Data Protection Protocol for Falcon Bridge Advisors FZE
1. Introduction
This Data Protection Protocol outlines the measures taken by Falcon Bridge Advisors FZE (“FBA”) to ensure the confidentiality, integrity, and security of personal and sensitive data in compliance with UAE data protection regulations, including the UAE Federal Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and relevant international standards (e.g., GDPR if applicable).
2. Scope
This protocol applies to all employees, contractors, third-party service providers, and other stakeholders handling personal or sensitive data within FBA. It covers all data collection, processing, storage, and sharing activities within the company.
3. Definitions
– Personal Data: Any information related to an identified or identifiable natural person (e.g., name, contact details, ID number).
– Sensitive Data: Data that includes race, religion, political opinions, health, biometric data, or other sensitive aspects of a person’s identity.
– Data Subject: Any individual whose personal data is processed by FBA.
– Processing: Any operation on personal data, including collection, storage, use, and sharing.
4. Data Collection and Processing
4.1 Legal Basis for Processing
– Personal data must only be collected and processed with the data subject’s consent, as required by law, or in accordance with the legitimate interests of the company.
– FBA will ensure transparency by informing data subjects of the purpose for data collection and their rights.
4.2 Data Minimization
– Only data necessary for specific, legitimate purposes may be collected. Unnecessary or excessive data will not be gathered.
4.3 Data Accuracy
– Data collected will be kept accurate and up to date. Inaccurate data will be corrected or deleted.
4.4 Data Retention
– Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, in compliance with the company’s data retention policy. After this period, data will be securely deleted or anonymized.
5. Data Security
5.1 Data Security
– Passwords of at least 8 characters, containing both letters and numbers, are used to access FBA’s computers, laptops, and other electronic devices or accounts. FBA’s employees are reminded to change their passwords at regular intervals.
5.2 Access Control
– Access to personal data is restricted to authorized personnel on a need-to-know basis. Role-based access controls (RBAC) will be implemented.
5.3 Physical Security
– Paper-based records that contain personal data are kept under lock and key when not in use. Papers containing confidential personal data must not be left unattended or anywhere else where there is general access.
5.4 Data Breach Response Plan
– In case of a data breach, the company will follow a clear incident response plan to mitigate risks, notify affected parties, and report to the relevant authorities within the legal timeframe (72 hours where GDPR applies).
6. Data Sharing and Transfer
6.1 Third-Party Processors
– Before sharing data with third-party service providers, due diligence will be conducted to ensure they comply with applicable data protection laws.
– Contracts with third-party processors will include data protection clauses ensuring compliance with this protocol.
6.2 Cross-Border Data Transfers
– If personal data is transferred outside of the UAE, appropriate safeguards will be in place, including:
  – Adequate protection standards in the receiving country, or
  – Standard contractual clauses approved by FBA’s counsel, ensuring that proper data protection measures are in place and enforced.
7. Data Subject Rights
7.1 Right to Access
– Data subjects have the right to access their personal data upon request, and the company will respond within the legally mandated timeframe.
7.2 Right to Rectification and Erasure
– Data subjects can request correction of inaccurate data or deletion of their data if it is no longer needed for the original purposes.
7.3 Right to Object and Restrict Processing
– Data subjects may object to the processing of their personal data in certain circumstances or request restrictions on processing activities.
7.4 Data Portability
– Upon request, data subjects will be provided with their personal data in a commonly used format to facilitate transfer to another service provider.
8. Employee Responsibilities
8.1 Training
– All employees will undergo data protection training to stay informed about their responsibilities and emerging privacy risks.
8.2 Confidentiality Agreements
– Employees with access to personal data must sign confidentiality agreements to ensure they understand their obligations.
8.3 Reporting Data Incidents
– Employees are required to report any data security incidents or suspicious activities to the Data Protection Officer (DPO) immediately.
9. Governance and Compliance
9.1 Data Protection Officer (DPO)
– FBA will appoint a DPO responsible for monitoring compliance with data protection laws, handling data subject requests, and overseeing data security measures.
9.2 Audits and Compliance Reviews
– Regular audits will be conducted to ensure compliance with this protocol and relevant legal standards.
9.3 Penalties for Non-Compliance
– Non-compliance with the data protection protocol may result in disciplinary action, including termination of employment or contractual agreements.
10. Monitoring and Review
– This protocol will be reviewed annually or whenever there are significant changes in data protection laws or the company’s operations.
– The DPO is responsible for ensuring that updates are communicated to all employees and stakeholders.
11. Personal Data Breach Procedure
In the event of a personal data breach, FBA will follow the procedure outlined below to ensure timely containment, investigation, and notification of the breach.
11.1 Definition of a Data Breach
A personal data breach occurs when personal data is lost, accessed, disclosed, altered, or destroyed without authorization, either accidentally or unlawfully. Examples include:
– Unauthorized access to personal data (e.g., hacking, phishing)
– Loss or theft of devices containing personal data
– Accidental sharing of personal data with unauthorized recipients
– Malicious attacks (e.g., ransomware)
11.2 Immediate Response
Upon identifying or suspecting a personal data breach, the following steps must be taken:
1. Containment and Recovery
– Immediately isolate the breach to prevent further access or exposure of personal data.
– Take steps to recover any lost or compromised data (e.g., restoring backups, changing passwords, revoking access).
– If a third-party service provider is involved, contact them immediately to ensure their cooperation in mitigating the breach.
2. Assessment of the Breach
– Conduct a preliminary assessment to determine:
  – The nature of the breach (e.g., hacking, accidental disclosure).
  – The categories and volume of personal data affected.
  – The potential impact on data subjects.
– Document the breach, including when it occurred, how it was discovered, and the actions taken.
11.3 Notification of the Breach
1. Internal Reporting
– All breaches, regardless of severity, must be reported immediately to the DPO or the designated data breach response team.
– The DPO will log the breach in the company’s data breach register and initiate the formal investigation process.
2. Notification to Supervisory Authorities
– If the breach poses a significant risk to the rights and freedoms of individuals, the DPO must notify the UAE data protection authority (or relevant supervisory authority), as may be required by law, within 72 hours of becoming aware of the breach.
– The notification must include:
  – A description of the nature of the breach (e.g., the type and volume of personal data affected).
  – The likely consequences of the breach.
  – The actions taken or proposed to address the breach and mitigate potential harm.
3. Notification to Affected Data Subjects
– If the breach is likely to result in a high risk to the rights and freedoms of data subjects (e.g., identity theft, fraud), FBA will notify the affected individuals without undue delay.
– The notification will include:
  – A description of the breach and its potential impact.
  – Information on steps taken to mitigate the risk.
  – Guidance on how data subjects can protect themselves (e.g., password changes, monitoring accounts).
  – Contact details of the DPO or relevant contact for further information.
11.4 Investigation and Risk Assessment
1. Full Investigation
– The DPO will lead a full investigation to identify the cause of the breach, its scope, and potential consequences.
– The investigation will involve key stakeholders, including IT, legal, and risk management teams, as needed.
2. Risk Assessment
– Evaluate the severity of the breach, considering:
  – The sensitivity of the data involved (e.g., financial data, health records).
  – The volume of data affected.
  – The potential harm to data subjects (e.g., identity theft, loss of privacy).
3. Root Cause Analysis
– Conduct a root cause analysis to identify the underlying factors contributing to the breach, such as technical vulnerabilities or procedural gaps.
11.5 Mitigation and Preventive Measures
1. Immediate Mitigation
– Implement immediate corrective actions to minimize the impact of the breach and prevent further data loss. This may include:
  – Patching software vulnerabilities.
  – Revoking access or changing system configurations.
  – Updating security measures (e.g., implementing multi-factor authentication).
2. Long-Term Preventive Measures
– Based on the findings of the investigation, FBA will introduce new measures to prevent future breaches. These may include:
  – Enhancing employee training on data security and breach response.
  – Reviewing and updating access controls and data encryption practices.
  – Conducting regular security audits and penetration testing.
11.6 Record-Keeping and Reporting
1. Data Breach Register
– All personal data breaches, regardless of their impact, will be recorded in the company’s Data Breach Register. The record will include:
  – Details of the breach (date, nature, and scope).
  – Actions taken to contain and mitigate the breach.
  – Notifications made to authorities and data subjects.
  – Lessons learned and preventive measures implemented.
2. Annual Review
– The DPO will conduct an annual review of all reported breaches and the effectiveness of the company’s response measures. Any identified trends or recurring issues will be addressed through policy updates and additional safeguards.
11.7 Legal and Disciplinary Action
1. Compliance with Legal Obligations
– FBA will comply with all applicable UAE data protection laws and regulations when handling breaches, including timely reporting to authorities and cooperation in any investigations.
2. Disciplinary Action
– Employees found to have negligently or intentionally caused a data breach may face disciplinary action, up to and including termination of employment.
By following this personal data breach procedure, FBA ensures that any breach is managed effectively to protect the rights of data subjects, comply with legal obligations, and minimize reputational damage.
12. Contact Information
For any questions regarding this protocol or to exercise data protection rights, contact the Data Protection Officer at:
Falcon Bridge Advisors FZE
Attn: Data Protection Officer
legal@falconbridgeadvisors.com
This Data Protection Protocol was approved by the management of FBA and deemed effective as of September 1, 2024.