Privacy Policy
Last Updated on 30 September 2020
BSA Ahmad Bin Hezeem & Associates LLP (“BSA”, “we”, “us” or “our”) is a DIFC based law firm with associated offices in Dubai and other emirates in the UAE and regional offices across the region.
BSA is committed to protecting the confidentiality of personal information relating to people who retain our services, former and current employees, trainees, contacts, business partners, service providers and visitors to BSA website www.bsabh.com, whether such information is collected directly or indirectly through our partners and affiliates (“Data Subjects”, “you” or “your”).
This privacy policy (this “Policy”) aims to provide Data Subjects with an understanding regarding how we collect, use, disclose, handle and store their data. We aim to provide clarification, through this Policy, about the methods through which we collect data, use such data, how it is shared (if at all) and how it is protected and stored. This Policy also provides information about your rights.
By visiting our website or providing us information, you consent to our collection, use, disclosure and processing of your personal data in accordance with this Policy.
Unless the context suggests otherwise, any reference to data in this Policy is to personal data, which means any data relating to an identified or identifiable person. This Policy applies to personal information about you that we collect, use and otherwise process in connection with your relationship with BSA. For the avoidance of doubt, this Policy does not apply to anonymized or aggregate data or data that it is no longer identifiably linked to you. We may use and disclose such data to our partners, advertisers and any other third parties.
It is important that you read this Policy together with any other notice we may provide on other occasions when collecting or processing data about you. This Policy is supplementary to such other notices and does not override them.
We may modify this Policy from time to time. Changes cannot be retroactive. We will provide you with notice if any material changes are made to this Policy. What constitutes a “material change” will be determined at our sole discretion, in good faith and using reasonable judgment and common sense. Your continued use of our services after notice of change is issued means that you are consenting to the updated terms.
The provisions contained in each paragraph of this Policy shall apply independently of each of the others and its validity shall not be affected if any of the others is invalid. If any of those provisions is void but would be valid if some part of the provision were deleted or reduced in scope or time, the provision in question shall apply with the minimum modification necessary to make it valid.
This Policy explains:
- How we collect your data
- Categories of data
- How we use your data
- Legitimate interests
- Sharing of data
- Transferring data outside the DIFC
- Data retention
- Your data rights
- Marketing purposes
- Non-discrimination
- Cookies and other tracking technologies
- Third party sites
- Security measures
- Complaints, Questions and Suggestions
- How we collect your data
We collect data from you and from third parties (any person acting on your behalf, including legal consultants, advisors, employer and others).
In general, we collect data relating to the following categories of persons:
- people who retain our services;
- former and current employees and trainees;
- contacts;
- business partners; and
- service providers, visitors to our offices and people we meet with; and
- visitors to BSA website.
We collect data from you by way of telephone calls or other forms of virtual calls and meetings, by way of physical meetings, by way of email, post, your submission of documents and applications or other forms in soft and hard formats, or face-to-face, including in conversations with our lawyers, legal consultants and other staff. Circumstances in which we may collect your data include:
- where you or your company are seeking our services;
- where you approach us through your current or former organization, company, or any entity in possession of your data, including government entities or service providers;
- where it is provided to us by a third party requesting a legal service relating to or indirectly related to you (g. in the cases of labor disputes or due diligence exercises with respect to an acquisition);
- where you submit any enquiries, documents, applications, and so on to us, including where you submit documents for the purpose of our file opening formalities including customer due diligence and anti-money laundering compliance purposes;
- where you attend our events or seminars or sign-up to receive our newsletters or other marketing materials from us; and
- where you or your organization provides or approaches us to offer your services.
Where you have provided us with the data of third parties, you confirm that you have shared with them a copy of this Policy and they have consented to your giving us their data in accordance therewith or that you are otherwise legally authorized to represent such persons.
Our collection of data may be legally or contractually required for the provision of our services.
- Categories of data
We process data, which includes:
- Identity data: This includes first name, last name, nationality, addresses, title, marital status, gender and date of birth, national identifiers (e.g. passport number and identity card number).
- Contact data: This includes business card, residency country, delivery address, location, billing address, email address and telephone numbers.
- Employment data: This includes information about your employment.
- Academic and professional history data for candidates for internships, job vacancies, employees and other staff: This includes curriculum vitae and similar documentation, information relating to job titles and salaries.
- Communications data: This includes details of any communication we have had with you, such as complaints or incidents.
- Physical access data: This includes details relating to any visits by you to our offices.
- Data related to legal work: Any information provided by a client or otherwise publicly available that is relevant to any dispute, grievance, investigation, court proceedings or other legal advice.
- Financial and payment data: This includes details of your bank account and other details necessary for the purpose of processing payments and preventing fraud, including credit/debit card numbers, security code numbers and other related billing information. This also includes payment history.
- Accessibility data: This includes your settings with respect to the receipt of marketing material from us.
- Usage data: This includes data about how you use our website and its content, how you use your devices to access our website and what actions you take, including the screens you visit and searches you make, the times, frequencies and duration of any visits or activities. This data is often collected through the use of cookies, web beacons and other tracking technologies. Please refer to “Cookies and similar technologies” below for further information on our use of such technology and your choices with respect thereto.
- Anti-fraud checks data: This includes the results of any searches undertaken to ascertain whether the information provided by you is accurate.
- Sensitive personal data: While providing our client services, we may collect sensitive personal data concerning you related to the legal matters we are handling on your behalf or involving you directly or indirectly, such sensitive personal data may include racial or ethnic communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, health data, including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person etc. An example of this is (1) where we are handling criminal matters and part of the evidence consists of DNA traces; or (2) where a discrimination case is filed on the basis of your sensitive personal data (e.g. religion or ethnicity).
If we collect materially different data or if we materially change how we use your data, we will notify you and modify this Policy.
- How we use your data
We may use your data for the purposes set out in this Policy as well as for any legal reasons that may apply, some of which we have set out herein. We normally only process your data where required for marketing purposes and the purpose of providing you, directly or indirectly (e.g. as a processor or on behalf of an affiliate), with our services and/or to protect our or our partners’ legitimate interests, or where required or allowed by law.
We are legally obliged to have a lawful reason for processing your data, which we process if:
- You have provided your consent, whether to us or our partners, to the processing of your data for the stated purpose;
- Processing of your data is necessary to perform or enter a contract with you (g. where registering clients, providing or administering our legal services, processing payments, and recruiting new employees);
- Processing is necessary to protect your vital interests or that of another natural person;
- Processing is necessary for legitimate interests pursued by us or any of our partners to whom your data was made available, except where overridden by your interests or rights; and
- Processing is required to comply with applicable law to which we are subject.
- Legitimate interests
Where we are processing your data for legitimate interests, we will always take into account your interests, rights and freedoms. Our legitimate interests include:
- Relationship administration and management purposes, including identifying authorized representatives of our clients, partners and service providers and administrative purposes such as accounting and auditing;
- Conducting background checks, including diligence checks for anti-money laundering and other regulatory purposes;
- Monitoring compliance with our policies and standards;
- Analyzing and improving our services;
- Managing access to our offices and for security reasons;
- For insurance purposes;
- Exercising or defending our legal rights or complying with court orders;
- Providing our services to our clients;
- Processing your preferences and settings to communicate with you accordingly;
- Keeping you updated on the latest legal developments, announcements and other information related to our services (including by way of newsletters), as well as any events and initiatives or marketing campaigns.
- With respect to business contacts, for the purpose of obtaining/providing services, depending on the nature of the business;
- Considering prospective candidates for recruitment;
- Enrolling our employees and those of our partners into competitions or recording any incidents, and other related internal administrative purposes;
- Obtaining any required visas, flight tickets and other related immigration papers, and insurance and other related papers, for our employees’ dependents;
- Keeping your data safe and secure. Using your data for security purposes or to investigate possible fraud or other violations of this Policy and other contractual obligations; and
- Maintaining records and conducting compliance checks or screening and recording against available data bases including where required by applicable law. This includes automated processing to confirm your identity and the information provided by you against available databases and contacting you as part of this exercise.
We may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We process your sensitive personal data where either or both of the following apply:
- Processing is necessary for the purpose of carrying out the obligations and exercising our or your specific rights in the context of employment, including but not limited to recruitment, visa or work permit processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme; or
- Processing is necessary to assist you or your organization in establishing, exercising or defending yourselves against legal claims (including, without limitation, arbitration and other structured and commonly recognized alternative dispute resolution procedures, such as mediation).
- Sharing of data
Where we share your data with third parties, we always ensure appropriate measures are taken to protect your data in compliance with applicable laws.
We share your data with our affiliates, with persons representing you or arranging services on your behalf, as well as with other persons to help us provide you with our services. We also share your information where required to by law or to protect our legal rights.
In certain instances, we share your data with the following persons for the purposes set out in this Policy:
- Entities to which our services are outsourced;
- Our partners and other third parties that assist us in our provision of products and services, including printing services, agents working on our behalf, attorneys, consultants, mediators, experts, other legal specialists or foreign legal advice, translators, notary publics, or any other person required to attest and legalize documents, couriers, and any other necessary persons;
- Our client, where your data was collected in connection with our legal services to said client, as part of performing our legal services or where permitted by law;
- Entities providing background check services, including credit risk, AML and CFT detection companies;
- Data protection supervisory authorities and other regulators;
- Where applicable, to your legal representative;
- Any entity which purchase all or part of our services or our law firm;
- Courts, law-enforcement authorities, regulators, public officials and other parties where reasonably necessary to establish, exercise or defend ourselves against a legal claims or to otherwise resolve legal disputes;
- Persons with whom we are permitted or obliged to share your data by applicable law;
- Law-enforcement authorities to assist them in performing their duties, including any investigations that may concern you; and
- Other public authorities where legally permissible.
- Transferring data outside the DIFC
As part of a regional law firm, we deal with entities in different jurisdictions with global presence themselves. As a result, where legally required or while carrying out our rights pursuant to this Policy, we transfer and process data inside and outside the DIFC. Certain countries where we process data may have laws less protective than those in the DIFC and the DIFC Data Protection Commissioner may consider them to not have an adequate level of data protection.
Where we transfer your data outside the DIFC, we always ensure appropriate measures are taken to protect your data in compliance with applicable laws.
Unless:
- you have expressly consented to the transfer of your data;
- the transfer of your data is necessary for us to perform the services for which we were engaged or conclude or perform a contract concluded in your interests; or
- the transfer is otherwise permitted by applicable data protection laws,
we will only transfer your data to a jurisdiction classified as adequate by the DIFC DP Commissioner or otherwise where we have put in place adequate safeguards to protect your data. In particular, if none of the above apply and we wish to transfer your data to a jurisdiction that does not have an adequate level of data protection as per the DIFC Data Protection Commissioner, we will undertake all reasonable measures to ensure this protection is set out in a written agreement between us and the receiving entity or that otherwise, the legally required measures are undertaken. For more information on the safeguards and measures undertaken by us to protect your data, please contact us using the details set out under Section 14.
- Data retention
We will retain your data to the extent reasonably necessary to protect our legitimate interests, comply with our legal, accounting or reporting obligations or enforce our agreements with you.
While determining the appropriate retention period of data, we take into consideration:
- Legal and contractual requirements, including how long it is reasonable to retain records to prove compliance therewith;
- Time limitations for the making of claims relating to the data;
- Mandatory or recommended record keeping obligations by laws, regulations and other advisors;
- The purposes for which we process your data;
- The nature, sensitivity and amount of the data;
- The potential risk of harm from disclosure or unauthorized use of your data; and
- Whether we can achieve our purposes through other means than retention.
- Your data rights
With respect to your data, you have the following rights, among others:
- Right to withdraw consent: Where the basis to our processing of your data is consent, you have the right to withdraw such consent. Such withdrawal shall not affect the legality, accuracy and validity of any processing or related activities carried out before the date of receipt of your withdrawal.
- Right of access: You have the right to ask us to provide you with information relating to any data of yours processed by us. We are permitted to restrict such access where legal grounds set out in applicable data protection laws apply, such as, among others, to protect the rights of others or avoid obstructing legal inquiries, investigations and procedures. Where we restrict your access to data, we will inform you of the basis for such restriction.
- Right to request rectification: You have the right to request rectification of your data in accordance with applicable laws.
- Right to request deletion: You have the right to request deletion of your data where (a) it is no longer necessary for the purposes it was collected; (b) you withdrew your consent and no other lawful processing basis applies; (c) our storage is unlawful or deletion is required for us to comply with applicable law; or (d) you object to our processing of your data and we do not have any overriding legitimate grounds to continue with such processing. We are not obliged to delete any data unless at least 1 (one) of the above circumstances apply and we do not require your data to comply with legal requirements or to establish or defend ourselves with respect to any legal claims.
- Right to object to processing: You have the right to object to our processing of your data at any time on reasonable and justifiable grounds where our processing is based on a task carried out in the public interest or we informed you that your data is processed for legitimate interests of ours or of third parties.
- Right to restrict processing: You have the right to request that we restrict processing of your data if (a) you contest the accuracy of your data, for as long as it takes us to verify such accuracy; (b) our processing is unlawful and you oppose erasure of your data but request restriction instead; (c) we no longer need your data but you require them to establish, exercise or defend yourself against legal claims; or (d) where you have objected to our processing of your data and we are establishing if we have overriding legitimate grounds to continue such processing.
- Right to data portability: You have the right to request that we transfer your data to any other person in a machine-readable format.
- Right to object to automated processing, including profiling: Except for limited circumstances as provided by law, you have the right to object to any decision made by us solely on automated processing, including profiling, if such decision would affect you legally or in any other serious manner, and instead request that the decision is reviewed manually.
Where you wish to exercise any of the above rights, please contact us using the details set out under section 14. We may request that you confirm your identity and provide further information to enable us to assess your request.
Where your request pursuant to this section is clearly groundless, repetitive or excessive, we may charge a reasonable fee or to the extent legally permitted, refuse to comply with your request.
- Marketing purposes
We may use your data to provide you with relevant marketing communications, including tailored marketing emails and legal proposals, as well as more general material relating to the provision of our services.
You may unsubscribe from any electronic marketing materials we send you by clicking the “unsubscribe” option at the bottom of our emails. You may also contact us using the details set out under section 14 below to unsubscribe or object to receiving any marketing materials from us.
- Non-discrimination
We will not discriminate or penalize you in any manner for exercising any of your rights pursuant to this Policy or applicable laws.
Where you refuse to provide us the data necessary for our engaging you as a client or providing you with our services, this may result in our inability to engage you or provide you our services (as applicable).
- Cookies and other tracking technologies
As mentioned above, we use cookies and other tracking technologies when collecting and processing data. These include the following:
- Browser cookies: A cookie is a text file placed on a device when it is used to access our website. The main function of cookies to is identify you when you access our website. There are different types of browser cookies:
- First party cookies: Cookies originating from the site you are currently viewing.
- Third party cookies: Cookies originating from (or to be sent to) a site you are not visiting. These are served by third parties, which may include our advertising partners and analytics providers.
- Session cookies: Cookies that are stored for the duration of your visit.
- Persistent cookies: Cookies that continue to be stored after you leave our website.
- Flash cookies: Officially called a local shared object, a flash cookie is a text file sent by a web server to a user when the browser requests content supported by plug-ins, such as Adobe Flash.
- Device identification: We may collect identification data relating to devices you access our website through, such as IP addresses.
- Other tracking technologies: Our website may contain other tracking technologies often used together with browser cookies or other identifiers associated with your device.
- Managing Cookies and Opt-Out Options. Usually, you may modify your browser settings to disable or reject cookies. It is important to note that the disablement or rejection of certain cookies may result in your inability to avail of certain features in the Service
- Third party sites
The Service may include links to third-party websites, plug-ins and applications. Selecting those links or enabling those connections may allow third parties to collect and/or share data about you. We encourage you to read the privacy policies of those third-parties and are not responsible for their privacy statements.
- Security measures
We have undertaken all reasonable and legally required technical and organizational security measures to ensure your data is secure and prevent it from being accidentally lost, or used, accessed, altered or disclosed in an unauthorized way. We also regularly review and update such measures to meet new perceived threats that may arise from technological advances. We cannot warrant or guarantee the security of any data you send us.
Where legally required to do so, we will notify you and any applicable regulator of any suspected or actual breach of data.
- Complaints, questions and suggestions
If you have any questions, comments or complaints relating to this Policy or the manner in which we collect and use your personal data, please contact our data protection officer using the following contact information:
Data Protection Officer: Marta Zalewska
Telephone number: 971 4 5285555
Email address: marta.zalewska@bsabh.com
Physical address: Precinct Building 3, Level 6, Office 605, Dubai International Financial Center, Dubai, United Arab Emirates.
You also have the right to submit a complaint to the DIFC Data Protection Commissioner in relation to our handling of your data.