Data Processing Addendum
Last updated: January 2025
1. Introduction
This Data Processing Addendum ("DPA") forms part of the engagement agreement ("Agreement") between:
- (a) AURNÉ Private Advisory ("AURNÉ", "Processor"), and
- (b) The client entity or individual engaging AURNÉ ("Client", "Controller").
This DPA governs AURNÉ's processing of Personal Data on behalf of the Client and is designed to ensure compliance with applicable data protection laws, including:
- UAE Federal Decree-Law No. 45 of 2021 (PDPL)
- EU GDPR (Regulation (EU) 2016/679), where applicable
- UK GDPR, where applicable
- Relevant free zone data protection frameworks (if any)
This DPA overrides any conflicting terms in the Agreement unless explicitly stated otherwise.
2. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person.
"Processing"
Any operation performed on Personal Data, including collection, storage, transmission, and deletion.
"Controller"
The party determining the purpose and means of processing (the Client).
"Processor"
The party processing data on behalf of the Controller (AURNÉ).
"Sub-processor"
A third party engaged by AURNÉ to assist with processing Personal Data.
"Data Protection Laws"
All applicable laws relating to data protection, privacy, and processing.
3. Purpose of Processing
AURNÉ processes Personal Data solely for the purpose of providing its services, including:
- Corporate structuring & company formation
- Accounting & bookkeeping
- VAT & Corporate Tax advisory and filings
- UBO, ESR, and compliance submissions
- Regulatory support
- KYC/KYB verification
- Document management
- Client communication and administration
No processing occurs outside the scope of documented Client instructions.
4. Roles & Responsibilities
4.1 The Client (Controller) Is Responsible For:
- Determining the lawful basis for processing
- Providing accurate and lawful instructions
- Ensuring the Personal Data shared with AURNÉ is necessary and correct
- Ensuring compliance with all applicable data protection laws
4.2 AURNÉ (Processor) Is Responsible For:
- Processing Personal Data only under Client instructions
- Maintaining the confidentiality, security, and integrity of Personal Data
- Complying with UAE PDPL, GDPR (if applicable), and other laws
- Ensuring lawful handling, retention, and access control
- Notifying the Client of data breaches
5. Instructions for Processing
AURNÉ will only process Personal Data:
- As necessary to deliver contracted services
- In accordance with written or electronic Client instructions
- As required by applicable law
- For compliance obligations (AML, KYC, tax, regulatory)
If AURNÉ believes an instruction violates the law, it will notify the Client promptly.
6. Confidentiality
AURNÉ ensures that:
- All personnel accessing Personal Data are bound by confidentiality obligations
- Access is strictly limited to individuals with legitimate operational need
- Confidentiality obligations continue after termination of the Agreement
7. Security Measures
AURNÉ implements industry-standard technical and organizational security measures, including:
- Encrypted data storage and transmission
- Access controls and authentication protocols
- Role-based user permissions
- Firewalls and intrusion monitoring
- Secure cloud infrastructure
- Regular internal audits
- Data minimization and retention compliance
Upon request, AURNÉ will provide a summary of its security controls.
8. Sub-processors
8.1 Use of Sub-processors
AURNÉ may engage Sub-processors for services such as:
- Cloud hosting
- Accounting platforms
- KYC tools
- Document management systems
- Email and communication platforms
- IT security providers
All Sub-processors must sign agreements ensuring:
- Strict confidentiality
- Adequate data protection
- Compliance with UAE PDPL and GDPR (if applicable)
8.2 Client Objection Right (GDPR scenario)
For Clients subject to GDPR, AURNÉ will:
- Provide a list of Sub-processors upon request
- Allow objections where a legitimate risk is demonstrated
9. Cross-Border Data Transfers
As AURNÉ operates in the UAE, data transfers outside the EU/EEA may occur.
Transfers are made only when:
- Necessary to perform the contract
- Appropriate safeguards are in place (SCCs, encryption, access controls)
- The Client has consented or instructed the transfer
- Required by UAE law for regulatory filings
10. Assistance to Client (GDPR & PDPL Obligations)
AURNÉ will assist the Client with:
- Responding to data subject rights requests
- Conducting DPIAs (if applicable)
- Regulatory consultations
- Breach notifications
- Providing required processing information
Costs may apply for excessive, repetitive, or unreasonable requests.
11. Data Subject Rights
AURNÉ will not respond directly to EU/EEA or PDPL-based data subject requests unless authorized by the Client.
Requests received by AURNÉ will be forwarded promptly to the Client.
12. Personal Data Breach Notification
In the event of a Personal Data Breach, AURNÉ will:
- Notify the Client without undue delay
- Provide known details and remediation steps
- Cooperate with investigations
- Support Client obligations under UAE PDPL and GDPR
AURNÉ is not responsible for delays if the breach was caused by:
- Client systems
- Client negligence
- Third-party services not contracted by AURNÉ
13. Data Retention & Deletion
13.1 Retention
AURNÉ retains Personal Data as required by:
- AML/CTF mandatory retention periods (minimum 5 years)
- Tax regulations
- Corporate compliance laws
- Engagement requirements
13.2 Deletion
Upon Client request and where not prohibited by law, AURNÉ will:
- Securely delete or anonymize data
- Provide a confirmation of deletion
Deletion is restricted where UAE laws mandate retention.
14. Audits & Inspections
AURNÉ will:
- Provide supporting documentation demonstrating compliance
- Participate in remote audits where reasonable
- Not allow disruption of operations or exposure of unrelated systems
On-site audits may incur fees and require prior notice.
15. Liability
Liability under this DPA:
- Is limited to the extent permitted by law
- Cannot exceed the fees paid for the relevant service
- Does not apply to unavoidable obligations required by law
AURNÉ is not liable for Client mismanagement, inaccurate information, or misuse of processed data.
16. Term, Termination & Survival
- This DPA remains valid while the Agreement remains in force
- Upon termination, AURNÉ will return or delete Personal Data unless prohibited by law
- Confidentiality, security, and retention obligations survive termination
17. Governing Law & Jurisdiction
This DPA is governed by:
- The laws of the UAE
- GDPR where applicable
- Relevant free zone regulations, if contractually agreed
Disputes shall be resolved through UAE courts or arbitration (if specified in the Agreement).
18. Contact Information
For privacy, data protection, or DPA matters, contact:
AURNÉ Private Advisory – Data Protection Office
Email: contact@aurne.org
Phone: +971 56 497 5840 (WhatsApp)
Phone: +971 56 615 8490 (WhatsApp)
Address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.