PRIVACY NOTICE – R.E. LEE INTERNATIONAL (MIDDLE EAST) LTD.

This Privacy Notice is provided by R.E. LEE INTERNATIONAL (MIDDLE EAST) LTD. (RE Lee International, 'we' or 'us'). We are a 'Controller' for the purposes of the DIFC Data Protection No 5 of 2020 (also referred to as the "Data Protection Law"). We take your privacy very seriously. We ask that you read this Privacy Notice carefully as it contains important information about our Processing and your rights.

How to contact us
If you have any questions about this Privacy Notice, how we handle your personal data, or would like to exercise any of your rights, please contact:

Data Protection Manager	Mary Wilson
Address:	Al Fattan Currency House Tower 1, Mezzanine Level, Office M07 DIFC, Sheikh Zayed Road, Dubai
Telephone number:	+ 971 4388 9040
Email:	data@releeinternational.com

Changes to the Privacy Notice
The latest version of the Privacy Notice can be found here on our website at https://www.releeinternational.com/en/ We may change this Privacy Notice from time to time. We therefore recommend that you check this Privacy Policy on a regular basis.

Current Version: June 2021

USEFUL WORDS AND PHRASES

We have listed below certain words and phrases that have particular meanings in the Data Protection Law and are used throughout this Privacy Notice:

Term	Definition
Commissioner	This means the DIFC commissioner, appointed by the President of the DIFC pursuant to article 43 (1) of the Data Protection Law to administer and enforce the Data Protection Law.
Controller	This means any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data. In this case, we are the Controller.
Data Protection Law	This means the DIFC Data Protection Law No. 5 of 2020 as may be amended.
Data Subject	This means the person to whom the personal data relates.
Identifiable Natural Person	This means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly).
Personal Data	This means any information any information referring to an identified or Identifiable Natural Person.
Processing	This means any operation or set of operations performed upon personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored personal data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on personal data by: (a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or (b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
Special Categories of Personal Data	This means any information relating to: racial or ethnic origin or communal origin; political affiliation or opinions; religious beliefs or beliefs of a similar nature; criminal record; trade union membership; physical or mental health or condition; sexual life; and genetic data or biometric data to uniquely identify you.

WHAT PERSONAL DATA WE COLLECT AND WHAT WE USE IF FOR:

We may collect, use, store and transfer different kinds of personal data about you, which we have been provided with as follows:

Direct Interactions: You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when:
you fill in our application form to enquire about our services: we may collect information from you including your name, your date of birth, your marital status, details of your assets and liabilities, details of your health history, name of your doctors and/or consultants, the name and contact details of your beneficiary (ies), your billing address, payment information (including credit card numbers), email address and phone number).
you fill in the insurability questionnaire we provide to you: we may collect your name, your contact details, personal postal address, gender, passport details, health data, financial and employment data (including bank details, salary and details of your assets and liabilities, source of income and wealth), family details and details about your hobbies.
we enter into a contract with you to provide you with our advisory services: we may collect your name, your contact details, personal postal address, bank details, family details and details about you beneficiary(ies).
we communicate with each other: we may collect your name, your email address, your phone and/or mobile number and any other information you may provide to us.
give us feedback or contact us: When you contact us, we will collect your name, your email address, your phone number and any other information you may provide us with.
Information automatically collected when you use our website: As you interact with our website, we will automatically collect information about your device, browsing actions and patterns, IP address, time zone and some of the cookies that are installed on your device ("Device Information"). We collect this Personal Data by using cookies, server logs, web beacons, tags, pixels and other similar technologies.

Third parties or publicly available sources. We will receive Personal Data about you from various third parties as set out below:
- Technical Data from the Refinitiv World-Check Risk Intelligence for the purpose of carrying out Customer Due Diligence screening;
- Health Data from your healthcare provider (based inside or outside the DIFC and the UAE) and the examining physician we may engage to see you before we enter into any contracts with you (based inside the UAE); and
- Financial data from our clients' referral source (i.e. private banks, wealth management and financial planning firms).

HOW WE KEEP YOUR PERSONAL DATA SECURE:

We implement appropriate technical and organisational measures in order to protect your Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of Processing. We aim to ensure that the level of security and the measures adopted to protect your Personal Data are appropriate for the risks presented by the nature and use of your Personal Data.

WHY DO WE PROCESS YOUR PERSONAL DATA:

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is Processing your data lawful' for further detail):

Origin of Data	Why do we need it?	Lawful basis for Processing
Application Form and Insurability Questionnaire	to respond to your enquiries, to provide you with our advisory services	Processing is necessary for the performance of a contract we have with you; Processing is necessary to fulfil our legitimate business interests; Processing is necessary to comply with a legal obligation (Tax and VAT collection); Processing is required for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services; Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing insurance, investment, management consultancy including any resulting financial loss.
	to communicate with you	We have your consent to do so; Processing is necessary for the performance of a contract we have with you; Processing is necessary to fulfil our legitimate business interests.
	to screen the information you provided for potential risk or fraud	Processing is in our business legitimate interests; To comply with our legal obligation; Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing insurance, investment, management consultancy including any resulting financial loss.
Device Information	to help us screen for potential risk and fraud (in particular, your IP address)	Processing is in our business legitimate interests; To comply with our legal obligation.
Device Information	to improve and optimise our Site (for example, by generating analytics about how our customers browse and interact with the Site..	Processing is in our business legitimate interests.
Information collected via comments/feedback	to manage and improve our services and the way we communicate with you.	Processing is in our business legitimate interests.

HOW IS PROCESSING YOUR PERSONAL DATA LAWFUL:

We are allowed to Process your Personal Data and any Special Categories of Personal Data based on the following legal bases for the purposes explained in this Privacy Policy.

Legitimate Interests We are permitted to Process your Personal Data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for Processing your Personal Data which is in our interests. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The table in the previous section "Why do we Process your Personal Data" explains the Personal Data Processed on this basis.

You can object to Processing that we carry out on the grounds of legitimate interests. See the section headed "Your Rights" to find out how.

Contract It is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your Personal Data to us, we will not be able to carry out our obligations under the terms of your contract.

Legal obligation We are subject to legal obligations to Process your Personal Data for the purposes of complying with applicable regulatory rules and to make mandatory disclosures to government bodies and law enforcement agencies.

Prevention of Financial Crime We are subject to anti-money laundering and counter-terrorist financing obligations and we may Process your Personal Data for the prevention, detection or prosecution of any crime;

Consent Sometimes we want to use your Personal Data in a way that is entirely optional for you, such as when you give consent for us to place cookies on your device. On this occasion, we will ask for your consent to use your information. You can withdraw this consent at any time.

ORGANISATIONS THAT WE MAY SHARE YOUR DATA WITH:

We use processors to support our IT systems and operate our website, such as website hosting and our IT services providers. Some of these service providers may Process your Personal Data as part of the services they offer to us. We take steps to ensure that our service providers treat your Personal Data in accordance with the law, only use it in accordance with our contract with them and keep it secure. If you would like to know the names of our other service providers, please contact us (see section "How to Contact Us").

Your Personal Data is transferred outside of the DIFC and the UAE for us to provide you with our services :

to our group company based in Hong-Kong that will seek quotations and proposals from various insurance providers; and
onto our Group's client relationship management system, which is located on a server based in the USA and on the Cloud;

Any transfer of your Personal Data outside the DIFC and the UAE will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.]

RETENTION AND DELETION OF YOUR PERSONAL DATA:

We only retain your Personal Data for as long as we need it by law. The following categories of Personal Data will be kept for the following periods and will be securely deleted/ destroyed after the expiry of the retention period:

Data we Process	How long this will be held for
Device Information (cookies/analytics data)	Thirty (30) days.
Contract Information	Six (6) years after the last of the following: an application is withdrawn or declined; a claim is settled; a policy is surrendered or cancelled; the policy service obligations are transferred to another distributor or service provider.
Information from enquiry forms	Until the enquiry has been completed and no further responses are received for a reasonable period. If you are an existing customer, the enquiry may be added to the other contract information that we hold about you as a customer.
Complaints data	For a period of up to 6 years after resolution of the complaint. If you are an existing customer, the complaint and its resolution may be added to the other contract information that we hold about you as a customer.

YOUR RIGHTS:

You have the following legal rights under the Data Protection Law in relation to your Personal Data. You can exercise these rights free of charge, by contacting us (please see "How to contact us"). We will respond to any rights that you exercise within a month of receiving the request unless the request is particularly complex, in which case we will respond within three months (in accordance with Article 33 (7) of the Data Protection Law).

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Please be aware that there are exceptions and exemptions that apply to some of these rights, which we will apply in accordance with the Data Protection Law.

YOUR DATA PROTECTION RIGHTS	WHAT DOES THIS MEAN?
Right to be informed	You have the right to be provided with clear, transparent and easily understandable information about how we use your Personal Data and what your rights are. This is why we are providing you this Privacy Notice.
Right of access	You have the right to obtain access to your personal data we Process and certain other information (similar to that provided in this Privacy Notice). This is so you are aware and can check that we are using your information in accordance with Data Protection Law. You may ask for: A copy of your information; Details of the purpose for which it is being Processed; Details of the recipients or classes of recipients to whom it is or could be disclosed, including if they are overseas and what protections they have in place; The period for which it is held (or the criteria which determines this); Any information available about the source of the data; and Whether we carry out any automated decision-making or profiling, and where we do information about the logic involved and the outcome or consequences of that decision or profiling. To help us find the information, please give us as much information as possible about the type of Personal Data you would like to see.
Right to rectification	You are entitled to have your information corrected if it is inaccurate or incomplete. If you would like us to do this, please contact us (see section "How to Contact Us").
Rights to ask us to stop contact you with direct marketing	You can ask us to stop contacting you for direct marketing purposes. If you would like to do so, please contact us. Alternatively, you can also click the 'unsubscribe' button at the bottom of the email newsletter. It may take up to 7 days for this to take place.
Right to erasure	This is also known as the 'right to be forgotten' and, in simple terms, enables you to request the deletion or removal of your information where: You do not believe that we need your data in order to Process it for the purposes set out in this Privacy Notice; If you had given us consent to Process your Personal Data, you withdraw that consent and we cannot otherwise legally Process your Personal Data; You object to our Processing and we do not have any legitimate interests that mean we can continue to Process your Personal Data; or Your Personal Data has been Processed unlawfully or have not been erased when it should have been.
Right to restrict Processing	You have rights to 'block' or suppress further use of your information. When Processing is restricted, we can still store your information, but may not use it further. You may request that we stop Processing your Personal Data temporarily if: You do not think your Personal Data is accurate. We will start Processing again once we have checked whether or not the Personal Data is accurate; The Processing is unlawful but you do not want to erase your Personal Data; We no longer need the Personal Data for our Processing, but you need the data to establish, exercise or defend legal claims; or You have objected to the Processing because you believe that your interests should override RE Lee International's legitimate interests.
Right to data portability	You have rights in certain circumstances to obtain and reuse your Personal Data for your own purposes across different services.
Right to object to Processing	You have the right to object to certain types of Processing, including Processing based on our legitimate interests only.
Right to withdraw consent	If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, that does not mean anything we have done with your Personal Data with your consent up to that point is unlawful.) We will contact you via electronic means (SMS or email) to allow you to assess the consent, which you have given us.
Non-Discrimination	You have the right not to be discriminated against if you decide to exercise any of the rights mentioned above, including being: denied any products or services; charged different prices or rates for goods or services; provided with a less favourable level or quality of products or services; or suggested that you will receive a less favourable price or rate for products or services because of your exercising of your rights.

Notification to the Commissioner

It is important that you ensure you have read this Privacy Notice. If you do not think that we have Processed your Personal Data in accordance with this Privacy Notice, you should let us know as soon as possible. You also have the right to notify the Commissioner's Office of our breach by phone: +971 4 362 2222 or by email: commissioner@dp.difc.ae