Privacy policy

Griffin Corporate Services Ltd ("GCS", "we", "us" or "our") is a corporate services provider licensed and registered in the Abu Dhabi Global Market ("ADGM"), United Arab Emirates (“UAE”) bearing registration number: 000002059. We act as Controller of data in respect of all Personal Data processed in the course of our business activities, meaning that we are responsible for deciding how and why your personal data is used.

Our processing of personal data is governed by the ADGM Data Protection Regulations 2021 (the "ADGM Regulations"), the UAE Federal Data Protection Law No. 45 of 2021 and its implementing regulations (the "UAE Federal Law"), and where applicable by reason of the nationality or location of the individuals concerned — the EU General Data Protection Regulation 2016/679 ("EU GDPR"). These laws are collectively referred to in this Policy as the "Applicable Laws".

This Policy applies to:

  • existing, former and potential individual clients of GCS, together with natural persons who are beneficial owners, shareholders, directors, officers, authorised signatories, agents or other representatives of entities that are clients of GCS;
  • counterparties, introducers, intermediaries, business partners and other individuals who interact with GCS in a commercial context; and
  • GCS's workforce, including employees, secondees, contractors and consultants.

The terms “Data Subject”, “Controller”, “Personal Data” and “Processor” used in this Policy carry the meanings given to them under the Applicable Laws unless the context requires otherwise.

Section 1. What Personal Data We Collectg

GCS collects and processes the categories of Personal Data described below. The precise categories collected will depend on the nature of your relationship with us and the services we are providing.

Identity and contact details:

  • full legal name, any former names, and preferred name;
  • date and place of birth;
  • nationality and country of residence;
  • gender;
  • copies of identity documents, including passport, national identity card, Emirates ID, driver's license, Taxpayer Identification Number (TIN) or employee identification;
  • residential, postal and registered address;
  • telephone number(s) and email address(es).

Financial and related background information:

  • employment details, including employer, position, professional history and income;
  • marital status and details of immediate family members where relevant to the services;
  • shareholdings, directorships and other asset holdings legally or beneficially owned by you;
  • details of connected persons and organisations, whether connected by family relationship, business association or otherwise;
  • status of political exposure
  • source of wealth and source of funds documentation, including utility bills and bank statements;
  • tax residency status and tax identification numbers.

Website and technical data: When you visit our website, we may collect your IP address, browser type, device identifiers, pages visited, and timestamp data. This is addressed further in Section 10 of this Policy.

The above list is not exhaustive. We may also collect and process additional Personal Data to the extent necessary or useful for the proper delivery of our services.

Section 2. How We Collect Your Personal Data

We gather Personal Data through several channels:

a) Directly from you: We collect Personal Data directly from prospective and existing clients, employees, and business partners when you:

  • complete onboarding, know-your-client or engagement documentation;
  • correspond with us by email, letter, telephone or video call (which may be recorded where permitted or required by law);
  • attend meetings or events hosted by GCS; or
  • submit applications, forms or other materials in connection with our services.

b) From organisations you represent: We may receive Personal Data about you from the company or other legal entity on whose behalf you are engaged with us, or from an authorised intermediary instructed to act on your behalf.

c) From third parties and public sources: We obtain Personal Data from external sources when we have a legitimate need to do so, including:

  • publicly accessible registers, company databases and commercial records;
  • internet searches and social network profiles (where relevant to customer due diligence);
  • specialist due diligence and screening platforms such as DowJones or equivalent databases; and
  • other persons or entities connected to you, such as organisations in which you hold a shareholding or by which you are employed, where this is relevant to the services we provide.

Section 3. Why We Use Your Personal Data: Purposes and Legal Bases

GCS processes Personal Data only where there is a recognised legal basis under the Applicable Laws. The primary bases on which we rely are:

(a) Necessary for performance of contract: Processing that is required to enter into, perform or conclude a contract with you or, at your request, to take preparatory steps to enter into a contract.

Examples include:

  • preparing service proposals;
  • incorporating or registering a legal entity on your behalf;
  • acting as a corporate service provider or registered agent and supporting ongoing compliance obligations;
  • holding documents, executing instructions and making payments on your behalf;
  • drafting resolutions, statutory registers and legal instruments;
  • opening and administering bank and financial accounts;
  • applying for visas and other government approvals; and
  • administering estates and succession matters.

(b) Legal and regulatory obligations: Instances under which GCS is required to fulfil its obligations under applicable law, including:

  • conducting customer due diligence and ongoing monitoring under anti-money laundering and counter-terrorism financing legislation;
  • responding to formal requests from regulators, courts, financial intelligence units and law enforcement; and
  • satisfying statutory record-keeping requirements.

(c) Legitimate interests: Includes processing that is necessary for GCS's legitimate business interests, provided those interests are not overridden by your interests or fundamental rights.Relevant legitimate interests include:

  • conducting general research and analysis, to develop and improve our service offering;
  • administering our internal systems, including IT infrastructure, billing and invoicing;
  • managing and strengthening client relationships;
  • reviewing and improving our security measures and internal controls;
  • communicating relevant service updates and information that may be of interest to you; and
  • protecting the legal rights and interests of GCS and its clients, including for the purposes of preventing fraud.

You have the right to object to processing based on legitimate interests at any time. Please see Section 8 for further details on how to exercise your rights.

(d) Consent: In limited circumstances where none of the above instances applies, we may request your informed consent to specific processing activities. Where consent is the basis for processing, you may withdraw it at any time, although this will not affect the lawfulness of any processing carried out before withdrawal.

Section 4. Who We Share Your Personal Data With

GCS does not sell, rent or trade Personal Data. We may, however, disclose or transfer Personal Data in the following circumstances:

(a) External service providers: We engage third-party subcontractors and specialist advisers to support the proper performance of the services we provide, including licensed corporate service providers, legal counsel, accountants, corporate administrators, payment processors and technology providers. Where we engage such parties to process Personal Data on our behalf, we enter into written data processing agreements with them requiring them to handle your data with at least the same standard of security and confidentiality that we apply ourselves.

(b) Professional advisers and financial institutions: We may disclose Personal Data to lawyers, accountants, auditors, banks, custodians and insurance or investment companies as necessary for the delivery of your instructions.

(c) Regulatory and public authorities: We may be legally required to disclose Personal Data to government agencies, regulatory bodies, supervisory authorities, financial intelligence units, law enforcement agencies or courts, whether within the UAE or in other jurisdictions, in response to a lawful request, court order or applicable regulatory obligation.

(d) Protection of rights: We may also disclose Personal Data where necessary to protect the rights, property or safety of GCS, our clients, or others, and to detect or prevent fraud.

(e) With Consent: We may share Personal Data with other parties where you have given your prior agreement to us doing so.

Section 5. International Transfers of Personal Data

GCS operates within the UAE, primarily from the ADGM. Where it is necessary to transfer Personal Data to a recipient located in a country outside the UAE or to any jurisdiction that does not provide a level of data protection equivalent to that available under the Applicable Laws, GCS will ensure that appropriate safeguards are in place before the transfer takes place.

Such safeguards may include executing standard contractual clauses or other transfer mechanisms recognised under the Applicable Laws or relying on a specific provision permitted by those laws (for example, where the transfer is necessary for the performance of your contract or for the establishment or exercise of legal claims).

Your Personal Data may be stored on servers managed by GCS or on servers operated by cloud-based database or infrastructure providers engaged by GCS. All such providers are required to maintain security standards consistent with GCS's obligations under the Applicable Laws.

Section 6. Consequences of Declining to Provide Personal Data

Certain categories of Personal Data must be collected by GCS either as a matter of legal obligation, for instance, to comply with customer due diligence requirements or as a prerequisite to performing the contracted services. In all cases, GCS will request only the Personal Data that is genuinely necessary for the relevant purpose.

Where you decline to provide Personal Data that is legally required, or that is necessary for the delivery of specific services, we may be unable to commence, continue or complete those services, or we may be obliged to report the matter to a relevant authority. We will inform you of these consequences at the time of our request.

Section 7. How Long We Keep Your Personal Data

GCS retains Personal Data for the duration of our contractual or business relationship with you. Once that relationship ends, we continue to hold your data for as long as is necessary or required to:

  • comply with our legal, regulatory and statutory obligations, including prescribed minimum retention periods under Applicable Law;
  • fulfil any relevant contractual commitments;
  • support the establishment, exercise or defence of legal claims within applicable limitation periods; or
  • address any other legitimate purpose for which we have a lawful basis to retain the data.

Once Personal Data is no longer needed for any of the above purposes, we will either securely delete it or render it permanently anonymous in a manner that eliminates any reasonable prospect of re-identification.

Section 8. Your Rights as a Data Subject

Subject to the conditions and limitations set out in the Applicable Laws, you have the following rights in relation to your Personal Data:

  1. Right of access: You may request a copy of the Personal Data GCS holds about you, along with information about how it is being used.
  2. Right to data portability: You may ask us to provide your Personal Data in a structured, commonly used and machine-readable format, or to transmit it directly to another controller, where technically feasible and where the processing is based on consent or contractual necessity.
  3. Right to rectification: You may ask us to correct any Personal Data that is inaccurate, misleading or incomplete.
  4. Right to erasure: You may ask us to delete your Personal Data in the following circumstances:
    • the data is no longer needed for the purpose for which it was originally collected and no legal obligation requires us to retain it;
    • you withdraw consent where consent was the only legal basis for processing;
    • you object to processing based on legitimate interests and we have no overriding grounds to continue;
    • the data has been processed unlawfully; or
    • erasure is required to comply with a specific legal obligation.
  5. Right to restriction: You may ask us to suspend active processing of your Personal Data (while continuing to store it) in the following circumstances:
    • you are disputing the accuracy of your data while we carry out a verification exercise;
    • the processing was unlawful, but you prefer restriction to outright deletion;
    • we no longer need the data for our purposes, but you require it to establish, exercise or defend a legal claim; or
    • you have raised an objection, and we are assessing whether our legitimate interests override yours.
  6. Right to object to automated decision-making: GCS does not generally make decisions about individuals by purely automated means without human review. Where we do so in any specific context, you have the right to object, to obtain human intervention, to express your view and to challenge the outcome.

To exercise any of these rights, please contact GCS using the contact details in Section 12 of this Policy. We will acknowledge your request promptly and respond within the timeframe required by the Applicable Laws.

If you are not satisfied with how we have handled your Personal Data or responded to a rights request, you are entitled to escalate the matter to the relevant supervisory authority (see Section 11).

Section 9. Data Breach Notification

If GCS experiences a Personal Data breach that is likely to result in a risk to your rights or interests, we will notify you as promptly as possible after identifying and confirming the incident as per the Applicable Law. Our notification will cover:

  • the date the breach occurred or was first detected;
  • a description of what happened and how the breach arose;
  • the categories and approximate volume of Personal Data involved;
  • the actions GCS has already taken or is taking to contain the incident and limit harm;
  • the remedial measures we plan to implement to prevent recurrence;
  • practical steps you may wish to consider taking to protect yourself;
  • the contact details of the supervisory authority with oversight of the matter; and
  • GCS's designated point of contact for further information.

GCS will also comply with any mandatory breach notification obligations it may have towards the ADGM Office of Data Protection or other competent regulators under the Applicable Laws.

Section 10. Website, Cookies and Digital Tracking

GCS is the Controller in respect of Personal Data collected through its website (the "Website"). When you visit or interact with the Website, we may collect certain information automatically, including:

  • your IP address and approximate geographic location derived from it;
  • browser type, version and operating system;
  • device identifiers and screen resolution;
  • pages visited, links clicked, time spent on each page and referral source; and
  • any information you voluntarily submit through enquiry forms, event registrations, newsletter subscriptions or similar features on the Website.

The Website uses cookies that are small text files written to your device in order to support site functionality, remember your preferences, and help us understand how the Website is being used. By accepting the relevant cookie prompt on the Website, you consent to our placing those cookies on your device. Where you do not consent to certain cookies, some features or areas of the Website may not be available to you.

You may configure your browser to alert you before accepting cookies or to refuse all cookies. Instructions for doing so are available through your browser's settings or help documentation. Where required by applicable law, we will seek your consent before placing non-essential cookies.

Section 11. Supervisory Authorities and Making a Complaint

If you have a concern about the way in which GCS has handled your Personal Data, we encourage you to contact us in the first instance using the details in Section 14[AB1][AN2]. We take all privacy concerns seriously and will investigate and respond to your query as quickly as possible.If you remain dissatisfied with our response, or if you prefer to escalate your concern directly, you have the right to lodge a formal complaint with the supervisory authority that has jurisdiction over the matter. Jurisdiction is determined by reference to your country or territory of habitual residence, your principal place of work, or the territory in which the alleged contravention took place. The supervisory authorities relevant to GCS's activities include:

  • ADGM Office of Data Protection: for matters relating to processing carried out within or from the Abu Dhabi Global Market;
  • EU Data Protection Authorities: in relation to the processing of data concerning individuals located in the European Economic Area; and
  • UAE Federal Authority for Identity, Citizenship, Customs and Ports Security: for matters falling within the scope of the UAE Federal Data Protection Law No. 45 of 2021.

Section 12. How We Protect Your Personal Data

GCS maintains a comprehensive information security programme designed to protect Personal Data from unauthorised access, loss, misuse, alteration and inadvertent disclosure. Our programme encompasses both technical controls — such as access restrictions, encryption and secure hosting environments — and organisational measures, including documented policies, regular security training, and periodic reviews of our security posture.

All GCS personnel with access to Personal Data are trained to handle it securely and in strict confidence. Access to Personal Data is restricted on a need-to-know basis: staff members are granted access only to the extent required to perform their specific role and to fulfil the lawful purposes for which the data is processed.

GCS will not share client information with any third party unless it has received the client's explicit authorisation or is required to do so by law, court order or a binding regulatory obligation.

If you become aware of or suspect any circumstances that may have placed your Personal Data at risk, we ask that you notify GCS promptly at the contact details below.

Section 13. Updates to This Policy

GCS reviews this Policy on a regular basis and will update it as necessary to reflect changes in the Applicable Laws, regulatory guidance, or our internal data processing practices. We encourage you to revisit this Policy periodically to remain informed about how we protect your privacy.

Where we make a material change to this Policy, we will communicate the update to affected individuals through appropriate channels before the change takes effect. The most current version of this Policy will always be accessible on GCS's website.

Section 14. Contact Us

If you have any questions, concerns or complaints in relation to this Policy or the way in which GCS handles your Personal Data, or if you wish to exercise any of your data subject rights, please contact:

Data Protection Officer:

Andrew John Baker
Griffin Corporate Services Ltd
Email: info@griffin-group.ae
Telephone: 02 812 4218
Address: Cloud Suite 401, 11th Floor, Al Sarab Tower, ADGM Square, Al Maryah Island, Abu Dhabi, UAE
Website: www.griffin-group.ae