Privacy Policy

CE Risk Consultancy (CERC) is committed to protecting the privacy and confidentiality of personal information. 

This Privacy Policy outlines how we collect, use, share, and protect the personal data of our clients, employees, and partners, in compliance with relevant privacy regulations, including but not limited to the General Data Protection Regulation (GDPR), DIFC Data Protection Law and other applicable data protection laws.

  1. Introduction and Scope

This Privacy Policy applies to all personal data collected, processed, and stored by CE Risk Consultancy (CERC) in the course of conducting its business. This policy covers personal data provided by:

  • Clients
  • Contractors and employees
  • Subcontractors
  • Third parties who interact with CERC

By engaging with CERC’s services, you consent to the collection, use, and sharing of your personal data as described in this policy.

  2. Data Collection

CERC may collect personal data through various means, including:

  • Direct Interactions: Information provided through forms, email, phone calls, meetings, or our website.
  • Third-Party Sources: Data collected from subcontractors, partners, or publicly available sources.
  • Automated Technologies: Data collected through the use of cookies and tracking technologies when visiting our website or digital platforms.

2.1 Types of Data Collected

The personal data we may collect includes, but is not limited to:

  • Identification Information: Full name, title, job role, employer, and identification documents (e.g., passport or ID numbers).
  • Contact Information: Email address, telephone number, postal address.
  • Professional Information: Business affiliations, role, and employment details.
  • Financial Information: Billing information, payment details, and transaction history.
  • Sensitive Personal Data: In certain instances, we may collect sensitive personal data, such as health information or biometric data, as required by specific operations or projects.
  • Technical Data: IP addresses, browser type, device information, location data, and website usage statistics.

  3. Purposes of Data Processing

CERC collects and processes personal data for the following purposes:

  • Contractual Obligations: To deliver security services, fulfil contracts, and manage relationships with clients and partners.
  • Legal Compliance: To comply with legal and regulatory obligations, including due diligence, reporting, and auditing requirements.
  • Security Operations: For risk assessment, threat analysis, and incident management as part of our security services.
  • Marketing and Communications: To send newsletters, updates, and promotional material, where consent has been provided.
  • Recruitment and HR: To manage employment and contractor relationships, including recruitment, payroll, performance management, and employee benefits.
  • Website Functionality and Analytics: To enhance user experience and analyse traffic on our website and digital platforms.

  4. Legal Basis for Processing

CERC processes personal data based on the following legal grounds:

  • Consent: Where individuals have provided explicit consent for the processing of their personal data for a specific purpose (e.g., marketing communications).
  • Contractual Necessity: Processing is required to fulfil the terms of a contract or to take pre-contractual steps at the request of the individual.
  • Legal Obligation: Processing necessary to comply with a legal or regulatory obligation (e.g., anti-money laundering, tax laws).
  • Legitimate Interests: Processing based on our legitimate interests, such as maintaining business operations, providing security services, and improving our offerings, provided that such interests are not overridden by the rights and interests of individuals.
  • Vital Interests: In rare cases, we may process data to protect the vital interests of an individual (e.g., emergency situations or medical emergencies).

  5. Data Sharing and Disclosure

CERC only shares personal data with third parties under strict conditions. These third parties may include:

  • Service Providers: Third-party vendors or contractors who provide services on our behalf, such as IT services, payroll management, and legal services.
  • Subcontractors and Partners: Where necessary to provide security or consultancy services.
  • Legal and Regulatory Authorities: Government authorities, law enforcement agencies, or regulators, where disclosure is required by law or necessary to comply with legal obligations.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, subject to confidentiality agreements.

CERC ensures that all third parties who process personal data on our behalf are subject to appropriate confidentiality and data protection obligations, including Data Processing Agreements (DPAs).

  6. International Data Transfers

As a global organisation, CERC may transfer personal data to countries outside the European Economic Area (EEA) or your jurisdiction. Such transfers will be done in compliance with data protection laws, ensuring appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy Decisions by the European Commission for certain jurisdictions.
  • Binding Corporate Rules (BCRs) for internal transfers within the CE Holdings group.

CERC ensures that international data transfers are secure, and that data subjects’ rights are respected regardless of the location of the processing.

  7. Data Retention

CERC retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by legal or regulatory obligations. Retention periods vary based on:

  • Legal Requirements: To comply with laws and regulations (e.g., tax records, employment laws).
  • Contractual Obligations: For the duration of contractual agreements and for a reasonable period thereafter.
  • Business Operations: As long as necessary to support our business operations, security services, and risk management activities.

Upon the expiration of the retention period, personal data will be securely deleted, anonymised, or archived in compliance with applicable laws.

  8. Data Security

CERC is committed to maintaining the highest standards of data security to protect personal data from unauthorised access, disclosure, alteration, or destruction. Our security measures include:

  • Encryption: Use of encryption technologies to protect personal data during transmission and storage.
  • Access Control: Strict access controls to limit who can access personal data based on their role and responsibilities.
  • Data Anonymisation and Pseudonymisation: Where applicable, we anonymise or pseudonymise personal data to reduce privacy risks.
  • Monitoring and Auditing: Continuous monitoring of our systems and regular security audits to identify and address vulnerabilities.
  • Incident Response: A robust data breach response plan to manage and report security incidents in compliance with data breach notification laws.

  9. Data Subject Rights

Individuals whose personal data is processed by CERC have the following rights:

  • Right to Access: You may request access to the personal data we hold about you, including details of how it is processed and who it has been shared with.
  • Right to Rectification: You may request the correction of inaccurate or incomplete personal data.
  • Right to Erasure: In certain circumstances, you may request that we delete your personal data, such as when it is no longer necessary for the purposes for which it was collected.
  • Right to Restrict Processing: You may request that we limit the processing of your personal data under certain conditions (e.g., if the accuracy of the data is contested).
  • Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format for transfer to another controller.
  • Right to Object: You may object to the processing of your personal data based on legitimate interests or direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise any of these rights, please contact our Data Protection Officer (DPO) at ops@cerc.ae. We will respond to requests within the applicable statutory timeframe.

  10. Cookies and Tracking Technologies

CERC uses cookies and other tracking technologies on its website to enhance user experience and gather usage statistics. Cookies are small data files stored on your device when you visit our website. The types of cookies we use include:

  • Essential Cookies: Necessary for the functioning of the website.
  • Analytical Cookies: Used to track website performance and user behaviour for optimisation purposes.
  • Marketing Cookies: Used to track browsing habits and serve personalised advertisements, with your consent.

You can manage your cookie preferences through your browser settings or by using our cookie management tool available on our website.

  11. Changes to this Privacy Policy

CERC reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices or legal obligations. We will notify you of any significant changes by posting the updated policy on our website and indicating the effective date at the top of the policy.

  12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact our Data Protection Officer (DPO):

Data Protection Officer
CE Risk Consultancy (CERC)
ops@cerc.ae
Central Park Towers, Office 17-11, DIFC, Dubai, United Arab Emirates

This Privacy Policy has been designed to comply with applicable privacy regulations and to protect the rights and freedoms of individuals whose personal data is processed by CE Risk Consultancy.