1. Introduction
BPW Middle East FZE ("BPW Middle East FZE," "we," "us," or "our") is dedicated to safeguarding the personal information of our customers, employees, and partners. This Data Protection Policy ("Policy") outlines our commitment to maintaining the confidentiality, integrity, and security of personal data in line with relevant data protection laws and regulations.
2. Scope of the Policy
This Policy applies to all personal data handled by us, including data related to customers, employees, contractors, and third parties. It encompasses all aspects of data processing activities, including the collection, storage, usage, sharing, and disposal of personal data.
3. Definitions
3.1. Personal Data: Refers to any information related to an identified or identifiable individual ("data subject"). An identifiable individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.
3.2. Processing: Includes any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
3.3. Data Controller: Refers to the entity that determines the purposes and means of processing personal data.
3.4. Data Processor: Refers to the entity that processes personal data on behalf of the data controller.
4. Data Protection Principles
We adhere to the following data protection principles:
4.1. Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and transparently in relation to the data subject.
4.2. Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.
4.3. Data Minimization: Personal data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4.4. Accuracy: Personal data will be accurate and, where necessary, kept up to date. Inaccurate personal data will be rectified or erased without delay.
4.5. Storage Limitation: Personal data will be retained in a form that allows identification of data subjects only for as long as necessary for the purposes for which it was processed.
4.6. Integrity and Confidentiality: Personal data will be processed securely, ensuring protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage through appropriate technical or organizational measures.
4.7. Accountability: We will be responsible for and be able to demonstrate compliance with these principles.
5. Legal Basis for Processing
We process personal data based on one or more of the following legal grounds:
5.1. Consent: When the data subject has given explicit consent for their personal data to be processed for one or more specific purposes.
5.2. Performance of a Contract: When processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.
5.3. Legal Obligations: When processing is necessary for compliance with a legal obligation to which we are subject.
5.4. Legitimate Interests: When processing is necessary for our legitimate interests, provided these interests are not overridden by the data subject’s rights and interests.
6. Data Subject Rights
Data subjects have the following rights regarding their personal data:
6.1. Right to Access: Data subjects have the right to request access to their personal data and obtain a copy of the information we hold about them.
6.2. Right to Rectification: Data subjects have the right to request correction of inaccurate or incomplete personal data.
6.3. Right to Erasure: Data subjects have the right to request deletion of their personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
6.4. Right to Restriction of Processing: Data subjects have the right to request restriction of processing in certain circumstances, such as when they dispute the accuracy of the data.
6.5. Right to Data Portability: Data subjects have the right to request transfer of their personal data to another organization, where technically feasible.
6.6. Right to Object: Data subjects have the right to object to the processing of their personal data based on legitimate interests or for direct marketing purposes.
6.7. Right to Withdraw Consent: Where processing is based on consent, data subjects have the right to withdraw their consent at any time.
To exercise these rights, data subjects should contact us using the contact details provided below. We will respond to requests in line with applicable data protection laws.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures include, but are not limited to:
7.1. Access Controls: Limiting access to personal data to authorized personnel only.
7.2. Encryption: Employing encryption to protect personal data during transmission and storage.
7.3. Data Anonymization: Anonymizing or pseudonymizing personal data where possible to reduce the risk of identification.
7.4. Security Assessments: Conducting regular security assessments and audits to identify and address vulnerabilities.
7.5. Incident Response: Implementing an incident response plan to manage data breaches and other security incidents promptly and effectively.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, accounting, or reporting requirements. When personal data is no longer needed for these purposes, we will securely delete or anonymize it.
9. Data Sharing and Transfers
We may share personal data with the following categories of recipients:
9.1. Service Providers: Third-party service providers who perform services on our behalf, such as payment processing, data analysis, and customer support.
9.2. Business Partners: Business partners to provide certain products, services, or promotions.
9.3. Legal and Regulatory Authorities: Law enforcement, regulatory agencies, or other authorities if required by law or to protect our rights and comply with legal obligations.
9.4. Affiliates and Subsidiaries: Our affiliates and subsidiaries for business purposes and to deliver our Services to you.
9.5. Corporate Transactions: In the event of a merger, acquisition, or sale of all or part of our assets, personal data may be transferred as part of the transaction.
When transferring personal data internationally, we ensure that appropriate safeguards are in place to protect the data, such as standard contractual clauses approved by relevant regulatory authorities.
10. Training and Awareness
All employees and contractors are required to undergo data protection training upon hire and periodically thereafter. The training covers data protection principles, recognizing and reporting data breaches, and best practices for safeguarding personal data.
11. Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance and to serve as a contact point for data subjects and regulatory authorities.
The DPO is:
Holger Schneider
BPW Bergische Achsen Kommanditgesellschaft
Ohlerhammer
51674 Wiehl
12. Data Breach Notification
In the event of a data breach that poses a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will also inform affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
13. Policy Review and Updates
This Policy will be reviewed and updated regularly to ensure its effectiveness and compliance with applicable laws and regulations. The DPO is responsible for initiating and overseeing this review process.
14. Contact Information
For any questions or concerns about this Policy or our data protection practices, please contact us at:
BPW Middle East FZE
P.O. Box 79736
RA08-XB07 & XB08, Jafza North Zone
Near Roundabout 8,
Jebel Ali Free Zone,
Dubai, UAE