SUMMARY
Effective Date: April 18, 2024, until further notice.
This communication aims to provide clear and comprehensive information about data processing. Pre-registration documents available on the website include Terms and Conditions, Privacy Policy / Data Protection, and Cookie Regulations.
This notice on data protection adheres to clarity guidelines outlined in the Transparency Guidelines, ensuring thorough information provision alongside additional annexes.
Issued by: Beautyfinder.ae Email: info@beautyfinder.ae Website: beautyfinder.ae and its country-specific versions. Privacy Contact: For enforcing data rights, contact info@beautyfinder.ae. Refer to the communication for data processor details.
By providing personal data, you acknowledge understanding and acceptance of the current version of this data processing communication.
The legal basis for this notice is the United Arab Emirates’ data protection laws.
Purpose of the Website
The website facilitates posting advertisements, reviews, and reports related to the beauty industry. It enables registered members to access other registered individuals’ data sheets or contact them.
Our websites are SSL security-certified.
Principles of Personal Data Management
Personal data is handled lawfully, fairly, transparently, and for specific purposes. It’s collected with consent, stored securely, and for a limited duration.
Purposes of Data Processing
- Fulfilling contractual obligations
- Enhancing service efficiency and user experience
- Creating and managing accounts
- Sending newsletters and advertisements
- Meeting legal obligations
Rights Related to Personal Data
Users have the right to access, rectify, delete, transfer, object to, and lodge complaints regarding their personal data.
Data Protection Availability
To validate data protection rights, email info@beautyfinder.ae.
Conclusion
For comprehensive information on data processing, refer to the full communication available at beautyfinder.ae and its subdomains.
INTRODUCTION
This information ensures compliance with UAE data protection laws regarding data processing principles and rules before using our services.
The webpage beautyfinder.ae is an international service with multilingual adaptations.
Its objective is to facilitate beauty-related advertisements. Registered members can access other persons’ data sheets and communicate with them.
By providing personal data, users acknowledge awareness and acceptance of data processing information.
We prioritize protecting clients’ and partners’ personal data, treating it confidentially and implementing security measures.
During registration, users consent to legal personal data use. Unsubscribing from newsletters is possible at any time.
The webpage’s security is SSL certified, and protection of children’s personal data is paramount.
Pre-registration documents include General Business Conditions (GBC), Data Processing Information, and Cookie Regulations.
CHAPTER I: APPOINTMENT OF THE DATA PROCESSOR
The service provider or data processor, as designated, agrees to adhere to the provisions outlined in this legal notice. The company assumes responsibility for its actions, ensuring compliance with all relevant national regulations and UAE legislation.
CHAPTER II: DATA PROCESSORS
A data processor is any entity that manages personal data on behalf of the data controller. We use several data processors for IT services, accounting, and online payments, ensuring they comply with our stringent data protection standards.
CHAPTER III: DEFINITIONS USED IN THE INFORMATION DOCUMENT
Handling Personal Data: Any operation performed on personal data, whether automated or not, including collection, recording, organization, storage, alteration, use, dissemination, and destruction.
Personal Data: Information relating to an identified or identifiable individual, such as name, ID number, location data, or online identifier.
Special Data: Data concerning racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation.
Data Processing: Any operation on personal data, including collection, storage, retrieval, use, and deletion.
Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes personal data on behalf of the controller.
Recipient: The entity to which personal data is disclosed.
Consent of the Data Subject: Voluntary, specific, informed, and unambiguous agreement to the processing of personal data.
Data Breach: A security breach leading to accidental or unlawful destruction, loss, or unauthorized access to personal data.
CHAPTER IV: PRINCIPLES OF DATA PROCESSING
Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
Data Minimization: Data collected should be adequate, relevant, and limited to what is necessary.
Accuracy: Personal data must be accurate and kept up to date.
Storage Limitation: Data should be stored only as long as necessary for the purposes for which it was collected.
Integrity and Confidentiality: Data must be processed securely to ensure protection against unauthorized or unlawful processing and accidental loss.
Accountability: The controller must demonstrate compliance with these principles.
CHAPTER V: DIRECTIONS FOR DATA SECURITY
Security Measures: We implement necessary safety, organizational, and technical measures to ensure the highest level of personal data protection and to prevent illegal modifications, destruction, and usage blockage.
SSL Security Certificates: Our websites are secured with SSL certificates, creating a secure and encrypted channel between clients and servers. This encryption ensures that sensitive information, such as credit card data and account authorization, is transferred securely to prevent data leakage. Transactions are conducted using PIN codes and other encryption methods.
Data Storage: Data collected by us is stored in various locations within our infrastructure, including system logs, backend databases, and analytical systems. When transferring data from the UAE to other countries, we adhere to the directives of the relevant UAE authorities and comply with individual compliance provisions for each country.
Third-Party Links: Some of our services may include links to other websites, such as commercial banners or social media platforms. As we do not control the data protection principles and practices of these third-party websites, we advise users to review their respective data protection policies to understand how personal data is collected and used. Payments made through our services via credit cards or e-vouchers are handled by third-party providers who fulfill stringent security measures.
Email and Text Message Security: Data transfer via email or text message over the internet is not entirely secure. While we take measures to protect your personal data, we cannot guarantee the safety of data transferred through our services or email. Users are responsible for safeguarding their data, and we recommend using strong passwords and implementing proper technical and organizational measures to protect against loss, theft, unauthorized access, or modifications.
CHAPTER VI: HANDLING PERSONAL DATA
DATA PROCESSING RELATED TO CONTRACTS, TERMS AND CONDITIONS, WEBSITE
Management and Register of Data Related to Contracting Persons, Advertisers
Objective: The company manages data of clients and suppliers for contract conclusion, fulfillment, termination, and advertisement provision.
Processed Personal Data: Name, birth name, date of birth, address, telephone number, email, website, bank account number, client ID, online ID number.
Legal Basis: Contract fulfillment rights.
Addressees: Company employees in customer service, accounting, and data processors.
Duration of Storage: Until withdrawal of consent or up to 5 years after account termination, or 8 years if obligated by law.
Stakeholders Concerned: Website customers, clients, suppliers, advertisers.
Legal Person Clients, Customers, Suppliers, Data Related to Representatives
Objective: Fulfillment of contracts with legal partners, business contacts.
Processed Personal Data: Name, phone number, email, online ID.
Legal Basis: Contract fulfillment.
Addressees: Company employees in customer service, accounting, and data processors.
Duration of Storage: 5 years post-business relationship.
Data Subjects: Business representatives of advertisers, clients, customers.
Data Processing Related to Visitors (Cookies) on the Company’s Website
Objective: Enhance user experience, prevent fraud.
Data Subjects: All visitors.
Addressees: Company’s IT provider and service participants.
Types of Cookies: Session cookies, use-related cookies, performance cookies.
Management of Cookies: Users can adjust browser settings; certain functions may not operate without cookies.
Registration of an Advertiser Profile on the Company’s Website
Objective: Establishing new contacts, providing services, and storage space.
Processed Personal Data: Email, user type, login, IP address, date of registration, automatic entry cookie.
Legal Basis: User consent.
Addressees: Company employees in customer service, marketing, data processing.
Duration of Storage: Until withdrawal of consent or up to 5 years post-account deletion.
Personalized Advertisement Profile Account on the Company’s Website
Objective: Present advertised services.
Processed Personal Data: Various personal details provided by advertisers.
Legal Basis: User consent.
Addressees: Company employees in customer service, marketing, data processing.
Duration of Storage: Until withdrawal of consent or 6 months post-account deletion.
Data Processing Related to Newsletter Services
Objective: Sending newsletters and marketing materials.
Processed Personal Data: Name, email, spoken language, user interests.
Legal Basis: User consent.
Addressees: Company employees in customer service, marketing, data processing.
Duration of Storage: Until withdrawal of consent or service provision.
Automated Decision Making: Data may be used for automated decisions to identify potential business opportunities.
Tracking: Users’ interactions with newsletters are tracked to identify content of interest.
CHAPTER VII: DATA PROCESSING BASED ON LEGAL OBLIGATIONS
Data Processing for Taxation and Accounting Obligations
Objective: Compliance with taxation and accounting obligations as stipulated by law.
Processed Personal Data: Tax number, name, address, tax status, information on economic transactions, signatures, business license number, tax ID number.
Legal Basis: Accounting Act requirements.
Duration of Storage: 8 years post-termination of legal relation.
Addressees: Company employees and data processors handling taxation, accounting, and related tasks.
CHAPTER VIII: SHARING DATA WITH PARTNERS
The Company operates its website globally and shares information internally and with external partners in compliance with regulations and Terms and Conditions.
Data Transfer: Information is transferred to countries such as the United Kingdom, United States, or others for service provision and operational purposes.
Transfer Safeguards: Transfers follow the relevant UAE data protection guidelines.
Sharing with Partners: Personal information shared with partners includes name, email, and relevant details for service provision, marketing, or product offerings.
Consent Requirement: Sharing requires user consent, and sharing via hidden tools like VPNs is prohibited.
Partner Restrictions: Partners are strictly forbidden from using data beyond agreed-upon purposes without notice.
Third-Party Services: Contracts with third-party partners are limited to the agreed-upon service scope, prohibiting data use for other purposes.
Third-Party Disclosure: Personal data is not disclosed to third parties like media, observers, or marketing partners except for aggregated, non-personal data for analysis or industry best practices.
CHAPTER IX: INFORMATION ON DATA SUBJECT RIGHTS
Individuals have the right to inquire about how their personal data is managed. They can request corrections, deletions, or withdrawals, except for when data processing is mandatory. Additionally, they can exercise their right to data transfer and objection as outlined in the data registration and contact details provided by the Data processor.
Right to Preliminary Information: Data subjects have the right to receive preliminary information about the processing of their personal data, as outlined in UAE data protection laws.
Access Rights: Data subjects are entitled to access their personal data, as specified in UAE data protection laws.
Right to Correction: Data subjects have the right to request the correction of their personal data, according to UAE data protection laws.
Right to Deletion (Right to Erasure): Data subjects possess the right to request the deletion or erasure of their personal data, as stated in UAE data protection laws.
Right to Limitation of Data Processing: Data subjects have the right to limit the processing of their personal data, outlined in UAE data protection laws.
Right to Data Portability: Data subjects have the right to data portability, as described in UAE data protection laws.
Right to Object: Data subjects can object to the processing of their personal data, in accordance with UAE data protection laws.
Automated Decision-Making Processes: Data subjects have rights regarding automated decision-making processes, including profile creation, as outlined in UAE data protection laws.
Limitations: There are limitations on these rights, in accordance with UAE data protection laws.
Information on Data Protection Incidents: Data subjects have the right to be informed about data protection incidents, as stated in UAE data protection laws.
Right to Make Complaints: Data subjects have the right to make complaints to the supervisory authority, with the right to appeal to a judicial authority, in line with UAE data protection laws.
Right of Appeal to a Supervisory Authority: Data subjects possess the right to appeal to a supervisory authority, as specified in UAE data protection laws.
Right of Appeal to a Judicial Authority: Data subjects have the right to appeal to a judicial authority against the data processor or data controller, according to UAE data protection laws.
Communication of Data Subject Rights
The data processor is obligated to ensure that data subjects receive comprehensive information regarding the processing of their personal data, adhering to the guidelines outlined in UAE data protection laws. Additionally, data subjects have the right to access their personal data and related information, including:
- Objectives of data processing.
- Categories of personal data involved.
- Recipients and categories of recipients informed about or with whom the data will be shared, including third countries and international organizations.
- Planned duration of data storage.
- Options for correction, deletion, or limitation of data processing, as well as the right to object.
- Procedures for appeals and claims to the supervisory authority.
- Information on data sources.
- Details about automated decision-making, including profile creation and its potential consequences.
The data processor must provide this information promptly, within one month of receiving the request.
Right to Data Correction and Deletion
Data subjects have the right to request the correction of inaccurate personal data and the deletion of data under certain circumstances. These circumstances include situations where:
- The data are no longer necessary for the intended purpose.
- Consent for data processing has been withdrawn with no alternative legal basis.
- The data subject objects to the processing, and there is no legitimate reason for continuing.
- Data processing has occurred unlawfully.
- Legal requirements dictate data deletion.
However, data deletion may be restricted in cases where it is necessary for:
- Exercising freedom of expression and information rights.
- Complying with legal obligations or performing tasks in the public interest.
- Reasons of public health, historical or statistical research, or legal claims.
Limitation and Withdrawal of Data Processing
Data subjects can request the limitation of data processing under specific conditions, such as disputing the accuracy of the data or objecting to their deletion. In such cases, data processing can only continue with the data subject’s consent or for certain legal purposes.
Data Portability and Objection
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller. They also have the right to object to certain types of data processing, including for direct marketing purposes.
Appeals and Complaints
Data subjects can appeal to the supervisory authority if they believe their data rights have been violated. If unsatisfied with the supervisory authority’s response, they have the right to seek judicial remedy. This includes the right to an effective judicial review of decisions made by the supervisory authority or against the data controller or processor.
Communication of Data Breaches
In the event of a personal data breach posing a risk to individuals’ rights and freedoms, the controller must promptly inform the data subjects without undue delay.
Submission of Data Subject's Request and Controller's Measures
Upon receiving a request from a data subject to exercise their rights, the controller must promptly inform the data subject of the actions taken, without any undue delay and within one month of receiving the request at the latest. However, this period may be extended by two months if necessary, considering the complexity and number of requests. If such an extension is needed, the controller must inform the data subject of the delay and reasons within one month of receiving the request.
If the data subject submits the request electronically, the controller should provide the information electronically if possible, unless otherwise requested by the data subject.
If the controller decides not to take action on the request, they must inform the data subject promptly and no later than one month after receiving the request. This communication should include reasons for not taking action and information on the data subject’s right to lodge a complaint with a supervisory authority or seek judicial remedy.
The data processor is responsible for providing information to the data subject as per UAE data protection laws and communicating the data subject’s rights free of charge. However, if the data subject’s request is evidently unfounded or excessive, the data processor may refuse to act on the request, considering the administrative costs involved.
If the controller has doubts about the identity of the data subject making the request, they may request additional information to confirm the data subject’s identity.
The controller may refuse to fulfill the request if they can prove that the data processing is justified by compelling legitimate grounds that override the data subject’s interests, rights, and freedoms, or are related to the presentation, exercise, or defense of legal claims.
If the data subject disagrees with the controller’s decision or if the deadline is not met, they have the right to bring the case before the court within 30 days of receiving the decision or the last day of the deadline.
CHAPTER XI: OTHER DISPOSITIONS AND INFORMATION
Enforcement Proceedings The fact that the data processing complies with the law has to be proven by the data controller. The legitimacy of data transmission has to be proven by the data importer. The court is in charge of making a decision at the end of the proceedings. The legal proceedings – based on the choice of the data subject – can be brought to the competent court according to the place of residence or place of stay of the data subject.
Communication of a Personal Data Breach to the Data Subject When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The data subject does not need to be informed if any of the following conditions are met:
- The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
- The controller has taken subsequent measures after the incident which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
- The information would require a disproportionate effort. In such cases, the data subjects concerned should be informed by way of published information or similar measures should be taken to ensure stakeholders in an equally efficient way.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with UAE data protection laws, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Compensation and Grievance Fees If the controller causes harm by the unlawful processing of data related to the data subject or by breaching the data security regulations, the controller is liable to compensate this breach. If the controller causes harm by the unlawful processing of data related to the data subject or by violating the civil rights of the data subject, the data subject is entitled to a grievance fee from the data controller.
You do not have to compensate for the damage and the grievance fees if the impairment caused by civil rights violation was due to deliberate or seriously obvious negligence of the party concerned.
Legal Remedies Privacy Contact: If you wish to enforce your rights related to your data, please email info@beautyfinder.ae and we will handle your request.
The data subject is entitled to initiate a legal procedure by the National Authority for Data Protection and Freedom of Information that is competent at the place of residence in case if legal remedy needs to be sought related to the processing of personal data or if there is a direct danger concerning that.
Any data subjects are entitled to turn to the court in case they wish to seek legal remedy related to their personal data. The judgment at the end of the legal proceedings belongs to the competence of the court. The legal action – according to the choice of the data subject – can be brought to the court that is competent in the place of residence.
Modification of the Communication on Data Processing The Data Processor reserves the right to modify the present communication on data processing. After the webpage’s modification has entered into force, the modified communication on data processing shall be accepted.