Introduction

NMC Healthcare Group have developed this Privacy Statement to explain how we collect, retain, use, process, share and transfer your personal data when you visit our facilities, use our services, or visit our websites. It has also been designed to help you understand your privacy choices whenever you interact with the NMC Healthcare Group.

About NMC Healthcare Group

NMC Healthcare Group is owned and operated by NMC OpCo Ltd who’s registered office is located at DD # 16 – 109 – 001, 16th Floor, WeWork Hub71, Al Khatem Tower, ADGM Square, Al Maryah Island, PO Box: 764659, Abu Dhabi, UAE. It comprises several related businesses operating under the NMC, Cosmesurge, Fakih IVF, Provita, Americare, Aesthetics, brands in the UAE, Oman, and Kuwait.

NMC Healthcare Group (also referred to as “we” or “us” elsewhere in this Privacy Statement) together are responsible for your personal data as Independent Controllers, Joint Controllers or Data Processors, depending on the purpose for which your data is being processed. Please see the section on Transferring Your Data Within the NMC Healthcare Group below for details.

Our Commitment to Privacy

Our privacy commitments are fundamental to the way we run our business. These commitments apply to everyone who has a relationship with us – including patients, partners, and website visitors. NMC Healthcare Group is committed to delivering personalised care that matters and to giving you the best overall experience whenever you use any of our services or interact with us. We strive to strike the right balance between using your data to ensure the quality of those experiences and protecting your privacy. We have thought through each aspect of our business and have determined just the right amount of data we need to create the best experience for you.

Scope

This Privacy Statement applies to all information we collect about you. It includes information we collect directly from you, information collected automatically, information we collect through our mobile application(s) and information we collect from third parties.

Personal, Anonymous and Aggregate Information

Personal data, also referred to as personally identifiable information (PII) is information that identifies or can reasonably be used to identify you. Anonymous information (i.e., information that doesn’t or can’t be reasonably used to identify you specifically) and aggregate information (i.e., information taken from many peoples’ data that is combined into groups or categories) are not considered personal data.

Examples of personal data include your:

  1. Name and contact information – For example, your first and last name, email address, mailing address, phone number, photo, beneficiary and emergency contact details and other similar contact data.
  2. Demographic data – For example, your date of birth and gender. We may also ask about your parental status and military status.
  3. National identifiers – For example, your national ID/passport, citizenship status, residency and work permit status, social security number or other taxpayer/government identification number.
  4. Employment details – For example, your job title/position, employer name and similar.
  5. Spouse’s/partner’s and dependents’ information – For example, your spouse and dependents’ first and last names, dates of birth and contact details.
  6. Background information – For example, your academic and professional qualifications, education, CV/Resume.
  7. Video, voice, and image – We may collect and use your video, voice, and image data, subject to the requirements of local law, or internal policy.
  8. Financial information – For example, your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes, and benefits.
  9. Geo-location data – such personal data refers to information that identifies or can be used to identify your geographic location often using data processed by personal devices you may be using such as mobile phones, laptops, tablets, and similar.
  10. Social media information – collected or generated through your use of social media platforms. This may include profile information, interactions with us or comments made on our social media accounts, and data related to private messages between you and us.
  11. Information contained in online identifiers such as cookies and similar technologies.

We may also process more sensitive personal data (also known as Special Category Data) including information relating to racial and ethnic origin, religious, political, or philosophical beliefs, trade union membership or information about your health, disabilities, and sexual orientation.

Personal information does not include:

  1. De-identified or anonymised information (i.e., information about you where information that can be used to identify an individual has been removed permanently).
  2. Aggregated consumer information (i.e., information taken from many people’s data and combined into anonymous groups or categories).
  3. General business contact information that does not identify an individual.
  4. Information about deceased persons.
The Personal Data We Use

We want you to know exactly what data we collect and use. NMC Healthcare Group may collect and use the following information:

  •  Your name and other personally identifying information
  • Communication preferences and details
  • Login and authentication information
  • Online profile information
  • Online activity
  • Purchasing information
  • Payment information, methods, and history
  • Information about the device(s) you use
  • Information about the service usage
  • Support information
  • Cookies
  • Social media information
  • Date of birth
  • Copy of identification document
  • Subscription preferences
  • Financial and credit history
  • Location information and GPS data
Special Categories of Personal Data

We also collect and use more sensitive personal data (known as “Special Category Data”) about you, such as information relating to your physical and mental health or your religion

Special category data must be handled even more sensitively than “standard” personal data. Your special category personal data will be managed in accordance with the Abu Dhabi Global Market (ADGM) Data Protection Regulations (ADGM DPR), this Privacy Notice and all applicable professional standards and laws including those issued by the UAE Federal Ministry of Health and Prevention, the Department of Health – Abu Dhabi, Dubai Health Authority, and those issued by the health authorities in Oman and in the other countries where we operate.

The special category personal data we hold about you may include some or all the following:

  • Details of your physical or mental health. This may include personal data about any healthcare services you have received (both from NMC Healthcare Group directly and other healthcare providers) or need, including about clinic and hospital visits and medicines administered. We provide further details below on the way we handle such personal data.
  • Details of care you have received from us including any images taken in relation to your care.
  • Details of your religion
  • Details of any genetic or biometric data relating to you.
  • Data concerning your sex life and/or sexual orientation.

The confidentiality of your medical information is important to NMC Healthcare Group. We make every effort to prevent unauthorised access to and use of information relating to your physical and mental health. In doing so, we comply with UAE and Oman data protection law, as well as other data protection laws in the jurisdictions where we operate.

How we Use Personal Data

We use your personal data in a variety of ways in order deliver you with the healthcare services that you need. We also use personal data belonging to our patients, and business partners to run our business and to comply with our legal obligations. Where you apply for a job at NMC Group, we need to process your personal data as part of our recruitment process.

How we Collect Your Personal Data

Directly From You

We may collect personal data directly from you when you:

  • enter a contract with us for the provision of your care.
  • use that care.
  • have remote or virtual consultations with a healthcare professional, for instance by telephone or some other communications method.
  • interact with us via email, phone, and other means of communication.
  • complete enquiry forms on our website.
  • send us a question including through our website, by email or by social media.
  • correspond with us by letter, email, telephone (all incoming and outgoing calls from/to patients are recorded) or social media, including where you reference NMC Healthcare Group in a public social media post.
  • attend our hospitals, clinics, pharmacies, or other healthcare facilities and are recorded on the CCTV systems we have installed.
  • apply for a position at one of the NMC entities.
  • take part in our marketing activities.
  • enrol in healthcare campaigns championed by health authorities.

From Other Healthcare Providers

Our patients will often receive healthcare services from other organisations in addition to NMC Healthcare Group, and so to provide you with the best care possible we may have to collect personal data about you from these other organisations. This may include medical records from:

  • your physician
  • your dentist
  • mental health providers
  • other healthcare professionals (including their medical secretaries) Medical records include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered.

Health Data Exchange Platforms (UAE)

If you are a patient in the UAE, your health data will most likely also be held and processed in either Emirate’s Health Data Information Exchange Platform. These are known as Malaffi in Abu Dhabi, Nabidh in Dubai, and Riayati in the Northern Emirates (Sharjah, Ajman, Umm Al Quwain, Fujairah, and Ras Al Khaimah). Your profile in either or each of these platforms holds an electronic record of your patient information, including medication, allergies, bad reactions to medicines, and where available past and present medical information, created from your NMC Healthcare Group medical record. They can be seen and used by authorised staff, within NMC Healthcare Group and in other areas of the UAE health and care system, who are directly involved in your care. Access to your record in these systems optimises patient safety allowing us to make the most clinically informed decisions. You can find more information about Malaffi here, about Nabidh, here and Riayati here.

From Other Third Parties

We may also collect personal data about you from other third parties in the following ways:

  • solicitors or other third parties acting on your behalf in connection with medico-legal proceedings.
  • your current or former employer, healthcare professional or other healthcare services or benefit provider
  • your family
  • your health insurance policy provider
  • experts (including medical experts) and other service providers about your care
  • government agencies,

In such cases, we will inform you that we have received your personal data from third parties, along with required information under applicable data protection laws.

 

Legal Basis for Using Your Personal Data

We use (or “process”) your personal data for several different purposes but in all cases, we must have a legal basis for doing so. When we use Special Category personal data such health data, (see section on Special categories of personal data above) we must have a specific additional legal basis to do so.

Below we have outlined the purposes for which NMC Healthcare Facilities process your personal data and the legal bases for doing so.

NMC AssetCo processes personal data jointly with NMC Healthcare Facilities as a joint controller, as both parties participate in the determination of the purposes and means of the processing of personal data of NMC Group patients. For all the processing activities NMC AssetCo relies on legitimate interest as its basis for processing of personal data. Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to the Processing of Your Personal Information for More Information.

When it comes to a condition for processing Special Category (Health) Data, NMC AssetCo relies on processing that is necessary for reasons of public interest in the area of public health to ensure continued high standards of quality and safe health care, of medicinal products or medical devices.

No. Purpose Details Legal Basis Special Category (Health) Data:
1 To set you up as a patient and process your data in NMC Healthcare Group’s systems. We use your personal data to create a Medical Record within our systems in which we will hold your medical history.

We also use it to establish your identity and the method you will use to pay for the services that we provide you with (i.e., via your insurance provider, cash, or some other means).

Contract 

We need to use your personal data to take steps so that you can enter a contract with us and/or a healthcare.

Providing personal data is a requirement to enter a contract. Failure to provide personal data would prevent us from entering a contract with you.

Performance of Contract

Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.

2. To provide you with healthcare and related services This is the primary reason you are likely to visit any of our facilities or use our services. We will therefore process your personal and health data for that and related purposes.

We may also need to carry out diagnostic tests or imaging procedures, some of which may be conducted within the facility you visit while others may be conducted at other NMC Healthcare Group facilities or by specially vetted third parties in compliance with local regulations. This means that some of your data might need to be shared with other hospitals within NMC group or other third parties.

Contract
We need to process your health information to perform our healthcare contract with you.

You are required to provide personal data to perform our contract with you. If you do not provide us with your personal data, we will be unable to perform our contract with you.

Health Purposes
Processing is necessary for health purposes.
3. To provide you with medical services in cases of emergency Where there is a risk to your life or other consequences may occur that would cause you great harm, we need to process personal and health data to protect your vital interests. Sometimes, we need to share your data with third parties in order the achieve that. Vital Interests

We may also need to process your health information to protect your vital health interests for instance, in life threatening emergencies.

 

Vital Interests Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent
4. To settle your account We will use your personal and health data to ensure that your account and billing is fully accurate and up to date. This may include sharing your personal information with your health insurance provider or employer both before and after you receive treatment at any of our healthcare facilities. Contract
We need to process your personal and health information to perform our healthcare contract with you.
Performance of Contract

Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering a contract. Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering a contract.

Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering a contract.

5. For internal or government clinical audit related to our Abu Dhabi Hospitals We may share your personal data with government auditors, Clinical Outcome Review Programmes and other government led quality improvement projects. We may also share your personal data with other audit programmes set up by clinical standards accreditation bodies such as Joint Commission International. Legal obligation

To comply with our regulatory or legal obligations.

Legal Obligation The exercise of a function or requirement conferred on a person by Applicable Law
6. For internal or government clinical audit at our hospitals outside of the Emirate of Abu Dhabi We may share your personal data with government auditors, Clinical Outcome Review Programmes and other government led quality improvement projects. We may also share your personal data with other audit programmes set up by clinical standards accreditation bodies such as Joint Commission International. Legitimate Interest
To make improvements to our procedures and practices provided that we have put appropriate safeguards in place to protect your privacy so that this use does not override your interests unduly.

Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to The Processing of Your Personal Information for more information.

Public Interests
Processing is necessary for reasons of public interest in the area of public health to ensure continued high standards of quality and safe health care, of medicinal products or medical devices.
7. Contacting you and resolving queries or complaints There may be times when you raise queries, or even complaints, with us. We take those communications very seriously and will usually need to use your personal data to resolve them fully. Legitimate Interests It is in our interest to improve our standards of care, service delivery, in any other way that will benefit our patients and other stakeholders provided that these interests are not overridden by your own interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to the Processing of Your Personal Information for more information.

Public Interests Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
8. Providing you with service information We will use contact information you have given us to get in touch and remind you about appointments you have booked with us, to inform you about test results, or to otherwise follow up with you about an appointment you have attended with us. We will generally do this by telephone, SMS, email or by messenger app (such as WhatsApp). Contract
In order to fulfil our contractual obligations, we need to process personal data to fulfil our contractual obligations.

Providing personal data is a contractual requirement. Failure to do so might prevent us from perform our contract with you.

Performance of Contract
Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.
9. Medical research We also participate in medical research and may share personal data with government approved research projects. Your Consent

We will obtain your consent before using your personal data for any medical research purposes to bring healthcare improvements to the public.

Explicit consent You can withdraw your consent at any time. Please see Section “Your Rights”, “Right to object to How we Use Your Personal Information for Direct Marketing Purposes” and the “Right to Withdraw Your Consent” for more information.
10. Medical research where your consent has not been obtained We also participate in medical research and may share personal data with government approved research projects where allowed by regulatory bodies in the country. Legitimate Interest
It is in our legitimate interest to process personal data obtained from you for medical research purposes and share with government approved research projects where allowed by regulators provided that these interests are not overridden by your own interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to the Processing of Your Personal Information for more details.

Research Purposes
Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law
11. Clinical referrals In order to provide you with comprehensive and high-quality health care, it may be necessary to refer your clinical case to other healthcare professionals at other facilities within the NMC Healthcare Group. In rare instances, it may also be necessary to refer your case outside of our network. Contract 

We need to process your health information to perform our healthcare contract with you and fulfil your request.

Performance of Contract Processing is required for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.
12. Patient transfer In order to continue your treatment, we may need to transfer you to another health care facility in the country. Contract
We need to process your personal and health information in order to fulfil our contract with you and transfer you to another facility where you can continue your treatment
Health Purposes
Processing is necessary for health purposes.
13. Patient transfer at your request To continue your treatment at another facility or in another country at your request Contract

We need to process your personal and health information in order to fulfil the contract with you and transfer you to another facility where you can continue the treatment

Performance of Contract Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
14. Patient transfer when there is insufficient insurance coverage or where your treatment cannot be continued at our facility To protect your life, we may need to transfer you to another healthcare facility outside the country. By doing so we have to communicate your personal and health data to third parties. The healthcare facility outside the country. Vital Interests
We need to process your personal and health information to protect your vital health interests for instance, in life threatening emergencies.
Vital Interests
Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent
15. Providing improved quality services We take measures to continually improve the quality of the services we provide. This includes monitoring or recording telephone calls to our contact numbers for training and security purposes and conducting pre and post treatment surveys. Legitimate Interests It is within our legitimate business interests to take measures to improve the quality and efficiency of the services we provide to you provided that our interests are not overridden by your interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to the processing of your personal information for more details.

Public Interests Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
16. Recruiting new staff We will process your personal data if you apply for a job at NMC Healthcare Group. This includes all phases of the recruitment process including shortlisting, assessment, and interview, and offers of a position made to successful candidates. Contract
We need to process your personal data to take steps to enter into a contract of employment with you.
17. Recruiting new staff: processing your application We may use external vendors to provide cloud-based video interviewing, assessment, and scheduling services. NMC Healthcare Group currently has currently engaged HireVue Inc. to provide these services. You can learn more about them by reading their privacy policy. Legitimate Interests It is within our legitimate business interests to employ increasingly efficient processes and technology when searching for and assessing new talent to join our business provided that our interests are not overridden by your interests. Please note that you have the right to object to processing based on legitimate interest.

Please see Section Your Rights, Right to Object to the Processing of Your Personal Information for more details.

18. Vetting and onboarding new business partners and vendors Before engaging with new suppliers, vendors, or business partners, it is NMC Healthcare Group’s policy to conduct appropriate due diligence to ensure that we know who we are doing business with. These checks may require us to process personal data belonging to board directors, officers or other employees of these companies or organisations. Legitimate Interests
It is in our legitimate business interest to use your personal data to conduct proper due diligence before we engage in any business venture with you or your organisation, provided that these interests are not overridden by your own interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section Your Rights, Right to Object to the Processing of Your Personal Information for more details.

19. Marketing We may use your personal data to bring information about our services and products. This may include contact information you have given us to contact you by phone, by email, SMS, or other messaging platform you agree to. Consent We will only contact you if you consent to us doing so and have not withdrawn that consent.

You can withdraw your consent at any time. Please see Section Your Rights, Right to Object to How We Use Your Personal Information for Direct Marketing Purposes and the Right to Withdraw Your Consent for more information.

Explicit consent You can withdraw your consent at any time. Please see Section Your Rights, Right to Object to How We Use Your Personal Information for Direct Marketing Purposes and the Right to Withdraw Your Consent for more information.
20. Law enforcement requests There may be times when we are required to provide the personal data of our patients or employees to law enforcement agencies such as the police, public health authorities and others. We will cooperate with these agencies when we receive such requests. Legal Obligation
In these situations, we are compelled to process your personal data to comply with a legal obligation to which we are subject.
Legal Obligation
The exercise of a function or requirement conferred on a person by Applicable Law
21. Appointment bookings In order for us to book your appointment we must process your personal and health information. Contract We must process your personal information to enter a contract with you if you are our new patient or fulfil our contractual obligations if you are our existing patient.

You are required to provide personal data in order to enter or perform our contract with you. If you do not provide us with your personal data, we will be unable to perform our contract with you.

Performance of Contract Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
22. Processing for financial and accounting purposes Analysis of financial results, internal and external audit requirements, receiving professional advice (e.g., tax, financial, legal, or public relations advice) Legitimate Interests
It is in our legitimate business interest to use your personal data conduct to, where necessary, conduct internal audits, consult with public relations experts and other experts to maintain efficient and effective operations, provided that these interests are not overridden by your own interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section “Your Rights”, “Right to Object to the Processing of Your Personal Information” for more details.

Public Interest
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
23. CCTV Recordings Storing and reviewing CCTV images is necessary to maintain our facilities safe Legal Obligation To comply with our legal and regulatory obligations to maintain safe and secure premises for visitors to our premises and our employees.
24. Managing our accounting records We need to maintain our accounting records Legal Obligation
To comply with relevant financial accounting and tax requirements.
25. Keeping your records We need to keep your medical records to comply with relevant laws Legal Obligation To comply with laws regulating the duration of storage of medical records. Legal Obligation The exercise of a function or requirement conferred on a person by Applicable Law.
26. Incident Reporting You can always reach out to NMC and report a complaint Legitimate Interest
It is in our legitimate interest to know about incidents that happen within our hospitals provided that these interests are not overridden by your own interests.

Please note that you have the right to object to processing based on legitimate interest. Please see Section “Your Rights”, “Right to Object to the Processing of Your Personal Information” for more details.

Public Interest
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
27. Communicating with embassies and agencies about your treatment Sometimes NMC AssetCo will need to communicate with your home country’s embassy or an agency about your treatment. Contract We need to process your personal and health data to enter a contract with you Performance of Contract Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
28. Occupational health We need to process your personal information in order to assess your work capacity, whether you can perform the specific work or perform other employment related health service Contract
We need to process your personal and health data to perform our healthcare contract with you and provide you with requested services
Health Purposes
Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of health care systems or services or pursuant to a contract with a health professional provided that Processing is by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality
29. Sharing your data with Health Information Exchange in Dubai, Sharjah, Ras Al Khaimah, Umm Al Quwain, Fujairah Where you give us your consent, we can share your personal and health information with the Health Information Exchange. By doing so all healthcare providers involved in your treatment can access your information. Consent Please note that for us to share your personal and health data with HIE systems in Dubai, Sharjah, Ras Al Khaimah, Umm Al Quwain, Fujairah, we need your consent.

You can withdraw your consent at any time. Please see Section “Your Rights”, “Right to Object to the Processing of Your Personal Information” for more details.

Explicit consent You can withdraw your consent at any time. Please see Section “Your Rights”,”Right to Object to the Processing of Your Personal Information” for more details.
30. Sharing your data with Abu Dhabi Health Information Exchange Where you give us your consent, we can share your personal and health information with the Health Information Exchange. By doing so all healthcare providers involved in your treatment can access your information. However, even if we do not receive your consent, we must share your personal and health information with Abu Dhabi Health Information Exchange. Legal Obligation
We need to share your personal data with Abu Dhabi Health Information Exchange platform as a legal requirement.
Legal Obligation
The exercise of a function or requirement conferred on a person by Applicable Law

 

 

Opting Out of Processing

We will do our best let you know in advance what will happen to your personal data. We will not use your personal data for a purpose that is materially different from the purposes listed in this Privacy Statement. In order to assess whether the new purpose(s) are materially different we will carry out a so-called compatibility test to assess whether the new purposes is compatible with the old one and inform you of the new purpose.

Third-Party Processing and Transfers Outside of ADGM

We may share your personal data with third parties to provide you with the best healthcare services and experiences possible, to run our business more efficiently, or to comply with the law. These entities might be other healthcare providers, laboratories, service providers such as technology or manpower providers, government agencies, authorities, and regulatory bodies. These may also include embassies, insurance companies, your employers, organisations that help us run our business such as consultancy firms, talent acquisition agencies, entities within NMC group and similar. These third parties may be independent or join data controllers or processors with whom we share your personal data for the following reasons:

If you are our patient,

to:

  1. refer you to other specialist healthcare providers.
  2. provide you with diagnostic testing and imaging services.
  3. send you information about our services and products.
  4. store your data.
  5. provide you with requested service.
  6. run our business.

If you are our business partner,

to:

  1. run our enterprise resource planning systems such as procurement systems.
  2. provide other general IT services.

If you are applying for a job at NMC,

to:

  1. make use of technology platforms for recruitment purposes such as to conduct video interviews.
  2. facilitate the candidate selection process.

Before transferring your personal data to any third party, we will carry out proper due diligence and, where possible, will ensure that we enter into an appropriate agreement with them. The agreement will clearly set out the respective roles of each Controller to the agreement or will instruct Data Processors on the purposes for which they can process the personal data, as well as the standards they must adhere to.

Where we transfer personal data to another jurisdiction, we use appropriate safeguards such as contractual clauses adopted by the ADGM Commissioner of Data Protection. This will not however be necessary if the transfer is necessary to enable a contract between you and the recipient Controller to be performed or when you have asked us to take steps to enable you to enter into such a contract.

Retention of Personal Data

We follow all applicable laws governing the retention of your data and will not keep it in an identifiable format for longer than reasonably necessary.

We retain the data we collect from you for different periods depending what is required by law, on your preferences, where applicable, and the purposes we use it for. The personal data that we retain falls into the following categories:

  1.  Information we keep for periods set by law such as UAE Federal Law No. 2 of 2019 which requires patient health data to be stored for at least 25 years.
  2. Information retained until you remove it – we keep this data until you ask us to delete it. Types of information included in this category are contact details used for marketing or research purposes, information we hold about you for recruitment purposes, etc.
  3. Non-health information retained for specific business or legal purposes. For example, when we process a payment to or from you, we will retain this data for periods that may be required for tax or accounting purposes. Examples of this include:

 

  1. Financial information: such as invoices, receipts to enable us to maintain proper accounts and tax records.
  2. Insurance information: such as your insurance claims and related records to ensure that your accounts are settled and that we maintain proper accounting records.
  3. Incident Reports: we may retain your personal data for quality assurance purposes set by local regulations.
Your Rights

You may have certain legal rights regarding your personal information depending upon the jurisdiction in which you are located or how we interact with you. You can exercise your rights by sending an email to the NMC Healthcare Group Data Protection Officer at dpo@nmc.ae. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information to fulfil your request.

You can learn more about these rights here.

Subject to the terms of this Privacy Statement you have the right to:

To access your personal information.

You have the right to request that we provide you with a copy of your personal information that we hold, and you have the right to be informed of,

  1. (a) the purposes of the processing and the categories of personal data being processed;
  2. who will receive the personal data;
  3. where possible, how long we expect to keep the personal data, and if not possible, the criteria we use to determine that period;
  4. where the Personal Data was not collected from you, any available information as to its source; and
  5. the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

     

To lodge a complaint with us.

We will receive and handle your complaints in accordance with best practice and depending on where you are and whether we are subject to it, any applicable law.

Right to rectify or erase personal information.

You have the right to ask us to rectify inaccurate personal information we have collected from you where it is technically feasible for us to do so. In so doing, we may however take steps verify the accuracy of the personal information before rectifying it.
You can also ask us to erase your personal information in limited circumstances where:

  1.  it is no longer needed for the purposes for which it was collected; or
  2. you have withdrawn your consent (where the data processing was based on consent); or
  3. following a successful exercise of the right to object; or
  4. it has been processed unlawfully; or
  5. to comply with a legal obligation to which NMC Healthcare Group is subject; or
  6. for the establishment, exercise, or defence of legal claims.

Right to restrict the processing of your personal information.

You can ask us to restrict your personal information, but only where:

  1. its accuracy is contested, to allow us to verify its accuracy; or
  2. the processing is unlawful, but you do not want it erased; or
  3. it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  4. you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

  1. we have your consent; or
  2. to establish, exercise or defend legal claims; or
  3. to protect the rights of another natural or legal person.

Right to transfer your personal information.

You can ask us to give your personal information to you in a structured, commonly used, machine-readable format. You can also ask to have it transferred directly to another data controller, but in each case only where:

  1. the processing is based on your consent or on the performance of a contract with you; and
  2. the processing is carried out by automated means.

Right to object to the processing of your personal information.

You can object to any processing, including profiling, of your personal information which has our legitimate interests as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. This can be done at any time.

If you raise an objection, we have the option to demonstrate that we have compelling legitimate interests which override your rights and freedoms or that processing is necessary for the establishment, exercise, or defence of legal claims. Where we cannot do this, we will cease to process your personal data.

Where your personal Data is Processed for archiving and research purposes, you have the right to object to having your personal data processed, unless it is necessary to perform a task we are carrying out for reasons of public interest.

Right to object to how we use your personal information for direct marketing purposes.

You can request that we change the way we contact you for marketing purposes. See Right to withdraw consent Section for more information on withdrawing consent.

You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.

Right to withdraw consent.

You can withdraw your consent at any time. The withdrawal of Consent will not affect the lawfulness of processing based on consent before it was withdrawn.

Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction.

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the ADGM or for any other restricted transfer. We may redact data transfer agreements to protect commercial terms.

Right to lodge a complaint with your local supervisory authority.

Where your personal data is processed by a member of NMC Healthcare Group that is registered within the ADGM, you also have the right to lodge any complaints or concerns regarding the use of their personal data with the ADGM Commissioner for Data Protection (both health and non-health personal data) the local data protection authority at data.protection@adgm.com

Verifying your identity

Where you decide to exercise any of these rights, we may request additional information from you to help us verify your identity or to confirm that you have given authority to another person to exercise these rights on your behalf.
We do however reserve the right not to restrict access to your information or to limit your rights (e.g., if such disclosure is prohibited by law or if the rights of another individual might be violated). In some instances, this may mean that we are able to retain your personal data even if you withdraw your consent. Please contact the Data Protection Officer at dpo@nmc.ae for more information about your rights or to exercise any of them.

Conflicts between Law and this Privacy Statement

If there is a conflict between this Privacy Statement and an applicable law, applicable law will apply to you. We will determine whether there is a conflict, so you do not have to.

Impact of Automated Decisions

We will not make any decision, policy, or assessment that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Getting in Touch With Us

Your main point of contact for all issues arising from the use of your personal data, is the NMC Healthcare Group Data Protection Officer. The Data Protection Officer can be contacted in the following ways:

By email:

dpo@nmc.ae

By Post:

The Data Protection Officer,
NMC AssetCo,
10th Floor,
Al Ain Tower,
Khalidiya,
Abu Dhabi, UAE.
If you have any questions, concerns, or complaints regarding our compliance with this Privacy Statement and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by data protection laws.

Restriction on Children’s Information

We do not knowingly collect personal data online directly from individuals under the age of 18 years. Adults who interact with NMC Healthcare Group should ensure that they have proper authority to transfer personal data belonging to children to NMC Healthcare Group (under 18 years). This means that the adult must either be the parent of the child in question or the legally recognised guardian.

 

Transferring Your Data Within NMC Healthcare Group

We will transfer your personal data to other entities within the NMC Healthcare Group where necessary.

Patients

If you are a patient, the facility where you had your initial consultation, we may share your personal data (including health data) with other NMC Healthcare Group facilities in certain circumstances and for specific purposes that are related to the delivery of health care services to you. These may include:

  1. To refer your medical case to a more appropriate facility.
  2. To refer your medical case to a more specialised or experienced healthcare professional within our extensive network.
  3. To enable you pick up pharmacy prescriptions.
  4. At your request, and with your consent, to enable you use any of our optional ancillary health care services using our Cosmetic Surgery or IVF providers.

Data Controller vs Data Processor
In most cases, your data will be accessed by the corresponding health provider through NMC Healthcare Group’s Health Information system. Both will be Joint Controllers with joint responsibility for processing your data. NMC AssetCo is a joint Controller for all the processing activities, outlined in section on ‘How we Use Your Personal Data’ above. NMC AssetCo will be responsible for facilitating the exercise of data subjects’ rights and will serve as a primary point of contact.

Definitions

“Personal data”, “personal information”, or “PII” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly — in particular, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

“Special Categories of Personal Data” refers to personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health or sexual orientation.

“Sensitive personal data” either indicates “special categories” (see above) or is personal data of which the sensitivity level has been assessed and classified, indicating potential severe impact on an individual when confidentiality of such data is breached.

“Anonymised” is the deletion or changing of personal data in such a way that it can no longer be foreseeably assigned to a certain or ascertainable individual or only with a disproportionately high effort in terms of time, cost, and work.

“Consent” is any freely given, specific and transparently, unambiguous, well-informed indication of the will of the individual, whereby the individual agrees that his or her personal data may be processed. Particular requirements about consent can arise from the respective national laws. Where possible, consent is obtained in an explicit manner (unambiguously).

“NMC Healthcare Group” means, NMC OpCo Ltd and its subsidiaries. Click here for a detailed listing.

“NMC Healthcare Facility” means, a facility that is providing healthcare services such a hospital, clinic and similar.

NMC Healthcare Group Company Directory

NMC Healthcare Group comprises the following companies
ADGM Registered Entities

Company Name Company Number Country
Bait Al Shifaa Pharmacy Ltd 000004236 UAE
Eve Fertility Center Ltd 000004206 UAE
Fakih IVF Fertility Center Ltd 000004224 UAE
Fakih IVF Ltd 000004220 UAE
Fakih Reproductive Medical Holding Ltd 000006623 UAE
Grand Hamad Pharmacy Ltd 000004238 UAE
Hamad Pharmacy Ltd 000004209 UAE
New Medical Centre Ltd 000004214 UAE
New Medical Centre Ltd 000004216 UAE
New Medical Centre Pharmacy Ltd 000004253 UAE
New Medical Centre Pharmacy Ltd 000004255 UAE
New Medical Centre Speciality Hospital Ltd 000004228 UAE
New Medical Centre Trading Ltd 000004218 UAE
New Pharmacy Company Ltd 000004230 UAE
New Sunny Medical Centre Ltd 000004202 UAE
NMC Assetco Limited 000006769 UAE
NMC Family Medical Centre Ltd 000004242 UAE
NMC Healthcare Ltd (In Administration) 000004210 UAE
NMC Holdco SPV Ltd 000005914 UAE
NMC Holding Ltd 000004211 UAE
NMC Newco SPV Limited 000006553 UAE
NMC Opco Ltd 000005918 UAE
NMC Provita International Medical Center Ltd 000004240 UAE
NMC Royal Family Medical Centre Ltd 000004243 UAE
NMC Royal Hospital Ltd 000004225 UAE
NMC Royal Hospital Ltd 000004245 UAE
NMC Royal Hospital Ltd 000004237 UAE
NMC Royal Medical Centre Ltd 000004197 UAE
NMC Royal Women’s Hospital Ltd 000004235 UAE
NMC Speciality Hospital Ltd 000004217 UAE
NMC Speciality Hospital Ltd 000004241 UAE
NMC Trading Ltd 000004233 UAE
Reliance Information Technology Ltd 000004234 UAE
Sharjah Pharmacy Ltd 000004239 UAE
Sunny Al Buhairah Medical Centre Ltd 000004199 UAE
Sunny Al Nahda Medical Centre Ltd 000004232 UAE
Sunny Dental Centre Ltd 000004198 UAE
Sunny Halwan Speciality Medical Centre Ltd 000004204 UAE
Sunny Maysloon Speciality Medical Centre Ltd 000004205 UAE
Sunny Medical Centre Ltd 000004231 UAE
Sunny Sharqan Medical Centre Ltd 000004203 UAE
Sunny Specialty Medical Centre Ltd 000004200 UAE

 

Non-ADGM Registered Entities

Company Name Company Number Country
Al Seha Al Kubra Pharmacy LLC 742464 UAE
Alpha Care Pharmacy LLC CN-2202520 UAE
Alpha Medical Center LLC CN-1034169 UAE
Amala Medical Center LLC 635023 UAE
Americare LLC CN-1514123 UAE
Bareen International Hospital CN-1471391 UAE
Bareen Pharmacy CN-1472890 UAE
Bright Point Pharmacy LLC CN-1795337 UAE
Centurion Medical Facilities Management Group LLC CN-2182569 UAE
Cosmesurge & Emirates Clinics for One Day Surgery LLC CN-1045650 UAE
Cosmesurge Clinics LLC, Conrad 509266 UAE
Cosmesurge Investment LLC 801368 UAE
Cosmesurge Plastic Surgery Hospital And Clinics L.L.C 785984 UAE
Cosmesurge Zakher Medical Center LLC CN-2108872 UAE
Cytomed Middle East LLC (Sharjah) 525053 UAE
Fajar Alsatwa Pharmacy LLC 797745 UAE
Fakih Medical Center L.L.C CN-1660157 UAE
Fakih Medical Center Pharmacy LLC CN-2235922 UAE
Family Clinic (Br. Of Oxford Medical Centre LLC), Satwa 116968 UAE
Golden Sands Medical Center LLC CN-1023217 UAE
Hamad Al Ihterafeya Pharmacy L.L.C 751424 UAE
Hamad Al Mumayazah Pharmacy LLC 744681 UAE
Hamad Al Oula Pharmacy LLC 747559 UAE
Lotus Pharmacy LLC CN-1766692 UAE
Medical Specialty Center LLC CN-1037153 UAE
Mesk Al Madina Medical Centre L.L.C CN-1778982 UAE
NMC Medical Professional Training Centre LLC CN-2417299 UAE
NMC Pharmacy CN-1100258 UAE
NMC Provita Medical Storehouse LLC CN-2761983 UAE
NMC Real Estate-Sole Proprietorship LLC CN-2278435 UAE
NMC Royal Dental Centre Opc (Rak) 38678 UAE
NMC Royal First Aid Clinic LLC CN-2391784 UAE
NMC Royal Medical Center Opc Rak) 21518 UAE
NMC Royal Pharmacy LLC Opc(Rak) 21669 UAE
NMC Wholesale Drug Store And Supplies L.L.C. CN-4825376 UAE
Oxford Medical Center LLC CN-1079694 UAE
Oxford Pharmacy LLC CN-1087009 UAE
Poly Clinic Aesthetic Dermatology Plastic Surgery Dental LLC CN-1027668 UAE
Reaya Mumayaza Specialized for Medical Home Care LLC CN-2157940 UAE
Royal Arsom Wellness Centre LLC CN-2217742 UAE
Sands Pharmacy LLC CN-1024388 UAE
The American Surgecenter LLC CN-1074061 UAE
The American Surgecenter Pharmacy LLC CN-1077415 UAE
Zanbaq Al Madina Pharmacy L.L.C CN-2030045 UAE

 

Policy Reference Number: NMC/DS/E&C/016/01