
PRIVACY AND DATA POLICY

1.    Introduction


1.1.    MARITIME LAW ASSOCIATION (UAE) NPIO (the “ASSOCIATION”) is a non-profit incorporated organization registered in Dubai International Financial Center (DIFC), United Arab Emirates. Its activity, policies and regulatory compliance requirements are subject to the Laws of DIFC, of the Emirate of Dubai and the Federal Laws of the United Arab Emirates (herein referred to as the “Applicable Law”). This Policy complies with and is issued in furtherance of the Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data in UAE (“Data Law”).
1.2.    THE ASSOCIATION collects and processes personal data of its members (“Members”) and its events attendees (“Attendees”). Collectively, the persons whose personal data (“Personal Data”) is collected and processed by THE ASSOCIATION are referred to as “Data Subjects”.
1.3.    This Privacy and Data Policy (herein referred to as the “Policy”) applies to the Data Subjects defined herein, and therefore, to their Personal Data and management of that Personal Data in any form, whether oral, electronic, or written.  
1.4.    THE ASSOCIATION is always committed to ensuring and safeguarding maximum protection of the data that it gathers from Data Subjects and of their privacy, according to the relevant regulatory provisions in DIFC and to the terms expressly provided herein. The purpose of this Policy is to ensure that:
(a)    THE ASSOCIATION complies with the Data Law; 
(b)    THE ASSOCIATION protects the rights of the Data Subjects; 
(c)    THE ASSOCIATION's processes are transparent in relation to how Personal Data is stored and administered; 
(d)    The Data Subjects are protected against risks of data breach or unauthorized / unlawful uses and processing. 
1.5.    This Policy and any other documents referred to in it set out the lawful bases on which we will process Personal Data we collect from any Data Subjects, or that is provided to us by Data Subjects or other sources. It sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer, and store Personal Data.
1.6.    THE ASSOCIATION is the owner of https://www.emla-uae.com/ (THE ASSOCIATION Website). For the purposes of this Policy, THE ASSOCIATION Website and, where applicable, the branded pages are collectively referred to as the “Website” or “Websites”.  


2.    Compliance and Administration


2.1.    Data Subjects have rights regarding the way in which their Personal Data is collected, stored, and processed. We recognize that the fair and lawful treatment of this data will maintain confidence in THE ASSOCIATION and will support its activity.
2.2.    The Personal Data, which THE ASSOCIATION collects from the Data Subjects, is subject to certain legal safeguards specified in applicable data protection laws and regulations, including the Data Protection Law, DIFC Law No. 5 of 2020 (“DIFC DP Law 2020”).
2.3.    THE ASSOCIATION has taken the following steps:
(a)    established a compliance program; and 
(b)    appointed a Data Protection Officer, who must act independently, reporting to the members of the ASSOCIATION, and who is responsible for:
(i)    ensuring compliance with the DP Law 2020 and all Applicable Laws and with this Policy;
(ii)    ensuring the DP Notification in the DIFC Client Portal is updated on an annual basis as well, in accordance with DP Law 2020; 
(iii)    providing training for the members of the ASSOCIATION about data protection;
(iv)    conducting data protection impact assessments and risk analysis;
(v)    supporting THE ASSOCIATION in keeping and updating a register of processing activities; and
(vi)    ensuring compliance with any other requirements necessary to comply with the DIFC DP Law 2020.

 
Any questions about the operation of this Policy or any concerns that the Policy has not been followed should be referred in the first instance to Paul Wilkinson, who can be reached at telephone number +97148811110, email address: privacyofficer@emla-uae.com


3.    Definitions


3.1.    Applicable Law means applicable data protection laws and regulations, including the Data Protection Law, DIFC Law No. 5 of 2020, as well as all other applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings of any government, quasi-government, statutory body, regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction that may be in force from time to time.
3.2.    Controllers are the people who or organizations which determine the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies in line with the Applicable Laws. We are the Controller of all Personal Data collected from the Data Subjects.
3.3.    Attendees mean the persons attending the events of THE ASSOCIATION. 
3.4.    Data Subjects for the purpose of this Policy include all identified or identifiable individuals about whom we hold Personal Data. All Data Subjects have legal rights in relation to their Personal Data.
3.5.    Further Information Requests refers to lawful email requests for further information, by any investigative, governmental, or regulatory authority, about whether certain natural persons or legal entities have or had any relationship with THE ASSOCIATION in the period up to and including the prior five years from receipt of the email requesting such information.
3.6.    Processors include any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. We are the Processor of all Personal Data collected from the Data Subjects.
3.7.    Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Data can be factual (for example, a name, address, or date of birth) or it can be an opinion about that person, their actions and behavior.
3.8.    Processing is any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Processing also includes transmitting or transferring Personal Data to Third Parties.
3.9.    Special Categories of Personal Data is information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations, or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life. Special Category Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
3.10.    Third-Party refers to any person or entity authorized to Process Personal Data, other than the Data Subject, Controller or Processor. 
3.11.    Third Country refers to a jurisdiction other than the Dubai International Financial Centre (DIFC), whether in the UAE or elsewhere. 


4.    Data collection and protection principles 


4.1.    THE ASSOCIATION may, in the ordinary course of business, collect and process information about anyone who:
(a)    is our member; 
(b)    uses our website, or other digital interfaces;
(c)    attends our events.
4.2.    Such information may include, but is not limited to:
(a)    Personal details and identity information such as full name and surname, including any previous names and surnames, gender, date and place of birth, nationality, emergency contact numbers, national insurance numbers, home status and address, telephone number, email address;
(b)    Personal details shall also include signatures, geographic information, telephone and image recordings and key card entry systems;
(c)    Associations such as marital status, family, friends, business partners as well as whether the Data Subject is financially connected to any person;
(d)    Correspondences, including all information provided to THE ASSOCIATION, whether in person, telephonically, by post, email, online or otherwise;
(e)    Voicemails, emails, correspondence and other work product and communications created, stored and transmitted using THE ASSOCIATION equipment such as computers, laptops, mobile phones or other communications equipment;
(f)    Taxation details such as taxation residence, tax numbers and other tax related information;
(g)    Online information such as user identities, subscriptions, IP address, site preferences, and any other information that we may collect using technologies such as cookies;
(h)    Residency status, visa status, as well as details pertaining to entry and exit of the UAE;
(i)    Passport details such as passport number, date of issue, expiry date, place of issue;
(j)    Emirates (or other national) ID number;
(k)    Financial information such as bank account details, credit and debit details, payment details and history, pension and investment details, payments into your account including salary details and health insurance providers’ details.
4.3.    Anyone processing such information must adhere to the following principles of lawfulness, transparency, and accountability:
4.3.1.    Personal Data must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
4.3.2.    Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
4.3.3.    Personal Data must be adequate, relevant, and limited to those which are necessary in relation to the purposes for which they are processed.
4.3.4.    Personal Data must be accurate and, where necessary, kept up to date.
4.3.5.    Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
4.3.6.    Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
4.3.7.    The Controller shall be responsible for and be able to demonstrate compliance with these principles.
4.4.    Fair processing
4.4.1.    The DIFC DP Law 2020 is not intended to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject.
4.4.2.    For Personal Data to be processed lawfully, it must be processed based on one of the legal grounds set out in the DIFC DP Law 2020. These include, among other things:
(a)    the Data Subject's consent to the Processing; or
(b)    that the Processing is necessary for the performance of a contract with the Data Subject; or  
(c)    for the compliance with a legal obligation to which the Controller is subject; or 
(d)    for the legitimate interest of the Controller or the party to whom the data is disclosed. 
4.4.3.    When a Special Category of Personal Data is being Processed, additional conditions as set out in article 11 of the DIFC DP Law 2020 must be met. Such conditions include that the Data Subject has given explicit consent to Processing or that the Processing is necessary to protect their vital interests.
4.4.4.    When processing Personal Data as Controllers during activity, THE ASSOCIATION and its representatives will ensure that those requirements in clause 4.4.2 above are met.  
4.4.5.    In the absence of any other applicable basis for fair and lawful processing of Personal Data, THE ASSOCIATION processes Personal Data on the basis that the processing is necessary for the purposes of pursuing their legitimate interests or those pursued by a Third Party or parties to whom the Personal Data is disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
4.5.    Processing for limited purposes
4.5.1.    During our activity, we may collect and process Personal Data. This may include data we receive directly from a Data Subject and data we receive from other sources.
4.5.2.    We will only process Personal Data for specific purposes or for any other purposes specifically permitted by the Applicable Laws. We will notify those purposes to the Data Subject. 
4.6.    Adequate, relevant, and non-excessive processing
4.6.1.    We will only collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject.
4.7.    Accurate, Complete and Up-to-Date Data
4.7.1.    We will ensure that Personal Data we hold is accurate and kept up to date. We will take reasonable steps to destroy or amend inaccurate or out-of-date data. 
4.8.    Timely processing
4.8.1.    We will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required or which a Data Subject has asked that we destroy or modify. 
4.8.2.    We will conduct timely reviews of our processing operations with respect to data that is collected and stored in our systems. Such reviews will include but are not limited to understanding where our data is processed, who our sub-processors are (if any) and any recipients of our data and the purposes for which they are processing it if such information may legally be made available to us. 
4.8.3.    Where the basis for processing changes for any reason, processes are in place for ensuring one of the following actions is taken with respect to the Personal Data: 
(a)    securely and permanently deleted;
(b)    anonymized so that the data is no longer Personal Data, and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;
(c)    pseudonymized;
(d)    securely encrypted; or
(e)    properly archived / put beyond further use.


4.9.    Data security


4.9.1.    We will take appropriate security measures against unlawful or unauthorized processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
4.9.2.    We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a Processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
4.9.4.    We implement as part of our security policies and processes an incident management policy to address Personal Data breaches and how to manage / report them in accordance with Article 41 (and, where required, Article 42) of the DIFC DP Law 2020.


4.10.    Transferring Personal Data 


4.10.1    We may transfer any Personal Data we hold to and from the jurisdiction in which it is collected. In relation to Personal Data that: (i) we transfer out of the DIFC, or (ii) specifically to the UK, the EU, or a country within the European Economic Area ("EEA"), we may subsequently transfer that Personal Data to another country provided that one of the following conditions applies:
(a)    One of the appropriate safeguards is in place under Article 27(2) of the DIFC DP Law 2020;
(b)    The country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects' rights and freedoms;
(c)    The Data Subject has given his consent;
(d)    The transfer is necessary for one of the reasons set out in the Applicable Laws, including the performance of a contract between us and the Data Subject, or to protect the vital interests of the Data Subject;
(e)    The transfer is legally required on important public interest grounds or for the establishment, exercise, or defense of legal claims;
(f)    The transfer is authorized by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the Data Subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.


4.11    Accountability to Data Subjects


4.11.1    Our use or disclosure of Personal Data must be necessary for the purpose(s) or compatible with the purpose(s) for which we collect and keep the data. Except in certain limited circumstances (including where we are required by law) we should only use and disclose the data in ways consistent with such purpose(s).
4.11.2    We will inform through publicly available privacy notices (i.e., on our website) Data Subjects who provide us with or inform us about their Personal Data regarding:
(a)    The purpose(s) for which we intend to process that Personal Data;
(b)    How we process their Personal Data;
(c)    The types of Third Parties, if any, with which we will share or to which we will disclose their Personal Data;
(d)    The means, if any, with which Data Subjects can limit our use and disclosure of their Personal Data;
(e)    Any other rights they have with respect to our use of their Personal Data in line with Applicable Laws;
(f)    The methods and mechanisms we have in place to be transparent with and accountable to the Data Subject;
(g)    THE ASSOCIATION’s role as a Controller of their Personal Data and how to reach the Commissioner of Data Protection.


5.    Disclosure and sharing of Personal Data


5.1.    We may share Personal Data we hold with Third Parties if we are under a duty to disclose or to comply with any legal obligation, or to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our members or others; or in other cases permitted by the Applicable Law. 


6.    Dealing with Data Subjects’ rights and requests 


6.1.    With some limited exceptions, any Data Subjects are entitled to:
(a)    Request access to any Personal Data that THE ASSOCIATION holds about them (known as a subject access request);
(b)    Request that we stop processing their Personal Data, including automated processing of Personal Data;
(c)    Request that we rectify, block, or erase any Personal Data we hold about them; or
(d)    Make a complaint to the Commissioner of Data Protection regarding the processing of their Personal Data.  
6.2.    Data Subjects should make the request by writing to the DIFC Commissioner of Data Protection or his delegate.  
6.3.    Anybody from THE ASSOCIATION who receives a written or verbal request or complaint from a Data Subject will respond to such requests promptly, as a specific time limit applies to such requests, and a breach of the Applicable Laws may occur if THE ASSOCIATION does not respond accordingly.


7.    Questions about this Policy


7.1.    If you have any questions about this Policy, or any concerns or complaints with regard to the administration of this Policy, or if you would like to submit a request as described in Section 6 above for access to the Personal Data that we maintain about you, please contact us through our Data Protection Officer, whose details are contained in Schedule 1 of this Policy.

​
