PRIVACY NOTICE FOR CLIENTS – DUBAI

INTERNATIONAL FINANCIAL CENTRE (DIFC)

DATA PROTECTION UNDER THE DIFC DATA PROTECTION LAW 2020
To run our business, UBS processes information about individuals (“Personal Data”), including information
about our current and former clients (“you”).

UBS takes your privacy seriously. This Privacy Notice (“Notice") contains information on what Personal Data UBS
entities in DIFC referred to in Section 10 (“UBS”, “we”, “our”, or “us”) and other companies of the group to
which we belong (the “UBS Group”) collect(s), what we do with that information, and what rights you have.

As part of our commitment to protect your Personal Data in a transparent manner, we want to inform you:

• why and how UBS collect, uses and stores your Personal Data;

• the lawful basis for the use of your Personal Data; and

• what your rights are in relation to such processing and how you can exercise them.

Table of Content
1 What does this Notice cover? 6 How long do we store your data?

2 What types of Personal Data do we collect? 7 What are your rights and how can you exercise
them?

3 For which purpose do we process your Personal 8 Changes to your Personal Data
Data and what legal basis do we rely on?

4 How do we protect Personal Data? 9 Updates to this Notice

5 Who has access to Personal Data and with whom 10 List of UBS entities covered by this Notice
are they shared?

1. What does this Notice cover?

This notice applies to any and all forms of use of Personal Data (“processing”) by us in the DIFC if you are a
former, current or prospective client of any of the UBS entities listed in Section 10.

2. What types of Personal Data do we collect?

For prospective clients with whom we have not yet made contact, we may collect (to the extent permitted by
applicable law):

• personal identification details (such as name, address, gender, nationality), contact information (such as
telephone, e-mail address), and family details (such as marital status);

• information related to the professional profile (such as directorship / positions and professional
networks) and information related to company ownership and financial background.

1
For former and current clients or prospective clients with whom we are taking steps to enter into a contractual
relationship, we collect, depending on the product or service we provide to you (if any), we collect Personal Data
about you including (to the extent permitted by applicable law):

• personal details such as your name, identification number, date of birth, compliance related documents
(including a copy of your national identity card or passport), phone number, address and domicile,
electronic address, and family details such as the name of your spouse or partner;

• financial information, including payment and transaction records and information relating to your assets
(including fixed properties), financial statements, liabilities, taxes, revenues, earnings, and investments
(including your investment objectives);

• tax domicile and other tax-related documents and information;

• where relevant, professional information about you, such as your job title and work experience;

• your knowledge of and experience in investment matters;

• details of our interactions with you and the products and services you use, including electronic
interactions across various channels such as e-mails and mobile applications;

• any records of phone calls between you and UBS, specifically phone log information such as your phone
number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and
messages, duration of calls, routing information, and types of calls;

• Where applicable, details of your nomination of a mandate;

• identifiers we assign to you, such as your client, business relation, partner or account number, including
identifiers for accounting purposes;

• when you access UBS websites or our applications, data transmitted by your browser or device you are
using and automatically recorded by our server, including date and time of the access, name of the
accessed file as well as the transmitted data volume and the performance of the access, your device,
your web browser, browser language and requesting domain, and IP address (additional data will only
be recorded via our Website if their disclosure is made voluntarily, e.g., in the course of a registration or
request). When you visit a UBS website, that website will contain additional information about how we
use your information while you are visiting that website; and

• in some cases (where permitted by law), special categories of Personal Data, such as your biometric
information, political opinions or affiliations, health information, and, to the extent legally possible,
information relating to criminal convictions or offences.

We may use cookies, tracking technologies and other means (e.g., web beacons, pixels, gifs, tags, unique
identifiers) to collect and process the above information from different channels, including email, and devices
that you use to interact with us.

For our usage of cookies and other tracking technologies in relation to UBS websites please also refer to the UBS
Website Usage and Cookie Notice available here.

We may use Personal Data for analytics and measurement (incl. machine learning) to process the above
information, including profiling based on the processing of your Personal Data, for instance by looking at
information we obtain via cookies and tracking technologies.

In some cases, we collect this information from public registers (which, depending on the product or service you
receive and the country of the UBS entity with which you have a contractual relationship, may include beneficial
ownership and other registers), public administration or other third-party sources, such as wealth screening
services, credit reference agencies, fraud prevention agencies, intermediaries that facilitate data portability, and
other UBS Group entities.

2
If relevant to the products and services we provide to you, we will also collect information about your additional
account holder, your business partners (including other shareholders or beneficial owners), dependants or family
members, representatives, and agents.

Additionally, where you are an institutional or corporate client or investor, we will also collect information about
your directors, employees, or shareholders. Before providing UBS with this information, you should provide a
copy of this notice to those individuals.

3. For which purposes do we process your Personal Data and what legal basis do we rely on?

3.1 Purposes of processing

We always process your Personal Data for a specific purpose and only process the Personal Data which is relevant
to achieve that purpose. In particular, we process Personal Data, within applicable legal limitations, for the
following purposes:

a) Client Onboarding. For example:

• to verify your identity and assess your application (including the need for guarantees or other
securitisation tools) if you apply for credit. For legal and regulatory compliance checks (for example,
to comply with anti-money laundering regulations, and prevent fraud), please see Section e) below.

b) Client Relationship Management. For example, to:

• manage our relationship with you, including communicating with you in relation to the products
and services you obtain from us and from our business partners, handling customer service-related
queries and complaints, facilitating debt recovery activities, making decisions regarding credit or
your identity, tracing your whereabouts, and closing your account (in accordance with applicable
law) if it remains dormant and we are unable to contact you after a period of time;

• help us to learn more about you as a client, your preferences on the products and services you
receive, and other products and services, including those offered by us, UBS Group entities, and our
business partners, you may be interested in receiving, including profiling based on the processing of
your Personal Data, for instance by looking at the types of applications, platform, products and
services that you use from us, information we obtain via tracking technology and how you like to
be contacted;

• collect and analyse your individualized and personal or anonymous and group-based activity and
potential interests in the use of our products and services, of UBS websites, our applications for
mobile devices and UBS platforms, multimedia portals and social networks.

c) Product implementation and execution. For example, to:

• provide products and services to you and ensuring their proper execution, for instance by ensuring
that we can identify you and make payments to and from your accounts in accordance with your
instructions and the product terms;

• perform underwriting.

d) Engaging in prospecting and business development and / or protecting and enhancing the UBS brand.
For example, to:

• evaluate whether and how UBS may offer products, services and events, including those offered by
us, UBS Group entities, and our other business partners, that may be of interest to you;

• provide individualised and personal or anonymous and group-based matching of offers on UBS
websites, on our applications for mobile devices, on UBS platforms, on multimedia portals and
social networks and other UBS products and services you may use;

3
 • contact you for direct marketing purposes about products and services we think will be of interest
to you, including those offered by us, UBS Group entities, and our other business partners, and
facilitating competitions and promotions.

e) Compliance and Risk Management and / or Crime Prevention, Detection and Investigation. For example,
to:

• carry out legal and regulatory compliance checks as part of the onboarding process, including to
comply with anti-money laundering regulations and fraud prevention;

• meet our on-going regulatory and compliance obligations (e.g., laws of the financial sector, anti-
money laundering and tax laws), including in relation to recording and monitoring communications,
apply a risk classification to ongoing business relationships, disclosures to tax authorities, financial
service regulators and other regulatory, judicial, and governmental bodies or in proceedings and
investigating or preventing crime;

• receive and handle complaints, requests, or reports from you or third parties made to designated
units within UBS or the UBS Group;

• reply to any actual or potential proceedings, requests, or the inquiries of a public or judicial
authority; and

• prevent and detect crime, including fraud or criminal activity, misuses of our products or services as
well as the security of our IT systems, architecture, and networks.

f) Supporting, Enhancing and Maintaining UBS’s technology. For example, to:

• take steps to improve our products and services and our use of technology, including testing and
upgrading of systems and processes, and conducting market research to understand how to
improve of our existing products and services or learn about other products and services we can
provide;

• analyse the results of our marketing activities to measure their effectiveness and relevance of our
campaigns.

g) Other purposes. For example:

• for the UBS Group’s prudent operational management (including credit and risk management,
technological support services, reporting, insurance, audit, systems and products training and
administrative purposes);

• to enable a transfer, merger or disposal to a potential buyer, transferee, merger partner or seller
and their advisers in connection with an actual or potential transfer, merger or disposal of part or all
of UBS’s business or assets, or any associated rights or interests, or to acquire a business or enter
into a merger with it;

• to collect data to ensure the security of buildings, safety of staff and visitors, as well as property and
information located, stored on or accessible from the premises, to prevent, and if necessary
investigate, unauthorized access to secure premises (e.g., maintaining building access logs and
CCTV system images to prevent, detect and investigate a theft of equipment or asset owned by
UBS, visitor or staff, or threats to the safety of personnel working at the office);

• undertake transactional and statistical analysis, and related research; or

• to exercise our duties and/or rights vis-à-vis you or third parties.

4
 3.2 Basis for processing of Personal Data

Depending on the purpose of the processing activity (see Section 3.2), the legal basis for the processing of your
Personal Data will be one of the following:

• necessary for taking steps to enter into or executing a contract with you for the services or products you
request, or for carrying out our obligations under such a contract;;

• required to meet our legal or regulatory responsibilities, including when we conduct the legal and
regulatory compliance checks and make the disclosures to authorities, regulators, and government
bodies;

• necessary for the legitimate interests of UBS, without unduly affecting your interests or fundamental
rights and freedoms and to the extent such Personal Data is necessary for the intended purpose. See
below for more examples of legitimate interests of UBS);

• in limited circumstances, and as may be requested from you from time to time, we have obtained prior
consent (for instance where required by law) or processed with your explicit consent in the case of
special categories of Personal Data.

Examples of the ‘legitimate interests’ referred to above are:

• manage our relationship with you and to help us to learn more about you as a client, the products and
services you receive, and other products and services you may be interested in receiving

• evaluate whether and how UBS may offer products, services and events that may be of interest to you);

• to prevent fraud or criminal activity, misuses of our products or services as well as the security of our
information, IT systems, architecture and networks and security of UBS premises

• to receive and handle complaints, requests, or reports from you or third parties made to designated
units within UBS or the UBS Group);

• to take steps to improve our products and services and our use of technology and to conduct market
research);

• to cooperate with a request made in any actual or potential proceedings or the inquiries of a public or
judicial authority); and

• certain situation when we make the disclosures referred to in Section 5 below, providing products and
services and assuring a consistently high service standard across the UBS Group, and keeping our
clients, employees, and other stakeholders satisfied;

in each case provided such interests are not overridden by your privacy interests.

To the extent UBS has obtained your consent to process Personal Data in the past in any product-specific terms
and conditions for the purposes of data protection law only, UBS will, unless explicitly stated otherwise in this
notice, no longer rely on such consent, but instead will rely on lawful grounds of compliance with a legal
obligation, contractual necessity, or legitimate interests (as specified in this notice), and UBS' ability to rely on that
consent is hereby waived or extinguished. For the avoidance of doubt, any consent given for any other reason
remains unaffected by this paragraph.

To the extent that we process any special categories of data relating to you, we will do so because:

• the processing is necessary to meet our legal or regulatory responsibilities;

• the processing is necessary for our regular exercise of rights, including in judicial, administrative or
arbitration proceedings;

• the processing is necessary to protect the vital interests of the relevant individual or of another natural
person;

5
 • the processing is necessary for reasons of substantial public interest;

• processing relates to Personal Data that has been made public by you; or

• you have given your explicit consent to us to process that information (where legally permissible).

Where the Personal Data we collect from you is needed to meet our legal or regulatory obligations or enter into
an agreement with you, if we cannot collect this Personal Data there is a possibility, we may be unable to on-
board you as a client or provide products or services to you (in which case we will inform you accordingly).

4. How do we protect your Personal Data?

All UBS employees accessing Personal Data must comply with our internal rules and processes in relation to the
processing of your Personal Data to protect them and ensure their confidentiality.

UBS and the UBS Group have also implemented adequate technical and organisational measures to protect your
Personal Data against unauthorised, accidental, or unlawful destruction, loss, alteration, misuse, disclosure or
access and against all other unlawful forms of processing.

5. Who has access to Personal Data and with whom are they shared?

5.1 Within UBS and the UBS Group

We usually share Personal Data with other UBS Group companies for the purposes indicated in Section 3 to
ensure a consistently high service standard across our group and to provide services and products to you.

5.2 Outside UBS and the UBS Group

5.2.1 Third Parties

We share Personal Data with other credit and financial services institutions, comparable institutions and to our
professional advisers and consultants to perform the business relationship with you. In particular, when providing
products and services to you, we will share personal data with persons acting on your behalf or otherwise involved
(depending on the type of product or service you receive from us), including, where relevant the following types of
companies:

• a party acquiring interest in, or assuming risk in or in connection with, the transaction (such as an insurer);

• (if you hold a credit card with us) credit card associations, and other card payment and platform providers;

• issuers of securities (including third parties appointed by them) in which you have an interest, where
such securities are held by third party banks for you;

• payment recipients, beneficiaries, account nominees, intermediaries, correspondent and agent banks
(including custodian banks);

• clearing houses, and clearing or settlement systems and specialised payment companies or institutions
such as SWIFT;

• market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges;

• other financial institutions, credit reference agencies or credit bureaus (for the purposes of obtaining or
providing credit references);

• any third-party fund manager who provides asset management services to you; and

• any introducing broker to whom we provide introductions or referrals;

• lawyers, auditors, accountants, and insurers providing legal, audit, consultancy, accounting or insurance
services to us.

6
5.2.2 Service Providers

In some instances, we also share Personal Data with our suppliers, who are contractually bound to confidentiality,
such as IT and hosting providers, marketing providers, communication services and printing providers, debt
collection, tracing, debt recovery, fraud prevention, and credit reference agencies, and others. When we do so
we take steps to ensure they meet our data security standards, so that your Personal Data remains secure.

Service providers are thereby mandated to comply with a list of technical and organisational security measures,
irrespective of their location, including measures relating to: (i) information security management; (ii) information
security risk assessment and (iii) information security measures (e.g., physical controls; logical access controls;
malware and hacking protection; data encryption measures; backup and recovery management measures).

5.2.3 Public or regulatory authorities

If required from time to time, we disclose Personal Data to public authorities, regulators or governmental bodies,
where we are required to disclose information by applicable law or regulation, under a code of practice or
conduct, at their request, or to safeguard our legitimate interests.

5.2.4 Others

• A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or
potential transfer or merger of part or all of UBS’s business or assets, or any associated rights or
interests, or to acquire a business or enter into a merger with it;

• Any legitimate recipient required by applicable laws or regulations.

5.3 Data transfers to other countries

The Personal Data transferred within or outside the UBS Group as set out in Sections 5.1 and 5.2, is in some
cases also processed in other countries. We only transfer your Personal Data abroad to countries which are
considered to provide an adequate level of data protection, or in the absence of such legislation that guarantees
adequate protection, based on appropriate safeguards (e.g., standard contractual clauses or another statutory
exemption provided by local applicable law).

A copy of these measures can be obtained by contacting the Group Data Protection Office, if and to the extent
required by applicable law, we implement the necessary legal, operational and technical measure and/or enter
into an agreement with you before such transfers.

A list of the countries in which UBS operates can be found here.

6. How long do we store your data?

We will only retain Personal Data for as long as necessary to fulfil the purpose for which it was collected or to
comply with legal, regulatory or internal policy requirements. To help us do this, we apply criteria to determine
the appropriate periods for retaining your Personal Data depending on its purpose. In general, although there
may be limited exceptions, data is kept for the time period defined in the UBS Records Retention Schedule.

As far as necessary, we will keep your data for the duration of our banking relationship subject to applicable legal
and regulatory requirements. In addition, we might process your data after the termination of our banking
relationship for compliance or risk management in accordance with the applicable laws as well as pursuant to
various retention and documentation obligations or if it ins in UBS’ legitimate interest.

However, if you wish to have your Personal Data removed from our databases, you can make a request as
described in Section 7 below, which we will review as set out therein.

7
7. What are your rights and how can you exercise them?

7.1 Your rights

You have a right to access and to obtain information regarding your Personal Data that we process. If you believe
that any information we hold about you is incorrect or incomplete, you may also request us to rectify inaccurate
Personal Data.

You also have the right to:

• object to the processing of your Personal Data;

• request the erasure of your Personal Data;

• request restriction on the processing of your Personal Data; and/or

• withdraw your consent where UBS obtained your consent to process Personal Data (without this
withdrawal affecting the lawfulness of any processing that took place prior to the withdrawal).

In certain circumstances UBS may process your Personal Data through automated decision-making. Where this
takes place, you will be informed of such automated decision-making that uses your Personal Data and be given
information on criteria and procedures applied. You can request an explanation about automated decision
making carried out and that a natural person review related decisions where such a decision is exclusively based
on such processing.

We will honour such requests, but these rights are not absolute: they do not always apply, and exemptions may
be engaged. We will usually, in response to a request, ask you to verify your identity and/or provide information
that helps us to understand your request better. If we do not comply with your request, we will explain why.

7.2 Exercising your rights

For clients of UBS Switzerland AG please send your request to:

• Quality Feedback / Direktion, UBS Switzerland AG, Postfach, 8098 Zürich, Switzerland or
[email protected]

For clients of UBS AG Singapore Branch please send your request to:

• Complaints Handling Unit, UBS AG Singapore Branch, 9 Penang Road, 238459, Singapore, or sec-sh-
[email protected]

If you are not satisfied with how UBS processes your Personal Data, please let us know and we will investigate
your concern. Please raise any concerns by contacting the Group Data Protection Office at: [email protected].

8. Changes to your Personal Data

We are committed to keeping your Personal Data accurate and up to date. Therefore, if your Personal Data
changes, please inform us of the change as soon as possible.

9. Changes to this Privacy Notice

This Privacy Notice was published in August 2022. We reserve the right to amend it from time to time. Any
amendment or update to this Notice we will make available to you here. Please visit the UBS website frequently
to understand the current Notice, as the terms of this Notice are closely related to you.

8
10. List of UBS entities covered by this Notice

The provisions herein apply to you if you have a contractual relationship with the following UBS entity in the DIFC

Entity Name Registered Address

ICD Brookfield Place, Level 39, Al Mustaqbal Street,

UBS AG Dubai Branch Dubai International Financial Centre, Dubai, 506542,
United Arab Emirates

If you have any questions or comments about this notice, please contact the UBS Group Data Protection Office at
[email protected].