The Policy is meant for use by Royal Financials SAL (hereinafter “the Company” and/or “us” and/or “we”), data subjects and relevant authorities.
Royal Financials SAL is a Lebanese Joint-Stock Company formed under the laws of the Republic of Lebanon, registered before the Beirut commercial registry under number 1009065, licensed as a Financial Brokerage Firm and listed under number 15 on the list of Financial brokerage firms published by the CMA and. Royal Financials SAL is headquartered at Berytus Parks Bldg. Block A, 1st floor, Park Avenue Street, Mina El Hosn, Beirut Central District, Lebanon (hereinafter, “Royal”).
This policy aims to provide data subjects and the relevant authorities with information on what type of information is collected, how it is used and the circumstances where it could be shared with third parties.
It is possible to use our website without having to provide any personal data. However, if a visitor wishes to have access to some specific services offered by Royal, the processing of personal data may become necessary.
The present privacy statement and/or policy:
Throughout this privacy statement, the data related to data subjects may be called either “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting and storing the data subjects’ personal data or any such action as “processing” such personal data.
For the purposes of this statement, personal data shall mean any information relating to the data subject which identifies or may identify the data subject, and which includes, for example, their name, address and identification number.
The processing of personal data, such as a data subject's name, address, email address or telephone number, shall always be in line with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to Royal. The aim of our organization’s data protection statement is to inform the general public of the nature, scope and purpose of the personal data we collect, use and process. This data protection statement also informs data subjects of the rights to which they are entitled. As data controller, Royal has implemented numerous technical and organizational measures to ensure that personal data processed via its website enjoy the most comprehensive protection possible. However, due to fundamental gaps in the security of data sent over the internet, complete protection cannot be guaranteed. Therefore, data subjects are free to choose alternative means (e.g. the telephone) by which to transfer personal data to us.
Royal’s data protection policy uses the terms adopted by the European legislator for the purposes of the General Data Protection Regulation (GDPR). To ensure that our data protection statement is readable and easily understood by the general public, we would like to start by providing definitions for the terms used.
This data protection statement includes use of the following terms:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose data are processed by the data controller. Data subjects include former, existing and potential clients, in addition to any visitors of the Company’s website.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
f) Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or data controller
Controller or data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient means a natural or legal person, public authority, agency or other body, to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
k) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.
The Company shall collect the information necessary to fulfil its legal and regulatory obligations for the provision of services and to improve its service to the data subject.
Royal collects a range of general data and other information each time a data subject or automated system accesses its website. The general data and information collected are stored in our server’s log files. Data collected may include (1) the type and version of the browser used, (2) the accessing system's operating system, (3) the website from which the accessing system reaches our website (referrers), (4) the subsites accessed by an accessing system, (5) the date and time at which our website is accessed, (6) the IP address, (7) the accessing system’s internet service provider, and (8) any other data and information that may need to be used in the event of attacks on our IT system.
The data subject is responsible for providing true and accurate information and for keeping us informed of any changes in their personal information or circumstances by emailing us at firstname.lastname@example.org.
We are required to evaluate the appropriateness of the financial instruments and suitability based on three basic parameters:
The data subject’s experience in dealing in complex and non-complex financial instruments, especially their investment and risk attitude as they relate to such financial instruments.
The following is an example of personal data that is required from the data subject:
The personal data is used for specific, explicit and legitimate purposes and only as required to provide quality service to the data subject and to comply with applicable legislation as referred to above.
The personal data collected from the data subject is used to verify their identity, to construct their economic and investment profile in order to ensure that we provide the data subject with products and services suitable to their requirements, knowledge and risk appetite, to manage their account with us, to process their transactions, to provide the data subject with post-transaction information, to inform the data subject of additional products and/or services relevant to the data subject’s economic profile, to produce analysis and statistical data which will help us improve our products and services, and for website improvement purposes. These are necessary for the entry into or performance of the contract that is signed between the company and the data subject. We will carry out regular checks to ensure that our systems are working as intended.
The Company needs to perform its due diligence measures and apply the principles of KYC (Know-Your-Client) before entering a client relationship in order to prevent actions such as money laundering or terrorist financing, and also to perform other duties imposed by law. Therefore, we collect from our clients identity verification information (such as images of the client’s government-issued national ID card, international passport, driving license or other government-issued proof of identification, as permitted by applicable laws) or other authentication information. We also request that our clients provide us with a recent utility bill in order to verify their address. Further to this, the Company can use third parties which carry out identity checks on its behalf.
There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements. There are also various supervisory authorities whose laws and regulations we are subject to.
Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.
These include, amongst others, transaction reporting requirements, assessment of the clients’ knowledge and experience, and FATCA and CRS reporting.
We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use the data subject’s information. But even then, it must not unfairly go against what is right and best for the data subject. Examples of such processing activities include:
The Company may use the data subject’s data, such as location or trading history, to deliver any news, analysis, research, reports, campaigns and training opportunities that may interest the data subject, to their registered email address. The data subject always has the right to change their option if they no longer wish to receive such communications.
We are also obligated to regularly report to the respective authorities on the market share products and the services held by client groups, as well as other financial figures.
The company, and any undertakings being a member of our group, agents which we engage with for the purpose of collecting, storing and processing personal data and any third parties acting on our or their behalf, may collect, process and store personal data provided by the data subject.
The company may also use authorized external processors for client data processing, based on concluded service agreements, which are governed by instructions from our company for the protection of client-related data. The contract is important so that both parties understand their responsibilities and liabilities.
Third parties will not promote our services or products, or provide information to clients or potential clients regarding the investment and/or ancillary services and financial instruments that we offer.
We have a regulatory obligation to supervise and effectively oversee the outsourced functions, and an obligation to take appropriate measures when we determine that the service provider is not performing the said functions effectively and in accordance with the applicable legislation.
When we are required or permitted to disclose information without consent, we will not disclose more information than necessary to fulfil the disclosure purpose.
We inform all clients that they must maintain confidentiality and not share with others their usernames and private passwords, or those provided by us. The company bears no responsibility for any unlawful or unauthorized use of clients’ personal information due to the misuse or misplacement of clients’ access codes (i.e. passwords/credentials), whether negligent or malicious, however conducted.
Royal collects these data and information to improve data protection and data security within the organization, and to monitor our customers’ behavior; we ensure thereby that the personal data we process enjoy the highest possible protection.
The Company may process the data subjects’ personal data to inform said data subject about products, services and offers that may be of interest to them. The personal data that we process for this purpose consists of information the data subject has provided us and data we collect and/or infer when the data subject uses our services, such as information on their transactions. We study all such information to form a view on what we think the data subject may need or what may interest them. In some cases, profiling is used, i.e. we process data subject’s data automatically with the aim of evaluating certain personal aspects in order to provide the data subject with targeted marketing information on products.
We can only use the data subject’s personal data to promote our products and services to them if we have their explicit consent to do so – given by clicking on the tick box in the account opening form – or in certain cases, if we consider that it is in our legitimate interest to do so.
Further, the data subject has the option to choose whether they wish to receive marketing-related emails (company news, information about campaigns, the company’s newsletter, the company’s strategic report, etc.) at their provided email address by clicking the relevant tick box in the account opening form.
The data subject has the right to object at any time to the processing of their personal data for marketing purposes or unsubscribe from the provision of marketing-related emails by the Company, by contacting our Data Protection Officer via the following email address:
The Company will keep the data subject’s personal data for as long as a business relationship exists with the relevant data subject, either as an individual or in respect of our dealings with a legal entity that the data subject is authorized to represent or of which they are a beneficial owner. Once the business relationship with the data subject has ended, we are required to keep the data for a maximum period of ten years to meet our regulatory and legal requirements.
If reasonably necessary or required to meet other legal, contractual or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep the data subjects’ data for an additional ten years, even after the above-mentioned period.
When we no longer need personal data, we securely delete or destroy it.
The data subject has the right to request copies of their personal data.
Information must be provided without delay and at the latest within one month of receipt. The company will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the data subject within one month of the receipt of the request and explain why the extension is necessary.
Can the company charge a fee for dealing with a subject access request?
We must provide a copy of the information free of charge. However, the company can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The fee, if applied, will be based on the administrative cost of providing the information.
If at any time we refuse to respond to a request, we will explain to the data subject the reason behind our decision, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
The data subject shall have the right to obtain from Royal any of the below information:
When information is provided:
The company will verify the identity of the person making the request, using reasonable means.
When should personal data be rectified?
Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.
If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the data subjects about these recipients.
We must respond within one month.
This can be extended by two months where the request for rectification is complex.
Where the company is not taking action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
The data subjects’ right to erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. Data subjects have the right to have personal data erased and to prevent processing in specific circumstances:
We have a legal obligation to obtain data on the data subject in order to meet the relevant regulatory obligations. Based on the legal obligations imposed on us, data subjects may have no right to erasure, no right to data portability and no right to object with respect to the information gathered to meet our legal obligations under our license to provide financial services.
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the data subjects about these recipients.
When does the right to restrict processing apply?
We will be required to restrict the processing of personal data in the following circumstances:
We may need to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.
If the company has disclosed the personal data in question to others, we must contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.
The company must inform the data subjects when we decide to lift a restriction on processing.
Cancellation of the initial registration - When a person cancels the registration process and does not complete it, that person’s data will not be retrieved by the company and will, therefore, not be saved for further processing in the future.
Declining the option to be contacted via phone - A data subject always has the right to request not to be contacted via telephone by the company’s representative. This request will be saved within the company’s internal systems and acts as a separate restriction which we will, of course, respect. The request not to be contacted via telephone does not prevent a data subject from using our services. Additionally, it does not restrict said data subject from contacting the company on their own initiative.
Data subjects affected by the processing of personal data shall have the right, under European law, to object, on grounds relating to their particular situation, at any time, to the processing of personal data concerning them, which would be based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.
In this case, Royal shall no longer process the personal data unless Royal can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if processing is for the establishment, exercise or defense of legal claims.
Furthermore, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Any data subject affected by the processing of personal data has the right, under European law, to withdraw consent for the processing of personal data at any time.
A data subject wishing to avail themselves of their rights to withdraw consent may do so at any time by contacting a member of staff of the data controller.
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of the data subject’s data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with the relevant data subject for data assessments (including on payment transactions) which are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for the data subject or their business. These measures may also serve to protect the data subject.
We use appropriate technical, organizational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration and destruction. Unfortunately, no company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.
Among other practices, the client’s account is protected by a password for their own privacy and security. The client should prevent unauthorized access to their account and Personal Information by selecting and protecting their password appropriately, and limiting access to their computer or device and browser by signing off after they have finished accessing their relevant account.
Transmission of information via regular email exchange is not always completely secure. The Company takes all possible actions to protect clients’ personal data, yet it cannot guarantee the security of client data that is transmitted via email; any transmission is at the clients’ own risk. Once the Company has received the client information, it will use procedures and security features in an attempt to prevent unauthorized access.
When the data subject contacts the Company by email (via the “Contact Us” page), or using the Live Chat feature, a person may be requested to provide some additional personal data, like their name or email address. Such data will be used to respond to their query and verify their identity. Emails are stored on our standard internal contact systems which are secure and cannot be accessed by unauthorized external parties.
The Company reserves the right to modify or amend this Privacy Statement unilaterally at any time in accordance with this provision.
If any changes are made to this privacy statement, we shall notify the data subject accordingly by publishing the updated policy on our website.
The revision date shown at the end of this page will also be amended. We do, however, encourage data subjects to review this privacy statement occasionally so as to always be informed about how we are processing and protecting data subjects’ information.
Our website uses small files known as cookies to enhance its functionality and improve the user experience.
The information generated by cookies as part of the pseudonymized user profile will not be used to identify users to our website and will not be linked with personal data being stored in relation to the owner of the pseudonym.
The Company will monitor on a regular basis the effectiveness of this Policy and, in particular, the execution quality of the procedures explained in the Policy and, where appropriate, it reserves the right to correct any deficiencies.
In addition, the Company will review the Policy at least annually. A review will also be carried out whenever a material change occurs that affects the ability of the Company to continue providing the best customer experience possible on a consistent basis using the venues included in this Policy.
The Company will inform its data subjects of any material change to this Policy by posting an updated version of this Policy on its Website(s).