DATA
PROTECTION
POLICY

Policy brief & purpose

Our Company Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.

With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.

Excellence Group (hereinafter referred to as the "Company") needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the services defined by our business type. Such data is collected from employees, suppliers and clients and includes (but is not limited to), name, address, email address, data of birth, identification numbers, private and confidential information, sensitive information, excluding bank/credit card details.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to processing all personal information in accordance with the various legislation including the UAE Constitution, Penal Code, Cyber Crimes Law, Civil Code and the E-Commerce Lawand any other relevant the data protection laws and codes of conduct (herein collectively referred to as "the data protection laws").

The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a 'Privacy by Design' approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.

Scope

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UAE or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

Who is covered under the Data Protection Policy?

Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.

Policy Elements

As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, financial data etc.

Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

Our data will be:

• Accurate and kept up-to-date
• Collected fairly and for lawful purposes only
• Processed by the company within its legal and moral boundaries
• Protected against any unauthorized or illegal access by internal or external parties

Our data will not be:

• Communicated informally
• Stored for more than a specified amount of time
• Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities)

In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs. Specifically we must:

• Let people know which of their data is collected
• Inform people about how we will process their data
• Inform people about who has access to their information
• Have provisions in cases of lost, corrupted or compromised data
• Allow people to request that we modify, erase, reduce or correct data contained in our databases.

Individuals have an expectation that their privacy and confidentiality will be upheld and respected whilst their data is being stored and processed by the Company. We therefore utilize several measures and tools to reduce risks and breaches for general processing. However, where processing is likely to be high risk or cause significant impact to a data subject, we utilize proportionate methods to map out and assess the impact ahead of time.

Where the Company act as the Controller and must or are considering carrying out processing that utilizes new technologies, and/or where there is a likelihood that such processing could result in a high risk to the rights and freedoms of data subjects, we always carry out a Data Protection Impact Assessment (DPIA) (sometimes referred to as a Privacy Impact Assessment).

Actions

To exercise data protection we're committed to:

• Restrict and monitor access to sensitive data
• Develop transparent data collection procedures
• Train employees in online privacy and security measures
• Build secure networks to protect online data from cyber attacks
• Establish clear procedures for reporting privacy breaches or data misuse
• Include contract clauses or communicate statements on how we handle data
• Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)

Encryption

We utilize encryption as a further risk prevention measure for securing the personal data that we hold. Encryption with a secret key is used to make data indecipherable unless decryption of the dataset is carried out using the assigned key.

Our data protection provisions will appear on our website.

Disciplinary Consequences

All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action. The general principle is that, apart from certain exceptional circumstances, disclosure or misuse of private information without consent can results in fines (which can be up to AED 1M) and imprisonment (of up to 1 year).