Register of Amendments

{table}
Date | Autor | Change Description | Version
November 2021 | Data Protection Officer | Document created | 1.0
April 2024 | Data Protection Officer | Document created | 2.0
June 2024 | Data Protection Officer | Document created | 3.0
{ 25 | 35 | 30 | 10 }
{table}

1. Overview {add}

1.1 This Privacy Policy outlines how ACM Limited, regulated by the Financial Services Regulatory Authority (FSRA) and located in Abu Dhabi Global Market (ADGM), collects, stores, uses, and shares your Personal Data. It also details your privacy rights, the legal protections applicable to you, and how to contact us with any inquiries or concerns regarding our handling of your Personal Data.

‍

2. Controller {add}

2.1 The term "we" or "us" refers to ACM Limited. The entity you interact with when providing your Personal Data will act as the Controller concerning the Processing of your Personal Data.

2.2 Section 62(1) provides the following definition in the DPR 2021:
‍
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

‍

3. Data Protection Regulations {add}

3.1 Our approach to data privacy adheres to the ADGM Data Protection Regulations 2021 (DP Regulations). Other applicable laws may also govern the Processing of Personal Data in specific situations.

‍

4. Data Collection {add}

4.1 We may collect Personal Data directly from individuals or their authorized representatives through various means, including:

• a) Email and telephone communications;
• b) Web-based conferences or video calls;
• c) Onsite visits or in-person meetings;
• d) Application forms;
• e) Recruitment and employment-related interactions;
• f) Correspondence and documents sent via postal or courier services;
• g) Security cameras;
• h) Wi-fi sign-ins.

4.2 We may also obtain Personal Data from third parties during:

• a) The preparation or receipt of reports on suspected misconduct;
• b) Oversight or investigative functions and activities;
• c) Collaboration with governmental, regulatory, law enforcement agencies, or public bodies.
  ‍

5. Types of personal data collected {add}

5.1 The Personal Data we collect may include:

• a) Names, contact details (current and previous email addresses, postal addresses, phone numbers);
• b) Nationality, residency, date and place of birth, passport numbers, and other identification document details;
• c) Education, professional, and employment history;
• d) Criminal records, complaints, allegations, personal opinions, and reports;
• e) Payment information such as bank account details;
• f) Device information, including IP addresses;
• g) CCTV footage from visits to our offices;
• h) Special categories of personal data, where permitted.

5.2 The ADGM Data Protection Regulations 2021 define the following as special categories of Personal Data under Section 7(1) of the Regulations:

• a) Personal data revealing racial or ethnic origin;
• b) Personal data revealing political opinions;
• c) Personal data revealing religious or philosophical beliefs;
• d) Genetic data;
• e) Biometric data (where used for identification purposes);
• f) Data concerning health;
• g) Data concerning a person’s sex life or sexual orientation; or
• h) Personal data relating to criminal convictions and offences or related security measures.

5.3 Minors (under 18 years) should have their Personal Data provided through a parent or guardian. We assume that any Personal Data received from minors has been appropriately provided.

‍

6. Use of personal data {add}

6.1 The Firm may process your Personal Data as an individual client or a representative of a corporate client, job candidates, and employees for the following purposes:

• a) Processing applications for products and services, including assessing customer suitability and performing necessary checks and risk assessments;
• b) Providing products and services, including, transactions and completing instructions or requests;
• c) Monitoring and improving our website client user tools and its content;
• d) Establishing and managing investment relationships;
• e) Conducting market research and surveys with the aim of improving our products and services;
• f) Sending you information about our products and services for marketing purposes and promotions;
• g) Preventing, detecting, investigating and prosecuting crimes (including but not limited to money laundering, terrorism, fraud and other financial crimes) in any jurisdiction, identity verification, government sanctions screening and due diligence checks;
• h) Complying with applicable local or foreign law, regulation, policy, voluntary codes, directive, judgement or court order, as well as any contractual obligation pursuant to agreements between any Affiliate and any authority, regulator or enforcement agency or body or any request coming from legal representative;
• i) Establishing, exercising or defending legal rights in connection with legal proceedings (including any prospective legal proceedings) and seeking professional or legal advice in relation to such legal proceedings.
  ‍

7. Legal basis for processing {add}

7.1 The Firm processes your personal data for the performance of the services provided to you as an individual client, compliance with applicable legal or regulatory obligations of the Firm’s legitimate interests to provide you with adequate and qualitative products and services and to prevent against any excessive risk.

7.2 Personal data shared by you with the Firm are necessary. If it is not provided, the Firm will be unable to comply with its legal or regulatory obligations or to provide you with the requested products and services.

7.3 ADGM Data Controllers must rely upon a valid lawful basis for processing personal data as defined under Section 5(1) of the ADGM Data Protection Regulations 2021. There are six legal basis for processing in the ADGM Data Protection Regulations:

• (i) Consent: Data Subject has provided consent to the processing of their personal data for one or more specific purposes.
• (ii) Contractual Obligation: Processing is necessary for the performance of a contract to which Data Subject is a party, or in order to take steps at the request of Data Subject prior to entering into a contract.
• (iii) Legal Obligation: Processing is necessary for compliance with a legal obligation to which the Data Controller is subject to under applicable law.
• (iv) Vital Interests: Processing is necessary to protect the vital interests of the Data Subject or of another individual.
• (v) Public Interests: Processing is necessary for the performance of a task carried out by a public authority in ADGM’s interest.
• (vi) Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.
  ‍

8. Data storage {add}

8.1 Personal Data is securely transferred to and stored in both electronic and physical formats. Electronic data is stored on secure servers managed by ACM Limited and backup locations within the United Arab Emirates. Physical copies of Personal Data are securely stored in safe storage facilities.

‍

9. Data security {add}

9.1 We employ appropriate measures to protect Personal Data from unauthorized access, loss, alteration, or disclosure. Access to Personal Data is restricted to employees and third parties who need it for business purposes and are bound by confidentiality obligations. While we take extensive measures to ensure the security of data transmission, we cannot guarantee security for Personal Data transmitted over the internet by you. Any data you transmit is done at your own risk.

9.2 Suspected security incidents should be reported to us immediately at dpofficer@acmgroup.ae or by writing to ACM Limited at PO Box 22646, Unit 1, Floor 9, Al Maqam Tower, ADGM Square, Al Maryah Island, Abu Dhabi, United Arab Emirates.

‍

10. Data retention {add}

10.1 Personal Data is processed for the duration necessary to fulfill our functions and purposes outlined in this Policy, unless a longer retention period is required by law. Data based on consent will be retained as specified in the consent or until consent is withdrawn.

‍

11. Cookies and third-party websites {add}

11.1 Our website uses cookies to collect anonymous and aggregated information to improve website functionality. Cookies may store information such as your name, company, telephone number, and email address. Acceptance of cookies is indicated by a warning displayed on our website.

‍

12. Your rights {add}

12.1 Under the DP Regulations, you have the following rights regarding your Personal Data:

• a) Right to be informed: You have the right to be notified when your personal data is acquired, whether directly or indirectly.
• b) Right of access: You have the right to request access to and receive a copy of your personal data.
• c) Right to rectification: You are entitled to have your information corrected if it’s inaccurate or incomplete.
• d) Right to data portability: You have the right to request and obtain a copy of your personal data in an electronic or structured format.
• e) Right to object: You have the right to object to the processing of your personal data.
• f) Right to erasure: You have the right to request erasure or destruction of your personal data (subject to certain conditions – refer Annex 1).
• g) Right related to automated decision making: You have the right not to be subjected to a decision based solely on automated processing, including profiling.
• h) Right to restriction: You have the right to request the restriction and limitation of the way that your personal data is used.

12.2 Further information on the rights of Data Subjects can be found under sections 13 to 20 in the ADGM Data Protection Regulations 2021.

12.3 To exercise these rights, please contact us at dpofficer@acmgroup.ae. Note that certain rights may be restricted by legal obligations or the need to maintain confidentiality.

‍

13. Contact information {add}

13.1 Our Data Protection Officer (DPO) oversees data privacy and protection compliance. For questions, requests, or complaints, contact the DPO at dpofficer@acmgroup.ae or by writing to PO Box 22646, Unit 1, Floor 9, Al Maqam Tower, ADGM Square, Al Maryah Island, Abu Dhabi, United Arab Emirates.

‍

14. Changes to the privacy policy {add}

14.1 This Privacy Policy may be amended periodically to address changes in regulations, business needs, or customer requirements. Updates will be posted on our website with date stamps to ensure awareness of the latest version. Please review this Policy periodically.
‍

15. Glossary {add}

{table}
Term | Definition
Controller | Is defined in the DP Regulations 2021. At the date of and in the context of this Privacy Policy, it means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; as defined under Section 62(1) of the Data Protection Regulations 2021.
Data Subject | Is defined in the DP Regulations 2021. At the date of this Privacy Policy, it means an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; as defined under Section 62(1) of the Data Protection Regulations 2021.
{ 20 | 80 }
{table}

This formal Privacy Policy reflects the regulatory requirements and operational practices of ACM Limited and is intended for publication on our website.