The Global Climate Finance Centre (“GCFC”) values the trust placed in us by our members, partners, website visitors, and other stakeholders. We are committed to safeguarding the privacy and security of Personal Data (as defined below) in accordance with the Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (the “Regulations”) and applicable UAE laws. This Privacy Policy describes how we collect, use, disclose, and protect Personal Data received through any channel, online or offline, in the course of our operations.

This Privacy Policy applies to all Personal Data processed by GCFC, including but not limited to:

• Data collected via our website (www.gcfc.com);
• Information received from members, partner organisations, consultants, and third parties; and
• Data obtained through events, surveys, subscriptions, mailing lists, and direct communications (email, phone, or in person).

This Privacy Policy does not cover Personal Data processed by third parties over which GCFC has no control.

• “Personal Data” means any information relating to an identified or identifiable individual as defined under the Regulations.
• “Processing” means any operation performed on Personal Data, whether or not by automated means.
• “Controller” means the entity that determines the purposes and means of Processing Personal Data. In this context, the Controller means GCFC.

We collect and process Personal Data in various contexts, including but not limited to:

• Identity data: Name, title, organisation, job role;
• Contact data: Email, telephone number, postal address;
• Affiliation data: Member or partner organisation details, membership status;
• Event and Engagement data: Registration details, attendance records, feedback and survey responses;
• Communications data: Correspondence via email, telephone, or other channels;
• Usage data: Website logs (IP address, browser, pages viewed), and analytics data from our digital platforms;
• Financial and Transactional data: Invoices, payment records, sponsorship details;
• Surveillance data: CCTV footage if you visit GCFC offices;
• Socio-professional background data: Education, professional, and employment history;
• Personal identification data: Nationality, residency, date and place of birth, passport numbers and other information available on copies of identification documents such as passports and ID cards; and
• Other data: Any additional information you voluntarily disclose, such as dietary preferences at events or professional interests.

• Directly from you: Through membership applications, event registrations, subscriptions, surveys, and direct communications;
• Automatically: Via cookies, analytics tools, and other tracking technologies on our website and digital platforms; and
• From third parties: Partner organizations, service providers, public records, professional directories and from service providers assisting us with website analytics or communications (e.g., Google Analytics).

We process Personal Data for the following purposes, relying on the legal bases permitted under the Regulations:

As part of any recruitment process we will collect and process the Personal Data of candidates at various stages. This includes personal details, family details, resume information, and interview records. The legal basis for Processing Personal Data is our legitimate interest in screening and evaluating candidates to work at GCFC. Information collected as part of the recruitment process will be shared with third parties on a ‘need to know’ basis, which includes but is not limited to governmental national security agencies for obtaining security clearances, immigration department for processing visas, and medical entities conducting medical checks on prospective staff.

We collect Personal Data for the purposes of receiving and assessing complaints made against us. We have in place procedures to receive, assess, and seek to resolve any formal complaints made in respect of the actions of GCFC or any of our employees in a regulatory matter. While we try to minimise Personal Data that we collect and process for this purpose, we are often required to collect a wide range of information to consider and investigate complaints we receive. That information will include Personal Data relating to the complainant and will often include Personal Data of third parties, such as other individuals involved in the matters giving rise to the complaint. Where you make a complaint to us regarding one of our employees, it may be necessary for the person handling the complaint to contact the employee in question. Although we do not explicitly ask for special categories of Personal Data in our complaints form, it is possible that such information may be included in the details of the complaint by the complainant.

Our website uses cookies. A cookie is a small piece of data that a website stores on a visitor’s computer or mobile device. We use cookies and similar technologies to enhance your experience, analyse website usage, and for marketing purposes. You can manage your cookie preferences through our cookie notice available on our website. Our website may from time to time contain links to and from other websites. This includes websites owned or controlled by third parties not controlled or authorised by GCFC. If you follow a link to any of these websites, please note that these websites have their own privacy policy, data collection practices, and security measures and we do not accept any responsibility or liability for these policies. Please ensure you check these policies before submitting any Personal Data. If you decide to access linked third parties’ websites, GCFC is not liable, nor does it control the process of collecting Personal Data under third parties’ websites.

We may disclose Personal Data to the following third parties:

• Service providers: Vendors supporting website hosting, payment processing, event management, and communications.
• Members and partners: For joint initiatives, event co-organization, network activities, and under confidentiality agreements.
• Regulatory authorities and legal advisors: When required to comply with the Regulations and applicable laws or to protect our rights.

Where we share Personal Data with such parties, we do our best to ensure that the recipients provide equivalent safeguards to those required under the Regulations, but we do not accept any liability for any breach of those equivalent safeguards.

Where Personal Data is transferred outside of the ADGM or the UAE, we put in place appropriate safeguards such as standard contractual clauses approved by the Office of Data Protection (the “ODP”) or rely on adequacy decisions.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, or reporting requirements. Our retention periods are as follows:

After the retention period, Personal Data is securely deleted or irreversibly anonymized.

Under the Regulations, individuals have rights to:

• Access and obtain a copy of their Personal Data;
• Rectify inaccurate or incomplete information;
• Erase their Personal Data i.e., the right to be forgotten;
• Restrict or object to Processing;
• Port data to another Controller other than GCFC;
• Withdraw consent at any time;
• Lodge a complaint; and
• Be informed.

To exercise your rights, please contact us using the details set out in clause 17 below.

Your right of access can be exercised in accordance with the Regulations. There are circumstances where we may not be able to comply with your request, such as where we have a legal duty to retain Personal Data, or where access to Personal Data would prejudice the proper function of ADGM’s statutory duties. In addition, certain authorities are required to adhere to certain legal requirements of confidentiality.

We implement appropriate technical and organizational measures to protect Personal Data against unauthorised or unlawful Processing, accidental loss, destruction, or damage. Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. Therefore, GCFC cannot guarantee the security of any Personal Data you transmit to us over the internet, and you do so at your own risk.

If at any point you suspect or become aware of a security incident (e.g., you receive a suspicious communication from someone holding themselves out to be a GCFC employee or from an unauthorised website claiming to be affiliated with GCFC), please report the incident by email to info@gcfc.com as soon as possible.

In the event of a data breach, we will notify affected individuals and the ODP within 72 hours of becoming aware, where required by law.

We may amend this Privacy Policy from time to time to meet changes in the Regulations or business needs, or to satisfy the needs of our customers and service providers. Any changes we make to this Privacy Policy will be posted on our website and date-stamped so that you are always aware of the latest update. You should check this page from time to time to ensure you are happy with any changes.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at info@gcfc.com.