Privacy Notice

1. Purpose:

• 1.1 To describe how Bascom Palmer Eye Institute Abu Dhabi (BPEI-AD) collects, uses, processes, and discloses the data of our patients and Website users in compliance with UAE Federal Decree-Law No. 45 of 2021 (PDPL) and the standards of the Department of Health – Abu Dhabi (DOH) and ADHICS-compliant security measures.

2. Applicability:

• 2.1. These Terms apply to all patients and people who access or use BPEI Website.
• 2.2. This policy applies to information we collect:
  • 2.2.1. On this Website.
  • 2.2.2. In email, text, and other electronic messages between you and this Website or its employees or representatives (including communications through the Contact Us tab).
  • 2.2.3. Through mobile and desktop applications you download from this Website, which provide dedicated non-browser-based interaction between you and this Website.
• 2.3. It does not apply to information collected by:
  • 2.3.1 Us offline or through any other means, including on any other website operated by BPEI-AD or any third party [ (including our affiliates and subsidiaries)]; or
  • 2.3.2. Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from [or on] the Website.
• 2.4. By using the Website, you agree to the collection and use of information in accordance with this Policy.
• 2.5. We reserve the right to change this Policy at any given time, if the change was material; you will be promptly updated if you approved receiving notifications from our Website. If you want to make sure that you are up to date with the latest changes, we advise you to frequently visit this page. Please note that your continued use of the Website after we post any modifications to the Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policy.

3. Abbreviations and Definitions:

• 3.1 BPEI: Bascom Palmer Eye Institute

  Document Title	Code No.	Revision Number	Date Developed	Revision Date	Next revision Date
  Privacy policy for the website	BPEI POL MRK 001	00	Oct-25	Oct-25	Oct-27

• 3.2 BPEI-AD: Bascom Palmer Eye Institute Abu Dhabi (“BPEI-AD,” “we,” “us”)
• 3.3 Data Controller: BPEI-AD is the Data Controller for data processed under this policy.
• 3.4 DOH: Department of Health – Abu Dhabi
• 3.5 DPO: Data Protection Officer
• 3.6 Malaffi: Abu Dhabi Health Information Exchange
• 3.7 MOHAP: Ministry of Health and Prevention
• 3.8 PDPL: UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data
• 3.9 ADHICS v2 (2024) – Abu Dhabi Healthcare Information and Cyber Security Standard
• 3.10. Personal Data: Any data relating to an identified or identifiable natural person
• 3.11. Processing: Any operation performed on Personal Data, such as collection, storage, use, or disclosure.
• 3.12. Sensitive Personal Data: Any data that directly or indirectly reveals a person’s family, racial or ethnic origin, political opinions, religious beliefs, criminal record, or any data related to their health, biometric, or genetic data.
• 3.13. Website: this website [https://www.bascompalmer.ae/]

4. Policy/Guideline:

• 4.1 Introduction
  Bascom Palmer Eye Institute Abu Dhabi (“BPEI-AD,” “we,” “us”) is committed to protecting the privacy and confidentiality of our patients and Website users.
• 4.2 Data We Collect
  We may collect the following types of data:
  • 4.2.1. Data You Provide: Name, email address, phone number, date of birth, and other information you submit through our contact forms or appointment request forms.
  • 4.2.2. Patient Health Information (Sensitive Personal Data): During the provision of medical services, we collect your medical history, test results, diagnoses, and treatment plans. This data is subject to the highest level of protection.
  • 4.2.3. Technical & Usage Data: IP address, browser type, operating system, and data on how you interact with our website (e.g., pages visited). We collect these using cookies and similar technologies (see Section 4.9).
• 4.3. Lawful Basis for Processing
  We only process your data when we have a lawful basis to do so:
  • 4.3.1. Explicit Consent: For processing your Sensitive Personal Data (health information) for medical treatment, we will obtain your explicit, clear, and unambiguous consent, as required by the PDPL. By using this website and clicking (TBD) your consent is assumed granted to all other Personal Data.
  • 4.3.2. Contractual Necessity: To provide you with the medical services you have requested.
  • 4.3.3. Legal Obligation: To comply with our legal and regulatory obligations, such as mandatory reporting to the DOH or MOHAP, and participating in the Abu Dhabi Health Information Exchange (Malaffi).
  • 4.3.4. Legitimate Interest: For non-sensitive data, such as improving our website analytics or for marketing communications (where you have not opted out).
• 4.4. How We Use Your Data
  • 4.4.1. To provide medical services, diagnosis, and treatment.

    Document Title	Code No.	Revision Number	Date Developed	Revision Date	Next revision Date
    Privacy policy for the website	BPEI POL MRK 001	00	Oct-25	Oct-25	Oct-27

  • 4.4.2. To schedule appointments and communicate with you about your care.
  • 4.4.3. To process payments and manage insurance claims.
  • 4.4.4. To comply with legal, regulatory, and reporting requirements (e.g., DOH, Malaffi).
  • 4.4.5. To improve our website, services, and patient experience.
  • 4.4.6. For marketing and communication purposes, subject to your consent where required by law.
• 4.5. Data Sharing and Disclosure
  We do not sell your Personal Data. We may share your data with:
  • 4.5.1. Healthcare professionals (doctors, nurses) are involved in your treatment.
  • 4.5.2. Insurance providers for billing and claims.
  • 4.5.3. The Abu Dhabi Health Information Exchange (Malaffi), as required by DOH.
  • 4.5.4. Regulatory authorities (DOH, MOHAP) as required by law.
  • 4.5.5. Third-party service providers (e.g., IT systems, analytics partners) who are contractually bound to protect your data and comply with the PDPL.
  • 4.5.6. International Data Transfers: We may transfer Personal Data to parties outside the UAE (e.g., our partners in the United States) only after we (BPEI-AD) have obtained approval from the UAE Data Office and ensured the recipient country provides an adequate level of data protection as required by the PDPL.
• 4.6. Data Securitye
  We have implemented appropriate technical, administrative, and physical security measures to protect your Personal Data from unauthorized access, use, or disclosure. Please note, however, that transmission of information via the internet is not completely secure. While we strive to protect your Personal Information, we cannot guarantee the absolute security of information transmitted to or from our website. Once received, we apply strict security controls and procedures to prevent unauthorized access or disclosure.
  We also encourage users to maintain appropriate cybersecurity practices, such as using up-to-date antivirus and security software on their devices.
• 4.7. Data Retention
  We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations.
  Medical records are retained in accordance with the DOH’s retention schedules.
• 4.8. Cookies and Tracking Technologies (For Social Media like Meta Business Suite) Our website uses “cookies” and similar technologies (like the Meta Pixel) to collect Technical & Usage Data. This helps us:
  • – Analyze website traffic and performance.
  • – Understand user behavior to improve our services.

    Document Title	Code No.	Revision Number	Date Developed	Revision Date	Next revision Date
    Privacy policy for the website	BPEI POL MRK 001	00	Oct-25	Oct-25	Oct-27

  • – Deliver targeted advertising about our services on other platforms (like Meta).
  You can manage your cookie preferences through your browser settings. For more information on how to manage cookies across different browsers, you can visit allaboutcookies.org.
• 4.9. Your Data Protection Rights
  Under the PDPL, you have the right to:
  • 4.9.1. Access your Personal Data.
  • 4.9.2. Request correction of inaccurate or incomplete data.
  • 4.9.3. Withdraw your consent at any time (this will not affect the lawfulness of processing done before withdrawal).
  • 4.9.4. Request the erasure (“right to be forgotten”) of your data, subject to our legal and medical record-keeping obligations.
  • 4.9.5. Restrict or object to certain types of processing.
  • 4.9.6. Lodge a complaint with the UAE Data Office if you believe your rights have been violated.
• 4.10. Policy Updates
  We update this Privacy Policy every 2 yearswhenever is necessary as explained above. The “Revision Date” at the top of this policy will indicate the latest revision.

5. Procedures and Responsibility:

• 5.1. The Data Protection Officer (DPO) is responsible for overseeing questions and requests related to this policy.
• 5.2. The web development team (currently Red Berries) is responsible for designing and implementing the Cookie Consent Tool.

6. Department / Committee Involved in Policy Development / Revision

• 6.1. Owner – Marketing
• 6.2. Committee – Information Security Governance Committee
• 6.3. Department Involved – IT

7. References

• 7.1. UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
• 7.2. ADHICS v2 (2024) – Abu Dhabi Healthcare Information and Cyber Security Standard
• 7.3. https://allaboutcookies.org/

8. Attachments/Tools:

• 8.1. Cookie Consent Tool

9. Amendments:

10. Approval: