6.1 Consumer Data Protection
6.1.1 Policies, Procedures and Systems
- 6.1.1.1 Pursuant to Article (120) in Decretal Federal Law No. (14) of 2018, Regarding the Central Bank & Organization of Financial Institutions and Activities, Licensed Financial Institutions must have policies, procedures and control frameworks regarding the collection, protection, confidentiality and authorized use of Consumers’ Data. Consumers must be informed in Writing with respect to how their personal information will be processed, e.g. collected, used, disclosed, Data mined and profiled.
- 6.1.1.2 Licensed Financial Institutions must protect Consumer Data and maintain the confidentiality of the Data, including when it is held, accessed or used by Authorized Agents.
- 6.1.1.3 Licensed Financial Institutions are responsible for ensuring Data protection and individual Consumer confidentiality with respect to any profiling, Data mining, marketing and sale of financial services through use of new technologies and social media.
- 6.1.1.4 A Licensed Financial Institution must provide a safe, secure and confidential environment in all of its delivery channels to ensure a high level of confidentiality and privacy of Personal Data.
- 6.1.1.5 Licensed Financial Institutions have a legal obligation of confidentiality towards a Consumer except:
  - a. When disclosure of Consumer Data is properly imposed by a legal authority; or
  - b. When disclosure is made with the expressed consent of the Consumer, or through a representative nominated by the Consumer.
- 6.1.1.6 Licensed Financial Institutions must have a proper Data Management Control Framework with policies, procedures, system controls, and checks and balances to protect Consumer Data and to identify and resolve any incidents of information security breaches, when they may occur.
- 6.1.1.7 Where the Consumer’s identity verification is conducted online, the Licensed Financial Institution must apply more than one form of identity verification evidence for electronic services. Licensed Financial Institutions must advise Consumers regarding any directed and repeated attempts of online fraud on their accounts so that the Consumers can take additional precautions.
- 6.1.1.8 Licensed Financial Institutions must secure digital transaction processing and controls, implement detailed activity monitoring and enhance Consumer identification methods in accordance with the Central Bank’s requirements for strengthening Digital Channels.
- 6.1.1.9 Licensed Financial Institutions must provide employee training and awareness programs on their Data control framework for accessing and handling Consumer Data and reporting security and policy breaches. The Licensed Financial Institution must promote the importance of protecting Consumers’ Data as an ongoing responsibility of Staff, with reminders sent on an annual basis.
- 6.1.1.10 Licensed Financial Institutions must ensure that access to personal information and Personal Data of Consumers is limited to authorized business lines and their Staff only. Licensed Financial Institutions must maintain logs for audit and supervisory purposes, recording the names of Staff who have accessed Consumer databases and the timing of that access. Such records must be provided to the Central Bank as and when requested.
6.1.2 Data Management of Data Protection
- 6.1.2.1 The Board must designate responsibility and accountability for the Data Management and Protection function to a senior position in management who reports directly to Senior Management. The function is responsible for ensuring oversight of and compliance with the Data Management Control Framework and any related requirements for Data protection and privacy laws of the UAE and the Central Bank.
- 6.1.2.2 The Data Management and Protection function must ensure that:
  - a. Adequate monitoring and preventive controls are in place to detect any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction of Personal Data;
  - b. Verifications are regularly carried out on the legitimacy of Data collection, access to Data, Data integrity and the electronic procedures, and any issues identified are addressed;
  - c. Controls are commensurate with the criticality and sensitivity of the relevant systems and Data handled; and
  - d. Detailed monitoring records and the actions taken are maintained for 5 years.
- 6.1.2.3 The Data Management and Protection function must:
  - a. Annually review and improve the adequacy of the Data Management Control Framework for the collection, classification, storage, usage, transfer, protection, correction and destruction of Personal Data;
  - b. Monitor, investigate and report to Senior Management any material incidents of accidental or unauthorized access, loss, alteration, transfer, destruction, use, modification or disclosure of Data; and
  - c. Participate in the handling and investigation of privacy-related Consumer Complaints and report the conclusion of the investigation to the head of the Complaint Management function, who will then correspond with the Consumer and provide the Institution’s findings in Writing.
- 6.1.2.4 The Data Management and Protection function must issue reports to Senior Management and the Board on significant Data management violations and breaches immediately. Senior Management must ensure proactive measures are taken to address the violation / breach, to improve Data management systems and to safeguard the confidentiality and privacy of Consumers’ Personal Data.
- 6.1.2.5 Licensed Financial Institutions must, without delay, inform their Consumers of unauthorized access to, and/or loss, destruction or alteration of, Consumers’ Personal Data where it may reasonably pose a risk to the Consumer’s financial and personal security and/or where it may pose reputational harm to a Consumer.
- 6.1.2.6 Licensed Financial Institutions must notify the Central Bank immediately of all significant breaches of Personal Data.
6.1.3 Expressed Consent by Consumers
- 6.1.3.1 Licensed Financial Institutions must ensure Personal Data is:
  - a. Collected for a lawful purpose directly related to the Licensed Financial Activities of the Licensed Financial Institution;
  - b. Adequate and not excessive in relation to the stated purpose; and
  - c. Collected with appropriate security and protection measures against unauthorized or unlawful processing and accidental loss, destruction, or damage.
- 6.1.3.2 Before requesting the consent of a Consumer to share Personal Data, the Licensed Financial Institution must proactively disclose in Writing to the Consumer its intent to use and/or share Personal Data and with whom the Consumer’s Personal Data will be shared.
- 6.1.3.3 The Consumer must give his/her expressed consent freely and explicitly to a request for the use and/or sharing of Personal Data by the Licensed Financial Institution. The request for consent must be expressed in clear and plain language and inform the Consumer of his/her right to refuse to provide expressed consent.
- 6.1.3.4 Licensed Financial Institutions must obtain informed and expressed consent before using and sharing a Consumer’s Personal Data for direct marketing or transferring the Personal Data to Authorized Agents for direct marketing. A copy of the expressed consent must be retained for 5 years after the relationship with the Consumer has terminated.
- 6.1.3.5 The Consumer shall have the right to withdraw expressed consent for the following at any time:
  - a. The processing of Personal Data by the Licensed Financial Institution, except where Personal Data is required for business operations related to the Consumer’s Products and Services; and
  - b. Personal Data sharing with Authorized Agents and other third parties for purposes such as, but not limited to, sales and marketing.
- 6.1.3.6 Prior to a Consumer entering any contract with a Licensed Financial Institution, the Licensed Financial Institution must provide the following disclosures to the Consumer:
  - a. That Licensed Financial Institutions will only collect Data / Personal Data for a lawful purpose directly related to a function or activity of the Consumer;
  - b. Whether it is obligatory or voluntary for the Consumer to provide the Data / Personal Data;
  - c. Where it is obligatory for the Consumer to provide the Data / Personal Data, the consequences for the Consumer of failing to provide the Data / Personal Data as required;
  - d. That a future withdrawal of expressed consent by a Consumer shall not affect the lawfulness of Data processing based on the prior expressed consent. Unless specified otherwise, the withdrawal must take effect within 30 complete calendar days of the Consumer requesting the withdrawal from the Licensed Financial Institution;
  - e. When Data / Personal Data of the Consumer is being processed by or on behalf of the Licensed Financial Institution, a description of the Data / Personal Data being processed;
  - f. When other external information on the Consumer is collected by the Licensed Financial Institution, the source of that Data / Personal Data;
  - g. The Consumer’s right and means to request access to and to request correction of the Data / Personal Data, and how to contact the Licensed Financial Institution with any inquiries or Complaints in respect of the Data / Personal Data; and
  - h. The choices and means the Licensed Financial Institution offers the Consumer for limiting the processing of Data / Personal Data.
6.1.4 Sharing with Authorized Agents
- 6.1.4.1 Licensed Financial Institutions must ensure that any Authorized Agent to whom some part or the entire delivery of the Financial Product and/or Service is outsourced meets the fit and proper policy regarding Data management and protection, including secure handling procedures and applying proper controls.
- 6.1.4.2 Licensed Financial Institutions must ensure that access to a Consumer’s Personal Data by Authorized Agents is properly authorized in Writing by the Licensed Financial Institution, regularly monitored, and appropriately restricted in line with the purpose of the access given. All legal contracts with Authorized Agents relating to the Outsourcing of functions and services must include appropriate provisions for safeguarding the confidentiality of Personal Data and must prohibit the unauthorized disclosure of confidential Personal Data by Authorized Agents. Authorized Agents must report significant breaches of Personal Data to the Licensed Financial Institution’s Data Management and Protection function. The Licensed Financial Institution’s obligation to protect all Consumer Data extends to the actions of all Authorized Agents.
- 6.1.4.3 Where Personal Data is shared and retained outside of a Licensed Financial Institution’s own network, such as with Authorized Agents, Licensed Financial Institutions and Authorized Agents must use encryption techniques to suitably encrypt Consumer Data and take measures for the secure transfer of Data.
- 6.1.4.4 Licensed Financial Institutions are responsible for ensuring that any outsourced technology using or retaining Personal Data meets the highest standards of security, encryption and protection and is regularly audited and verified for vulnerabilities.
- 6.1.4.5 In the event of a termination of an Outsourcing contract with a Third Party, Licensed Financial Institutions must ensure and be able to demonstrate that all Personal Data is either retrieved from the Third Party and/or is destroyed.
- 6.1.4.6 Where the Consumer provided expressed consent to the Licensed Financial Institution for sharing Data with a Third Party, the Licensed Financial Institution must confirm in any contract with the Third Party that the Third Party has no further right to share the Data or use it for other unauthorized purposes unless required by the laws of the UAE.
6.1.5 Sharing with Authorized Credit Information Agencies
- 6.1.5.1 Licensed Financial Institutions are required to provide Consumer Data to government-authorized Credit Information Agencies as may be prescribed. Consumers must be informed of this requirement and be advised as to the possible limitations on accessing future Financial Products and/or Services based on the Consumer records provided to these agencies.
- 6.1.5.2 Correction of Reported Credit Information:
  - a. With respect to any Errors, omissions or inaccuracies in Consumer information and Personal Data provided to the Credit Information Agencies by a Licensed Financial Institution, the Licensed Financial Institution must correct any Errors, omissions and inaccuracies within 7 complete business days of becoming aware of them;
  - b. For Personal Data unlawfully collected and reported by Licensed Financial Institutions, the Licensed Financial Institution must request the deletion of such Data in order to reduce the permanence of erroneous Personal Data in the Credit Information Agencies; and
  - c. When Consumers notify and request a Licensed Financial Institution to make updates or corrections to their Data reported to Credit Information Agencies, the Licensed Financial Institution must acknowledge receipt and verify whether the request is accurate. If an update or correction is required, the Licensed Financial Institution must report the update or correction to the Credit Information Agencies within 7 complete business days of the Licensed Financial Institution having been notified by the Consumer.
6.1.6 Standards for Retention of Consumer Records
- 6.1.6.1 All Personal Data, documents, records and files must be securely retained for a minimum of 5 years. The retention period begins, depending on the circumstances, from the date of the most recent of any of the following events:
All Standards related to confidentiality and security must be maintained after the termination of the relationship until the Personal Data is destroyed.
- 6.1.6.2 Licensed Financial Institutions must not process or use Personal Data for any period longer than is necessary for the fulfillment of the purpose for which that Personal Data is required. After the lapse of the mandatory retention period for Consumer records, Licensed Financial Institutions must take all reasonable steps to ensure that all Data / Personal Data is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected and processed, or is no longer required by law.
- 6.1.6.3 All Licensed Financial Institutions must hold and store all Consumer and transaction Data within the UAE as prescribed by the Central Bank. At a minimum, Licensed Financial Institutions must also establish a safe and secure backup of all Consumer Data and transactions in a separate location for the required period of retention specified in Section 6.1.6.
- 6.1.6.4 Licensed Financial Institutions must ensure there is secure retention of Consumer Data that would prevent any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction. Licensed Financial Institutions must review their procedures and methods for retention of Consumer Data on an annual basis.
6.1.7 Notification to the Central Bank
- 6.1.7.1 Where breaches of the Data Management Control Framework occur regarding the unauthorized access to or release of Consumer Personal Data, the Licensed Financial Institution must record any disciplinary actions taken against any Staff, agents or contractors responsible for the breach. The Licensed Financial Institution must maintain records of such events for 5 years after the event being recorded. The records must be made available to the Central Bank upon request.
- 6.1.7.2 Licensed Financial Institutions must notify the Central Bank of any material Data breaches, losses, destruction or alteration when they occur, in a manner as may be prescribed by the Central Bank.