^{Privacy Notice} Al Hilal Bank PJSC Privacy Notice

1.1. Al Hilal Bank PJSC (“Al Hilal Bank”, “AHB”, “Bank”, “We” or “Our”)

1.2. Data Protection in Al Hilal Bank is regulated by the United Arab Emirates ("UAE") Data Protection Law and the Central Bank of the UAE Consumer Protection Regulation and accompanying Consumer Protection Standards.

1.3. Our Contact Information

Email: [email protected]

2. Introduction - Purpose and Applicability of this Privacy Notice

2.1 Al Hilal Bank is committed to protecting your privacy and your Personal Data.

2.2. This Privacy Notice ("Notice") aims to help you understand what Personal Data we collect, store or process about you, the legal basis on which we do so, the purpose for which we do so, if and whom we share your Personal Data with. This Notice also describes how long we retain your Personal Data.

2.3. This Notice describes your rights and the choices you can make in relation to our collection, use and disclosure of your Personal Data.
This Notice details:

the Personal Data we Process about you
the legal basis and purpose of that Processing
if and whom we share your Personal Data with
how long we retain your Personal Data
your data privacy rights and choices regarding the Personal Data we process about you
the various measures we have in place to protect the security of your Personal Data and minimise the potential for its unauthorised use, disclosure and destruction

2.4. The terms of this Notice will apply to you when you use our products or services, visit our online services at www.alhilalbank.ae and any of its ancillary pages and websites (the "Websites"), or provide us with your Personal Data.

2.5. Please review this Notice periodically as we may update it from time to time to reflect changes in our data practices.

2.6. Al Hilal Bank may change this notice from time to time if required by law or where there are any changes to its business practices.

3. Our Role as Controller and Processor

3.1. Controller
A Controller is an entity who solely, or jointly with others, determines the purposes (“why”) and means (“how”) of Personal Data Processing. In most cases, we will act as the Controller when Processing your Personal Data – this means we will decide on how to collect, process and use Personal Data in this role.

3.2. Processor
A Processor is an entity who processes Personal Data on behalf of another entity, i.e. the Controller, and does so solely based on instructions provided by the Controller.

In some cases, Al Hilal Bank will act as the Processor when Processing your Personal Data on behalf of another group entity. In these cases, Al Hilal Bank will perform the Processing of the Personal Data under the specific instructions from the group entity acting as the Controller.

4. Understanding Personal Data and Processing

4.1. What is Personal Data?
Personal Data means data which relates to a living individual who can be identified directly or indirectly from that data. The definition includes a wide range of personal identifiers that constitute Personal Data, including names, identification numbers, location data or online identifiers, reflecting changes in technology and the way organisations collect information about people.

Examples of Personal Data include the following:

name;
national origin, age, language, birth, education;
date of birth;
gender or sex (for statistical purposes as required by the law),marital status (married, single, divorced);
identification number (e.g. national ID, passport number, NI number, and drivers licence number);
location data (e.g. GPS coordinates);
information about a customer’s location (e.g. geolocation or GPS location);
online identifiers;
social media profiles;
photographs, videos, voice recordings;
employment history and current employment status (for example when a customer applies for finance);
financial data/ financial history (e.g. income, expenses, obligations, assets and liabilities or buying, investing, insurance, banking and money management behaviour or goals and needs based on, amongst others, account transactions);
contact information, telephone, mobile, fax numbers email address; physical address (e.g. residential address, work address or physical location);
biometric information (e.g. fingerprints, signature or voice);
race (for statistical purposes as required by the law);
physical health, mental health, wellbeing, disability, religion, belief, conscience, culture;
medical history, criminal history, employment history;
transactional data;
website technical data: e.g. your internet protocol (IP) address, website login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website; and
website profile and usage data: e.g. your interests, preferences, feedback and survey responses, information about how you use our websites, transaction details while performing online payments: e.g. merchant name, location, device used.

4.2. What is Processing?
Processing means doing anything with Personal Data, e.g. viewing, collecting, using, storing, sharing, manipulating, printing, copying, archiving etc.

Processing activity means any task that involves doing anything with Personal Data.

In this Notice the term “process or processing” explains how we collect, use, store, make available, destroy, update, disclose, or otherwise deal with your Personal Data. As a general rule, we will only process your Personal Data if this is required to deliver or offer a product or service to you or comply to a regulatory requirement. The Bank respects customers’ privacy and ensures its duty of confidentiality is maintained throughout our relationship with you.

5.Personal Data We Collect About You and the Purposes for Which We Do So

Al Hilal Bank will obtain Express Consent from you to serve you with products and services, as per the Central Bank of the UAE’s Consumer Protection requirements. You should be aware that you have the right to withdraw your Consent at any time. You can do this by contacting us at [email protected]. However, this will not affect the lawfulness of any processing carried out before you withdraw your Consent.

We have set out a description of why we process your Personal Data in the table below, including what personal data we collect, and the legal basis for such processing.

Processing Activities		Description	Legal Basis
1	Account Opening	Personal Data processed: name, Emirates ID details, passport details, date of birth, nationality, employment details, transaction pattern (no of credits/no of debits), source of income, income, contact details and address. Processing description: We process your Personal Data in order to consider and process your application for an account with us. This Processing is necessary in order for us to take regulatory steps at your request before we enter into an agreement with you and is also necessary for deciding whether or not we can offer you the product you have applied for. This type of Processing is required in order for you to enter into an agreement with us. Personal Data is also required as part of regulatory financial crime protection, including Know Your Customer ("KYC") process mandated for account opening. We use your Personal Data to prepare KYC forms, CRS forms, W-8 and W-9 forms, application forms, and to evaluate your customer profile. In respect of fraud searches and identity verification, this Processing is necessary for fraud prevention and to comply with our legal obligations. If you do not provide this information, we cannot proceed with your application. Processing form: Al Hilal Bank mobile application.	Consent
2	Account Closing	Personal Data processed: name, account number, bank account number, bank statements, CIF, credit card number, date of birth, debit card number, home address, Emirates ID details, passport details, phone numbers, contact details. Processing description: We process your Personal Data in order to consider and process your account closure request and to handle dormant/inactive accounts. Processing form: Al Hilal bank mobile application.	Consent
3	Credit card	Personal Data processed: name, Emirates ID details, passport details, date of birth, nationality, your mother's name, banking details, home country address details, employment details, income details, name and contact details of two friends. Processing description: We process your Personal Data in order to consider and process your application for a credit card. Such Processing may include credit assessment, Profiling, and cross sales. We will obtain Consent to check your credit score with Al Etihad Credit Bureau ("AECB"). We will obtain Consent to pull a statement from the Central Bank of the UAE. Your Personal Data may be shared with Authorities upon request.	Consent
4	Debit Card Delivery	Only contact and delivery information is shared with a third-party courier for debit card delivery.	Consent
5	Personal Finance & Auto Finance	Personal Data processed: name, Emirates ID details, passport details, date of birth, nationality, mother's name, banking details, home country address details, employment details, income details, name and contact details of two friends. Processing description: We will obtain Consent for checking your credit score with AECB. We will obtain Consent to pull a statement from the Central Bank of the UAE.	Consent
6	Home Finance	Personal Data processed: name, Emirates ID details, passport details, date of birth, nationality, mother's name, banking details, home country address details, employment details, income details, name and contact details of two friends. Processing description: We will obtain Consent for checking your credit score with AECB. We will obtain Consent to pull a statement from the Central Bank of the UAE.	Consent
7	Sukuk	Personal Data processed: name, information on your current investments at Al Hilal Bank, previous experience with investments, liquidity, return expectations, time horizon, and signature. Processing description: The Personal Data is processed to assess your risk profile and tolerance towards investment, and ultimately your investment strategy, and to take instructions to execute on behalf of you. Your Personal Data may be shared with Authorities upon request. Processing form: email, Sukuk form.	Consent
8	Cheques	Personal Data processed: name, account number, bank account information, bank account number, bank statements, CIF, compensation information, date of birth, gender, home address, marital status, Emirates ID details, nationality, parents’ names, passport details, contact information, and signature.	Consent
9	Regulatory and Law Enforcement Requests and Instructions	We may process your Personal Data to handle requests and instructions from the regulator, law enforcement departments and the Ministry of Interior that ask for information about specific individuals.	Compliance with a legal obligation
10	Declined Onboarding	If your application is declined, we will store your personal information in accordance with our record retention procedures and to comply with our legal obligations.	Consent
11	Account Administration	We process your Personal Data in order to administer your account in a number of ways. This will include, for example, providing you with account statements, notices, and other information such as changes to your profit rate, managing any arrears on your account, enforcing any security that we have in place, and dealing with any queries or complaints you may have including data privacy requests and complaints. This type of Processing is necessary for the performance of our contract with you and to comply with our legal obligations. This type of Processing is necessary for the performance of our contract with you and to comply with our legal obligations.	Consent
12	KYC Update	Personal Data processed: Emirates ID, passport copy, income proof, address proof, and Email ID. Processing description: The KYC process is mandatory for identification and verification of your identity when opening an account, and also periodically over time. The objective of the KYC is to prevent the Bank from being used by criminal elements for money laundering activities. Your Personal Data may be shared with Authorities upon request. Processing form: Al Hilal Bank mobile application.	Consent
13	Fraud Investigation	Fraud Investigations – Privacy Notice The Bank conducts fraud investigations as a mandatory and lawful activity to prevent, detect, and respond to fraud, financial crime, misuse of services, and regulatory breaches. Processing is carried out under applicable laws, regulatory obligations, and internal investigation frameworks. Personal Data is processed on a strictly need to know and proportionate basis and may include identification, contact, account, transaction, employment, relationship, and due diligence information. Special category data is processed only where legally required and directly relevant. Personal Data may be shared, where lawful and necessary, with law enforcement, regulators, and judicial authorities. All data is handled securely, subject to access controls, audit trails, and retention limits, and is retained only for as long as required to meet investigation and regulatory requirements.	Consent and compliance with a legal obligation
14	Transactions Processing	We process your Personal Data in order to process transactions to and from your account.	Consent
15	Transaction Disputes	Personal Data processed: Name, audio information, bank account details, CIF contact details, credit card number, debit card number, contact details. Processing description: We may process your personal data to handle your queries and confirm transactions. Processing form: transaction dispute form.	Consent
16	Dispute Resolution	We may process your Personal Data to resolve disputes.	Consent and compliance with a legal obligation
17	Issuance of Certificate	Personal Data processed: Name, account number, age, bank account information, bank statements, CIF, citizenship status, compensation data, contact details, credit card number, credit history, date of birth, debit card number, emergency contact details, gender, home address, marital status, Emirates ID details, passport details, signature. Processing description: We process your Personal Data in order to consider and process requests for certificates related to customer’s relationship with Al Hilal Bank. Processing form: Al Hilal Bank mobile application.	Consent
18	Customer Complaints	Personal Data processed: Name, bank account information, bank statements, CIF, compensation data, contact details, credit card number, credit history, date of birth, debit card number, gender, home address, marital status, Emirates ID details, passport details, relatives’ information, and signature. Processing description: We may process your Personal Data in order to consider and process your feedback and complaints. Processing form: Al Hilal Bank mobile application and call Center.	Consent
19	Al Hilal Bank mobile application	We process your Personal Data in order to facilitate your use of our online banking services mobile applications. We gather information about how you interact with our App, including but not limited to your device type, operating system, IP address, and browsing behaviour within the app. This data helps us improve our services and customise the user experience. For Account opening purposes, the App uses your phone camera to capture your facial biometric data, passport, Emirates ID and signature.	Consent
20	Face pass / Emirates face recognition	We process and share your facial biometric data with a third-party service provider and a UAE Government Authority for verification against UAE Government records, to confirm your identity. The use of FacePass is optional. You may consent and opt-in to use FacePass by turning the feature on or off in the Mobile App. Activation of FacePass will result in FacePass being the sole permitted means of authentication for certain transactions, to which the FacePass applies. Other means of authentication, such as by a One-Time-Password (OTP), may automatically be deactivated once FacePass has been activated. When you activate FacePass, your photograph is collected, processed and stored by Al Hilal Bank for the purpose of identification and verification, in order to authenticate your financial and nonfinancial transactions.	Consent
21	Business Operations	We may process your Personal Data to manage and improve our business operations, for example, our internal governance functions, which may include monitoring communications and activities in relation to your account. Such Processing may be necessary for our business and compliance purposes, accounting and audit purposes and to comply with our legal obligations.	Consent
22	Marketing	We may process your Personal Data for marketing purposes to provide you with information about products and services that you may be interested in. This also includes purposes of conducting market research and related statistical analysis to understand our Customer base and the markets in which we operate, or may wish to operate. We may share your personal data with our social media partners if you have provided us with your explicit consent to receive targeted advertising related to our third-party partner service offerings. This allows us to deliver personalised content and offers that align with your interests and preferences. We will obtain Express Consent before using and sharing your Personal Data for direct marketing or transferring the Personal Data to any third parties for direct marketing. You may place your request to stop receiving marketing messages at any time. To do so, follow guidance in the “Marketing From Us” section of this Notice.	Consent
23	Analysis	We may process your Personal Data for the purposes of performing statistical analysis and conducting market research. This enables us to better understand our customer base and the markets in which we operate or may wish to operate.	Consent
23	Websites	The Personal Data that we process when you are browsing our Websites, such as your Internet Protocol ("IP") address, is processed so that we can create, manage, monitor, improve and maintain your experience on our Websites.	Consent
24	Assisting You in the Exercise of Your Rights	Should you make a request to exercise your legal and regulatory rights, we will respond to you as per our legal obligations and Applicable Law.	Consent
25	Retention	After your agreement has ended we will retain your Personal Data in accordance with our record retention procedures and to comply with our legal obligations and Applicable Law.	Consent
26	Social Media	Al Hilal Bank operates official channels, pages, and accounts on various social media platforms to inform, assist, and engage with customers. Al Hilal Bank may monitor and record comments and posts made on these channels that reference Al Hilal Bank, with the objective of improving its products and services. Please note that you must not share the following types of information with Al Hilal Bank through social media platforms: Confidential personal data, including information about your financial situation, bank account details, transactions, or any other banking-related information. Sensitive personal data, including: Special categories of personal data such as information revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership; genetic or biometric data used for unique identification; health data. Other sensitive personal data such as criminal convictions or offences, or national identification numbers. Excessive, inappropriate, offensive, or insulting information directed toward any individual. Al Hilal Bank is not responsible for any information posted on social media platforms except for information officially communicated by its authorised employees. Al Hilal Bank is responsible only for its own use of personal data received through these channels.	Consent
27	Open Finance	To share your Personal Data from Al Hilal Bank to Open Finance Providers via the Open Finance Platform upon your instruction; to receive your data into Al Hilal Bank when you instruct us to act as an Open Finance Provider; to initiate payments on your behalf; to record and evidence consent, perform security/fraud controls, support dispute resolution and comply with supervisory and audit obligations. For the purposes of the UAE Central Bank’s Open Finance Framework, Al Hilal Bank may process Personal Data in the following roles: (a) as a Data Holder/Service Owner (Licensed Financial Institution) when responding to your authorised requests via the Open Finance Platform. (b) as a Person Deemed Licensed Open Finance Provider when, upon your instruction, we receive your data from other institutions or initiate payments. In each case, Processing includes recording and evidencing consent, performing authentication and fraud controls, and keeping audit logs required by the Central Bank. Sources: You and participating Licensed Financial Institutions. Recipients: The Open Finance Platform operator (Nebras Open Finance LLC) and Open Finance Providers selected by you, as independent controllers. Types of Personal Data Processed: Identification details (e.g. name, Emirates ID/passport details), account/profile metadata, account balances, transaction data, credit/income information; Open Finance consent artefacts (consent ID, scope, duration, status and revocation timestamps); authentication attributes and device/app identifiers; Open Finance API interaction metadata and audit logs; payment initiation details (beneficiary, amounts, schedules/mandates including variable recurring payments).	Consent and compliance with a legal obligation

6. How We Collect Your Personal Data

We may collect your Personal Data from two primary sources:

6.1. Directly From You

We may collect your Personal Data directly from you in several ways, including the following:

When you apply for any product on our application, through a postal application, telephone or directly with one of our Employees
When you provide your Personal Data online or by any other method of communication, or when you provide it on the merit of your relationship with Al Hilal Bank, for example, if you inform us of a change in your circumstances
When you visit our Websites, technical information, including the IP address used to connect to the internet, may be collected from you

6.2. Indirectly from Other Parties

We may obtain your Personal Data indirectly from third parties in the following ways:

1. Following an introduction to us by another third party, such as an accountancy firm, law firm or management consultancy

2. If another person provides your information to us when they apply to obtain a product from us:

on your behalf
that is to be held jointly with you
on behalf of any other organisation of which you are a director, shareholder, owner, trustee or beneficiary (as applicable)
where they have nominated you as a guarantor under our agreement with them, or to provide any other security, or occupier of any security property

3. When we carry out searches for the purposes of processing your application and/or during the course of your relationship with us

4. In response to our marketing activities, you request information about our products via a third party (e.g. websites and social media platforms)

If you are applying to us through a third party, then they should have provided you with their own privacy notice in order to inform you how they may process your Personal Data.

7. If You Fail to Provide Personal Data

In line with the UAE regulations and those of the Central Bank of UAE we may be inclined to collect and transfer personal data with third parties (such as authorised agents, suppliers, and subcontractors) to provide services or comply with regulatory requirements. Failure to provide this data may result in us declining a request or service, or if we are already providing a service, we may have to suspend or stop the same. In the case of such instances, we shall notify the same to you through Just-in-time notices.

To provide banking and other services to you, we may need to process your Personal Data in order to ensure we comply with our legal and regulatory requirements, for example we are obliged to verify the identity of our customers so we may need to process your passport information. If you fail or refuse to provide us with the requested Personal Data we need, we may not be able to supply, or continue to supply, our services to you, and should this occur, we will notify you. We will only ever process your Personal Data where we have a lawful right to do so.

8. How We Secure Your Personal Data

The security of your Personal Data is important to us. We have designed and implemented appropriate measures to prevent your Personal Data from being disclosed, modified or destroyed without sufficient authorisation. These measures address several dimensions of data security including and not limited to the following:

Asset Security: concepts and principles that ensure the protection of assets, including information assets such as your Personal Data from theft, misuse or destruction
Access Control: techniques that regulate the ability of various entities to interact with your Personal Data (user authentication), and the degree to which they may do so (user authorisation)
Cryptography: the use of mathematical algorithms to protect your Personal Data by rendering it unreadable using methods such as encryption and hashing
Network Security: concepts and principles that secure our telecommunication networks appropriately to ensure your Personal Data flowing through them is not disclosed to unauthorised entities
Application Security: concepts and principles that ensure our software applications that collect, store and otherwise process your Personal Data are securely developed and operated
Communications Security: principles that drive secure transmission of your Personal Data across entities
Physical Security: principles that support a secure physical environment for your Personal Data as it relates to printed hard copy records, for instance
Organisational Security: concepts and principles that ensure security of your Personal Data through policies, segmented access control and employee training & awareness, for instance

9. What Happens if There Is a Personal Data Breach?

Whilst we take measures to secure your Personal Data and have a robust incident response plan in place, risks to data security do exist, and there is always a possibility of unauthorised use, disclosure, modification and/or destruction of your Personal Data. In the event of a data breach, our robust data incident management process will be triggered, and our incident management response team will be assembled. The incident will be assessed to identify whether a data breach has in fact occurred. Upon confirmation of an actual data breach, there are stringent protocols that we follow to ensure the efficient management of data breaches and compliance with our legal requirements. Our internal protocols enable the immediate containment, investigation and remediation of data breach through the implementation of corrective and preventative measures and an assessment of any regulatory reporting and disclosure requirements. We will communicate with affected parties in compliance with our legal obligations, where the circumstances of a data breach may reasonably pose a risk to their financial and personal security and/or where it may pose reputational harm to affected parties. We will ensure all notifications provide clear and concise information to you and contain all relevant information as required by law.

For reporting Personal Data Breaches or further information on how we respond to and handle Personal Data Breaches, please contact us at [email protected].

10. Your Rights in Relation to Our Processing of Your Personal Data

If you want to exercise any of your rights, please write to [email protected]. Your rights in relation to our Processing of your data may differ based on your relationship with us as per Applicable Law. Your rights are outlined in the table below:

Description of Your Relationship with Us	Your Rights
Consumers	Right of access: you are entitled to request access to the information that we process about you. Right to rectification: under certain circumstances, you have the right to have inaccurate Personal Data about yourself rectified or completed if it is incomplete. Right to complain you have the right to contact us with any enquiries or complaints in respect of your Personal Data Processing. Right to Withdraw Consentyou have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Unless specified otherwise, the withdrawal will take effect within 30 complete days upon receiving your request.
All Other Data Subjects (e.g. Website Visitors, Contactors)	Right of access: you are entitled to request access to the information that we process about you. Right to request Personal Data portability: if you have provided information to us directly, the right to data portability allows you to obtain and easily reuse (move, copy or transfer) your Personal Data for your own purposes from one IT environment to another, securely and without affecting its usability. Right to rectification: under certain circumstances, you have the right to have inaccurate Personal Data about yourself rectified or completed if it is incomplete. Right to erasure: you have the right to ask to have your Personal Data erased. We may have the right to refuse a request for erasure in some circumstances, for example where the Personal Data is required for compliance with the law or in connection with legal claims. Right to restrict Processing: under certain circumstances, you are entitled to ask us to restrict the processing of your Personal Data. Right to stop Processing: under certain circumstances, you have the right to stop the processing of your Personal Data. For example, if your Personal Data is being used for direct marketing, statistical surveys and/or in contravention with the Applicable Law. Rights in relation to automated decision making and Profiling: you have the right not to be subject to a decision based solely on Automated Processing, including Profiling, which could produce legal effects, i.e. something which adversely affects your legal rights. You have the right to obtain an explanation of a decision made by automated means and to challenge it.

Description of Your Relationship with Us

Your Rights

Consumers

Right of access: you are entitled to request access to the information that we process about you.
Right to rectification: under certain circumstances, you have the right to have inaccurate Personal Data about yourself rectified or completed if it is incomplete.
Right to complain you have the right to contact us with any enquiries or complaints in respect of your Personal Data Processing.
Right to Withdraw Consentyou have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Unless specified otherwise, the withdrawal will take effect within 30 complete days upon receiving your request.

All Other Data Subjects (e.g. Website Visitors, Contactors)

Right of access: you are entitled to request access to the information that we process about you.
Right to request Personal Data portability: if you have provided information to us directly, the right to data portability allows you to obtain and easily reuse (move, copy or transfer) your Personal Data for your own purposes from one IT environment to another, securely and without affecting its usability.
Right to rectification: under certain circumstances, you have the right to have inaccurate Personal Data about yourself rectified or completed if it is incomplete.
Right to erasure: you have the right to ask to have your Personal Data erased. We may have the right to refuse a request for erasure in some circumstances, for example where the Personal Data is required for compliance with the law or in connection with legal claims.
Right to restrict Processing: under certain circumstances, you are entitled to ask us to restrict the processing of your Personal Data.
Right to stop Processing: under certain circumstances, you have the right to stop the processing of your Personal Data. For example, if your Personal Data is being used for direct marketing, statistical surveys and/or in contravention with the Applicable Law.
Rights in relation to automated decision making and Profiling: you have the right not to be subject to a decision based solely on Automated Processing, including Profiling, which could produce legal effects, i.e. something which adversely affects your legal rights. You have the right to obtain an explanation of a decision made by automated means and to challenge it.

11. Al Hilal Bank’s Obligations in Relation to Your Rights

Al Hilal Bank will maintain the following obligations in relation to your rights concerning our Processing of your Personal Data:

Modalities to exercise your rights: If you want to exercise any of your rights, please write to [email protected].
Services at no charge: We will not charge you a fee for facilitating the exercise of your rights. In case of a repetitive or excessive request from you, we will either charge you a reasonable fee taking into account the administrative costs, or we may decide to not act on your request.
Notification to third parties if applicable: If you exercise your right to erasure, rectification or restriction of Processing, we will communicate this with applicable Processors or joint Controllers to ensure your wishes are executed as applicable.
Your Identification: If we have reasonable doubts concerning your identity, we may request additional information to verify your identity.
Notification of inaction if applicable: If we are unable to act in response to your requests to exercise your rights, we will inform you along with the reasons for our inability to take action. We will also, in such cases, remind you of your right to lodge a complaint with the relevant Data Protection Regulator and seek a judicial remedy.

12. Cross-Border Personal Data Transfers

Throughout the course of your relationship with Al Hilal Bank and even after its conclusion, your Personal Data may need to be shared with Processors who are both internal and external to Al Hilal Bank. Under certain circumstances, within the permits of Applicable Law, this will involve us transferring your data outside the UAE.

If we need to transfer your Personal Data outside the UAE, we will:

Obtain your Consent for such Personal Data transfers
Comply with all relevant regulatory requirements
Provide you with any additional information (as and when required) for you to be able to make an informed decision.
In addition, we will take such steps as are necessary to ensure appropriate safeguards apply to maintain the same levels of protection as required under Applicable Law. Where we are permitted to transfer your Personal Data outside the UAE, one or more of these safeguards apply, but are not limited to:

1. Equal Data Protection standards: we may transfer your Personal Data to jurisdictions outside the UAE if they have Data Protection legislation in place covering key Data Protection provisions. The country to which the data is being transferred has local legislation that includes the main provisions, measures, controls, conditions and rules for protecting the confidentiality and privacy of the Personal Data, including the Data Subject’s individual rights; A contract or agreement which applies the provisions, measures, controls and requirements of the UAE Data Protection Law will be signed between us and the Data Recipient (entity outside the UAE).

2. Bilateral or multilateral agreements relating to Data Protection are in place between UAE and a state to which Personal Data is transferred.

3. Derogations: we may transfer your Personal Data outside the UAE based on the following derogations:
- the establishment, exercise or defence of legal claims
- the performance of a contract between you and Al Hilal Bank or for the implementation of pre-contractual measures at your request
- the conclusion or performance of a contract concluded in your interest between Al Hilal Bank and another natural or legal person
- the performance of an act relating to international judicial cooperation
- protection of public interest

13. Data Retention

We will only retain your Personal Data in a form that permits your identification for a minimum period of 5 years from the termination of our business relationship (such as closure of your account) or a completion of transaction (in instances where we do not have a business relationship with you) but not longer than necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

At the expiry of the stipulated retention periods, your Personal Data will be destroyed irreversibly (where possible) in order to comply with legal retention obligations or in accordance with applicable statutory limitation periods. Where it is impossible or impractical to delete your Personal Data, we will de-identify (which will limit reconstruction) your Personal Data in accordance with appropriate safeguards to guard against the record being used for any other purpose. Under certain circumstances, we may be required to retain your Personal Data beyond the defined retention period as stated in the initial purposes of processing for legal, regulatory, or legitimate business purposes. In such cases, we apply appropriate security measures to ensure the confidentiality and integrity of archived data. As and when we no longer retain your Personal Data, in accordance with this Notice, we shall ensure its secure destruction or de-identification in accordance with our internal data destruction procedure.

14. Marketing From Us

You will only receive marketing communications from us if you have consented to receive such communications.

You may request to stop receiving marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting the Al Hilal Bank Customer Care Team on [email protected] at any time. When you opt-out of receiving these marketing messages, it will not apply to personal data provided to us for other purposes.

We will only use your personal data for specified, explicit and legitimate purposes which are compatible with the purposes determined at the time we collect the personal data.

If we need to use your personal data for a new and unrelated purpose, we will make all reasonable efforts to collect consent from you for this new processing. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

15. Disclosures of Your Personal Data

We may share your Personal Data with the parties set out below for the purposes set out in this Notice:

Processors and Recipients, as further described in the section “Terms and Definitions” below.
We may share your Personal Data with other companies within the Bank’s group (including Our parent entity, ADCB) so that they can provide you with relevant products and services. This type of processing is necessary to enable us to take steps at your request prior to you entering into a contract with a company within the Bank's group.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Notice.
Our third-party suppliers and vendors who support us in providing the products and services we offer to our customers, and enable our organisational operations. When we disclose your Personal Data to our third-party suppliers, we take the necessary steps to ensure that these third parties have adequate safeguards in place to protect your Personal Data in the provision of their services to us. Please be aware that should you elect to withhold your consent for such sharing purposes, we may be unable to provide you with the product or service you have requested from us and may discontinue the provision of such product or service; and
We may share your personal data with our regulators such as the Central Bank, government and other entities as we may be required to by law in accordance with our internal processes upon assessment of the legitimacy of such requests.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow third parties to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

16. Terms and Definitions

Term	Definition
ADCB	Abu Dhabi Commercial Bank PJSC, being AHB’s parent company
Authority(ies)	Legal, supervisory, regulatory, governmental and quasi-governmental bodies such as the Central Bank of the UAE, the Securities and Commodities Authority (“SCA”), fraud prevention agencies, tax authorities etc.
Automated Processing	Processing that is conducted using an electronic application or system that operates automatically, either independently without any human intervention or under the supervision and limited intervention of a human.
Applicable Law(s)	All Applicable Law(s) relating to the Processing of Personal Data and privacy that are in force on the date this policy is updated in the UAE, including the UAE Data Protection Law, as well as the Central Bank of the UAE Consumer Protection Regulation and accompanying Consumer Protection Standards, in each case as amended.
Biometric Data	Any Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of the Data Subject, which allow the identification or confirm the unique identification of the Data Subject, such as facial images or fingerprints.
Central Bank of the UAE	The Central Bank of the United Arab Emirates.
Consent	The Consent by which the Data Subject authorises Al Hilal Bank or third parties to process his Personal Data, provided that such Consent is clear, specific and unambiguous indication of the Data Subject's agreement, by a statement or by a clear affirmative action, to the Processing of his Personal Data.
Consumer Protection Regulation or CPR	The Consumer Protection Regulation of the Central Bank of the United Arab Emirates, and accompanying Consumer Protection Standards that apply to all Licensed Financial Institutions licensed by the Central Bank of the UAE in relation to their activities specified in Article 65 of the Decretal Law No. 14 of 2018.
Consumer Protection Standards or CPS	The Consumer Protection Standards of the Central Bank of the United Arab Emirates that accompany the Consumer Protection Regulation and apply to all Licensed Financial Institutions licensed by the Central Bank of the UAE in relation to their activities specified in Article 65 of the Decretal Law No. 14 of 2018.
Consumer Protection Standards or CPS	means the Consumer Protection Standards of the Central Bank of the United Arab Emirates that accompany the Consumer Protection Regulation and apply to all Licensed Financial Institutions licensed by the Central Bank of the UAE in relation to their activities specified in Article 65 of the Decretal Law No. 14 of 2018.
Consumer(s)	A Customer for the purpose of Central Bank of the UAE Consumer Protection Regulation and the accompanying Consumer Protection Standards. A Customer is any natural person or sole proprietor who obtains or may prospectively obtain services and/or products from Al Hilal Bank, with or without charge, to satisfy their personal need or others’ needs.
Controller(s)	As per the CPS, a natural or legal person, public authority, agency, or other body that has the authority over the Processing of Personal Data. This entity is the focus of most obligations under privacy and Applicable Law. It controls the use of Personal Data by determining the purposes for its use and the manner in which the data will be processed specific to their biological, physical, biometric, physiological, mental, economic, cultural or social identity. As per the UAE Data Protection Law, the establishment or the natural person who is in the possession of the Personal Data and who, by virtue of its activity, alone or jointly with other persons or establishments determines the means, methods, criteria and purposes of the Processing of such Personal Data.
Customer(s)	Anyone who uses, participates in, purchases or subscribes to any Al Hilal Bank Offering.
Data Breach(es)	As per the CPS, any unauthorised or accidental loss, misuse, modification, access, disclosure or Destruction of Personal Data. As per the UAE Data Protection Law, a breach of information security and Personal Data through unauthorised or unlawful access thereto, including replication, transmission, distribution, exchange, transfer, communication or Processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed.
Data Protection	The protection of Personal Data.
Data Protection Officer or DPO	means any natural or legal person appointed by the Controller or the Processor who undertakes responsibilities to verify that the entity he belongs to complies with the Personal Data Protection controls, requirements, procedures and rules provided for herein, and to verify the integrity of its systems and procedures to achieve the compliance with the provisions hereof.
Data Protection Regulator	Any governmental or regulatory body or authority with responsibility for monitoring or enforcing Applicable Law, for example the UAE Central Bank, as per the CPS and The Emirates Data Office (“The Office”), as per the UAE Data Protection Law.
Data Subject(s)/ Individual	As per the CPS, any individual, who can be identified (either directly or indirectly) through one or more elements of Personal Data that are collected, used, shared, or otherwise processed as part of Al Hilal Bank’s operations. As per the UAE Data Protection Law, the natural person to whom Personal Data relates.
Data Subject Right(s)	The set of rights afforded to individuals located in UAE, as per Applicable Law, who request information about the Personal Data collected or stored by Al Hilal Bank and to exert choice or control over how that data is used by Al Hilal Bank in accordance with Applicable Law.
Destruction of Personal Data	Personal Data no longer exists.
Employee(s)	Any staff of Al Hilal Bank.
Express Consent	An indication that the Data Subject/ individual has given an active, clear and unambiguous agreement for their Personal Data to be used in a specific way, including, for example by signing a document, sending an email.
Know Your Customer or KYC	Mandatory requirements to ensure updated information about Al Hilal Bank’s Customers, to perform identity verification and prevention of illegal transactions through the business relationship with Al Hilal Bank such as money-laundering and identity theft.
Loss of Personal Data	When the Controller loses control or access to the Personal Data.
Personal Data	Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, image, identification number, online identifier, geographical location, or one or more physical, physiological, economic, cultural or social characteristics. Personal Data includes Sensitive Personal Data and Biometric Data.
Processing	Any operation or set of operations performed upon Personal Data using any electronic means including the Processing or other means, including collection, storage, recording, organisation, adaptation or alteration, communication, modification, retrieval, exchange, sharing, use, description, disclosure by broadcasting, transmission, dissemination, or otherwise making available, formatting, merging, restriction, blocking, erasure, destruction or creation of a model of Personal Data.
Processor(s)	An establishment or a natural person who processes Personal Data on behalf of the Controller and under his supervision and instructions.
Profiling	A form of Automated Processing consisting of the use of Personal Data to evaluate certain personal aspects relating to the Data Subject.
Recipient(s)	The entity to whom Personal Data is transferred. Target sectors to which Personal Data is transferred include, but is not limited to: Bank’s branches, subsidiaries, affiliates or other persons controlled by the Bank, or any person under common control with the Bank, in each case, whether directly or indirectly. Anyone that Al Hilal Bank reasonably believes to be acting on your behalf with authority to do so, such as payment recipients, beneficiaries of your account, nominees, intermediaries, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges or companies in which you have an interest in securities (where such securities are held by Al Hilal Bank for you), a debt charity, power of attorney or your professional advisors. Legal, supervisory, regulatory, governmental and quasi-governmental bodies such as the United Arab Emirates Central Bank of the UAE, the Securities and Commodities Authority (“SCA”), fraud prevention agencies, tax authorities, our professional advisors, tribunals and/or the courts. Government-authorised credit reference/information agencies and bureaus including, but not limited to AECB, for the purposes of obtaining or providing credit references and other information to assess your ability to meet your commitments. Any rating agency, insurer or insurance broker, or direct or indirect provider of credit protection to the Bank in connection with the products and services provided by the Bank. Organisations that provide us with business support services. For example, account service and administration companies, back-up and server hosting, IT software and maintenance and platforms, document storage and management services. This processing is undertaken as it is necessary for the performance of our agreement with you. Any party for the purpose of enforcing or preserving Al Hilal Bank’s rights against you when it is necessary for the establishment, exercise or defence of legal claims. Third parties who have introduced you to us (e.g. an intermediary or broker) in order for them to manage their records about you, to ensure that the type of business that they refer to us is appropriate and to help us to resolve any complaint made by you and/or any dispute between you and us. This type of processing allows us to ensure that the intermediary or broker is fulfilling the terms of their contract with us and in order for us to fulfil our legal obligations (e.g. our complaint-handling obligations). Market research organisations who we engage to assist us in developing and improving our products and services. Any person or entity that provides services to you through Al Hilal Bank as an intermediary, including investment management or insurance services and in relation to additional products and services. Any party to a transaction acquiring an interest in, or assuming risk in, or in connection with, your banking relationship with Al Hilal Bank. Any person or entity that is to provide, or has provided, any security of guarantee (and their professional advisors) in respect of your agreement with us and their professional advisors. This type of processing is necessary for the fulfilment of our contract with you, for example to enable us to recover any sums we have advanced under our agreement with you. Any entity (and their professional advisors) that provides funding to us or members of the Bank's group, any entity that provides us with equity finance and any potential purchasers of any part of our business. This type of processing is necessary to enable us to fund our business. Any entity used for recovery or collection of receivables to the bank from delinquent or defaulted Customers. As required by any relevant legislation.
Sensitive Personal Data	Any data that directly or indirectly reveals a natural person’s family, ethnic origin, political views, religious beliefs, criminal record, Biometric Data, or any data related to such person’s health and consisting of his physical, psychological, mental, cognitive, genetic, including any information related to the provision of healthcare services to him which reveal his health condition.
UAE	The United Arab Emirates.
UAE Data Protection Law	Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data issued by the Cabinet of The United Arab Emirates (as updated)
Document Classification: Public	Date of Publication: 30/4/2026

17. Changes to this notice

The latest version of our privacy notice is available on our Website. We will amend our privacy notice from time to time or as required. Please ensure that you visit our Website to view any changes to our notice.

Who can I contact if I have questions about this Privacy Notice?

If you have any questions about any aspects of this Privacy Notice or your Personal Data or you wish to exercise your data protection rights, please contact our Data Privacy Officer in writing at [email protected].

Text Style

Colors

Text to voice

^{Privacy Notice} Al Hilal Bank PJSC Privacy Notice

Text Style

Colors

Text to voice

Privacy Notice Al Hilal Bank PJSC Privacy Notice

^{Privacy Notice} Al Hilal Bank PJSC Privacy Notice