This Privacy Notice describes how and why CVML Limited (DIFC License No. CL1052 of 104, 1st Floor, Liberty House, Al Sukook Street, Dubai International Financial Centre, Dubai, United Arab Emirates; “CVML”, “we”, “us”, “our”) collects, stores, and uses personal information, and provides information about the rights of the individuals to whom such personal information relates.
This Data Protection Notice has been prepared with reference to DIFC Data Protection Law considerations and will be amended as may be required from time to time.
We are committed to safeguarding the privacy of the personal information that we process in the course of our business, including the personal information we receive from you (“you” or “your”).
For the purposes of applicable data protection law, CVML is typically the “data controller” of any personal information provided to us. Specifically, your data will be controlled by the CVML entity that you have engaged. Very occasionally, we will act on specific retainers as a “processor” (meaning that we process personal data only in accordance with the directions of a data controller, or as otherwise permitted by law).
Please read the following information thoroughly to understand our viewpoints and procedures regarding how we deal with personal information. If you have any questions about our approach to data protection that are not already addressed in this Privacy Notice, please contact our Director of Compliance, as per the contact details set out at the end of this Privacy Notice.
What Personal Information Do We Collect?
We may assemble personal information from you during our business, when you contact us or request information from us, when you instruct us to provide legal services, when you use our website or any of our other platforms or engage in business with our clients.
The personal information that we collect may include:
- Your name, title, employer, your relationship to a person’s email address, physical address, contact numbers, social media handle, birthdate, passport details, bank account details.
- Your address, IP address, browser details, traffic data, location data.
- Information relating to the matter on which you are seeking our legal support.
- Personal information provided to us by or on behalf of our clients or generated by us in the course of providing services to them, which may include special categories of personal data.
How do we collect your personal data?
The circumstances in which we can collect personal data about you include:
- when you or your organization seek legal advice from us.
- when you or your organization offer to provide, or provides, services to us.
- when it is provided to us by a third party because you are the subject of, or your data is otherwise included in, legal advice we are asked to provide to that third party client (for example, where we are asked to provide advice in an employment dispute, or where you are the subject of an investigation we are asked to conduct).
- when you correspond with us by phone, email, or other electronic means, or in writing, or when you provide other information directly to us, including in conversation with our lawyers, consultants, and staff.
- when you or your organization browse, complete a form, or make an enquiry or otherwise interact on our website or other online platforms.
- when you attend our events or sign up to receive personal data from us.
- by making enquiries from your organization, other organizations with whom you have dealings such as former employers, or from third party sources such as government agencies, information service providers or from publicly available records.
If you fail to provide personal data
Where we need to collect personal data by law or in order to process your instructions or perform a contract we have with you and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement or contract you have with us, but we will notify you if this is the case at the time.
We may collect your personal information:
- As part of our client on-boarding process, continuance due diligence endeavors, and/or when you seek our services.
- As part of our employee on-boarding process, or employee retention exercise.
- When you propose to provide services to us.
- When you interact with our website, social media platforms, communications, or events.
We may collect this information from you directly, or through a third-party source, such as our clients, your employer, other parties to matters in which you are involved, technology and social media platforms, other governmental and/or private organizations that you deal with, or from publicly available records.
The information you provide may be confidential, and we will maintain such confidentiality and protect your information in accordance with our professional obligations and applicable law. We have arrangements in place with personnel and service providers who may process your personal information, to ensure that confidentiality is maintained.
How and why, we use your personal data?
Whether we receive your personal data directly from you or from a third party, we will only use your personal data if we have a lawful reason for doing so. Such reasons will include:
- Complying with our legal and regulatory obligations.
- For the performance of our contract with you or to take necessary steps, at your request, before entering into a contract.
- For our legitimate interests or those of any third parties.
- When we have your consent to do so.
We may use your personal data to enable us to:
- Provide legal advice or other services to you or one of our clients.
- To manage our business relationships with you or your organization.
- Acting in compliance with our legal obligations, including with respect to anti-money laundering, sanctions check, conflict checking, financial/credit checks and any other means required to ensure compliance with law and regulation including compliance with the rules of the SRA or other local bar in another jurisdiction.
- Gathering and providing information required by audits, enquiries, or investigations by regulatory authorities or for insurance purposes or to consider and defend claims against our business.
- Managing and securing access to our offices, systems, and online platforms.
- Monitoring our technology tools, including our websites and email communications.
- Complying with court orders.
- Processing that is necessary for the legitimate interest of our business or third parties provided that such interests are not overridden by your interests or fundamental rights and freedoms.
- Keeping our databases up to date with relevant and accurate information.
- Communicating with you about events and seminars or to send briefings or other marketing materials we feel will be of interest to you, your organization or business.
We may use your personal data to send you marketing communication by email, text, telephone, or post on legal developments that may be of interest to you and/or information about our services. We have a legitimate interest in processing your personal data in this way. This means we do not always need your consent to send you marketing communications. However, where consent is required, we will ask for this separately and clearly. You have the right to opt-out of marketing communications. An unsubscribe link will be included in all marketing communications. We may, from time to time, ask you to update your marketing preferences to ensure you receive communications that are relevant to you or to take into account changes in law or regulation.
Keeping your personal data secure
We have appropriate security measures in place to prevent personal data from being accidentally lost or used or accessed unlawfully. However, the transmission of data via the internet is not completely secure and although we use several technical and organizational measures to protect your data, we cannot guarantee the security of your information transmitted online.
We have procedures in place to deal with any suspected data breach and will notify you, and any applicable regulator(s), of a suspected data breach when legally required to do so.
We operate an email mailing list program, which we use to notify our clients and other contacts about our services publications, and events. Such messages may contain tracking technologies in order to track subscriber activity relating to engagement, demographics and other data, and to build subscriber profiles. We use this as a means by which to undertake direct marketing.
If you would like to cease receiving marketing materials or amend your choices on what you would like to receive from us at any time, please let us know by contacting us at firstname.lastname@example.org
Specifically, we use Google Analytics, and other similar products to track unique visitors to our website and app (storing a unique visitor ID, the date and time of first visit, the time their current visit started and the total number of visits they have made); to register session details (so as to attribute visit information, including conversions and transactions to a traffic source); and to register that a website visit has ended and the browser closed. Most internet browsers have a mechanism notifying you when you receive a new cookie and telling you how to reject new cookies or disable cookies altogether (if you wish to do so).
Sharing your Personal Information
We may disclose your personal information to a recipient (i) for the purposes of outsourcing one or more of the purposes-related functions described above; (ii) to confirm or update information provided by you; (iii) to inform you of events, information about our services, and other important information, or (iv) for other purposes disclosed at or before the time the information is collected. If we re-organize our business, we may need to transfer your personal information to other group entities or to third parties.
If you tell us you wish to attend an event, your name and organization may appear on a list which we provide to other delegates at the event. We also take photographs and videos of our events, and this may result in your image being captured and used while reporting on the event (e.g., via social media or other means); we will draw this to your attention in materials relating to the specific events. Additionally, we may process contact details and attendance data in the interests of public health efforts to help tackle COVID-19.
In relation to any other disclosures to third parties, we will only do so where you have given your consent, where we are required to do so by law, or where it is necessary for the purpose of or in connection with legal proceedings or in order to exercise or defend legal rights. We do not sell, rent, distribute, or otherwise make, personal information commercially available to any third party.
How long do we keep personal data for?
If you contact us with an enquiry about our professional services but you do not subsequently become a client (or the company or other person you represent does not do so), it is our policy to delete your personal data after twelve months.
If you are or become a client (or the company or other person you represent is or becomes a client), we normally retain contract information (including personal data) for a minimum period after the end of the relevant contract or client relationship, or for longer where it is necessary for us to do so for compliance with regulatory or other legal obligations, or for the establishment, exercise or defense of legal claims, or where we agree with you to do so. In some cases, it may be necessary for us to retain records indefinitely. Personal data relating to our professional contacts will be retained for so long as is necessary, or until you indicate otherwise to us, but we will aim to update our contacts’ preferences on a periodic basis. In certain cases, it may not be physically possible to delete certain data (for instance, where it is stored on a secure external server), in which case we will take appropriate steps to ensure that it is not available for re-use or disclosure to third parties.
Your rights as a data subject
As a data subject, you have certain legal rights (subject to certain exceptions under the Data Protection legislation) including the right:
- To access the personal data held about you and request a copy of it.
- To ask us not to process your personal data for marketing purposes.
- To withdraw at any time any consent you have given to receive marketing material from us, or in any other case where we process your personal data on the basis of a consent that you have given (and not on some other legal basis).
- To ask us to rectify inaccurate personal data about you.
- To ask for the restriction of personal data about you that is inaccurate, unlawfully processed, or no longer required.
- To ask for the transfer of your personal data in a structured, commonly used and machine-readable format where appropriate.
- To ask for the erasure of personal data about you where processing is no longer necessary, or the legitimate interests we have in processing your personal data are overridden by your interests, rights, and freedoms as the data subject; and
- To make a complaint to a supervisory authority (see below).
Our Director of Risk & Compliance administers compliance with data protection within CVML. If you have any questions about this Privacy Notice, or our processing of your personal data, please contact our Director of Risk & Compliance using the contact details set out below:
Director of Risk & Compliance
Dubai International Financial Centre,
104, 1st Floor, Al Sukook Street, DIFC, PO Box 482025, Dubai, United Arab Emirates
Telephone: +971 4 587 5333
Changes to this Privacy Notice
We may from time to time make changes to this Privacy Notice. Where these are likely to be material, we will communicate these in advance. Otherwise, these will become effective once the amended Privacy Notice is posted on our website. Please check back regularly to keep informed of updates to this Privacy Notice.