1 Policy statement
2 Compliance and Administration
3 Definitions
4 Data collection and protection principles
5 Disclosure and sharing of Personal Data
6 Dealing with Data Subjects’ rights and requests
7 Questions about this Policy

  1. Policy statement
  2. Onezeroonezeroone Art Gallery Limited (“COMPANY”) is a Private Company incorporated in the Dubai International Financial Centre having its registered office at Unit SAHAB, Level G, Ritz Carlton, DIFC, Dubai, United Arab Emirates. The COMPANY is committed to safeguarding the privacy of the Personal Data received by it.
  3. This Data Protection Policy applies to Personal Data and to the management of that Personal Data in any form – whether oral, electronic or written.
  4. This policy gives effect to COMPANY’s commitment to protect any Personal Data, including that of its employees and third parties, and has been adopted by the COMPANY Board. “Personal Data”, further defined below, for the purposes of this policy includes individuals’ names, dates of birth and other personal information from which they can be identified.
  5. This policy and any other documents referred to in it set out the lawful bases on which we will process Personal Data we collect from any Data Subjects, or that is provided to us by Data Subjects or other sources. It sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store Personal Data.
  6. This policy may be amended at any time, regardless of employees’ contractual terms.
  7. Compliance and Administration
  8. Our customers (i.e. persons who avail themselves of our art gallery for displaying their work) and employees have rights with regard to the way in which their Personal Data is collected, stored and processed. We recognise that the fair and lawful treatment of this Data will maintain confidence in COMPANY and will support successful operations.
  9. All COMPANY employees and contractors must comply with this policy when processing Personal Data on COMPANY’s behalf. Any breach of this policy may result in disciplinary action.
The Personal Data which we hold in relation to our customers, employees, suppliers and other third parties is subject to certain legal safeguards specified in applicable data protection laws and regulations, including the Data Protection Law, DIFC Law No. 5 of 2020 (“DIFC DP Law 2020” and collectively, the “Applicable Laws”). The COMPANY has taken the steps necessary to comply with the DP Law 2020 and all Applicable Laws.
  1. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Director who can be reached at
  2. Definitions
  3. Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data. All Data Subjects have legal rights in relation to their Personal Data.
  4. Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies in line with the Applicable Laws. We are the Controller of all Personal Data collected or used in connection with the activities of the COMPANY.
  5. Processors include any person or organisation that is not a Data user that processes Personal Data on our behalf and on our instructions. We do not engage any Processors.
  6. Personal Data means Data relating to a living individual who can be identified from that Data (or from that Data and other information in our possession). Personal Data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
  7. Processing is any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Processing also includes transferring Personal Data to third parties.
  8. Special Categories of Personal Data is information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life. Special Category Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned. We do not collect any Special Categories of Personal Data.
  9. Data collection and protection principles
  10. The COMPANY may in the ordinary course of business collect and process information about anyone who:
  • is employed by us, including contractors and temporary employees;
  • uses our art gallery for displaying their art works;
  • attends our business development, marketing or other COMPANY sponsored events;
  • contacts us for information about our art gallery and our services; and
  • interacts and communicates with us in a business capacity.

  1. Such information may include, but is not limited to:
  • Name, gender, home address, and telephone number, date of birth, marital status, emergency contacts;
  • Residency and visa status, nationality and passport information;
  • Emirates ID number, banking details;
  • Information required to comply with laws, the requests and directions of law enforcement authorities;
  • Information captured on security systems, including CCTV and key card entry systems;

  • Employee information, including:
  • including the gender, age, nationality and passport information for spouse, minor children or other eligible dependents and beneficiaries);
  • Dates of hire, date(s) of promotion(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended;
  • Where permitted by law and proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal background checks, health certifications.

  1. Anyone processing such information must adhere to the following principles of lawfulness, transparency and accountability:
  2. Personal Data must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
  3. Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  4. Personal Data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
  5. Personal Data must be accurate and, where necessary, kept up to date.
  6. Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
  7. Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  8. Fair processing
  9. The Applicable Laws are not intended to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject.
  10. For Personal Data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the Applicable Laws. These include, among other things, the Data Subject's consent to the processing, or that the processing is necessary for the performance of a contract with the Data Subject, for the compliance with a legal obligation to which the Controller is subject, or for the legitimate interest of the Controller or the party to whom the Data is disclosed.
  11. When processing Personal Data as Controllers in the course of our business, the COMPANY and its employees will ensure that those requirements are met.
  12. In the absence of any other applicable basis for fair and lawful processing of Personal Data, COMPANY processes Personal Data on the basis that the processing is necessary for the purposes of pursuing the COMPANY’s legitimate interests, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation.
  13. Processing for limited purposes
  14. In the course of our business, we may collect and process Personal Data. This may include Data we receive directly from a Data Subject and Data we receive from other sources.
  15. We will only process Personal Data for specific purposes or for any other purposes specifically permitted by the Applicable Laws. We will notify those purposes to the Data Subject.
  16. Adequate, relevant and non-excessive processing
  17. We will only collect Personal Data to the extent that it is required for the specific purpose notified to the Data Subject.
  18. Accurate, Complete and Up-to-Date Data
  19. We will ensure that Personal Data we hold is accurate and kept up to date. We will take reasonable steps to destroy or amend inaccurate or out-of-date Data.
  20. Timely processing
  21. We will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all Data which is no longer required or which a Data Subject has asked that we destroy or modify.
  22. We will conduct timely reviews of our processing operations with respect to Data that is collected and stored in our systems.
  23. We will, to the extent required by law, comply with any statutory retention periods.
  24. Where the basis for processing changes for any reason, processes are in place for ensuring one of the following actions is taken with respect to the Personal Data:
  25. securely and permanently deleted;
  26. securely encrypted; or
  27. properly archived / put beyond further use.
  28. Data security
  29. We will take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
  30. We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a Processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
  31. All COMPANY employees are responsible for ensuring the security of our systems by adhering to this and related policies, including the COMPANY IT and Security policies, which contain details about the appropriate use and security of the devices and systems that are in the COMPANY IT environment.
  32. We implement as part of our security policies and processes an incident management policy in order to address personal data breaches and how to manage / report them in accordance with Article 41 (and, where required, Article 42) of the DP Law 2020.

  1. Transferring Personal Data
  2. We do not transfer any Personal Data outside DIFC jurisdiction.
  3. Accountability to Data Subjects
  4. Our use or disclosure of Personal Data must be necessary for the purpose(s) or compatible with the purpose(s) for which we collect and keep the Data. Except in certain limited circumstances (including where we are required by law) we should only use and disclose the Data in ways consistent with such purpose(s).
  5. Disclosure and sharing of Personal Data
  6. We may share Personal Data we hold with any member of our group, but must do so confidentially in all instances.
  7. We may also disclose Personal Data we hold to third parties:
If we are under a duty to disclose or share a Data Subject's Personal Data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others.
We may share Personal Data we hold with selected third parties for the purposes including but not limited to fulfilling employee contract requirements such as payroll and medical insurance.
  1. Dealing with Data Subjects’ rights and requests
  2. With some limited exceptions, any Data Subjects are entitled to:
  3. Request access to any Personal Data that COMPANY holds about them (known as a subject access request);
  4. Request that we stop processing their Personal Data, including automated processing of personal data;
  5. Request that we rectify, block or erase any Personal Data we hold about them; or
  6. Make a complaint to the Commissioner of Data Protection regarding the processing of their Personal Data.

Data Subjects should make the request by writing to any of the COMPANY employees or email to or alternatively can make the request through the website .
  1. Anybody at COMPANY who receives a written or verbal request or complaint from a Data Subject should immediately bring the request to the notice of senior management for necessary action.
  2. Questions about this Policy
  3. If you have any questions about this Policy, or any concerns or complaints with regard to the administration of this policy, or if you would like to submit a request as described in Section 6 above for access to the Personal Data that we maintain about you, please contact us by any of the following means:
  4. and
  6. Complaints or further escalation at the Data Subject’s option, to the Commissioner of Data Protection at DIFC