For employees in compliance with Articles 29 & 30 of the DIFC Data Protection Law DIFC Law No. 5 of 2020 (DIFC Data Protection Law) and Articles 13 & 14 of the EU General Data Protection Regulation 2016/679 (GDPR).
This privacy notice explains when and why MUFG Bank, Ltd. (DIFC Branch – Dubai) (“we") collect your personal information, how we use it, how we keep it secure and your rights in relation to Personal Data.
This notice is relevant to you if you are, are applying to be, or were formerly, an employee, consultant, contractor, worker, assignee, secondee, trainee, apprentice, work experience student, director or officer of ours, whether on a temporary or permanent basis. This notice is also relevant to any of your dependents, family members, or beneficiaries whose personal information you have provided to us, and who we require you to share this notice with. By providing us with any Personal Data or Special Categories of Personal Data of any other person, such as your dependents, beneficiaries, and or other family members, you are confirming that you have obtained their prior consent to do so and that you have informed your dependents, beneficiaries, and or other family members (as relevant) of the contents of this privacy notice, including the purpose for which such data has been obtained and how it will be processed.
This privacy notice informs you about how we collect, use, store, transfer and otherwise process your Personal Data for the effective running of our business before, during and after your working relationship with us and about your rights in relation to your Personal Data. This privacy notice does not form part of any contract of employment or other contract to provide services.
Unless otherwise stated herein, terms defined in this privacy notice are as defined under the Data Protection Policy that is applicable to MUFG Bank, Ltd. (DIFC Branch – Dubai). References to “you" shall include your dependents, beneficiaries and or other family members where relevant.
This privacy notice was last updated on 1 July 2020. We may provide you with other privacy notices on specific occasions.
In accordance with Articles 13 & 14 of the DIFC Data Protection Law and GDPR Articles 13 & 14 we would like to inform you that:
1. Identity of Data Controller
MUFG Bank, Ltd. (DIFC Branch - Dubai) is a Data Controller which collects, uses and is responsible for processing your Personal Data and Special Categories of Personal Data in manual and electronic format.
2. Collection of Personal Data
2.1. Since the preliminary steps of our contractual relationship, much of the Personal Data we collect about you will have been given to us directly, but it may also come from other internal sources, such as your manager and colleagues, or in some cases, external sources, such as referees, background check providers and recruitment agencies or from publicly available sources. To the extent permitted by applicable law, we will collect and process your Personal Data which shall include, without limitation, the following:
- Personal details: your title, name, e-mail address, telephone details, home address and contact details, date and place of birth, gender, marital status and family details (which may include details of your dependents, beneficiaries or other family members), emergency contact information, outside business interests, personal account dealings, images of you and /or your dependents, beneficiaries or other family members as may be relevant (i.e. photos);
- Background: your application letters, resume/CV, work references, educational background, professional qualifications, membership of professional associations, employment history, areas of expertise, other skills, information you provide about your personal life, interview feedback, credit check and criminal record check (where authorised by applicable local law);
- Right to work/immigration: your and those of your dependents and other family members' citizenship/nationality, passport/ identity card number/resident permit details / work permit information;
- Role: your position, title, role, job grade, division, department, location, managers, reports, staff identification number, employment status and type, terms of employment including benefits information, employment contract, start date, termination date, length of service, and reason for leaving;
- Pay and benefits: details of salary and benefits; performance appraisals and salary reviews, benefits, benefits selections, details of your beneficiaries, dependents and next of kin, tax/social security identification numbers (if applicable), contributions to social, healthcare and pensions funds, and bank account details
- Performance and conduct: facts and opinions regarding your performance, performance and talent ratings, development plans, promotions, training records, regulatory certifications, correspondence regarding your conduct and activities, performance improvement plans, records of disciplinary and grievance procedures and related correspondence; and
- Work schedule and absences: working time records and other management records, building access, overtime, records relating to holiday, sickness leave and other absence records.
2.2. Please note that in some cases we are required by law or as a consequence of a contractual relationship we have with you to collect certain Personal Data about you and of your dependents, beneficiaries and other family members (as may be relevant), and your failure to provide such Personal Data may prevent or delay the fulfilment of these obligations.
2.3. We may also collect other information relating, for example, to your health, which may amount to Special Categories of Personal Data. Special Categories of Personal Data includes information concerning the race or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health and sexual life and sexual orientation of you and your dependents and other family members (as may be relevant). Purposes for which we process Special Categories of Personal Data may include where the processing is necessary for us to exercise rights or carry out obligations in connection with employment (for example, processing health information for statutory sick pay purposes, making reasonable adjustments for disabilities, complying with health and safety obligations, administering health and life insurance policies (and processing pay/ benefit information to insurance providers for the purposes of procuring such insurance) and equal opportunities monitoring where permitted by local law) and for conducting, establishing, exercising or defending legal claims.
2.4. In addition to Personal Data provided by you, we may also obtain personal information from other sources such as, for example:
- our information technology systems, which record emails, telephone conversations and other electronic communications and web usage on work systems and devices; and
- closed circuit TV systems and building access controls, which may record your attendance at our premises.
3. Lawfulness of processing
3.1. The lawful basis for processing your Personal and Special Categories of Personal Data is the performance of our employment relationship and its obligations including preliminary steps to its establishment, as well as where the processing is necessary to comply with a legal or other regulatory obligation that applies to us, or for our legitimate interests or the legitimate interests of third parties.
3.2. We will inform you in case we need to process your Personal Data for a purpose different than the one mentioned above and seek your consent, if needed.
4. Purposes of Processing your Personal Data and Special Categories of Personal Data
4.1. We process your Personal and Special Categories of Personal Data for a variety of purposes related to our contractual relationship and otherwise to the extent permitted by applicable law and regulation which may include:
- To manage our relationship with you: We process Personal Data for management of work and employees, performing any contract we have with you and for our legitimate interest in administering, managing and exercising rights and obligations in relation to our relationship with you. This includes, but is not limited to, performing background checks and interviews as part of our recruitment process, assessing qualifications or suitability for a particular role or task, applying for work permits and confirming rights to work, immigration processes and requirements, assessing training and development needs, assessment of employees' performance and salary reviews and determining performance requirements, managing absences, determining remuneration, administration of payroll and finance administering payroll and benefits including making required income tax and social security deductions (if applicable), administration and improvement of employee benefits such as leave entitlement, processing work-related claims (for example expenses claims and insurance claims), investigating and managing grievances and disciplinary matters, resolving disputes, providing references, and varying or terminating our relationship.
- To comply with laws and regulation: We process your Personal Data for the purpose of complying with applicable laws and regulation, record keeping and other legal obligations and to pursue our legitimate interests in directly or indirectly facilitating compliance with the requirements of the law, co-operating with our regulators and other authorities, complying with foreign laws, preventing or detecting financial and other crimes and regulatory breaches, and protecting our businesses and the integrity of the financial markets. This includes, but is not limited to, maintaining insider lists, personal account dealings, outside business interests, gifts and entertainment records, managing conflicts of interest, administering and keeping records of training, monitoring compliance with laws and internal policies including through monitoring telephone calls, email and other messaging and web usage, investigating, recording and reporting breaches or potential breaches of laws and internal policies and procedures including suspicious transactions or activities, making available and administering whistleblowing schemes, providing regulatory certifications and references, making registrations with regulatory bodies or other authorities, making conduct-related remuneration adjustments, and complying with information requirements and requests from regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries or counterparties and courts.
- To ensure our systems and premises are secure: We process your Personal Data for our legitimate interests in ensuring administration of IT and communication systems, network and information security, including preventing unauthorised access to our computer and electronic communications systems, preventing malicious software distribution, testing our cyber resilience and ensuring compliance with our information security policies. This includes, but is not limited to, monitoring of emails, messaging and web usage, and undertaking phishing tests. We also process Personal Data obtained through closed circuit TV systems and building access controls to ensure the security and safety of our premises.
- To manage our workforce and conduct our business: We process your Personal Data for our legitimate interests in managing our workforce and resources, conducting our business, planning for the future and protecting our rights. This includes, but is not limited to, for the purposes of promotions, talent and succession planning, managing staff absences, staff transfers, secondments and assignments, compiling staff directories, investigating and managing staff grievances, disciplinary matters and terminations, making business travel arrangements, administering corporate credit cards, conducting business with our clients and counterparties, processing of expenses, administering our insurance, budgeting, accounting and auditing, managing and reporting our financial and non-financial performance, equal opportunities monitoring, performing workforce analysis and planning, undertaking staff surveys, managing mergers, acquisitions, disposals and business reorganizations, assessing and managing the risks facing our business, managing and improving our systems, processes and productivity, protecting the health and safety of staff and others, facilitating staff communication in an emergency, arranging events, seminars and CSR activities, including staff profiles in our publications, business continuity planning, handling complaints and enforcing and defending our legal rights and those of our clients, staff and affiliates.
4.2 If you provide us with Personal Data (including Special Categories of Personal Data) about others, such as your dependents, beneficiaries, other family members (as the case may be) and emergency contacts, please inform them of the purpose for which you are providing the Personal Data and relevant information from this notice. We will assume, unless otherwise notified to us in writing, that by providing the information as detailed herein, you have obtained consent from those of your dependents, beneficiaries, and other family members (as the case may be) for the collection and processing by us of Personal Data (including Special Categories of Personal Data) as may be applicable to them.
5. Direct Marketing Purposes
5.1. Your Personal Data may be used for direct marketing purposes. In such circumstances, you have the right to object to the processing of your Personal Data. If you would like to discuss or exercise this right, please use the contact details below for further information.
6. Recipients of your Data
6.1. We disclose Personal Data about you, and those of your dependents, beneficiaries, other family members (as the case may be), where reasonably necessary for the various purposes set out above, to a number of categories of recipients. In compliance with the various purposes set out above for which your data have been collected, in accordance with the DIFC Data Protection Law, GDPR, and our Data Protection Policy, we would like to inform you that your Personal and Special Categories of Personal Data may be shared with, and processed by, the following recipients:
- our staff (including but not limited to Human Resources, Immigration, Finance, Compliance, Audit & Risk, Legal, Systems Departments, Management, Corporate Services), agents and third-party service providers who provide services to us or on our behalf. Third-party external consultants or service providers including payroll processors, benefits administration providers (including pension administration, insurance and occupational health and safety service providers, including health, retirement and pension insurance companies or authorities, employment and recruitment agencies, background check providers, training providers, cloud providers of our HR databases, archive service providers, business travel agencies, travel security service providers, corporate credit card providers and providers of emergency staff notification systems;
- other members of the worldwide MUFG group of companies, including for managing staff transfers, secondments and assignments, administering whistleblowing schemes, complying with requests from regulatory authorities, complying with internal policies and procedures, performing workforce analysis and planning, budgeting, accounting and auditing. Details of the MUFG group may be found at http://www.mufg.jp/english/profile/globalnetwork/;
- our auditors and our legal, accounting and other professional advisors;
- regulatory, tax, law enforcement and other governmental agencies, exchanges, trading facilities, brokers or other intermediaries, and courts, including, without limitation, the Dubai Financial Services Authority, the DIFC Authority, Immigration and other relevant or regulatory departments and institutions;
- clients, counterparties and other persons from whom we receive, or to whom we make payments or with whom we conduct transactions;
- and persons who take over our business and assets, or relevant parts of them.
Because we operate as part of a global business, the recipients mentioned above may be located outside the country in which you are based, which may not have similarly strict data privacy laws. Where the recipients are located in countries where data protection laws may not provide an equivalent level of protection to the laws of the country in which you are based, to protect your Personal Data, we will put in place appropriate safeguards. For further information, please contact us using the details provided below.
6.2. A copy of the DIFC Data Protection Law and the DIFC Data Protection Regulations (the Regulations) is available at
- https://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf
- https://www.difc.ae/files/7914/5449/6593/Data_Protection_Regulations.pdf
6.3. A copy of the GDPR is available at:
6.4. We recommend that you read the DIFC Data Protection Law, the Regulations, and GDPR.
6.5. A copy of the Data Protection Policy is available internally and on the shared drive, and we recommend that you read the Data Protection Policy, in respect of which training will be provided.
7. Third Party Requests
7.1. We will not share your Personal Data with any third parties without your prior consent (which you are free to withhold in accordance with your data protection rights) except where we are required to do so by law or as set out in paragraph 7.2 below.
7.2. In case we need to share your Personal Data with third parties (for example: service providers, contractors and subcontractors) for purposes related to the performance of our contractual relationship, we will disclose only Personal Data that are necessary for the purpose, ensuring that adequate protection of your Personal Data is in place.
8. Mandatory Disclosure of your Personal Data and Special Categories of Personal Data
8.1. Disclosure of your Personal Data and Special Categories of Personal Data to statutory bodies, judicial bodies and any other governmental authorities or departments in the DIFC, Dubai and or the UAE, among others, will take place only if required by law, judicial body or government authority and in accordance with their requirements.
9. Data retention
9.1. We will hold your Personal Data for the duration of the contractual relationship or for as long as reasonably necessary for the purposes described above in relation to which your data have been collected and processed or for as long as is necessary to comply with our legal obligations or as long as required by law or to resolve potential legal claims or disputes.
10. Individuals' rights
10.1. In line with the DIFC Data Protection Law in force and GDPR, you have the right to:
- a) access your Personal Data
- b) request and obtain information on how your Personal Data is processed
- c) request and obtain correction of your Personal Data
- d) request and obtain erasure or blocking of your Personal Data in certain circumstances (right to be forgotten)
- e) object to processing or request and obtain restriction on the processing of your Personal Data, including processing for direct marketing purposes
- f) be notified in case of data breach which may result in a high risk to your privacy rights and freedom.
- g) withdraw consent to the processing of Personal Data
- h) know the recipients of your Personal Data
- i) upon request and in certain circumstances, receive your Personal Data, in a structured, commonly used and machine-readable format (data portability)
- j) not be subject to solely automated decision making, including profiling
- k) not be discriminated for exercising any of your data protection rights.
10.2. If you would like to discuss or exercise your data protection rights, please contact us at the details provided below. You also have the right to object to our processing of your Personal Data in certain circumstances. If you would like to exercise this right please use the contact details below.
10.3. We encourage you to contact us to update or correct your Personal Data if it changes or if any Personal Data we hold about you is inaccurate.
10.4. You can lodge complaints with the data protection authority in the DIFC (see section 12 below).
11. Protection of your Personal Data
We have implemented technical, operational and organizational measures to protect Personal Data from loss, misuse, unauthorized alteration or destruction and periodically review such measures to ensure they are up to date and suitable to ensure adequate protection of your Personal Data.
We will notify you promptly in the event of any breach of your Personal Data which might expose your privacy rights and freedom to serious risk.
12. Complaints
Any complaints related to alleged breaches of the DIFC Data Protection Law or Regulations can be filed with:
DIFC Commissioner of Data Protection
The Gate, Level 14, DIFC
P.O. Box 74777, Dubai, UAE
Telephone: +971 (0)4 362 2222
https://www.difc.ae/laws-regulations/data-protection
13. Additional Information
Please be informed that, if you are requested to provide us with your consent and you are unable to do so, this may result in us being unable to comply with the relevant laws and regulations imposed on us, as applicable to the intended contractual relationship.
14. Changes
We would like to inform you that we may change this privacy notice from time to time and will inform you accordingly by email.
We are committed to working with you to obtain a fair resolution of any complaint or concerns about privacy.
15. Questions:
Please address any queries, comments and requests regarding processing of your Personal Data to dataprotection@ae.mufg.jp or reach the Data Protection Officer on (+971) (0) 4-387-5010.