The purpose of this document (“Data Protection Policy”) is to inform you of how Middle East Africa Asia Crypto and Blockchain Association (“MEAACBA”) manages Personal Data which is subject to Data protection under the ADGM Data Protection Regulations 2021 (“DP Law”). Please take a moment to read this Data Protection Policy so that you know and understand the purposes for which we collect, use and disclose your Personal Data.
We are committed to safeguarding Personal Data and processing data in line with DP Law. As part of our commitment to protect your Personal Data in a transparent manner, we want to inform you:
- why and how we collect, treat and store your Personal Data;
- the legal basis on which your Personal Data is processed; and
- what your rights and our obligations are in relation to such processing.
1. Who is responsible for data processing?
MEAACBA is a Data Controller in ADGM in accordance with the provisions set out in DP Law. We are responsible for deciding how we hold and use personal information about you.
2. What does this Privacy Notice cover?
This notice applies to all forms of use (“processing”) of Personal Data by MEAACBA in the ADGM.
3. How we get your information
We collect your information in different ways, specifically:
- When you fill in forms, visit the member portal or when you correspond with us by phone, email or otherwise. This includes information you provide when you subscribe to our training, events and/or services, complete a survey, sign up to a newsletter, post material on our site, report a problem with our site, or request further services;
- When applying for a role or position within MEAACBA either online, via third party sites and/or direct contact made with MEAACBA.
With regard to each of your visits to our site we may collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), cookies and methods used to browse away the page and any phone number used to call our customer service number.
- Further, if you visit our offices or premises, we may have CCTV which may record your image.
Information received from events, training and working groups / committees
We may collect data about you when you attend any of our events, training sessions and/or MEAACBA working groups / committees. This may be collected via business card information you have provided to a MEAACBA member or representative or where you have been invited, nominated or otherwise requested to attend one of our events, training sessions and/or working groups / committees. This information may include your name, job title, company, business or personal email address, phone numbers (business or personal).
Information received from other sources
- We may receive information from other sources, such as from our members, government officials, law enforcement and fraud prevention agencies, regulatory bodies, our other partners for the purpose of providing services to our members.
- Offers and promotions to you via our site, any other websites we operate or other services we provide, advertising networks and analytics providers or publicly accessible data.
4. Information we hold about you
Depending on the service we provide to you, we collect Personal Data about you including:
- Your personal information (e.g. your name, date of birth);
- Contact details (e.g. phone number, address, etc);
- Customer relationship data (e.g. notes of calls or requests you may have made or attendance at an event or webinar);
- Online profile;
- Location data;
- Communications data;
- Technical information including IP address, your login data, etc;
- User login and subscription data;
- Visual images and personal appearance.
On occasion special category (sensitive) personal data may be obtained. We will only obtain and process this information with your consent (permission) or in situations where it is in the wider public interest.
If you choose to provide us with any personal data relating to a third party (for example, information relating to your spouse, children, parents, and/or employees) or ask us to share their personal data with third parties by submitting such information to us, you confirm that they understand the information in this notice about how we will use their personal data.
5. Purpose of Processing
We will always process your Personal Data for a specific purpose and only process Personal Data which is relevant to achieve that purpose. We process Personal Data for the following purposes:
- To carry out our obligations arising from any agreements entered into between you and us and to provide you with the information, products and services that you request from us, including providing membership services to you, including events, training and working groups;
- Manage client relationships;
- Engage stakeholders;
- Inform and execute MEAACBA policy work and non-policy projects
- Process complaints;
- Improve the services offered to members;
- Manage client relationships and communications;
- To upload and host blog material written and provided by members including associated personal data such as photographs of individuals;
- To carry out suitable adjustments for events/services that involve the processing of special category (sensitive) personal data such as dietary needs or disabilities;
- Events and training coordination (such as contacting you once you have signed up for an event or training);
- Queries from members of the public;
6. Legal basis for Processing
MEAACBA processes Personal Data in accordance with the ADGM DP Law. We are not permitted to process Personal Data if we do not have a valid legal basis. Accordingly, we will only process your Personal Data if one of the following legal basis applies:
- To allow us to perform our contractual obligations towards you or take pre-contractual steps at your request;
- To allow us to comply with our legal or regulatory obligation, for example obtaining proof of identification to meet our AML obligations;
- To allow us to protect the vital interests of the relevant individual or of another natural person;
- Necessary for the legitimate interests of JAP, without unduly affecting your interests or fundamental rights and freedoms and to the extent such Personal Data is strictly necessary for the intended purpose
- Where we have your consent to do so.
MEAACBA processes special category of Personal Data in line with additional obligations for such personal data under the Data Protection Law and Regulations, namely:
- the processing is necessary to meet our legal or regulatory responsibilities;
- the processing is necessary for our regular exercise of rights, including in judicial, administrative or arbitration proceedings;
- the processing is necessary to protect the vital interests of the relevant individual or of another natural person
- the processing is necessary for reasons of substantial public interest;
- processing relates to Personal Data that has been made public by you; or
- you have given your explicit consent to us to process that information (where legally permissible).
If you have granted us consent in accordance with the DP Law to process your personal data for certain purposes, this processing is legal on the basis of your consent. Consent given can be withdrawn at any time by notifying us using the contact methods set out under the heading “Exercising your right” in section 10. Withdrawal of consent does not affect the legality of data processed prior to the withdrawal.
7. Who has access to Personal Data and with whom are they shared?
We take your privacy very seriously and we will only share your information where:
- we need to for the purposes of providing you with products or services you have requested;
- we have a public or legal duty to do so e.g. to assist with detecting fraud and tax evasion, economic crime prevention, regulatory reporting, litigation or defending legal rights;
- we have a legitimate reason for doing so e.g. to manage risk, to assess your suitability for services, or to enable one of our virtual activity sponsors to promote themselves to you; or
- we have asked you for your permission to share it, and you’ve agreed.
To extent permitted under applicable law, may also transfer Personal Data to Third Parties outside the MEAACBA such as:
- Authorities, e.g. regulators, enforcement or exchange body or courts or party to proceedings where we are required to disclose information by applicable law or regulation or at their request, or to safeguard our legitimate interests;
- To a natural or legal person, public authority, agency or body for which you have given us your consent to transfer personal data to or for which you have released us from banking confidentiality.
- To service providers and agents such as IT services, logistics, printing services, telecommunications, collection, advice and consulting, and sales and marketing.
For data back-up purposes, we do transfer data to a cloud provider that hosts your data in a location that has equivalent controls for protection of Personal Data.
We have implemented appropriate organizational and technical safeguards to protect Personal Data for which we act as data controller or processor, including when disclosing such data to third parties.
Data transfers to Third Countries
We would usually ensure that the majority of personal data we store or process is within the ADGM. There may be situations where the data that we collect from you may be transferred to, and stored at, a destination outside the ADGM. We will only transfer Personal Data outside ADGM, provided that:
- The firm is in a jurisdiction considered by the ADGM Data Protection Commissioner (“Commissioner”) as providing adequate level of Data Protection. We ensure the firm agrees to apply equivalent levels of protection for Personal Data as we do under the DP Law;
- If the firm is not in a jurisdiction that the Commissioner regards as having adequate levels of protection for Personal Data, we will put in place appropriate safeguards (such as contractual commitments, by adopting the standard clauses as prescribed by the Commissioner); or
- You have explicitly consented to the proposed transfer
8. Data Retention
We will process and store your Personal Data for as long as it is necessary to fulfill the purpose for which it was collected to comply with legal, regulatory or internal policy requirements.
We will only retain information that enables us to:
- Maintain business records for analysis and/or audit purposes;
- Comply with record retention requirements under the law;
- Defend or bring any existing or potential legal claims;
- Deal with any future complaints regarding the services we have delivered;
- Legal Hold requirements.
9. Security of your Personal Data
We always take appropriate technical and organisational measures to ensure that your information is secure. In particular, we train our individuals who handle personal data to respect the confidentiality of customer information and the privacy of individuals. We regard breaches of your privacy very seriously and will impose appropriate penalties, including termination where necessary. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
10. Your rights
We always aim to use our Personal Data in a way that is fair to you. You have a legal right to:
- Request a copy of the personal data we hold about you;
- Inform us to correct or rectify any inaccuracy in the data we hold about you;
- Exercise your right to restrict use of your Personal Data;
- Exercise your right to erase your Personal Data;
- Withdraw your consent where JAP obtained your consent to process Personal Data; and
- Object to decisions based solely on automated processing including profiling.
In addition to the above rights, you have the right to object at any time to:
- the processing of your personal data to the extent permitted;
- for direct marketing purposes, and profiling to the extent related to direct marketing; and
- where your personal data being disclosed to third parties for the purposes of direct marketing.
Your right to exercise these rights are not absolute. They will depend on a number of factors and in some instances, we will not be able to comply with your request as exemptions may be engaged. We will usually, in response to a request, ask you to verify your identity and/or provide information that helps us to understand your request better. If we do not comply with your request, we will explain why.
11. Extent of automated decision making
In establishing and carrying out a business relationship, we generally do not use any fully automated decision-making. If we use this procedure in individual cases, we will inform you of this separately, provided it is a legal requirement to inform you. You have a right to object in certain instances where a decision is taken by us based only on automated decision making and to require such decision to be reviewed manually.
12. Exercising your right
Please send your request using the attached form to: Data Access Request
If you feel that we have not complied with applicable data protection and privacy rules, please let us know and we investigate your concern. Please raise any concerns by contacting the Data Protection Office.
Data Protection Office
If you feel that we have not complied with applicable data protection and privacy rules, you may lodge a complaint with the Commissioner.
13. Changes to the privacy notice
This notice explains how MEAACBA handles your Personal Data and your rights under the Data Protection Law and Regulations, rather a document that binds MEAACBA or any other party contractually. A copy of this privacy notice can be requested from us using the contact details set out above. We may modify or update this privacy notice from time to time.
Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice