractual necessity or legitimate interests (as specified in this notice), and Exotix's ability to rely on that consent is hereby waived or extinguished. For the avoidance of doubt, any consent given for any other reason remains unaffected by this paragraph.

To the extent that we process any special categories of data relating to you, we will do so because:

  • the processing is necessary to meet our legal or regulatory responsibilities;

  • the processing is necessary for our regular exercise of rights, including in judicial, administrative or arbitration proceedings;

  • the processing is necessary to protect the vital interests of the relevant individual or of another natural person;

  • the processing is necessary for reasons of substantial public interest;

  • processing relates to Personal Data that has been made public by you; or

  • you have given your explicit consent to us to process that information (where legally permissible).

Where the Personal Data we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if we cannot collect this Personal Data there is a possibility we may be unable to onboard you as a client or provide services to you (in which case we will inform you accordingly).

3.2.              Purposes of processing

We always process your Personal Data for a specific purpose and only process the Personal Data which is relevant to achieve that purpose. In particular, we process Personal Data for the following purposes:

a)       client onboarding processes, including to verify your identity, and to conduct legal and other regulatory compliance checks (for example, to comply with anti-money laundering regulations, and prevent fraud);

b)       providing services to you and ensuring their proper execution;

c)       managing our relationship with you, including communicating with you in relation to the services you obtain from us, and handling customer service-related queries and complaints;

d)       taking steps to improve our services and our use of technology, including testing and upgrading of systems and processes, and conducting market research to understand how to improve our existing services or learn about other services we can provide;

e)       meeting our ongoing regulatory and compliance obligations (e.g. laws of the financial sector, anti-money-laundering and tax laws), including in relation to recording and monitoring communications, disclosures to financial services regulators and other regulatory, judicial, tax and governmental bodies or in proceedings, and investigating or preventing crime;

f)        ensuring the safety of our clients, employees and other stakeholders;

g)       undertaking transactional and statistical analysis, and related research for Exotix’s prudent operational; and

h)       any other purposes we notify to you from time to time.

4.       How do we protect your Personal Data?

All Exotix staff accessing Personal Data must comply with the internal rules and processes in relation to the processing of Personal Data to protect them and to ensure their confidentiality.

We have implemented adequate technical and organizational measures to protect your Personal Data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing. As complete data security cannot be guaranteed for communication via e-mails, instant messaging, and similar means of communication, we would recommend sending any particularly confidential information by an alternative secure means.

Relevant security measures include:

  • Engagement documentation for assignments for clients includes suitable confidentiality undertakings, which are applicable also to Personal Data provided of advisors, consultants and professional experts.

  • Personal Data held by the Firm is stored securely. The information is stored in folders with access only granted to individuals who require it.

  • Some of our service providers (e.g., accountants, compliance consultants) can also access such folders but suitable confidentiality undertakings are contained within the service level agreement between the Firm and the provider.

  • The IT support services provider can also access such folders but suitable confidentiality undertakings are contained within the service level agreement between the Firm and the provider.

5.       Who has access to Personal Data and with whom are they shared?

5.1.              Within Exotix

We may share Personal Data with members of the Exotix team for the purposes indicated in section 3 to ensure a consistently high service standard across the Firm and to provide services to you.

5.2.              Outside Exotix

For the purposes listed in section 3 above, and to the extent permitted under applicable law, we may also transfer Personal Data to third parties outside Exotix, such as:

a)       A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of Exotix’s business or assets, or any associated rights or interests, or to acquire a business or enter into a merger with it; or

b)      Third party service providers, who are contractually bound to confidentiality including but not limited to:

                   i.          Accountants (to prepare the financials of the Firm) - DIFC

                  ii.          Internal auditors (to review the activity of the Firm) – UAE

                 iii.          External auditors (to audit the financials of the Firm) - UAE

                 iv.          Exotix’s bank (to process salary payments and pay suppliers) – UAE

                  v.          Health and Life insurance providers (to provide policies) - UAE; or 

c)       Authorities, e.g. regulators, enforcement or exchange body or courts or party to proceedings where we are required to disclose information by applicable law or regulation or at their request, or to safeguard our legitimate interests including:

                                i.            DIFC (for licensing and registration) - DIFC

                               ii.            DIFCA (to process employee visa) - DIFC

                              iii.            DEWS administrator (Zurich Workplace Solutions (Middle East) Limited) – DIFC

                              iv.            DFSA (for licensing and registration) – DIFC

                              v.            Compliance consultants (to perform the compliance activity) - DIFC; or

d)       Third parties that submit complaints, requests or reports to compliance or other units within Exotix; or

e)       Other credit, financial services, comparable institutions or other recipients to whom we transfer Personal Data in order to conduct business. In particular: (i) when providing services to you, to persons acting on your behalf or otherwise involved in the transaction (depending on the type of service you receive from us), including, where relevant the following types of companies: a party acquiring interest in, or assuming risk in or in connection with, the transaction (such as an insurer); or (ii) issuers of securities (including third parties appointed by them) in which you have an interest, where such securities are held by third party banks for you; (iii) payment recipients, beneficiaries, account nominees, intermediaries, and correspondent and agent banks (including custodian banks); (iv) clearing houses, and clearing or settlement systems and specialised payment companies or institutions such as SWIFT; (v) other banks, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges; (vi) any third-party fund fiduciary administrator or asset manager who provides services to you; (vii) other financial institutions, credit reference agencies or credit bureaus (for the purpose of obtaining or providing credit references); and (viii) any introducing broker to whom we provide introductions or referrals; or

f)        Any legitimate recipient required by applicable laws or regulations.

Where we transfer your data to third party service providers processing data on Exotix's behalf, we take steps to ensure they meet our data security standards, so that your Personal Data remains secure. Third party service providers are thereby mandated to comply with a list of technical and organizational security measures, irrespective of their location, including measures relating to: (i) information security management; (ii) information security risk assessment; and (iii) information security measures.

5.3.              Data transfers to other countries

The Personal Data transferred within or outside Exotix as set out in sections 5.1 and 5.2 is in some cases also processed in other countries. We only transfer your Personal Data abroad to countries which are considered to provide an adequate level of data protection, or in the absence of such legislation that guarantees adequate protection, based on appropriate safeguards (e.g., use of the standard data protection clauses as provided by the Commissioner in accordance with the Data Protection Regulations).

6.       How long do we store your data?

We will only retain Personal Data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. To help us do this, we apply criteria to determine the appropriate periods for retaining your Personal Data depending on its purpose, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. 

7.       What are your rights and how can you exercise them?

7.1.              Your rights

The Law ensures that you have the right to access, rectification, erasure or restriction of the Personal Data that Exotix processes about you, if any. You also have the right to object to such processing, or to ask that it be handled manually or that you be given options for portability. Your rights also include:

  • Right to withdraw consent

  • Rights to access, rectification and erasure of Personal Data

  • Right to object to Processing

  • Right to restriction of Processing

  • Controller's obligation to notify

  • Right to data portability

  • Automated individual decision-making, including Profiling

  • Non-discrimination

  • Methods of exercising your rights.

Your right to access Personal Data is often referred to as a Subject Access Request (SAR). We are required to confirm whether or not Personal Data concerning you is being processed, and where that is the case, we must give you access to the Personal Data, with very few and limited exceptions. A SAR must normally be in writing, in no specific format. Each SAR is different and must be responded to on a case-by-case basis. We will usually, in response to a request, ask you to verify your identity and/or provide information that helps us to understand your request better. Exotix reserves the right to exclude data that does not qualify as Personal Data or may not be appropriately responsive to the SAR. If we do not comply with your request, we will explain why.

7.2.              Exercising your rights

The processing that occurs as part of the services the Firm provides is not considered to be a High Risk Processing Activity. Therefore, the Firm is not required to appoint a Data Protection Officer (DPO).

However, the Firm has assigned a person with responsibility for data matters with details below:

Name: Fabrizio Ferrero

Role: SEO

Email: fabrizio.ferrero@exotixadvisory.com

Phone Number: +971 4 575 6650

Address: Emirates Financial Towers, unit N319, DIFC, Dubai, UAE 

If you are not satisfied with how Exotix processes your Personal Data, please let us know and we will investigate your concern.

8.       Changes to Personal Data

We are committed to keeping your Personal Data accurate and up to date. Therefore, if your Personal Data changes, please inform us of the change as soon as possible.

9.       Changes to this Privacy Notice

This Privacy Notice was published in October 2021. It is a notice explaining what Exotix does, rather than a document that binds Exotix or any other party contractually. It may be subject to amendments. We may update, revise and change the contents of this notice. Please visit the Exotix website frequently to understand the current privacy notice, as the terms of this notice are closely related to you.

Where there is a material change to this notice, we will promptly take steps to inform you of the update by appropriate means, depending on how we normally communicate with you.

10.    Entities in the DIFC covered by this Privacy Notice

The provisions herein apply to you if you have a contractual relationship with Exotix in the DIFC.

  • Entity Name: Exotix Advisory Ltd

  • Registered Address: Emirates Financial Towers, unit N319, DIFC, Dubai, United Arab Emirates

If you have any questions or comments about this notice, please contact the person assigned responsibility for Data Protection at fabrizio.ferrero@exotixadvisory.com.

11.    Third party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.