UniHawk Holdings Private Limited
Contents
- Introduction
- Scope of this policy
- Processing personal data
- Processing of sensitive personal data
- Data protection impact assessments
- Security of personal data and record keeping
- Rights of data subjects
- Confidentiality and information security
- Storage and retention of personal information
- Transferring personal data outside the UAE
- Data sharing with public authorities
- Data breaches
- Training
- Failure to comply
1. Introduction
We, UniHawk Holdings Private Limited, a private company limited by shares incorporated and registered in Abu Dhabi Global Market (ADGM), United Arab Emirates (UAE), bearing Registration No. 000008682, whose registered office is at DD-14-124-027, 14th floor, Al Khatem Tower Wework Hub71, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, UAE, together with our subsidiaries (collectively, “we”, “us”, “our” or the "UniHawk Group"), obtain, use and retain personal information (personal data) as part of our day-to-day activities and for various lawful purposes. That personal data relates to all persons who are the subject of the personal data, including but not limited to current, former and prospective directors, employees, interns, business partners, contractors, agency workers, volunteers, trainees and apprentices, suppliers, customers and other third parties (data subjects). In doing so, the UniHawk Group is subject to various legislative provisions, including those set out in the ADGM Data Protection Regulations 2021 (as amended) (ADGM data protection law) and Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (as amended) (UAE data protection law). The Data Protection Regulations 2021 and Federal Decree-Law No. 45 of 2021 are hereinafter referred to together as the data protection laws. These legislative provisions address how we, as data controllers and data processors, should obtain, handle and process personal data. The UniHawk Group is committed to complying with those provisions and to being concise, clear and transparent in how we obtain, use and delete (where relevant) that personal data.
We may collect personal data from a data subject who:
- is or was employed by us (including contractors and temporary employees), or has applied for a job opportunity with us;
- is a customer, or a representative of a customer;
- is a student (who may be a minor) who uses our services;
- uses our website or other digital interfaces, fills in our online forms or engages with us using other forms of direct communication;
- has accessed a third-party website or a social media website which has directed such person to our websites or web pages;
- attends our business development, marketing or other sponsored events (including school fairs, exhibitions, open days and in-person events) or visits our offices;
- interacts and communicates with us in a business capacity;
- provides services to us (or represents an entity which provides services to us); and/or
- has met one of our staff and exchanged business cards or contact details.
Such information may include, but is not limited to:
- In relation to students who use our services, names, parent/guardian names, email addresses of the student and the parent/guardian, contact numbers, names of schools the student has attended, age of students, grades achieved by students and the country of residence of the student and/or their parents/guardians;
- In relation to students represented by us, academic records (including transcripts, report cards and test scores), passport and residence ID copies, residential address, emergency contact information, supporting documentation for applications to educational institutions, and signed consent and authorisation forms;
- Name, gender, home address, parent/guardian names and telephone number, email address, academic level, date of birth, marital status, emergency contacts;
- Residency and visa status, nationality and passport information;
- Emirates ID number, banking details;
- Information captured on security systems, including CCTV and key card entry systems;
- Voicemails, emails, correspondence and other work product and communications created, stored and transmitted by an employee using our computer or communications equipment;
- Employee information, including:
- Sick pay, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for spouse, minor children or other eligible dependents and beneficiaries);
- Dates of hire, date(s) of promotion(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended;
- Records of work absences, vacation entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures (including monitoring compliance with and enforcing our policies);
- Where permitted by law and proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal background checks, and health certifications;
- Date of resignation or termination, and reason for resignation or termination of employment (e.g. for the purpose of providing references).
The purpose of this policy is to set out the means by which we comply with our data protection obligations and the means by which we protect personal information relating to the data subjects. This includes our obligations as to the collection, processing, transfer, storage, and disposal of that personal data.
A dedicated member of UniHawk staff has been appointed as our data protection manager/officer. He is responsible for informing and advising us on our data protection obligations, for monitoring compliance and for ensuring that we comply with our obligations in accordance with our policies. Comments or queries concerning this policy should be addressed to him.
The data protection manager will deal with issues relating to this policy and the application of the data protection laws including:
- issues relating to the correct lawful basis to be applied to personal data collected, held or processed and in particular when consent or legitimate interest is being relied upon;
- issues relating to the use to which data can be put having regard to the purpose for which it was acquired;
- issues relating to the periods for which personal data is retained;
- privacy notices and when these are required;
- subject access requests and other data subject rights as set out in the data protection laws;
- actual or suspected data breaches or issues relating to security arrangements;
- sharing data with third parties and transferring data outside the UAE, to the extent permitted under data protection laws;
- whether processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons, such that a data protection impact assessment is required;
- automated processing, including profiling or automated decision-making; and
- information which is deemed to be special category data, namely any data that directly or indirectly reveals a natural person’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records or biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided to that person that reveals his/her health status (sensitive personal data).
2. Scope of this policy
This policy applies to the personal data of all of those referred to in paragraph 1.1 above.
This policy is intended to set out:
- how data is protected;
- how we comply with our data protection obligations;
- what we expect of our directors, managers, employees, contractors, agency workers, interns, volunteers, trainees and apprentices (personnel) in that regard.
It is intended that this policy will help to ensure that personnel understand and are able to comply with the various data protection requirements to which they are subject in the course of their work.
We have produced other policies dealing with other areas of data and security, such as the privacy policy. All personnel should be aware of, and comply with, those policies in addition to complying with the terms contained within this policy.
The provisions in this policy apply to all personal data whether it is on paper or stored electronically and whether it is in writing or stored as verbal messages. It applies whether the personal data is stored on our network, on individual desktop or laptop computers, on mobile devices, phones or tablets, in paper files or in any other way.
This policy will be reviewed and updated regularly in order to ensure that we continue to act in accordance with our data protection obligations. Revised versions will be brought to the attention of all personnel as and when necessary.
3. Processing personal data
We process personal data on the basis of the following:
- Legitimate interest in offering educational services;
- Consent provided through opt-in forms or other written authorization;
- Performing contractual obligations when a student enrolls in our services.
The data protection laws require that personal data is processed in accordance with the data protection principles. Therefore, when processing personal data, we must ensure that we:
- process personal information lawfully, fairly and in a transparent manner;
- only collect personal data for specified, clear and legitimate purposes and not process that data in a way that is incompatible with those legitimate purposes;
- only process the personal data that is adequate, relevant and limited to what is necessary for the purpose;
- keep the personal data accurate and up to date, and ensure that all necessary measures are in place for correcting and updating inaccurate data;
- only process the personal data in accordance with the data subject rights under the data protection laws;
- keep personal data in a way that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed subject to certain exceptions;
- process the personal data in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
- have appropriate measures and records in place to be able to demonstrate our compliance.
In order to determine whether the processing of personal data for a purpose other than that specified in paragraph 3.2.2 above is compatible with the original purpose for which the personal data was initially collected, we must consider the following factors:
- The degree of linkage between the original purpose of collection and the intended purpose of further processing;
- The context in which the personal data was collected, including the nature of the relationship between the data subjects and the data controller;
- The nature of the personal data, particularly whether it involves special categories of personal data, as defined under paragraph 4;
- The potential impact and consequences of the intended further processing on the rights and interests of the data subjects; and
- The existence of appropriate safeguards to protect the personal data, including but not limited to encryption or pseudonymisation.
In addition to processing data only in accordance with the data protection principles, the data protection laws require that we process personal data only if, and to the extent that, at least one of the following applies:
- the data subject has given consent to the processing of his or her data for one or more specific purposes (‘consent’);
- the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which we are subject;
- the processing is necessary for the protection of the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest;
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The data protection laws also permit the processing of personal data without the data subject's consent in the following circumstances, where the processing:
- is necessary for the performance of a task carried out in the public interest or exercise of official authority or to protect public health;
- relates to personal data which are made public by the data subject;
- is necessary for the defence of legal claims;
- is necessary for the purposes of occupational or preventive medicine, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services;
- is necessary for the assessment of an employee’s ability to perform work;
- is necessary for the parties to fulfil obligations and exercise legal rights related to employment, social security and similar matters, or to conclude, amend or terminate contracts at the data subject's request;
- is necessary for scientific, historical or statistical research purposes;
- is necessary for the controller to carry out its legal obligations in the fields of recruitment, social security or social protection, or to comply with other laws in the UAE;
- is necessary to protect the interests of the data subject; or
- is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
The data protection laws state that where processing is based on consent, we must be able to demonstrate that the data subject has consented to the processing of his or her personal data, in written or electronic form, and that such consent has been freely given for each purpose of processing, in a manner that is clearly distinguishable from other matters and in an intelligible and easily accessible form, using clear and plain language. The consent must also refer to the data subject's right to withdraw it, and where a data subject withdraws consent we will ensure that the procedure for doing so is simple and easy.
The data subject has the right to withdraw his or her consent at any time; withdrawal does not, however, affect the lawfulness of processing based on consent before its withdrawal. When assessing whether consent is freely given, account must be taken of whether the performance of a contract or provision of a service has been made conditional on consent to processing of personal data that is not necessary for the performance of that contract.
Other than where the processing is based on consent, we must satisfy ourselves at all times that the processing is necessary for the purpose of the relevant lawful basis set out above and that there is no other reasonable way to achieve that purpose. In order to demonstrate compliance, we must document our decision as to which lawful basis applies and record information concerning both the purposes of the processing and the lawful basis relied upon.
4. Processing of sensitive personal data
If the personal data in question is sensitive personal data, then we may only process it if one of the following applies:
- The data subject has provided explicit consent for the processing of their sensitive personal data for one or more specified purposes.
- Processing is necessary to fulfil legal obligations or exercise specific rights under law.
- Processing is necessary to protect the vital interests of the data subject or another individual where the data subject is physically or legally incapable of providing consent.
- Processing is necessary for health purposes, including preventive or occupational medicine, medical diagnosis, assessment of employee working capacity, provision of healthcare or treatment, or management of healthcare systems, provided that such processing is conducted by or under the responsibility of a health professional subject to an obligation of professional secrecy or confidentiality.
- Processing is necessary for reasons of public interest in public health, such as protecting against serious health threats or ensuring high standards in healthcare, medicinal products, or medical devices.
- Processing is necessary for archiving and research purposes, as permitted under applicable law.
- Processing is conducted by a not-for-profit organization (e.g., foundation, association, religious, cultural, educational, social, or fraternal entity) as part of its legitimate activities, with appropriate safeguards in place, and where the personal data relates solely to its members, former members, or individuals in regular contact with the organization for its purposes, provided that the personal data is not disclosed outside the organization without the data subject’s consent.
- Processing relates to personal data that has been intentionally made public by the data subject.
- Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the data subject’s request prior to entering into a contract.
- Processing is necessary for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity.
- Processing is necessary for reasons of substantial public interest, provided that (unless otherwise specified), we as a data controller have an appropriate policy document in place in accordance with paragraph 4.2. Such processing may include:
- Exercising a function or legal requirement imposed under applicable law.
- Fulfilling a function of the board, Abu Dhabi, or the UAE government.
- Administration of justice.
- Promoting equality of opportunity or treatment, provided it does not cause substantial harm or distress to individuals and is not conducted against the wishes of an individual who has explicitly opted out.
- Encouraging diversity at senior levels of organizations, where obtaining consent is impracticable, and no substantial harm or distress is likely to occur.
- Prevention or detection of unlawful acts, where obtaining consent would prejudice the purpose of the processing. If personal data is disclosed to a public authority, an appropriate policy document under paragraph 4.2 is not required.
- Protecting the public from dishonesty, malpractice, incompetence, mismanagement, or failures in services provided by organizations, where obtaining consent would prejudice this purpose.
- Compliance with, or assisting others in complying with, regulatory requirements, particularly those related to unlawful acts, dishonesty, or malpractice, where obtaining consent is impractical.
- Fraud prevention as part of an anti-fraud organization or initiative.
- Disclosure to authorities in good faith related to suspected terrorist financing, identification of terrorist property, or money laundering, in compliance with applicable law.
- Publication of judicial decisions, or where processing is necessary for the publication of such decisions by courts or tribunals.
Where a condition in paragraph 4.1.2 requires an appropriate policy document, we must ensure:
- The policy document (which may incorporate other documents by reference) details:
- Compliance measures for ensuring adherence to the principles in paragraph 4.
- The data controller’s retention and erasure policies for personal data processed under this condition.
- From the commencement of processing under the relevant condition and for six (6) months following cessation of such processing, the policy document must be:
- Retained, reviewed, and updated as appropriate.
- Made available to the Commissioner of Data Protection under the data protection laws upon request.
5. Data protection impact assessments
The data protection laws require that, before undertaking processing that poses a high risk to the privacy and confidentiality of personal data, in particular processing that uses new technologies, we carry out an assessment of the impact of the proposed processing operations on the protection of that data, taking into account the risks to the rights of the data subjects concerned.
A data protection impact assessment (DPIA) shall be required in the case of high risk activities such as:
- processing that includes the adoption of new technologies or methods, which creates a materially increased risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise his rights;
- a systematic and extensive evaluation of personal aspects relating to data subjects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
- processing on a large scale of sensitive personal data.
In such circumstances we will carry out a DPIA to assess and record:
- a clear and systematic explanation of the purposes and impact of the processing, including, where applicable, the legitimate interest we are pursuing;
- whether the processing is necessary and proportionate in relation to its purpose;
- the risks to data subjects; and
- the measures that can be put in place in order to address those risks and protect personal information.
A single DPIA may cover multiple similar processing operations that present comparable high risks. The findings of the DPIA must be considered when determining appropriate measures to ensure compliance with the data protection laws in the processing of personal data.
We must seek the advice of the data protection manager, where appointed, when conducting a DPIA.
The Commissioner of Data Protection shall publish a list of processing operations that require a DPIA under paragraph 5.4 above and may update this list periodically.
The DPIA must:
- describe the nature, scope, context, and purpose of the processing;
- assess necessity, proportionality, and compliance measures;
- identify and evaluate risks to individuals; and
- determine any additional measures required to mitigate identified risks.
Where necessary, we will conduct a review to ensure that processing aligns with the DPIA, particularly when changes in processing activities alter the associated risks.
If a DPIA indicates that processing is likely to result in a high risk to the rights of natural persons, we will notify the Commissioner of data protection before proceeding with such processing.
6. Security of personal data and record keeping
The data protection laws require all entities that process personal data to keep internal written records of the processing activities they undertake in their role as data controllers. In all cases those records will contain:
- a description of the categories of data subjects and of the categories of personal data;
- the name and contact details of the data protection manager;
- the categories of recipients to whom the personal data has been or will be disclosed including recipients in countries other than UAE or international organisations; and
- where possible, the envisaged time limits for erasure of the different categories of data.
We will provide all data subjects with the information set out in paragraph 6.3 below, along with the consent notice.
The following information shall be supplied by us as data controllers:
- details including contact details and the names and details of our data protection manager;
- the purposes for which the personal data is being collected, how it will be processed and the lawful basis for that collection and processing;
- any legitimate interests justifying its collection and processing;
- where we have not obtained the personal data directly from the data subject, the categories of personal data collected and processed;
- any relevant data retention periods;
- the data subject’s rights under the data protection laws;
- where applicable, the fact that we intend to transfer their personal data to a recipient outside the ADGM or the UAE, or to an international organisation;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- where relevant, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
- any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.
We will ensure that appropriate technical and organisational security measures are in place to protect all personal data in accordance with recognised international standards, in particular:
- encryption of personal data and data hiding mechanisms such as pseudonymisation;
- procedures to ensure the ongoing confidentiality, integrity, availability and resilience of the systems that process personal data;
- procedures to restore access to personal data in the event of technical failures;
- procedures for regular testing and evaluation of the effectiveness of security measures; and
- when evaluating security measures, taking into account the risks associated with processing (such as loss, alteration or unauthorised disclosure of personal data) as well as the cost of implementation and the nature, scope, context and purposes of the processing.
We will maintain procedures to ensure that processing does not result in, and is not likely to result in, substantial harm or significant distress to data subjects.
We will maintain procedures to ensure that processing is not used for measures or decisions regarding a specific data subject, except where necessary for approved medical research.
Regular reviews of the personal information we process will be undertaken and we will, where necessary, update our documentation accordingly.
7. Rights of data subjects
We will ensure that data subjects are informed that they have the following rights in relation to their personal data.
The data protection laws give all data subjects a right of access to the information set out below, which we will supply on request:
- the categories of personal data which are subject to processing;
- the purposes for which the personal data is being collected, how it will be processed and the lawful basis for that collection and processing;
- information pertaining to any automated decision-making or profiling that will take place using the personal data;
- information on the establishment with whom we are sharing the personal data and the jurisdiction of such establishment;
- Where possible, the anticipated duration for which the personal data will be retained, or, if determination of a specific period is not feasible, the criteria used to establish such duration.
- standards and controls for storage and preservation of the personal data;
- procedures on rectification, erasure and/or restrictions on processing of personal data;
- protective measures on cross border transfer of personal data;
- procedures in place and measures undertaken by us in case of breach or infringement of events that involve risk to the personal data;
- a copy of the personal data undergoing processing; for any additional copies requested by the data subject, we may charge a reasonable fee based on administrative costs. If the request is made by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to obtain a copy must not adversely affect the rights of others; and
- the right to lodge a complaint with the Commissioner of Data Protection or the Office;
If we process a large volume of information related to the data subjects, we may request the data subjects to specify the particular information or processing activities to which the request pertains before providing the requested information.
Subject to paragraph 7.1 above, we may reject a request made by a data subject for information in relation to a breach in the following cases, where the request:
- is untrue or exaggerated;
- contradicts any procedures or investigations by any competent authority(ies);
- adversely affects our efforts to protect personal data; and/or
- violates the privacy and confidentiality of third parties’ personal data.
The data protection laws give data subjects the right to data portability. Under this right, data subjects can:
- obtain the personal data they have provided to us in a structured, commonly used and machine-readable format, where the processing is (a) based on consent or necessary for the performance of a contract, and (b) carried out by automated means; and
- request the transfer of their personal data to another controller where technically feasible.
The data protection laws allow data subjects to have their personal data corrected or deleted.
Data subjects have the right to request the correction of any personal data held by us which is inaccurate or incomplete. We will complete such corrections without undue delay.
Data subjects have the right to request the erasure of their personal data:
- where it is no longer necessary for us to retain that personal data having regard to the purpose for which it was originally collected or processed;
- where the data subject wishes to withdraw consent to holding and processing personal data previously given to us;
- where the data subject objects to us holding and processing their personal data and no overriding legitimate interest permitting us to continue doing so exists;
- where there is no other legal ground for the processing;
- where the personal data has been processed unlawfully or in violation of the data protection laws; or
- the personal data has to be erased for compliance with a legal obligation in applicable law.
Subject to the provisions of paragraph 7.5.2, the data subject shall not have the right to request the erasure of their personal data held by us in the following circumstances:
- Where the request pertains to the erasure of personal data related to public health and held by private entities;
- Where the request would interfere with ongoing investigations, legal claims, judicial proceedings, or our right to defense;
- Where the processing is necessary for reasons of public interest in the area of public health;
- Where the processing is necessary for archiving and research purposes, to the extent that the right referred to in paragraph 7.5.2 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- Where the request conflicts with applicable legislation to which we, as the controller, are subject; or
- Any other circumstances prescribed by the applicable law.
Where we, as data controllers, have made any personal data publicly available and are required to erase such data pursuant to paragraph 7.5.2 above, we shall take all reasonable steps, including the implementation of appropriate technical measures, to inform other controllers processing the same personal data of the data subject’s request for erasure. Such steps shall, taking into account available technology and the cost of implementation, include notifying said controllers to erase any links to, copies of, or replications of the personal data.
Where the rectification of personal data is not technically feasible, we shall not be deemed in violation of these regulations for failing to comply with a request for rectification, provided that:
- The personal data was collected directly from the data subject; and
- The information provided to the data subject was explicit, clear, and prominently stated, specifically indicating that rectification of the personal data at the request of the data subject would not be feasible due to technical constraints.
The data protection laws allow data subjects to restrict the processing of their personal data in any of the following cases:
- they object to the processing, or the accuracy, of their personal data;
- we no longer need the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or
- the processing was carried out in violation of the data protection laws.
We may, however, proceed with the processing of such personal data, regardless of any restrictions requested, and without the consent of the data subject if the processing is:
- limited to storing of their personal data;
- required to be undertaken for the protection of public interest or third party rights; or
- necessary to establish a claim or defence of rights.
We will notify the data subject of any lifting of restrictions under paragraph 7.6.
The data protection laws allow data subjects the right to object to the processing of their personal data by us when it is based on legitimate interests, for direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes, or in violation of paragraph 3. Where such an objection is received based on our legitimate interests, we must cease such processing immediately unless we can demonstrate that our legitimate grounds for such processing override the data subject’s interests, rights and freedoms, or that the processing is necessary for the conduct of legal claims. Where such an objection is received based on our use of the data for direct marketing purposes, we must cease such processing promptly. We will notify data subjects of their right to object no later than the time of the first communication with them, and this notification will be presented in a clear and distinct manner, separate from any other information.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless it is necessary for entering into, or the performance of, a contract between the data subject and a data controller; is authorised by the data protection laws to which we are subject and which also lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent. The data subject has the right to obtain human intervention to review decisions made which were based on automated processing. Decisions referred to herein must not be based on special categories of personal data unless paragraph 4 applies and suitable measures to safeguard the data subject’s rights and legitimate interests are in place.
The data protection laws give a data subject the right to receive the personal data held by or on behalf of the controller concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. They also have the right to transmit that data to another controller without interference from the original controller, provided that the processing is based on consent and is carried out by automated means. Additionally, the data subject has the right to have their personal data transmitted directly from one controller to another, where technically feasible. However, this right does not apply to any processing carried out in reliance on paragraph 3.3.5. Furthermore, the exercise of this right must not adversely affect the rights of others. Data subjects may make a request at any time in order to find out more about the personal data which we hold about them, the processing we are carrying out and the purpose of that processing. We must normally respond to such a request within one month of receipt. This may, however, be extended by up to two months if the request is complex and/or numerous requests are made, but the data subject must be informed if we are to rely on this. All requests received must be dealt with by the data protection manager.
We do not charge a fee for dealing with a request in normal circumstances, although we may charge a reasonable fee for further copies of information already provided or for requests that are manifestly unfounded or excessive, particularly where those requests are repetitive. We may also refuse to act on the request in such circumstances, provided we inform the data subject of the reasons for the refusal.
8. Confidentiality and information security
All personnel must keep confidential data about all the data subjects for which they are responsible or to which they have access. Failure to do so would be a breach of our duties under the data protection law and any professional or similar regulations to which we are subject.
Personnel who have access to personal data must:
- only access the personal data which they have authority to access, and only for authorised purposes;
- only allow other personnel to access personal data if they have appropriate authorisation;
- only allow individuals who are not members of our staff to access personal data if specific authority to do so exists;
- keep personal data secure, for example by complying with rules on access to premises, computer access, password protection and secure file storage and destruction and other precautions set out in our information security policy;
- change passwords regularly whenever they are used to protect personal data, and not use common or easily guessed words or phrases;
- not remove personal data, or devices containing personal data (or which can be used to access it), from our premises unless appropriate security measures are in place (such as encryption or password protection) to secure the data and the device and they have authority to do so;
- ensure that, if personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the computer and screen are locked before the user leaves;
- not store their own personal information on local drives or on personal devices that are used for work purposes or store work-related information on local drives or on personal devices that are used for personal purposes.
In the event that any personnel have any concerns or suspicions that any of the matters set out below are taking place, they should immediately inform the data protection manager of those concerns or suspicions:
- personal data is being processed without a lawful basis or, in the case of special categories of personal data, without one of the conditions in paragraph 4.1 above being met;
- a data breach;
- personal data is being accessed without the proper authorisation;
- personal data is not being retained or deleted securely;
- personal data, or devices containing personal data, are being removed from our premises without appropriate security measures being in place;
- any other breach of this policy or of any of the data protection principles set out in paragraph 3.2 above.
We will use all appropriate technical and organisational measures in order to keep personal data secure and to protect it from unauthorised or unlawful processing and accidental loss, destruction or damage. Those measures may include:
- ensuring that wherever possible personal data is encrypted and password protected;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensuring that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner; and
- the regular testing, assessing and evaluating of effectiveness of technical and organisational measures for ensuring the security of the processing.
In the event that we use external organisations to process personal data on our behalf, we will ensure that additional security arrangements are implemented in contracts with those organisations in order to safeguard the security of personal data. In particular, contracts with external organisations will provide that:
- the external organisation may act only on our written instructions;
- those processing the data are subject to a duty of confidentiality similar to that set out above;
- appropriate measures are taken to ensure the security of processing;
- sub-contractors are only engaged with our prior consent and only under a written contract;
- the external organisation will assist us in providing subject access and allowing individuals to exercise their rights in relation to data protection;
- the external organisation will assist us in meeting our obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;
- the external organisation will delete or return all personal information to us as requested at the end of the contract;
- the external organisation will submit to audits and inspections and provide us with whatever information we need to ensure that they are meeting their data protection obligations; and
- the external organisation will inform us immediately if it is asked to do something infringing the data protection laws.
No one may enter into an agreement with an external organisation to process personal data on our behalf without the consent of the data protection manager.
9. Storage and retention of personal information
We must not retain personal data (and in particular special category of personal data) for any longer than necessary. The length of time over which data may be retained is dependent upon the circumstances, including why the personal information was obtained in the first place.
We provide details of the relevant retention periods for different types of personal data or the criteria that should be used to determine that retention period in our records depending upon the purpose for which personal data was primarily collected.
We will ensure that the following measures are taken as to the storage of personal data:
- All electronic copies of personal data will be stored securely using passwords and appropriate data encryption;
- We will store securely in a locked box, drawer, cabinet, or similar all hardcopies of personal data. This will include electronic copies of data that are stored on physical or other removable media;
- Suitable backups will be made of all personal data that is stored electronically. We will adopt the 3-2-1 method for backups: keeping at least three (3) copies of our data, storing two (2) backup copies on different storage media, and keeping one (1) of them located offsite. All backups will be encrypted;
- Personal data must not be stored on mobile devices (including memory sticks, laptops, tablets, and smartphones) without the consent of the data protection manager and, in the event that such approval is granted, for no longer than is absolutely necessary; and
- Personal data will not be transferred to any device personally belonging to any member of personnel.
We must permanently delete from our information systems any personal data (and special categories of personal data) that is no longer required and destroy any hard copies securely in accordance with the applicable data retention guidelines, unless such data is anonymised so that it can be stored for a longer period of time.
10. Transferring personal data outside the UAE
From time to time, we may need to transfer, make available remotely or store remotely personal data in or to places or countries outside the UAE.
The data protection laws stipulate that personal data may only be transferred to a place or country outside the UAE if there is an adequate level of protection. We may transfer personal data if any one of the following conditions is met:
- The country to which the data is being transferred has local legislation that includes the main provisions, measures, controls, conditions and rules for protecting the confidentiality and privacy of the personal data, including the data subject’s individual right, through a supervisory or judicial authority;
- The country to which the data is being transferred has bilateral or multilateral agreements with the UAE in relation to data protection; or
- The data controller has implemented appropriate safeguards and ensured that enforceable rights and effective legal remedies for data subjects are available.
The data protection laws provide for certain exceptions which permit the transfer of personal data to countries which do not have an adequate level of protection, as detailed in paragraphs 10.2.1 and 10.2.2 above. These exceptions include:
- the data subject has explicitly consented to the proposed transfer;
- a contract or agreement which applies the provisions, measures, controls and requirements of the data protection laws can be signed between the two organisations transferring the data;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person, where it is in the interests of the data subject;
- the transfer is necessary for fulfilling obligations and establishing, exercising or defending rights before judicial authorities, or is necessary to perform international judicial cooperation;
- the transfer is necessary for important public interest reasons;
- the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or
- the transfer is necessary to carry out obligations and to prove, exercise or defend rights before the judicial authorities. It is also permitted if the transfer is necessary for the implementation of a procedure relating to international judicial cooperation.
11. Data sharing with public authorities
If we, as a data controller, receive a request for personal data from a public authority outside of the UAE with jurisdiction over us as the data controller, processor, or any part of our UniHawk Group (a "Requesting Authority") we must:
- Exercise reasonable diligence to evaluate the legitimacy of the request and ensure that any disclosure of personal data is necessary to achieve the stated objectives of the Requesting Authority;
- Assess the potential impact of the transfer on the rights and legitimate interests of affected data subjects. Where appropriate, apply risk mitigation measures such as redacting or minimising the personal data transferred or implementing suitable safeguards; and
- Where reasonably practicable, secure appropriate assurances from the Requesting Authority that it will respect the rights of data subjects and implement adequate safeguards for the personal data.
We may seek guidance from the Commissioner of Data Protection regarding any matters related to paragraph 11.
12. Data breaches
A data breach is any loss of data or information, in whatever form it is held and by whatever means the data was lost, including data that is destroyed or rendered unusable. It may take many different forms, including:
- loss or theft of data or equipment on which personal information is stored;
- unauthorised access to or use of personal information, either by a member of staff or by a third party, such as through hacking;
- loss of data resulting from an equipment or systems (including hardware and software) failure;
- human error, such as accidental deletion or alteration of data;
- unforeseen circumstances, such as a fire or flood;
- deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
- social engineering such as phishing and vishing, where information is obtained by deception.
All personal data breaches, violations or infringements must be reported immediately to the data protection manager.
In the event that any personnel become aware of a data breach, or suspect that a data breach has occurred, they must not attempt to investigate it themselves as this can lead to further issues arising. They must instead report all evidence relating to the personal data breach to the data protection manager.
Where a personal data breach compromises a data subject’s confidentiality, security or privacy, the data protection manager must ensure that the Office is notified of that breach as soon as practicable and without delay. The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate amount of personal data records concerned;
- communicate the name and contact details of the data protection manager or other contact point where more information can be obtained;
- describe the likely potential consequences and expected effects of the personal data breach;
- describe the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- provide any data or documents requested by the Office.
Where a personal data breach may result in a high risk that the rights and freedoms of data subjects will be compromised, the data protection manager must ensure that all data subjects affected by that breach are notified directly and without undue delay. A data breach notification shall at least:
- describe the nature of the personal data breach including, where possible, the categories;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13. Training
We will ensure that all personnel receive adequate training as to their data protection responsibilities and as to how to act and respond as and when they receive requests for matters such as subject access requests, objections and requests for erasure and rectification. Those whose roles require regular access to personal information, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
Information will be provided to all new personnel as part of their induction training.
14. Failure to comply
We regard compliance with this policy as an extremely serious matter. Failing to comply puts at risk those individuals whose personal information is being processed, carries the risk of significant civil, criminal and regulatory sanctions for us and our personnel and may, in some circumstances, amount to a criminal offence by the individual.
Because of the importance of this policy, any failure to comply with the provisions set out in this policy by any personnel will be taken seriously and may lead to disciplinary action being taken against that person under our usual disciplinary processes. Breaches may result in dismissal for gross misconduct for employees and immediate contract termination for non-employees.