Data Protection Policy
1. Introduction and Purpose of Data Protection Policy
This Privacy Policy (“Policy”) describes the practices Karty (“we” or “us”) has adopted with respect to processing Personal Data (as defined below), including the collection, use, storage or disclosure of Personal Data, (i) on our mobile application and websites that link to this Policy (collectively the “Platforms”); (ii) when you interact with our support centre or other online forums; (iii) when you participate in our webinars, events and demonstrations; (iv) when you purchase our products or services (“Services”); or (v) when you interact with us as a vendor, partner or sub-contractor. Karty regards the lawful and correct treatment of Personal Data as integral to its successful operations and to maintaining the confidence of customers, consumers, prospects, registered users, clients, employees, contractors and any other parties we may work with (“you” or “Users”).
2. Scope
In order for Karty to conduct its business operations, Karty may disclose Personal Data to third-party service providers, agents, affiliates, subsidiaries and regulators, whether located in Qatar or outside it. Karty will ensure that appropriate technical and organisational measures are in place in such cases and that appropriate contracts and security controls are used to protect our customers’ Personal Data. Karty will invest in the latest technologies where possible and in the training of all employees to ensure that the confidentiality and integrity of Data Subject information and data are assured, and that Karty maintains high standards of data protection to meet all applicable laws and regulations protecting the privacy of Personal Data in the jurisdictions where Karty conducts business. Karty is required to comply with all applicable laws and regulations, including the QFC Data Protection Regulations, December 2021 and the Qatar Financial Centre Authority Data Protection Rules, 2021 (hereinafter collectively referred to as the “Law”), and the core principles maintained in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”). We may amend this Policy from time to time, should it become necessary or advisable to do so to comply with regulatory requirements or best practices. If we materially change our practices in processing Personal Data, we will post an updated policy in place of this Policy.
3. General Definitions
These definitions may vary slightly according to local data privacy laws.
3.1 “Accountability” shall mean the ability to demonstrate compliance. The Law explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented.
3.2 “Data Subjects” shall mean the individuals who are identified or identifiable from Personal Data.
3.3 “DPO” or “Data Protection Officer” shall mean the data protection leadership role required by the GDPR. The Data Protection Officer is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements (the DPO’s tasks under this Policy are set out in Section 13).
3.4 “Personal Data” includes any data which relates to a living individual who can be identified:
(a) from that data; or
(b) from that data and other information which is in the possession of Karty.
In addition to factual information, Personal Data also includes any expression of opinion about an individual and any indication of the intentions of Karty or any other person in respect of an individual.
3.5 “Sensitive Personal Data” shall mean certain categories of Personal Data that are considered to be particularly sensitive and are subject to stricter processing rules. These categories include any Personal Data relating to:
(a) the racial or ethnic origin of the Data Subject;
(b) their political opinions;
(c) their religious (or similar) beliefs;
(d) their physical or mental health condition;
(e) details of criminal offences or criminal convictions, including details of any alleged offence, any proceedings for any offence (alleged or otherwise), and the disposal of such proceedings or the sentence of any court in such proceedings; and
(f) genetic and biometric data.
Within this Policy any reference to Personal Data shall also include Sensitive Personal Data. Karty only holds Personal Data which is directly relevant to its dealings with a given Data Subject. That Personal Data will be held and processed in accordance with the Law and this Policy. It is unlikely that customer data would include Sensitive Personal Data, although information on criminal proceedings may be obtained as part of due diligence procedures. Please note that information about an individual’s financial position does not normally constitute Sensitive Personal Data as defined by the Law.
3.6 “Law” shall mean the QFC Data Protection Regulations, December 2021 and the Qatar Financial Centre Authority Data Protection Rules, 2021.
3.7 “Processing” shall mean any operation that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, disabling or destruction.
3.8 “Transfer” shall mean the transfer of Personal Data to a recipient in a country or territory outside the QFC, or to an international organization, which is subject to the restrictions set out in the Law (see Section 15). Data does not need to be physically transported to be transferred; making Personal Data available to a recipient in another jurisdiction is a transfer.
3.9 “Third party” shall mean any natural or legal person, public authority, agency, or any other body other than the Data Subject, the controller, the processor, and the persons who, under the direct authority of Karty, are authorized to process the data.
4. The Information We Collect
4.1 The Personal Data that Karty collects or holds about its Users comes from different sources. This includes Personal Data relating to the business relationship or a prospective business relationship with Karty, or to any of Karty’s Services that the User has applied for or held previously.
4.2 Some of the Personal Data will come directly from the User. Some might be obtained from third parties. Personal Data might also be obtained lawfully by accessing publicly available sources or by combining different sets of information.
4.3 Personal Data collected may include, in particular:
(a) information that the User provides to Karty, for example in the course of:
(i) account registration, management, profile creation and modification;
(ii) account access and use, as well as uploading content to the Services and other associated activities;
(iii) access to and use of the Platforms;
(iv) submission of payment information;
(v) participation in surveys, contests, sweepstakes and promotions sponsored by Karty;
(vi) signing up to receive alerts or other information via email, text or instant messages from Karty;
(vii) customer service, technical support, and related communications;
(viii) participation in communities, commenting on blog entries, interacting with us on social media, and participation in other forums;
(ix) providing identity and contact details (e.g., name, address and other contact details, date and place of birth, nationality, and credit card and billing details);
(x) filling in forms or communicating with Karty, whether face-to-face, by phone, e-mail, online or otherwise;
(xi) providing information concerning the User’s identity (e.g., passport information, which may contain a photograph) or which is relevant for authentication purposes.
(b) information that Karty collects or generates about the User, such as:
(i) client relationship data (e.g., products held and services rendered), securities and payment transaction data and other financial information;
(ii) information regarding the User’s financial situation;
(iii) information Karty collects or generates to comply with its obligations under the anti-money laundering regulatory framework (e.g., information on origin of assets, beneficial ownership);
(iv) information Karty collects or generates for risk management purposes such as client due diligence data (including periodic review results), client risk profiles, data to assess suitability/appropriateness, client qualification data (e.g., status as business client), screening alerts (transaction screening, name screening), tax data or complaint information;
(v) geographic information;
(vi) information included in relevant client files and client documentation and other comparable information;
(vii) marketing and sales information (e.g., newsletters, documents received, invitations to and participation at events and special activities, personal preferences and interests, opt-in and opt-out declarations);
(viii) information used in cookies and similar technologies on websites, mobile applications and in emails to recognize a Data Subject, remember a Data Subject’s preferences and show a Data Subject content Karty thinks he or she is interested in.
(c) information about the User that Karty collects from other sources, for example:
(i) communication information (e.g., information contained in emails, chat messages or other digital communications);
(ii) information from publicly available sources and combined information from external sources (e.g., corporate and media broadcasts, information pertaining to social interactions between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information).
4.4 Karty may also collect and process additional Personal Data, about which Karty will inform you from time to time.
5. Principles for Processing Personal Data
Karty adheres to the following principles with respect to processing Personal Data:
5.1 Lawfulness, Fairness and Transparency: Personal Data must be processed fairly, transparently and lawfully. An individual’s Personal Data must not be processed unless there are lawful grounds for doing so, and the Data Subject must be informed as to how and why their Personal Data is being processed, either upon or before collecting it.
Processing of Personal Data shall only be lawful if one of the following applies (Article 7 of the QFC Data Protection Regulations):
(a) it is necessary to perform a contract, or to enter into a contract at the Data Subject’s request;
(b) it is necessary for compliance with a legal obligation;
(c) it is necessary to protect the interests of the Data Subject;
(d) it is necessary for the legitimate interests of Karty or a third party; or
(e) the Data Subject has given their consent.
5.2 Purpose Limitation: Personal Data must be processed only for specified and lawful purposes. Personal Data must not be processed in any manner which is incompatible with the specified and lawful purpose.
5.3 Data Minimisation: The Personal Data that is processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is processed.
5.4 Accuracy: Personal Data must be accurate and, where appropriate, kept up to date. Any Personal Data which is incorrect must be rectified as soon as possible.
5.5 Data Retention: Personal Data must be kept for no longer than is necessary in light of the lawful purpose(s) for which it is processed.
5.6 Rights of the Data Subject: Personal Data must be processed in accordance with the rights of Data Subjects. Data Subjects have the right to see copies of their Personal Data, to have inaccuracies corrected, to object to the processing of their Personal Data, and to have their Personal Data deleted if Karty no longer requires it for any other lawful purpose.
5.7 Security: Personal Data must be protected against unauthorised or unlawful Processing, unauthorised disclosure, accidental loss, destruction or damage through appropriate technical and organisational measures.
5.8 International Data Transfers: Personal Data must not be transferred to a country or territory outside Qatar unless that country or territory has, at least, equivalent data protection legislation in place or the transfer is otherwise permitted under the Law (see Section 15). This ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of their Personal Data.
5.9 Accountability: Karty is responsible for, and shall demonstrate, compliance with this Policy. This includes ensuring that third-party service providers are acting in accordance with the Law.
5.10 Integrity and Confidentiality of Processing: Personal Data must be processed in a way that ensures that the data are appropriately secure, using appropriate technical and organisational measures. In particular, the data must be protected against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
6. Processing of Personal Data
6.1 Personal Data collected by Karty is generally collected in order to:
(a) ensure Karty can facilitate efficient transactions with, and perform its obligations and exercise its rights under, contracts with third parties including, but not limited to, its clients and affiliates;
(b) efficiently manage its employees;
(c) efficiently and effectively manage its business; and
(d) meet all relevant obligations imposed by the Law.
6.2 Personal Data must only be processed if the purpose of the processing satisfies one of the lawful grounds permitted under the Law. The following are the lawful grounds for processing which are most likely to be relevant to Karty’s processing activities. The Processing of Personal Data is lawful only if, and only to the extent that, at least one of the following paragraphs applies:
(a) the Data Subject concerned has given their consent to the Processing of their Personal Data for one or more specific purposes;
(b) the Processing is necessary:
(i) to perform a contract to which the Data Subject is a party; or
(ii) in order to take steps at the Data Subject’s request before entering into a contract;
(c) the Processing is necessary to comply with an obligation imposed on Karty by law;
(d) the Processing is necessary to protect the vital interests of the Data Subject or another individual;
(e) the Processing is necessary to perform a task carried out:
(i) in the public interest; or
(ii) by any of the following in the performance of its functions:
(A) the QFC Authority;
(B) the QFC Regulatory Authority;
(C) the Civil and Commercial Court;
(D) the Regulatory Tribunal; or
(E) a QFC Institution; or
(f) the Processing is necessary for the purposes of the legitimate interests of Karty or another person to whom the data are disclosed (unless those interests are overridden by the rights and legitimate interests of the Data Subject that require the data to be protected, in particular if the Data Subject is a child).
6.3 If none of the lawful grounds in 6.2(b) to (f) applies, Karty must obtain the consent of the Data Subject before processing. If consent is not obtained, Karty must not process the Personal Data and must discontinue any processing already under way.
7. Non-Sensitive Personal Data
7.1 The legal grounds for processing non-sensitive Personal Data include:
(a) where the processing is in Karty’s legitimate interests and does not cause unwarranted prejudice to the Data Subject;
(b) where the processing is necessary for the performance of a contract to which the Data Subject is a party, or for the taking of steps with a view to entering into a contract; or
(c) where the processing is required by law or other regulation to which Karty is subject.
7.2 If none of the above is satisfied, then Karty must have the consent of the Data Subject to the processing of their Personal Data.
8. Sensitive Personal Data
As detailed previously, sensitive or special category Personal Data is subject to stricter controls, and the circumstances in which it can be processed are more limited than for other Personal Data. The legal grounds for processing Sensitive Personal Data include:
(a) where the processing is necessary for the purposes of carrying out the obligations and exercising the rights of Karty or the Data Subject for employment law purposes;
(b) for the purposes of occupational health or the assessment of the working capacity of an employee;
(c) for equal opportunity purposes, where the processing is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained;
(d) where the processing is necessary for the purpose of, or in connection with, any legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights; or
(e) where the Data Subject has given their explicit consent.
9. High Risk Processing Activities
A high risk processing activity may include activities which are particularly intrusive to a Data Subject’s privacy, the monitoring or profiling of Data Subjects, and the processing of Sensitive Personal Data on a large scale. Wherever the processing of Personal Data is likely to result in a “high risk” to the Data Subject, Karty will need to perform a data protection impact assessment of the potential impact of the intended processing on the rights and freedoms of the Data Subject before carrying out the processing activity. Karty shall maintain a Records of Processing Register as required by Article 17 of the QFC Data Protection Regulations.
10. Fair Processing Information
Any process which involves the gathering of data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed. Regardless of how Personal Data is obtained (whether from the Data Subject or from a third party), the Data Subject must be provided with certain information about the processing of their Personal Data by Karty. This information must be provided either before or upon collection of the Personal Data. If the Personal Data is obtained from a third party, then the information must be provided within a reasonable time period from obtaining the Personal Data or at the time of the first communication with the Data Subject, whichever is earlier. This information will be provided in the form of a Privacy Notice found on Karty’s website. The Privacy Notice must include the following:
(a) the identity and contact details of a data protection contact;
(b) the categories of Personal Data collected in relation to the Data Subject;
(c) if the Personal Data was not obtained from the Data Subject, the source(s) of the Personal Data;
(d) the purpose(s) for which the Personal Data will be processed, including the legal grounds for the processing. If the legal ground involves a specific legal or regulatory requirement, then a description of that requirement must also be provided;
(e) if Personal Data is processed based on the Data Subject’s consent, an explanation of the Data Subject’s right to withdraw their consent at any time;
(f) the categories of Personal Data that may be disclosed to third parties and the reasons for these disclosures;
(g) information about the existence of any automated decision making, for example profiling, which may be undertaken by Karty based on the Personal Data provided. The disclosure needs to include details of the logic involved and its impact on the Data Subject;
(h) the period for which the Personal Data will be retained or the criteria that will be used to determine the retention period; and
(i) the existence of the Data Subject’s rights.
The above information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language that will be easy for the Data Subject to understand.
11. Personal Data Breach Notification
In the case of a personal data breach, the DPO (Data Protection Officer) shall notify the personal data breach to the relevant regulatory bodies or competent authorities without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the regulatory bodies is not made within 72 hours, it shall be accompanied by reasons for the delay. Such notification will include at least:
(a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
(c) a description of the likely consequences of the personal data breach; and
(d) a description of the measures taken or proposed to be taken by Karty to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Karty shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the regulatory bodies to verify compliance with this Policy.
12. How We Protect Your Information
We take technical, physical and organizational security measures to protect your information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. However, no method of transmission over the Internet, and no means of electronic or physical storage, is absolutely secure.
We have appropriate security measures in place on our Platforms and electronic devices to prevent personal information from being accidentally lost, used or accessed in an unauthorized way. Access is limited to those who have a genuine business need to know; they will only process your information in an authorized manner and are subject to a duty of confidentiality. We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach, as required by law.
We encourage you to take steps to protect your information and prevent unauthorized access to your password or account by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords, or for any activity on your account resulting from unauthorized use of your password.
13. Data Protection Officer (DPO)
Karty shall ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of Personal Data. The Data Protection Officer shall have at least the following tasks:
(a) inform and advise Karty’s management and employees who carry out Processing of their obligations pursuant to this Policy;
(b) monitor compliance with this Policy, including the assignment of responsibilities, awareness-raising and training of staff involved in Processing operations, and the related audits;
(c) provide advice where requested as regards the data protection impact assessment and monitor its performance; and
(d) act as the focal point for the regulatory bodies on issues relating to the processing of Personal Data.
The DPO shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
14. Rights of the Data Subject
14.1 Under the applicable data protection laws, you may have the following rights:
(a) the right of access and erasure (as defined in Articles 16 and 18 of the Law);
(b) the right to request from Karty the rectification of inaccurate Personal Data concerning you, taking into account the purposes of the processing (Article 17 of the Law);
(c) the right to require Karty to restrict processing of Personal Data, if any of the conditions stipulated under Article 20(1) of the Law is applicable;
(d) the right to object to the data processing at any time on reasonable grounds relating to your particular situation (Article 19 of the Law);
(e) subject to applicable laws, the right to be informed of the details of Personal Data that Karty obtains about you from a third party, where those details are not disclosed herein, within a reasonable period and no later than 30 (thirty) days after Karty obtains the Personal Data; and, if Karty envisages that the Personal Data will be disclosed to a third party, save and except as provided herein, no later than when the Personal Data is first disclosed (Article 15(2) of the Law);
(f) the right to data portability (Article 21 of the Law);
(g) the right not to be subjected to a decision that is based solely on automated processing, including profiling, if the decision would have a legal effect on you or would otherwise significantly affect you (Article 22 of the Law);
(h) the right to lodge a complaint with the Data Protection Office (Article 34 of the Law); and
(i) the right to receive compensation if you suffer material or non-material damage due to an infringement of the Law by Karty (Article 35 of the Law).
14.2 Where Karty processes Personal Data based on your consent, you may revoke the consent you granted to the processing of your Personal Data at any time. If you object to the processing of your Personal Data for any reason whatsoever, Karty will no longer process your Personal Data for such purposes (Article 19(2) and (3) of the Law), unless otherwise required by the Law. Please be advised that the revocation only takes effect for the future; any Processing that was carried out prior to the revocation is not affected by it. Please note, however, that Karty may still be entitled to process your Personal Data if it has another legitimate ground for doing so.
15. Transfers of Personal Data
Karty shall ensure that any transfer of Personal Data within or outside the QFC is carried out in accordance with the provisions of Articles 23 and 24 of the Law.
16. Contact Information
You may exercise your rights or make a request regarding your information held by us, request further information about your legal rights under applicable law, or submit a complaint about our privacy practices by contacting us at any time, using the contact details set forth in this section below.
We will consider all requests and provide our response within the time period stated by applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, for example if we need to keep processing your information to provide services to you or to comply with a legal obligation. Moreover, you will not be permitted to examine the information of any other person or entity. We may also request that you provide us with information necessary to confirm your identity before responding to your request.
If you have any questions about this Privacy Policy, would like to exercise your rights regarding your information that we hold, or would like to raise a complaint with us related to your information, you should contact us as follows:
Privacy Team: (ILC Comment: Client to insert details herein)