Policy

Policies in Detail
  • Data Privacy Notice

    1. Policy Statement

    Sunshine Solutions is committed to protecting the privacy and confidentiality of personal data in compliance with the UAE Personal Data Protection Law (PDPL) and other applicable regulations. This policy ensures that individuals (data subjects) are informed about how their personal data is collected, used, stored, shared, and protected. The organization is dedicated to transparency, security, and accountability in data processing activities, ensuring that individuals' rights and freedoms are safeguarded.

    2. Purpose

    The purpose of this Data Privacy Notice Policy is to:

    • Clearly communicate how Sunshine Solutions processes personal data.

    • Ensure compliance with UAE PDPL and other applicable privacy laws.

    • Establish transparency regarding data collection, retention, and sharing practices.

    • Inform data subjects of their rights and how they can exercise them.

    • Maintain trust and confidence among customers, employees, vendors, and other stakeholders.

    3. Scope

    This policy applies to:

    • All personal data processed by Sunshine Solutions, whether collected directly or indirectly.

    • All employees, contractors, third-party service providers, and partners handling personal data.

    • Personal data collected through digital and physical means, including websites, mobile applications, and customer service interactions.

    4. Categories of Personal Data Processed

    Sunshine Solutions collects and processes personal data that includes but is not limited to:

    4.1 Customer Data

    • Name, address, email, phone number, and other contact details.

    • Financial data, such as payment details and transaction history.

    • Communication records, including email and phone interactions.

    4.2 Employee Data

    • Name, date of birth, contact information, and job details.

    • Salary, benefits, and performance records.

    • Background verification and compliance-related information.

    4.3 Vendor and Partner Data

    • Business name, registration details, and contact information.

    • Payment and contract details.

    • Performance and compliance information.

    5. Lawful Basis for Processing Personal Data

    Sunshine Solutions processes personal data on the following legal bases:

    • Consent: When explicit permission is obtained from the data subject.

    • Contractual Necessity: To fulfil contractual obligations with customers, employees, or vendors.

    • Legal Obligation: Compliance with legal and regulatory requirements.

    • Legitimate Interest: When processing is necessary for the company’s operations without infringing on the rights of data subjects.

    6. How Personal Data is Collected

    6.1 Direct Interactions

    Personal data is often collected directly from individuals when they interact with Sunshine Solutions. This occurs in various scenarios, including:

    a. Customer Inquiries

    • When individuals contact Sunshine Solutions for inquiries about services, products, or complaints, they may be required to provide their name, contact details, and relevant information to facilitate a response.

    • Communication methods include phone calls, emails, live chat, or physical visits to offices.

    b. Job Applications

    • Individuals applying for employment submit personal details, resumes, and references either through the company’s HR portal, email, or in person.

    • Background verification may also involve collecting additional details such as educational qualifications and previous employment history.

    c. Service Contracts and Agreements

    • When customers or vendors enter into a contract with Sunshine Solutions, contractual documents contain personal data such as names, addresses, bank details, and signatures.

    • Legal and compliance requirements mandate the collection of identification documents (e.g., Emirates ID, passport copies) for verification.

    • This method ensures transparency, as individuals voluntarily provide their information while engaging with Sunshine Solutions.

    6.2 Digital Platforms

    With the increasing use of technology, Sunshine Solutions collects personal data through various digital touchpoints, ensuring seamless interaction with customers, employees, and business partners.

    a. Websites

    • Personal data is collected when users fill out contact forms, service requests, or subscribe to newsletters.

    • Data may include IP addresses, browser types, and location data, used for analytical purposes and to enhance website functionality.

    • Cookies and tracking technologies may collect user preferences and browsing behaviour (with consent).

    b. Emails and Communication Systems

    • Emails sent to or received from Sunshine Solutions may contain personal data such as names, addresses, transaction details, and support requests.

    • Email interactions are securely stored and monitored for compliance, security, and customer service improvements.

    6.3 Third-Party Sources

    • Sunshine Solutions may also collect personal data from third-party sources to enhance services, conduct due diligence, or fulfil regulatory requirements. These sources include:

    a. Financial Institutions

    • Banks and financial service providers may share credit reports, transaction history, or debt-related information to support debt collection and recovery processes. Compliance with banking regulations and contractual agreements ensures responsible data handling.

    b. Business Partners and Affiliates

    • Data may be obtained from business affiliates for customer referrals, service collaborations, or shared business initiatives. This exchange of information is governed by data-sharing agreements, ensuring that privacy rights are respected.

    c. Regulatory and Government Authorities

    • Government agencies may provide access to public records or compliance-related data, particularly for identity verification, fraud prevention, or legal compliance.

    7. Purpose of Data Processing

    Sunshine Solutions processes personal data for the following purposes:

    • Providing services to customers and responding to inquiries.

    • Managing employee records and HR functions.

    • Processing payments, invoices, and financial transactions.

    • Compliance with legal and regulatory obligations.

    8. Data Retention and Storage

    • Personal data is retained only for as long as necessary to fulfil its intended purpose.

    • Data retention periods are determined based on legal, regulatory, and business requirements.

    • Secure disposal or anonymization is applied when data is no longer needed.

    9. Data Security Measures

    Sunshine Solutions implements technical and organizational measures to protect personal data, including:

    • Encryption of sensitive information.

    • Role-based access control to limit unauthorized access.

    • Regular security audits and compliance assessments.

    • Incident response mechanisms to address data breaches promptly.

    10. Sharing and Disclosure of Personal Data

    Personal data may be shared with:

    • Regulatory authorities to comply with legal obligations.

    • Third-party service providers that process data on behalf of Sunshine Solutions (under contractual agreements ensuring data protection compliance).

    • Business partners where necessary for service delivery, with appropriate safeguards.

    • We do not sell or share personal data with third parties for marketing purposes without explicit consent.

    11. Cross-Border Data Transfers

    Where personal data is transferred outside the UAE, Sunshine Solutions ensures that:

    • The destination country has adequate data protection laws.

    • Data transfer agreements include appropriate safeguards (e.g., Standard Contractual Clauses).

    • Data subjects are informed about such transfers and their rights regarding them.

    12. Data Subject Rights

    Under the UAE PDPL, individuals have the right to:

    1. Access their personal data and request a copy.

    2. Rectify inaccurate or incomplete data.

    3. Erase their personal data if no longer necessary for processing.

    4. Restrict processing under certain conditions.

    5. Object to processing based on legitimate interests.

    6. Withdraw consent for data processing where applicable.

    13. Handling Data Rights Requests

    • Requests will be acknowledged within 7 days and processed within 30 days unless exceptional circumstances apply.

    • If additional time is needed, data subjects will be informed with reasons for the delay.

    14. Personal Data Breach Notification

    In the event of a data breach:

    • Affected data subjects will be notified if the breach poses a significant risk.

    • Regulatory authorities will be informed within 72 hours of breach discovery.

    • Corrective actions will be taken to prevent future incidents.

    15. Compliance and Monitoring

    • Sunshine Solutions will conduct regular privacy audits to ensure compliance.

    • Employees will receive mandatory privacy training to enhance data protection awareness.

    • Non-compliance with this policy may result in disciplinary action or legal consequences.

    16. Review and Updates

    This policy is reviewed annually or as required by changes in legal or regulatory requirements. Updates will be communicated to all relevant stakeholders.

  • CODE OF CONDUCT

    ADDENDUM STAFF CODE OF CONDUCT
    Collection & Recovery Guidelines: Do's & Don'ts

    • Your Identity and authority to represent should be made known to the customer at the first instance.

    • Interaction with the customer should be in a civilized manner. Treat the customer with respect and never raise your voice in a communication.

    • Language is very important. Offensive language of any sort should not be used in communication (oral or written), nor should the customer be ill-treated based on nationality, religion or race. Never scream or raise your voice at the customer, and never speak to the customer in a sarcastic tone.

    • Telephone etiquette should be followed: try to attend the call within the first 3 rings; identify yourself (name and department; mention your designation if the customer enquires); do not leave any calls unattended; make sure to call back the customer if he has requested it; never keep dialing the customer's number continuously at a stretch; do not put the customer on hold for long; and never hang up or close the phone with disrespect while the customer is on the line.

    • False identity or usage of any other names, including law firms/courier firms, is forbidden. Ensure to use your own name to interact with the customers. We are not authorized to use a pseudonym/alias name while on calls with the customers.

    • In no circumstance should the collection agent misrepresent himself as a lawyer, a police official or anyone belonging to a government agency.

    • Use office recorded telephone lines only to establish contact with customers. No calls should be made to customers using personal mobile phones.

    • Personal mobile phones should not be used at any given point in time to send SMS to customers.

    • Use only approved SMS templates while sending SMS to customers; use of unauthorized SMS is prohibited.

    • Do not send innumerable or unwanted messages to the customer.

    • Usage of personal mail addresses or social networking messengers to correspond with the customers is strictly prohibited.

    • Establishing any personal relationship/advances with any customer is forbidden. We must restrict our communication strictly to business purposes only.

    • Customer’s request to avoid calls at a particular time or at a particular place should be honored as far as possible.

    • If the customer has left the company, collect all available information, update the notes and take care that the company is not contacted again and again for the same purpose.

    • While contacting customer references such as a friend, colleague or relative, treat them with respect and enquire details in a very polite manner.

    • At any given point in time we must not take money/gifts or enjoy services from any customer for personal use or benefit.

    • Ensure that cash/cheques are not collected from customers, either during visits or from walk-in customers.

    • Never deposit/transfer money in the customer's card/loan agreement or bank account from your own pocket/account. This is a breach of policy. Anyone caught doing so will face the strictest action.

    • Under no circumstances may we accept mobile balance transfers from the customers. This is not an authorized mode of payment by any bank.

    • Customer’s privacy should be respected at all times. Any information including customer liability or dues should never be disclosed to any third party including Spouse/Parents.

    • Refrain from the use of threat of violence or other criminal means to harm the reputation or property of any person.

    • Refrain from any act that results in insulting, harassing or embarrassing the customer in a public place.

    • Sharing of screenshots of any bank/customer related information on WhatsApp or email is prohibited.

    • Legal terms should be avoided outright for regular/front-end buckets, especially Bucket 1.

    • Never misguide/mislead the customer with wrong information on financials.

    • Customers should not be given any false promises/commitments on settlements/restructure, and no document should be collected from the customer without prior approval.

    • Walk-in customers should be immediately attended to, and should not be kept waiting / in custody for long hours at the reception or office premises.

    • Maintain decency and decorum while visiting a customer. Do not Harass, Misbehave or Physically Assault the customer.

    • Avoid calling customers during inappropriate occasions such as bereavement in the customer’s family or similar calamitous occasions.

    • Provide all assistance to the customer to resolve disputes or differences regarding dues in a mutually acceptable and orderly manner.

    • Never send any document to a customer that looks official.

    • Never collect more than what customer owes the bank.

    • Collection officers are not authorized to issue any letter on behalf of the company. All legal actions for recovery dues will be initiated by the bank only.

    • Do not engage in tampering or falsification of any bank authorization documents.

    • No false complaint should be filed against the customer for the purpose of intimidation.

    • Do not make any false commitment to the customers on behalf of the bank, to induce the customer to make any payments.

    All collection and recovery staff have to comply with the above guidelines. Any deviations from the set guidelines can lead to severe repercussions, including dismissal from service. The organization or the Management will not in any way be responsible, nor in any way be able to defend or justify the employee with internal or other government departments, if any escalations occur. The above are only general guidelines; any other act which is against the policy or could tarnish the reputation of the Company should never be undertaken. If in doubt on any of the above or on any other subject, refer to your immediate Manager.

    By working with Sunshine Solutions, all employees, partners, and vendors agree to abide by this Code of Conduct.

  • Data Protection Impact Assessment

    1. Policy Statement

    Sunshine Solutions is committed to protecting the privacy and personal data of individuals in compliance with the UAE Personal Data Protection Law (PDPL) and other applicable data protection regulations. This Data Protection Impact Assessment (DPIA) Policy establishes a structured approach to assess, identify, and mitigate risks associated with personal data processing activities. By conducting DPIAs, Sunshine Solutions ensures transparency, accountability, and the implementation of appropriate safeguards to prevent data breaches or privacy violations.

    2. Purpose

    The purpose of this policy is to:

    • Identify and evaluate risks related to personal data processing.

    • Ensure compliance with the UAE PDPL and industry best practices.

    • Implement measures to reduce privacy risks before initiating data processing activities.

    • Maintain transparency in how personal data is collected, processed, stored, and shared.

    • Promote a privacy-by-design and privacy-by-default approach in all data processing activities.

    This policy serves as a mandatory requirement for all departments handling personal data and ensures that privacy risks are proactively managed before introducing new data processing systems, technologies, or changes to existing processes.

    3. Scope

    This DPIA policy applies to:

    • All employees, contractors, third-party vendors, and partners handling personal data on behalf of Sunshine Solutions.

    • Any process, system, or technology that involves the collection, storage, processing, sharing, or transfer of personal data within or outside the UAE.

    • New projects, services, applications, or major modifications to existing data processing activities that may pose risks to individuals' privacy rights.

    A DPIA must be conducted whenever personal data processing:

    • Involves the use of new technologies.

    • Carries a high risk to individuals (e.g., financial data, biometric data).

    • Includes automated decision-making or profiling.

    • Entails large-scale processing of sensitive or special category data.

    • Requires cross-border data transfers.

    4. Data Protection Impact Assessment (DPIA) Process

    The DPIA process consists of the following key steps:

    4.1 Identifying the Need for a DPIA

    • Determine if the data processing activity falls under the criteria requiring a DPIA.

    • Consult the Data Protection Officer (DPO) if there is uncertainty regarding DPIA requirements.

    • Evaluate potential privacy risks before launching new data processing activities.

    4.2 Describing the Data Processing Activity

    • Identify the purpose of data processing.

    • Specify the categories of personal data involved (e.g., employee data, customer data).

    • Describe how data is collected, stored, used, shared, and retained.

    • Identify third parties or service providers with whom personal data is shared.

    4.3 Assessing Privacy Risks

    • Evaluate potential security vulnerabilities, unauthorized access risks, or data breaches.

    • Assess whether individuals' privacy rights may be negatively affected.

    • Determine the likelihood and severity of data protection risks.

    4.4 Mitigating Identified Risks

    • Implement security controls such as encryption, anonymization, and access restrictions.

    • Ensure compliance with UAE PDPL principles (lawfulness, fairness, transparency, purpose limitation).

    • Introduce technical and organizational measures to safeguard personal data.

    4.5 Reviewing and Approving the DPIA

    • The DPO must review and validate the DPIA findings.

    • Senior management must approve mitigation measures before the data processing begins.

    • Regulatory authorities may be notified if the risk remains high despite mitigation efforts.

    4.6 Continuous Monitoring and Updates

    • Conduct periodic reviews of DPIAs for ongoing compliance.

    • Update the DPIA if new risks emerge or processing activities change.

    • Maintain documentation of all DPIAs for regulatory audits.

    5. Roles and Responsibilities

    5.1 Data Protection Officer (DPO)

    • Oversees DPIA implementation and ensures compliance with UAE PDPL.

    • Provides guidance on privacy risks and mitigation strategies.

    • Ensures DPIAs are conducted before new data processing activities begin.

    5.2 Business Units & Project Owners

    • Initiate DPIAs for projects involving personal data.

    • Ensure that DPIA recommendations are implemented before proceeding.

    • Document changes made based on DPIA findings.

    5.3 IT and Security Team

    • Implement security measures recommended in the DPIA.

    • Ensure that data minimization, encryption, and access controls are in place.

    • Assist in risk identification and mitigation related to technology use.

    5.4 Legal and Compliance Team

    • Ensure DPIA compliance with UAE PDPL and contractual obligations.

    • Advise on legal risks associated with personal data processing.

    • Support in preparing regulatory filings if required.

    6. Compliance with UAE Regulations

    Sunshine Solutions adheres to the UAE Personal Data Protection Law (PDPL), ensuring:

    • Lawful, fair, and transparent data processing.

    • Obtaining explicit consent for data collection and usage.

    • Data processing activities align with contractual, legal, or legitimate business purposes.

    • Protection of data subject rights (e.g., access, correction, deletion).

    • Secure handling of personal data, including cross-border data transfers.

    Failure to conduct a DPIA when required may result in regulatory penalties or operational risks.

    7. Documentation and Record-Keeping

    • All DPIAs must be documented and retained for audit purposes.

    • The DPIA report should include:

        • Project details and purpose of data processing

        • Risk assessment and mitigation measures

        • Approval and decision-making process

    • DPIA records should be available for regulatory authorities upon request.

    8. Review and Updates

    • This DPIA policy is reviewed annually to ensure it reflects the latest regulatory requirements.

    • Updates to the policy will be communicated to all employees, stakeholders, and third parties.

    9. Enforcement and Penalties

    • Non-compliance with this DPIA policy may result in disciplinary actions, regulatory fines, or legal consequences.

    • Employees or third-party vendors found violating this policy will be subject to investigation and remedial actions.

    10. Conclusion

    The Data Protection Impact Assessment (DPIA) Policy is a crucial element in Sunshine Solutions' data protection framework. By proactively assessing privacy risks, implementing robust security measures, and ensuring compliance with the UAE PDPL, Sunshine Solutions safeguards personal data and upholds its commitment to transparency and accountability.