Privacy Policy

Last updated: 25 August 2025
Applies to: Peruvian Business Council UAE (the “Council”, “we”, “us”).
Website(s): [insert domain(s)]

This policy is drafted to align with the UAE Federal Decree‑Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”). If the Council is established in a UAE financial free zone (DIFC or ADGM), additional or different requirements may apply. See the “Free‑zone addendum” at the end.

1) Who we are and how to contact us

Controller: Peruvian Business Council UAE
Registered address: [insert address]
Email: [privacy@yourdomain.ae]
Phone: [+971 …]
Data Protection Officer (if appointed): [Name, email, phone]

2) What this policy covers

This policy explains what personal data we collect when you use our website(s), apply for membership, register for events, partner with us, or interact with us by email, phone or social media; how we use and share that data; how we secure it; and your rights under applicable law.

3) Personal data we collect

We collect and process the following categories, depending on your interaction with us:

• Identity & contact data: name, employer/organization, job title, nationality, email, phone, address, country of residence.
• Membership & events data: membership tier, application forms, event registrations, dietary preferences (for catering), photos and videos taken at Council events, attendance history.
• Communications data: emails, messages and inquiries you send us; marketing preferences (opt‑in/opt‑out).
• Payment data: payment instrument details are processed by our payment provider; we receive only limited billing info, status and receipts.
• Technical & usage data: IP address, device and browser, pages viewed, actions on pages, session metadata; cookie identifiers (see Cookie Policy).
• Partner/supplier data: business contact details, invoices, contracts, due‑diligence information.

We do not intentionally collect special categories of data unless you provide them voluntarily for a clear purpose (e.g., accessibility or dietary needs at events). Do not provide more sensitive data than necessary.

4) Purposes and legal bases for processing

We process personal data only with your consent or where an exception under the PDPL permits processing without consent. Our purposes include:

• Operate our websites and online services (website functionality, analytics strictly necessary for operation).
• Membership administration (evaluate and process membership applications; maintain member directory where applicable; deliver member benefits) — based on consent and/or necessity to conclude or perform a contract you request.
• Events & programs (registration, access control, speaker coordination, logistics, security, event photography/recording with appropriate notices) — based on consent and/or contract.
• Communications (respond to inquiries; send service messages) — consent and/or contract.
• Marketing (newsletters, invitations, campaigns) — only with your prior consent. You may withdraw consent anytime.
• Compliance and protection (comply with laws and regulatory requests; record‑keeping; prevent fraud or misuse; protect public interest or the vital interests of individuals) — based on applicable PDPL exceptions (e.g., legal obligation, vital/public interest, judicial/security purposes).

5) Event photography and recording

At our events we may take photos or video to document and promote our activities. Where required, we will provide on‑site notices and/or obtain consents. If you wish to avoid being photographed, please inform a staff member on arrival; we will make reasonable efforts to accommodate.

6) Sharing your data

We share personal data only as needed for the purposes above with:

• Service providers (e.g., hosting, email, CRM, event platforms, ticketing, payment gateway). Providers act under contract and process data on our instructions.
• Partners (e.g., co‑hosted events) where necessary for the specific event or program and subject to appropriate safeguards/notices.
• Authorities and regulators if required by law or to establish, exercise or defend legal claims.
• International transfers: See Section 9.

We do not sell personal data.

7) How long we keep data

We retain personal data only for as long as needed for the purposes collected, then delete or anonymize it. Typical periods include:

• Membership and event records: up to 6 years after last interaction, unless longer is required for legal/accounting purposes.
• Marketing contact details: until you withdraw consent.
• Website logs: up to 12 months, unless security incidents require longer retention.
  Actual periods may vary; feel free to contact us for details.

8) Security

We implement technical and organizational measures appropriate to the risk, including access controls, encryption in transit, secure configuration and vendor due‑diligence. No system is 100% secure; if we believe your data may be affected by a breach, we will take steps in line with applicable law and notify the UAE Data Office and/or you when required.

9) International data transfers

Where data is transferred outside the UAE, we will follow PDPL rules. Transfers occur when our cloud or service providers are located abroad. We will: (a) transfer to jurisdictions recognized as having adequate protection; or (b) apply approved contractual safeguards; or (c) rely on your explicit consent for specific transfers where appropriate; or (d) rely on other PDPL grounds (e.g., contract performance, legal claims, public interest). Details are available on request.

10) Your rights

Subject to legal conditions, you may:

• Request information about our processing activities and data categories relating to you;
• Access your personal data and receive it in a machine‑readable format (portability when processing is based on consent or contract and is automated);
• Correct or complete inaccurate data;
• Request erasure of data in specified cases;
• Request restriction/stop processing in specified cases;
• Withdraw consent at any time (does not affect prior lawful processing);
• Complain to the UAE Data Office if you believe we have infringed your rights.

To exercise rights, use the Data Rights Request form (see separate page below) or contact us at [privacy@yourdomain.ae]. We may need to verify your identity and will respond within applicable timelines.

11) Children

Our services are directed at professionals. We do not knowingly collect data from children. If you believe a child has provided data, please contact us to delete it.

12) Third‑party links

Our sites may link to third‑party sites and services. Their privacy practices are their own; please review their policies.

13) Changes to this policy

We may update this policy from time to time. We will post the updated version with a revised “Last updated” date, and take additional steps if required by law.

14) Free‑zone addendum (if applicable)

If the Council is established in the DIFC or ADGM, local data protection laws (DIFC DP Law 2020 or ADGM Data Protection Regulations 2021) apply. Where there is any conflict with this policy, the applicable free‑zone law prevails. You can contact us for a copy of the free‑zone‑specific notice, including breach notification timelines and supervisory authority contact details.