DIFC Representative Office Online Privacy Notice

CRDB BANK PLC (DIFC REPRESENTATIVE OFFICE) ONLINE PRIVACY POLICY

EFFECTIVE: December 2025

In this data protection policy, ‘we’, ‘us’, ‘our’, ‘ourselves’, ‘CRDB DIFC’, and ‘The Office’ means:

CRDB BANK PLC (DIFC REPRESENTATIVE OFFICE), a company with Registration Number 10729 registered by the Registrar of Companies of the Dubai International Financial Centre under the Companies Law, DIFC Law No. 5 of 2028 with its registered office at Level 14, The Gate Building P.O. Box 74777, Dubai, United Arab Emirates. 

The ultimate owner is CRDB Bank PLC, a public limited company duly incorporated in Tanzania Mainland under the Companies Act No. 12 of 2002 and licensed under the Banking and Financial Institutions Act, 2006 (Act No. 5 of 2006) as amended, to carry on the business of banking and whose registered office is at Plot No. 25 & 26 Ali Hassan Mwinyi Road and Plot No. 21 Barack Obama Drive of P.O. Box 268, 11101 Dar es Salaam.

CRDB DIFC  values your security and privacy. We are required to comply with DIFC Authority’s Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”), and may for certain types of personal data processing, be subject to laws from other jurisdictions.

As such, it is the policy of CRDB DIFC  to respect the privacy of its website services users.  In accordance with DIFC DP Law and, as applicable, our Personal Data Protection and Privacy Policy, CRDB DIFC collects information about you when you use or access our websites, use the office’s email addresses for contact purposes, or you avail of other web-based products, information or services such as the office’s Wi-Fi (collectively, the “Website Services”) as well as through other interactions and communications you have with us.

This online data protection policy (the “Policy") sets out the basis on which any information, including any personal data, we collect from you, or you provide to us, will be processed byCRDB DIFC . Each time you access or use the Website Services or provide us with information, by doing so you acknowledge the practices described in this Policy.  For use of specific services, i.e., the office’s Wi-Fi, you may be asked to opt-in to our use of the information you submit there.  Your rights described herein apply in these instances as well.

1. Scope and Application

This Policy applies to persons anywhere in the world who access or use CRDB DIFC ’s Website Services (“Users”).

2. Collection of Information

We obtain personal information about you through your interactions with us generally, including by telephone calls (which may be recorded and you will be made aware of the recording before it happens), by email, via our websites, or any other digital or electronic forms or face to face (e.g., in meetings). 

If you contact us, we will keep at least an electronic record of such correspondence, including personal information shared at that time, in order to reply or process it as per your request. The personal information you give us may include your name, address, e-mail address and phone number, certain device information, username, password, residential building, work address, photograph, and other information you choose to provide (“Personal Information” or “Personal Data”).

The Website Services collect and process Personal Data in accordance with the DP Law and applicable laws, including for specific, lawful purposes explained herein or at the time of collection, or for the performance of tasks carried out in your interests or the legitimate interests of CRDB DIFC .

2.1 Managing Minor’s Information

We recognize the importance of safeguarding personal data related to minors/children. If we collect information about minors/children, we do so only with the consent of a parent or guardian. We encourage parents and guardians to be actively involved in their children's online activities.

2.2 Information we collect about you and your device

We collect information about you by monitoring your access to our premises (e.g. CCTV). We also collect information about you when each time you use our Website Services we may and often will automatically collect the following information:

• Technical information, including the type of mobile device you use, a unique device identifier (for example, mobile network information, your mobile operating system, the type of mobile browser you use, device token, device type, time zone setting (“Device Information”);

• Details of your use of our Website Services including, but not limited to traffic data, weblogs and other communication data, and the resources that you access (“Log Information”);

• Location information if the Website Services uses GPS technology to determine your current location. If you wish to use the particular feature, you may be asked to opt-in to your data being used for this purpose.

If you do not wish to share certain data with us or do not want us to use / share it for certain purposes (to the extent possible, in accordance with applicable laws and information in this notice), you can alter your preferences at any time.  Where applicable, please check with your device provider's instructions for further information about how to do this.

2.3 Other Information We May Collect Through Your Use of the Website Services.

When you use any Website Services, we may collect Personal Data including demographic information, for example information that you submit, or that we collect, which may include, but is not limited to, post code, age/birth date, current residence, hometown, gender, username, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting, device location, IP address, SMS data, transaction information, business activities and services / distribution locations, browsing history information, searching history information, and registration history information (“Demographic Information”).

3. Use of Personal Data

We may use Personal Data which you provide to us or we collect from you to:

3.1 Provide, maintain, and improve our Website Services, including, for example, provide products and services you request (and send related information about them), develop new features that will enhance your user experience and our efficiency, provide customer support to users, authenticate users, and send administrative messages, whether information-only or required by applicable law.

3.2 Perform internal regulatory, administrative and operational requirements, including, for example, to prevent fraud or abuse of our Website Services; to troubleshoot software bugs and operational problems; to conduct permitted data analysis, testing, and research; to ensure you and CRDB DIFC are complying with internal or external legal requirements, including those that necessitate use of digital systems; and to monitor usage and activity trends.

3.3 Send you communications we think will be of interest to you based on your previous interactions with us, including information about products, services, marketing promotions and CRDB DIFC events, where permissible under DIFC Laws and guidance, and according to any other applicable laws.

3.4 Notify you about changes to this Policy, or our Website Services.

3.5 Allow you to participate in any interactive features of our Website Services.

3.6 Keep our Website Services safe and secure or

3.7 Personalize and improve the Website Services, including to provide or recommend features, content, social connections, referrals, and advertisements, in accordance with your preferences, to the extent permissible by law.

4. Processing, Storage and Transfer of Personal Data

We will take all steps reasonably necessary to ensure your Personal Data is processed fairly and lawfully, in accordance with the DP Law, other applicable laws and this Policy.  By submitting your Personal Data (including Log, Device and / or Demographic Information), we expect you to understand that such transfer, storing or processing in order for CRDB DIFC to perform its general administrative functions is necessary and will be done in a proportionate, lawful manner, including but not limited to responding to enquiries you raise via the Website Services, oversight of the business entities registered in DIFC’s jurisdiction and maintaining contacts for future informational or promotional activities. Unless otherwise notified, CRDB DIFC does not ordinarily rely solely on automated decision making when processing your Personal Data. 

In order to conduct our operations or fulfil regulatory obligations, we may transfer the Personal Data described in this Policy to and from, and process and store it in, the United Arab Emirates and (where applicable or required) with processors in other countries where CRDB Bank Plc has operations, some of which may have less protective privacy laws than those where you reside. In all such cases, and generally for any processing operations, we take appropriate security measures to protect your Personal Data in accordance with this Policy. CRDB Bank Plc  is ISO 27001 certified and all information security policies are strictly enforced. 

To preserve the integrity of our databases, to carry out on-going Website Services on behalf of all Users, for research, analytics and statistics purposes and to ensure compliance with applicable laws and regulations, we retain Personal Data submitted by Users for a reasonable length of time unless otherwise prescribed by applicable law.

CRDB DIFC is not responsible for the accuracy of the information you provide and will modify or update your Personal Data in our databases when you provide updated information or ad hoc upon your request, as further outlined below.  We will erase or put beyond active use your Personal Data upon request, unless we are required to retain it in accordance with DIFC or other applicable laws or to perform agreed services, in which case we align with applicable principles such as purpose specification and data minimization.

If it is not disproportionate or prejudicial, and required beyond this policy’s notices, we will contact you to let you know we are processing your personal information.

By accessing or using the Website Services to which this Policy applies, we can reasonably expect that you understand that all information submitted by you through the Website Services or otherwise to CRDB DIFC may be used by the office to support these processing operations, in accordance with applicable laws and its policies.

5. Sharing of Personal Data

We may share Personal Data which we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:

5.1 Through Our Website Services

We may share Personal Data which we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:

• With third parties to provide you a service that you requested through a partnership or promotional offering made by a third party or us; or

• With third parties with whom you choose to let us share your Personal Data, for example other apps or websites that integrate with our API or Website Services, or those with an API or Service with which we integrate.

5.2 Other Types of Data Sharing

We may share your Personal Data:

• With CRDB Bank PLC (ultimate owner) and its subsidiaries to the extent permissible by law;

• With vendors, consultants, marketing and advertising partners, and other service providers who need access to such Personal Data to carry out work on our behalf or to perform a contract we enter into with them;

• If we otherwise notify you and you provide your affirmative opt-in to share your data, where needed;

• In response to a request for information by a competent authority or government entities if we determine that such disclosure is in accordance with, or is otherwise required by any applicable law, regulation, or legal process;

• With law enforcement officials, government entities or authorities, or other third parties as required by applicable law;

• With third parties in an aggregated and/or anonymized or pseudonymized form that cannot reasonably be used to identify you

5.3 Government Data Sharing

In some circumstances we are legally obliged to share information with public authorities or law enforcement. For example, we may be required to provide information related to a court order or where we must cooperate with supervisory authorities in handling complaints or investigations. In any scenario, we’ll attempt to satisfy ourselves that we have a lawful basis on which to share the information, document our decision making, and satisfy ourselves we have a legal basis on which to share the information.

All sharing of Personal Data aligns to the extent possible with CRDB DIFC ’s Personal Data Protection and Privacy Policy which is an internal policy that governs fair and lawful sharing of Personal Data requested by government entities within the UAE and elsewhere.

6. Your Rights and Choices 

▪ You have the right to access information held about you. Your right of access can be exercised for any reason, at any time, in accordance with DIFC and other applicable laws.

▪ You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

▪ You may also request that we restrict the processing of, erase, transfer the information you gave us from one organisation to another, or otherwise process your Personal Data in line with the relevant articles providing for such rights set out in the DP Law or other applicable laws.

▪ Any access request generally comes at no cost to you and we must respond within one month unless provided otherwise by the DP Law or other applicable laws.  We may, where permissible, impose a reasonable fee to meet any extraordinary administrative costs in providing you with details of the information we hold about you.

▪ When you contact us about a potential Personal Data error or query, we will endeavor to confirm or verify the information in question, then correct verified inaccuracies and respond to the original inquiry. We will endeavor to send a correction notice to businesses or others whom we know to have received the inaccurate data, where required and / or appropriate. However, some third parties and third-party sites may continue to process inaccurate data about you until their databases and display of data are refreshed in accordance with their update schedules, or until you contact them personally to ensure the correction is made in their own files.

▪ As set out in Article 39 on the DP Law, we may not discriminate against you for exercising your rights by denying services or changing prices or quality of service, unless reasonable to do so in general, as objectively determined, and applicable to all individuals offered or receiving such benefits. 

7. Cookies

A cookie is a small text file that is unique to the web browser on your computer or mobile device, which is used to retain user preferences, and enhance browsing experience ("Cookie"). CRDB DIFC uses Cookies to track overall site usage and enables us to provide a better user experience. We do not use Cookies to “see” other data on your computer or determine your email address.

Types of cookies we drop, and the information collected using them include but are not necessarily limited to Targeting cookies which collect information about your browsing.

Most browsers accept and maintain Cookies by default. The DIFC Data Protection Law requires entities that set such collection methods to collect the bare minimum, necessary cookies in order to operate the relevant website.  Check the ‘Help’ or ‘Settings’ menu of your browser to learn how to change your Cookie preferences. You can choose to alter Cookiessettings related to the use of our Website Services, but this may limit your ability to access certain areas of the Website.

Alternatively you may wish to visit an independent source ofinformation, www.aboutcookies.org, which contains comprehensive information on how to alter settings or delete Cookies from your computer as well as more general information about Cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual or network operator for advice.

8. Changes to this Policy 

CRDB DIFC may change this Policy from time to time and without notice. If we make significant changes in the way we treat your Personal Data, or to the Policy, we will endeavourto provide you notice through the Website Services or by some other means, such as email. Your continued use of the Website Services after such notice constitutes your understanding of the changes. We encourage you to periodically review this Policy for the latest information on our privacy practices. We provide links to it through Website Services.

Contact Us

If you have any questions, comments and requests related to this Policy, or if you have any complaints related to how CRDB DIFC processes your personal data, please contact:

CRDB BANK PLC (DIFC REPRESENTATIVE OFFICE)

Office 45, Gate Village Building 04, DIFC, Dubai, United Arab Emirates

Tel: 04 401 9127

[email protected]  

You may also contact the DIFC Commissioner of Data Protection’s Office at:

Dubai International Financial Centre Authority

Level 14, The Gate Building

+971 4 362 2222
[email protected]

CRDB Bank Plc has appointed a Data Protection Officer for CRDB DIFC in accordance with Article 16 of the DP Law. He may be contacted via the following email address: [email protected]