Privacy policy

EQVILENT DATA PROTECTION AND PRIVACY POLICY

1. CONTEXT AND OVERVIEW

Introduction

Eqvilent Investments Ltd (“Eqvilent”) respects the privacy of Personal Data and is committed to protecting Personal Data for which Eqvilent is a Controller.

This Policy describes how the Personal Data must be collected, handled, disclosed, shared and stored to meet the Eqvilent’s data protection standards — and to comply with the Data Protection Laws.

Why this Policy exists

The Policy ensures Eqvilent:

complies with Data Protection Laws and follows good practice;
protects the rights of staff, customers and partners;
is open about how it stores and Processes Personal Data;
and protects itself from the risks of a Personal Data breach.

Data protection risks

This Policy helps to protect Eqvilent from some very real data security risks, including:

Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

2. TERMS AND DEFINITIONS

"Controller" means a natural or legal person, public authority, agency, or other body that, independently or jointly with others, determines the purpose and means of Processing Personal Data, as defined in Data Protection Laws. Controller shall refer to Eqvilent, and with regard to certain Processes, Eqvilent may act as joint Controller with a third-party.

"Compliance Manager'' means Eqvilent`s employees Ilya Poluyakhtov and Vitalii Kulikov accountable for data protection compliance under this Policy. The Compliance Manager is not considered as a data protection officer position for the purpose of Data Protections Laws.

"Cookies" means a small text file that a website stores on a User`s computer or mobile device when he or she visits the Eqvilent`s website and which includes unique identifiers that web servers send to browsers. Cookies help Eqvilent to determine the path the visitor took on our Website. Eqvilent uses Cookies in order to anonymously identify repeated users of the Website and most popular pages. It allows Eqvilent to keep our Website user-friendly and efficient by identifying the information most valued by users.

"Data Protection Laws" means The Data Protection Law DIFC Law No. 5 of 2020, the DIFC Data Protection Regulations 2020.

"User" means a natural person who can be identified, directly or indirectly, by reference to their Personal Data.

"Personal Data" or "Personal Information" means any information attributable to an identified or identifiable natural person (a User), as defined in Data Protection Laws. Personal Data does not include data where the identity has been removed (anonymous data). Personal Data shall encompass Special Category Data.

"Process" or "Processing" means, as applicable, any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collecting, recording, using, organizing, structuring, storing, adapting or altering, retrieving, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or purging.

"Processor" means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller, as defined in Data Protection Laws. Processors may include third-party service providers, applications, or agencies utilized by Eqvilent in the course of business.

"Special Category Data" means Personal Data revealing racial or ethnic origin, criminal history, political opinions, religious or philosophical beliefs, sexual orientation, trade union membership, or health, genetic, or biometric data, financial data or data pertaining to a child or minor or other categories of Personal Data pursuant to the applicable Data Protection Laws

3. COMPLIANCE MANAGER

The Compliance Manager`s responsibilities include:

informing and advising Eqvilent and its employees about their obligations to comply with the Data Protection Laws;
monitoring compliance with the Data Protection Laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits;
and acting as the first point of contact for supervisory authorities and for individuals whose data is Processed (employees, customers etc).

4. AUTOMATICALLY COLLECTED INFORMATION

Users` device automatically transmits to Eqvilent its technical characteristics when User uses Eqvilent`s Website. Eqvilent uses the information about location (a set of parameters that determine regional settings of interface, namely, residence country, time zone and the interface language), IP address, cookie files, browser and operating system, date and time of access to the website and the pages requested in order to provide the efficiency, usability and security of Eqvilent`s Website.

The Cookies are used exclusively for the purposes stated hereof. The Users may provide a consent for the use of their Cookies in accordance with the principles provided hereof or refuse in the use of their Cookies.

5. PROCESSING PERSONAL DATA

Grounds for Processing Personal Data

Eqvilent will only use Personal Data when Data Protection Laws allow Eqvilent to do so. Eqvilent’s basis for Processing Personal Data may include:

User giving consent to the Processing of his or her Personal Data for a specific purpose(s);
Processing is necessary for the performance of a contract to which the User is party or in order to take steps at the request of the User prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which Eqvilent is subject;
Processing is necessary to respond to public health emergencies, or protect the life, health, and property safety of natural persons in emergencies;
Processing is necessary in order to protect the vital interests of the User or of an other natural person;
or Processing is necessary for the purposes of the legitimate interests pursued by Eqvilent or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the User which require protection of Personal Data, in particular where the User is a child

Personal Data Eqvilent collects

Examples of Personal Data Eqvilent may collect include:

personal details (such as full name, nationality, gender, photograph and IP address);
identification details (such as passport or identification card, photo ID, national identification number and social security number);
education details (information about schools attended, degrees awarded and academic status);
contact information (such as phone number and postal address);
information in order to comply with our regulatory obligations (such as know your counter party information due diligence checks and anti-money laundering checks);
records of contact you have with us via phone calls, video calls, video conference calls and e-mail and video surveillance for the security of our buildings and systems;
location data includes details about visitor's current address;
or technical data which includes internet protocol IP address, login data, browser type and version, time zone setting and location, browser plug-in type and versions, operating system and platform, and other technologies on the devices visitors use to access the Website and use of Cookies stored on visitor's device

How Personal Data are collected

The Personal Data Eqvilent collects and Processes is directly provided by User or obtained from other third party sources. Eqvilent may use Personal Data collected from third party sources, such as:

regulatory authorities that contain User`s Personal Data;
public sources such as newspapers and the internet;
and data files from other parties that have collected Personal Data about User who contact Eqvilent regarding business activities who may provide Eqvilent with information that relates to User.

Consent

Consent provided by Users shall be freely given by a clear affirmative act that shows an unambiguous indication of consent. The consent cannot be conditional.

If the Processing is intended to cover multiple purposes, described above, consent must be obtained for each purpose in a manner that is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language.

Prior to providing consent, a User shall be notified by Eqvilent that consent may be withdrawn at any time. Consent may not be permanently binding on Users.

6. RIGHTS AND OBLIGATIONS

User may possess the right to:

Request access to his or her Personal Data that Eqvilent holds to check that it is accurately and lawfully being Processed.
Request correction of his or her Personal Data that Eqvilent holds. This enables User to have any incomplete or inaccurate Personal Data be corrected, though Eqvilent may need to verify the accuracy of any new Personal Data provided.
Request erasure of his or her Personal Data. This enables User to ask Eqvilent to delete or remove Personal Data where there is no legitimate purpose for the Processing of such Personal Data by Eqvilent. Eqvilent may not always be able to comply with the request of erasure for specific legal reasons or other legitimate grounds, which will be notified to User, if applicable, at the time of the request.
Object to Processing of his or her Personal Data where Eqvilent is relying on a legitimate interest (or those of a third party) and he or she would like to object to the Processing because it impacts his or her fundamental rights and freedoms.
Request restriction of Processing of his or her Personal Data. This enables Users to ask Eqvilent to suspend Processing Personal Data in the following scenarios: (a) establishing the accuracy of Personal Data; (b) where Eqvilent's use of Personal Data is unlawful, but there is no request of erasure; (c) where a User needs Eqvilent to hold Personal Data even if retention is no longer required and it is needed to establish, exercise, or defend a legal claim; or (d) a User objects to Eqvilent's use of Personal Data, but Eqvilent needs to verify whether there are overriding legitimate grounds to use it.
Request the transfer of his or her Personal Data. Eqvilent will provide to User, or a third party, his or her Personal Data in a structured, commonly used, machine-readable format. This right only applies to automated information.
Request access, correction, and deletion exercised by the deceased ‘s close relatives (for lawful and legitimate interests of their own), unless there exists other arrangement that is priorly made by the deceased.
Withdraw consent at any time where Eqvilent is relying on consent to Process Personal Data. This will not affect the lawfulness of any Processing carried out before consent is withdrawn.
Be notified of a data breach involving a User's Personal Data.

Eqvilent Data Protection obligations:

Consent: When consent is the lawful basis for Processing, Eqvilent shall obtain the affirmative consent of a User prior to such Processing.
Purpose Limitation: Eqvilent shall restrict the Processing of Personal Data to the intended business purpose(s).
Notification: Eqvilent shall provide notification in clear language to a User at the outset of Processing, which may include: name of Controller or Processor and contact information; purpose of Processing; type(s) of Personal Data Processed; whom has access to Personal Data; Processing location(s); retention period; User’s rights and instructions for exercising such rights; and protections against data breaches.
Access: Upon request by a User, Eqvilent shall provide such User with access to his or her Personal Data in the possession or under the control of Eqvilent and information about the ways in which Personal Data may have been previously Processed.
Correction: Upon request by a User, Eqvilent shall correct any error or omission in a User’s Personal Data in the possession or under the control of Eqvilent. If Personal Data is corrected, Eqvilent must inform (i) third parties to whom data has been disclosed of correction and (ii) Users that their Personal Data has been disclosed to third parties.
Erasure: Upon request by a User, Eqvilent shall erase such User’s Personal Data in the possession or under the control of Eqvilent, if: (i) Personal Data is no longer necessary for the intended business purpose for which it was Processed; (ii) the User withdraws consent and there is no other legitimate basis for the Processing; (iii) the User objects to Processing based solely on Eqvilent’s legitimate interest; (iv) the Processing of Personal Data is unlawful; or (v) Personal Data is related to the offer of information society services to a child.” This is not an absolute right, as Personal Data may be retained to the extent required or permitted under applicable law. If Eqvilent discloses Personal Data to a third-party, Eqvilent shall notify such third parties of any fulfilled request to erase, unless unreasonable or would result in a disproportionate effort.
Accuracy: Eqvilent shall make a reasonable effort to verify that Personal Data Processed by or on behalf of Eqvilent is accurate and complete. Generally, Personal Data is obtained directly from the User.
Protection: Eqvilent shall protect Personal Data in its possession or under its control by securing against unauthorized Processing, as further described in the “Security Measures Taken to Protect Personal Data” Section.
Retention: Eqvilent shall cease to retain documentation containing Personal Data or remove the means by which Personal Data can be associated with a particular User, when (i) the intended purpose for which Personal Data was Processed is no longer applicable and (ii) the retention is no longer necessary for legal or business purposes.
Breach Notification: In the case of a data breach involving any loss, misuse, or alteration of Personal Data that is likely to result in a risk to Users’ rights and freedoms, (i) Eqvilent shall notify the supervisory or data protection authorities immediately; and (or) (ii) Eqvilent shall notify Users without undue delay.

7. USE OF THIRD PARTIES (PROCESSORS) AND DISCLOSURE OF PERSONAL DATA

Eqvilent only discloses Personal Data when necessary to conduct Eqvilent`s business operations as described below. When Eqvilent discloses Personal Data, it will do so in accordance with applicable data protection and security requirements. Access to Eqvilent`s database is limited to explicit human resources professionals, managers/heads, certain persons from the legal, financial and/or compliance department(s) and will only be shared with other personnel or agents on a “need to know basis” for the purposes as set out above.

Third-party suppliers. Eqvilent partners with and is supported by suppliers around the world. Personal Data will be made available to these parties only when necessary to fulfill the services they provide to Eqvilent, such as software, system, and platform support, communication services, recruitment services, clearing services, cloud hosting services, advertising, data analytics, and order fulfillment and delivery third parties for legal reasons. Eqvilent will share Personal Data when Eqvilent believes it is required, such as:

to comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities, which may include such authorities outside User`s country of residence;
in the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of Eqvilent`s business, assets, or stock (including in connection with any bankruptcy or similar proceedings);
to protect Eqvilent`s rights, systems, and capabilities.

Counter party management. When User is a (prospect) business contact of Eqvilent or is related to or acting on behalf of one Eqvilent`s counter parties, the Personal Data will be shared with a (cloud) software engaged by Eqvilent to manage its counter party administration.

Recruitment. When Users apply to a job, its personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America, other third party (cloud) software tools, compliance check agencies or other persons (entities) and services engaged by Eqvilent to help manage its recruitment and hiring process or legal purposes on Eqvilent’s behalf.

8. SECURITY MEASURES TAKEN TO PROTECT PERSONAL DATA

Eqvilent has implemented appropriate elements of privacy by design in conjunction with technical and physical safeguards to protect the security of Personal Data from unauthorized or unlawful Processing. Eqvilent uses a number of systems and applications to protect Personal Data at all times, which also allow for the following capabilities: (i) the anonymization and encryption of Personal Data;(ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing Personal Data; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing, and evaluating, at least annually, the effectiveness of such security measures.

In assessing the appropriate level of security as well as the risks of varying likelihood and severity for the rights and freedoms of Users, Eqvilent assesses the risks presented by the Processing of Personal Data. Such risks may include, but are not limited to, any accidental, unlawful, or unauthorized destruction, loss, disclosure, alteration, or access to Personal Data Processed by or on behalf of Eqvilent, or other factors that may impact User rights and freedoms. Eqvilent shall make reasonable attempts to ensure that any risks presented by the Processing of Personal Data are sufficiently mitigated by technological and/or organizational controls, including limited access of Personal Data utilizing access controls and password protections.

9. RETENTION PERIOD

Personal Data will continue to exist in Eqvilent databases for the period in which Eqvilent must use it (for example, to prepare government tax statements), and then be archived or deleted, with specific timeframes determined by local law sand good business practice.

The Eqvilent would store Personal Data for the period of one (1) year since the moment of collecting Personal Data or terminating contractual or employment relations between the User and Eqvilent.

Eqvilent shall immediately erase all Personal Data of User upon its request or request of the relevant regulatory authority.

10. CONTACTS AND REQUESTS

Eqvilent shall accept, when applicable, any written requests through the appropriate channels from a User to exercise his or her rights and freedoms pursuant to Data Protection Laws. Eqvilent shall use reasonable means to verify the identity of the requester.

A User will not generally have to pay a fee to access his or her Personal Data or to exercise any of the above rights. However, Eqvilent may charge a reasonable fee if the request is clearly unfounded or excessive. Eqvilent will try to respond to all legitimate requests within one (1) month. Occasionally, it may take longer if the request is particularly complex. Alternatively, Eqvilent may refuse to comply with the request in certain circumstances.

If User wishes to request access to his or her Personal Data or exercise data protection rights that he or she may have under applicable data protection laws, or has any other questions in regards to his or her Personal Data Users shall contact Eqvilent`s Compliance Manager:

Ilya Poluyakhtov

ilya.poluyakhtov@eqvilent.com