At Habib Bank AG Zurich, UAE Operations (‘Bank’, ‘we’, ‘us’) we respect your privacy rights. This Data Privacy Notice explains who we are, how we collect, share, and use personal information about you, and how you can exercise your privacy rights. This Data Privacy Notice only applies to personal information that we collect when you use or interact with our services and through our website at: www.habibbank.com.

If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Data Privacy Notice.

We strongly recommend that you read this Data Privacy Notice in full to ensure you are fully informed about how we protect your privacy.

1) What Do We Do?

Habib Bank AG Zurich, UAE is licensed as a foreign bank by the Central Bank of the UAE. We have been supporting our customers in the United Arab Emirates since 1974 and take pride in our long-standing relationships with our multi-cultural business community clientele.

For more information about us, please visit our website at: https://habibbank.com/ae

2) What Personal Information Do We Collect And Why?

The Bank processes data that we receive from our clients as well as data generated during our business relationship with them. To facilitate, enable, and maintain this relationship, we collect and process personal data related to clients and any individuals involved in the relationship, such as authorised representatives, persons holding a power of attorney, and beneficial owners, if different from the client (collectively referred to as ‘Authorised Persons’).

Personal data includes the personal information of the client or an Authorised Person, such as identification data and authentication data. This can also encompass data related to orders, fulfillment of contractual obligations, financial situation, sales data, and documentation.

In addition to data provided directly by clients, we may also obtain and process client information available in the public domain or from other entities within the Habib Bank Group (‘Habib Bank Group’).

In summary, personal data processed by the Bank may include the following:

• Personal details (e.g. name, address and other contact data, date and place of birth, as well as nationality)
• Identification data (e.g. identification documentation data)
• Authentication data (e.g. specimen signature)
• Order data (e.g. payment orders)
• Data arising from the fulfillment of obligations (e.g. data required for payment transactions)
• Information regarding a client’s financial situation (e.g. credit reports, scoring/rating data, origin of assets)
• Record-keeping data (e.g. minutes of consultation)
• Data available from the public domain (e.g. internet, social media, debtor directories, land register, trade association registers, media, etc.)
• Other comparable data in line with the criteria outlined above

We collect and process your personal information to meet our legal, statutory, and contractual obligations and to provide you with our products and services.

We use a variety of personal information depending on the products and services we deliver to you.

3) We Collect Personal Information In Following Ways

Data that you give to us:

• When you apply for our products and services
• When you fill out an application on paper, and on website, or provide information through documents
• When you talk to us on the phone or visit us in a branch
• When you use our website and mobile device apps
• In emails and letters
• In financials reviews and interviews
• In customer surveys

Data that we collect when you use our products and services or the products and services of members of our Group. This includes:

• The amount, frequency, type, location, origin and recipients
• Payment and transaction data
• Profile you create to identify yourself when you connect to our internet, mobile and telephone services

Data from third-parties that we work with:

• Credit reference agencies
• Fraud prevention agencies
• Public information sources such as National Economic Register / online Free zone registry, search engines, etc
• Government and law enforcement agencies

We may also obtain data from other people who know you, including joint account holders and people you are linked to financially.

We also may obtain some personal information from monitoring or recording calls and when we use CCTV at our branches. We will record or monitor phone calls with you for regulatory purposes, for training, to ensure and improve the quality of service delivery, to ensure safety of our staff and customers and to resolve queries or issues. We also use CCTV on our premises to ensure the safety and security of our staff and customers.

4) Who Do We Share Personal Information With?

We may disclose your personal information to the following categories of recipients:

4.1) Habib Bank Group

We may share your data with other entities in the Habib Bank Group where required to fulfill our contractual and legal obligations. We may transfer your personal data to other members of the Habib Bank Group for risk control purposes in connection with statutory/regulatory obligations. We may also share information with other members of the Habib Bank Group in connection with services that we believe may be of interest to you.

4.2) External Recipients Of Personal Data

We will transfer personal data about you in the course of conducting our usual business or if legal, regulatory or market practice requirements demand it, to the following external recipients, or if you have given consent (e.g. to process a financial transaction you have ordered us to fulfill) for the following purposes:

• To public entities and institutions (e.g. financial authorities, Central Bank of the UAE, law enforcement authorities)
• To other credit and financial services institutions or similar institutions to which the Bank transfers personal data within the context of its business relationship with you (e.g. correspondent banks, custodian banks, brokers, stock exchanges, information agencies)
• To third-parties (for example correspondent banks, brokers, exchanges, trade repositories, processing units and third-party custodians issuers, authorities and their representatives, property surveyors, lawyers, audit firms, debt collection agencies and credit reference agencies) for the purpose of ensuring that we can meet the requirements of applicable law, contractual provisions, market practices and compliance standards in connection with transactions you enter into and the services that we provide you with, or
• To a natural or legal person, public authority, agency or body for which you have given us your consent to transfer personal data to or for which you have released us from banking confidentiality

4.3) Service Providers And Agents

We will transfer your personal data to service providers and agents appointed by us for the purposes stated above, subject to maintaining banking confidentiality. These are companies in the categories of banking services, IT services, logistics, printing services, telecommunications, collection and advice and consulting.

We will implement appropriate organisational and technical safeguards to protect your personal data for which it acts as data controller at all times.

5) How Do We Keep Personal Information Secure?

We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Specific measures we use include strong access controls, encryption of data in transit, etc.

6) International Data Transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protected).

Data transfers to legal entities in countries outside of the UAE takes place so long as:

• It is necessary to administer our working relationship with you
• We have a legitimate interest in doing so
• It is required by law (e.g. reporting obligations under financial regulation), or
• You have given your consent

These data transfers are secured through corresponding guarantees of the recipients to ensure an appropriate level of data protection.

We will also share your personal information with other entities in the Habib Bank Group as part of our regular reporting activities on the Bank’s performance, in the context of a business reorganisation of Group restructuring exercise, for system maintenance support and for data hosting purposes.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Data Privacy Notice.

7) Data Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it.

We will normally retain your records for a minimum of fifteen (15) years from the date of termination of your relationship, to comply with regulatory and contractual requirements, unless there is a particular reason to hold records for longer, including legal retention requirements (which would require us to keep records for a longer period of time).

8) Your Data Protection Rights

Your data protection rights include the following (*):

• Right of access: Requesting that information on your personal data that the Bank holds on record be shared with you
• Right to rectification: Demanding that the information be rectified should it be incorrect
• Right to erasure: Asking that your data be deleted if the Bank is not permitted or is not legally obliged to retain your data
• Right to restrict processing: Demanding that the processing of your data be restricted if:
  – you have disputed the accuracy of your data stored by the Bank and it has not yet completed its assessment
  – you object to the deletion of your data although the Bank is obligated to delete it, or
  – you have objected to the processing of your data but it has not yet been established whether this outweighs the Bank’s reasons for processing your data
• Right to object: Objecting to the processing of your data by the Bank if it processes your data on the basis of its legitimate interest (it will cease this processing unless it is outweighed by compelling and legitimate grounds)
• Right to data portability: Demanding that your personal data that you have provided to the Bank be transferred in a generally useable, machine-readable and standardised format
• Right to withdraw: You can withdraw your consent at any time, even if personal information has been collected and processed with your consent. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Unless specified otherwise, the withdrawal to be effected within 30 calendar days from the date of request

You also have the right of appeal (as far as this affects you) to your respective Authority. (*) Certain rights are applicable only under GDPR (for EU residents).

9) Will Cookies Be Collected?

Yes, the Bank does collect cookies.

9.1) What Are Cookies?

Cookies are information packages sent by a web server (in this case this website) to your internet browser, saved on your computer and checked by the server on each subsequent visit to the website. To gain full benefit from this website, we recommend that you configure your browsers to accept cookies.

9.2) Why Do We Use Them?

Cookies are used to facilitate navigation within the website and correct use. They also serve a statistical purpose, making it possible to establish which areas of the website have been visited, and to improve and update user procedures.

9.3) Type Of Cookies Used

For further information about the types of cookies used please refer to our “Cookies Notice” on our website.

9.4) How Should I Manage My Settings With Respect To Cookies?

To optimise your use of our website, we recommend that you accept the cookies. Most internet browsers are initially set to accept cookies. You can at any time set your browser to accept all cookies, just some cookies or no cookies. In the latter case, you would disable use of part of the websites. Additionally, you can set your preferences in the browser so that you will be notified whenever a cookie is saved on your device. Please note that if you disable the cookies, you may not have optimal use of the website.

10) Is The Decision-Making Automated?

No, the Bank does not use automated decision-making.

11) Will Your Data Be Automatically Processed?

We process some of your data automatically, with the goal of assessing certain personal aspects (profiling). For example we may use profiling in the following ways:

• To combat money laundering, the financing of terrorism, and criminal acts, the Bank also conducts data assessments (among others in payment transactions). The aim of these measures is to protect you
• To use assessment tools to provide clients with relevant and appropriate information on its products and services. These allow communications to be tailored, as needed, including market and opinion research
• To use assessment tools in order to be able to specifically notify you and advise you regarding products. These allow communications to be tailored as needed, including market and opinion research

12) Updates to this Data Privacy Notice

We may update this Data Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Data Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.

13) How To Contact Us?

If you have any questions or concerns about our use of your personal information, please contact us using the following email address: dataprotection.ae@habibbank.com