Privacy Policy

1. About this Privacy Policy

Cleveland Clinic Abu Dhabi ("we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you receive care or interact with us through our website, App and facilities (“Services”).

This Privacy Policy is important for you to understand so please read this Privacy Policy carefully so that you can make an informed decision about whether to use or continue using our Services.

By using our Services, you consent and agree that we may access, receive, collect, share, use, and disclose (including transfer) your Personal Data in accordance with this Privacy Policy. If you do not agree with any of the terms included in this Privacy Policy, please refrain from using our Services and DO NOT provide us with any Personal Data.

If you provide us with any Personal Data belonging to and/or relating to a third party (e.g. information about your child), by submitting such information to us, you represent to us that you have obtained the relevant consent, or have the right to consent on behalf of any such third party, to provide us with their Personal Data, and you agree and acknowledge that such disclosure of their Personal Data will be governed by this Privacy Policy (as amended from time to time).

This Privacy Policy may from time to time be supplemented by, or subject to, certain terms set out in separate informed consents provided by you prior to provision of treatment, admission to our facility or participation in any research trial or study. This Privacy Policy must be read in conjunction with any such informed consents.

We may amend this Privacy Policy from time to time and will make the updated Privacy Policy available to you. We reserve the right to update or modify this Privacy Policy, or any other policies or practices, at any time with or without notice. However, Cleveland Clinic Abu Dhabi will not use your Personal Data in a way that is materially different than the uses described in this Privacy Policy without giving you an opportunity to opt-out of such differing uses. The updated Privacy Policy will supersede earlier versions and will apply to any Personal Data provided to us previously. Each time you use the Services or transact with us, you acknowledge and agree that the latest version of this Privacy Policy will apply.

2. Scope of this Privacy Policy

This Privacy Policy applies to all patients, visitors, and users of our Services.

This Privacy Policy applies to personally identifiable information (“PII”) that provided to us for purposes of obtaining medical care through our Services (information specifically related to your health and healthcare is also referred to as “Protected Health Information” or “PHI”). This may include information (i) received directly from you, (ii) collected automatically, (iii) obtained through our mobile application, and (iv) provided by third parties.

“Personal Data” includes all PII and PHI but excludes:

1. Anonymised or fully de-identified information (i.e., all information that can be used to identify you as an individual has been removed permanently);
2. Aggregated consumer information (i.e., information combined into fully anonymous groups or categories); and
3. Information about deceased persons.

3. Applicable Laws

Our collection, storage, use, processing, retention and transfer of your personal data is subject to the Abu Dhabi Global Market Data Protection Regulations 2021 and any other laws, regulations and standards applicable to healthcare facilities in the Emirate of Abu Dhabi, including the regulations and standards of the Department of Health Abu Dhabi and the UAE Ministry of Health (the “Applicable Laws”).

Under Applicable Laws, we are required to provide you with certain information about who we are, how we process your Personal Data and for what purposes, and your rights in relation to your Personal Data.

The Applicable Laws also describe your rights with respect to your personal information. This Privacy Policy supplements these laws and regulations. If there is ever any conflict between this Privacy Policy and the Applicable Laws, the Applicable Laws will apply.

4. Types of Personal Data collected

We may collect and process the following types of information about you:

• Identification Data: Name, date of birth, Emirates ID, passport number etc;
• Contact Details: Address, phone number, email address etc;
• Geolocation Data: IP addresses, browser or mobile device location upon access, approximate location data to determine from where you have accesses Services etc;
• Health Data: Height, weight, medical history, medical condition, diagnosis, treatments, test results, prescriptions, reports, lifestyle information etc;
• Financial and Administrative Data: Insurance information, payment information (including credit card details), appointment records etc;
• Technical and Log Data: Cookies, browser type, mobile carrier, web browser configurations; CCTV footage (for safety and security), metadata, search history relating to our Services; and
• Images and Sound: video recordings, voice recordings, photographs, scans etc.

When you use our App, we may monitor your usage of the App. We may use, collect, and share non-personally identifiable information which means information not associated with an identifiable individual.

5. Methods of collection of Personal Data

We may collect data through:

• Direct interactions (e.g., patient registration, consultations etc);
• Third-party referrals (e.g., from other healthcare providers, from payment guarantors etc);
• Third-Party Services (as defined below);
• Other third parties (e.g. your family, government agencies, third parties acting on your behalf in legal proceedings, employers
• Diagnostic devices and medical records systems; and
• Public authorities (when legally required).

We may also collect certain information automatically when you use our website or app, such as your computer’s Internet Protocol (IP) address, device and advertising identifiers, browser type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, information about the links you click and pages you view within the Services, and other standard server log information.

If you access the Services from an advertisement on a third-party website, application, or other service (a “Third-Party Service”) we may receive information from the owner of the Third-Party Service related to you or that advertisement.

In connection with Services that involve medical treatment, we may collect medical records from your past, current, and future health care providers (to the extent applicable). This may include information about your diagnosis, previous treatments, general health, laboratory and pathology test results and reports, social histories, any family history of illness, and records about phone calls and emails related to your illness.

We may also receive information about you from other sources, including through third-party services and organizations. We may combine our first-party data, such as your email address or name, with third-party data from other sources and use this to contact you (e.g. through direct mail). For example, if you access third-party services, such as Facebook, Google, or Twitter, through the Services to login to the Services or to share information about your experience on the Services with others, we may collect information from these third-party services.

We may utilize cookies, pixel tags, Local Shared Objects, and similar technologies to automatically gather this information. Cookies are small pieces of data stored by your computer’s web browser. Pixel tags, also known as “web beacons” or “clear GIFs,” are tiny images or data embedded in images that can recognize cookies, record the time and date a page is viewed, describe the page where the pixel tag is placed, and collect similar information from your computer or device. Local Shared Objects (sometimes called “Flash Cookies”) are similar to standard cookies but can be larger and are downloaded to a computer or mobile device by the Adobe Flash media player. By using the Services, you consent to our use of cookies and similar technologies.

From time to time, we may use analytics software installed on mobile devices (e.g. Google Analytics) to help us understand our users better and provide you with a good experience when you use our website and/or App. If you prefer not to be tracked by such software, you can opt out of their advertising tracking cookie or use a browser plugin to disable it.

6. Legal basis for using your Personal Data

We process / use your personal data for multiple purposes, each requiring a legitimate basis. In cases where we handle special category personal data, such as PHI, an additional legal basis is required.

Cleveland Clinic Abu Dhabi processes personal data based on legitimate interests, in compliance with Applicable Laws. You have the right to object to this processing, further details of which are set out below.

When processing PHI, Cleveland Clinic Abu Dhabi relies on (a) express consent to process such information and (b) the necessity of processing for public interest reasons, to ensure high standards in healthcare quality and safety, and the proper management of medical devices, medicalproducts and pharmaceutical products.

In all other cases, Cleveland Clinic Au Dhabi will process your Personal Data pursuant to appropriate legal bases for such processing, in accordance with Applicable Laws, including (but not limited to) the ADGM Data Protection Regulations 2021, Federal Law No. (2) of 2019 Concerning the Use of Information and Communication Technology (ICT) in Health Fields, and the Abu Dhabi Healthcare Information and Cyber Security Standard v2 (ADHICS v2).

7. Processing of Personal Data

For purposes of the Applicable Laws, Cleveland Clinic Abu Dhabi is the “data controller”. This means that we determine the purposes for which, and the way in which your Personal Data is processed.

In accordance with the legal bases for processing under the Applicable Laws, we may use the personal data that we collect about you to:

• provide safe and effective healthcare services;
• maintain accurate medical records;
• process billing and insurance claims;
• comply with our legal and regulatory obligations;
• support medical research or public health initiatives (with appropriate safeguards for any data sharing – see below);
• provide and improve our Services and website content (including personalizing content, creating and improving user preferences and languages);

• send you information about additional clinical services or general wellness from us or on behalf of our affiliates;
• access personal information collected by Apple’s HealthKit or Google Fit (see below);
• prevent potentially prohibited or illegal activities and otherwise in accordance with our Terms of Use and other policies;
  • use your device to temporarily hold copies of documents (e.g. image or a letter) which are deleted when the application is closed; and
  • use your device to temporarily store identifiers and times for your upcoming appointments in your device’s storage to detect when you arrive for an upcoming appointment. When you stop using our mobile application or you disable the feature, such identifiers (and location data, Bluetooth data) are removed from the in-application storage.
  We may use your Personal Data for internal business purposes, including without limitation, to help us improve the content and functionality of our Services, to better understand our patients, security, fraud detection, provide you with customer service, and to generally manage our services and our business, as well as for analysing the services provided by our partners. We may also use your Personal Data for any other purposes disclosed to you at the time we collect your information or pursuant to your consent. We may automatically collect technical data to address and fix technical problems and improve our Services. Your device or browser settings may permit you to control the collection of this technical data. By using the Services, you are consenting to us or any party acting on our behalf collecting this technical data. We may combine newly collected information with information we already have collected about you.

8. Processing and use of Personal Data in relation to Health Apps

We may process your personal data to allow us to access personal information collected by Apple’s HealthKit or Google Fit which is integrated with the Health application on your respective mobile device. This personal data will be encrypted by identifiers to assist with identifying you when you use Apple’s HealthKit or Google Fit personal information and it is then stored on your device. If you choose to stop using Apple HealthKit or Google Fit or delete our mobile application, the encrypted personal information is also deleted and removed.

9. Amendments to Personal Data collected

When there are errors in your PII, e.g., name, mobile number, date of birth, etc., Cleveland Clinic Abu Dhabi will make corrections to ensure that the information is accurate. Upon your authorization, your PII can be changed or updated.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during our relationship with you. We also have the right to request for documentation and carry out the necessary checks to verify your Personal Data provided as may be required by law.

10. Required Google Play Disclosures for Certain Health Apps

For our application to be available in the Google Play store, we must provide some further information as detailed in the Google Play App Notice.

11. Sharing of Personal Data

We are committed to maintaining your trust, and we want you to understand when and with whom we may share the information we collect.

We may share your information with other entities within the Mubadala Group (including with M42 and its affiliates) where necessary for the purposes of enhancing, centralizing and/or otherwise ensuring high-quality patient care.

We may share your Personal Data with third parties like other healthcare providers, laboratories, vendors or service providers, government authorities, judicial or law enforcement authorities, regulatory bodies, embassies, insurance companies, employers, consultants and advisors and our affiliates. Where we share Personal Data with third party vendors and service providers (i.e. for the purposes of assisting us with specialized services), these third-party vendors and service providers may not use your information for purposes other than those related to the services they are providing to us.

In particular, we may share your Personal Data with the Abu Dhabi Health Information Exchange (‘ADHIE’), (a platform maintained and operated by an affiliate of M42) and the operator of the ADHIE platform and its subcontractors and licensors, which may enable healthcare facilities in the Emirate of Abu Dhabi (and their relevant healthcare professionals and other authorized users) to send, receive, access or otherwise use your Personal Data if they are providing clinical care to you.

With your consent or at your direction, we may share information for any other purposes disclosed to you at the time we collect the information or pursuant to your consent or direction.

If you choose to engage in public activities on the third-party sites that we link to, you should be aware that any information you share there can be read, collected, or used by other users of these sites and forums. You should use caution in disclosing personal information while participating in these areas. We are not responsible for the information you choose to submit in public areas.

No information provided by patients during medical consultations or requests for medical appointments is ever used for marketing purposes.

Third party recipients of your Personal Data might be independent or joint data controllers or processors (depending on the situation). Before transferring your Personal Data to any third party, we will enter into an appropriate agreement with them which contains clarification and binding obligations relating to:

• roles of each Controller and Processor (as applicable);
• purposes for which the transferred personal data may be used or processed; and
• the Applicable Laws to which the third party recipient must adhere in their use of the transferred Personal Data.

12. International data transfers

When transferring Personal Data to jurisdictions outside of the ADGM (including the United Arab Emirates), we will implement appropriate safeguards, such as:

• requiring the recipient to adhere to standard contractual clauses approved by the ADGM Commissioner of Data Protection; or
• a request for your explicit consent to the transfer, following provision of specific information as to the potential risks associated with the transfer.

However, we may transfer Personal Data outside of the ADGM without such safeguards if the transfer is:

• to a jurisdiction considered “adequate” pursuant to a decision of the ADGM Commissioner of Data Protection;
• required to fulfil or enter a contract with you;
• requested by the law enforcement authorities of the UAE or required for judicial or legal claims or proceedings;
• required for public interest purposes; or
• required to protect yours or someone else’s vital interests and no consent can be reasonably obtained.

13. Retention of Personal Data

We adhere to all Applicable Laws in respect of data retention and will not keep your data in an identifiable format longer than is necessary or mandated by law or regulation.

The period for which we retain data collected from you depends on applicable legal requirements, your preferences, and the purposes for which we use it. For example:

• UAE Federal Law No. 2 of 2019 requires that PHI be stored for at least 25 years;
• Certain information may be retained until such time as you request its removal or the purposes for which we collected it are complete (e.g. contact details for marketing purposes, recruitment information, etc.); and
• Certain non-health information may be retained for legal or business purposes such as quality assurance, maintaining proper financial accounts and records and ensuring proper insurance account settlement and claims management.

Even if we delete your Personal Data, it may persist on backup or archival media for an additional period of time for legal, tax, or regulatory reasons or for legitimate and lawful business purposes.

14. Security

We use measures to protect your Personal Data from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction in accordance with Applicable Laws. We use measures designed to protect other information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that no data storage system or transmission of data over the Internet or any other public network can be guaranteed to be 100% secure.

15. Your rights

Your legal rights in respect of your Personal is subject to Applicable Laws and, potentially, the laws of the jurisdiction in which you are located.

Please note that requests to exercise data protection rights will be assessed by us on a case-by-case basis. There may be circumstances where we are not legally required to comply with your request because of the laws in your jurisdiction or because of exemptions provided for in data protection legislation. Where possible and permissible, we will take reasonable steps to fulfil your request promptly or inform you if we require further information to fulfil your request.

Subject to any exemptions, restrictions and exceptions provided for under Applicable Laws and this Privacy Policy, you have the right to:

1. Access your own Personal Data. Please note that PHI that is disclosed electronically via email will be sent securely via password protected file or secure email;

2. Be informed of (i) how long we expect to keep your Personal Data, and if not possible, the criteria we use to determine that period, (ii) the sources from which your Personal Data was collected and/or (iii) the existence of any automated decision-making and consequences on the Processing of your Personal Data;

3. Direct that we transfer your Personal Data to you or any other data controller in a structured, commonly used, machine-readable format;

4. Request details of the purposes of the processing of your Personal Data and the categories of your Personal Data that we are processing;

5. Raise a complaint to our data protection officer;

6. Request rectification of inaccurate Personal Data (where technically feasible and subject to our verification of accuracy prior to rectification);

7. Request erasure of Personal Data held by us in circumstances where:

(i) it is no longer needed for the purposes for which it was collected;

(ii) the Personal Data was collected solely pursuant to a consent provided by you and you wish to withdraw that consent;

(iii) you object to the processing of your Personal Data by us and there are no overriding legitimate grounds for continuing it;

(iv) your Personal Data was processed unlawfully;

(v) erasure is required to comply with a legal obligation under the ADGM Data Protection Regulations 2021; or

(vi) the Personal Data was collected in relation to the offer of information society services to a child;

7. Request restriction on the processing of your Personal Data where:

(i) its accuracy requires verification;

(ii) the processing is unlawful;

(iii) it is no longer needed for the purposes for which it was collected but it should or can be retained under any Applicable Law; or

(iv) you have exercised the right to object, and verification of overriding legitimate grounds for processing is pending.

In such cases, we may continue to process your Personal Data if we have your consent, we need to establish, exercise or defend legal claims and/or we need to do so to protect the rights of another natural or legal person.

8. Object to the processing of your Personal Data when it is based on our legitimate interests, if you believe that your fundamental rights and freedoms outweigh these interests. In such cases, we will have the option to demonstrate that we have compelling legitimate interests which override your rights and freedoms or that processing is necessary for the establishment, exercise, or defence of legal claims

9. Object to the processing of your Personal Data for archiving and research purposes. In such cases, we may continue to process such data if we performing a task for reasons of public interest.

10. Object to how we use your Personal Data for direct marketing purposes.

11. Withdraw or amend any consent that you have provided. Any such withdrawal or amendment shall not affect the lawfulness of any processing that took place before it.

12. Be informed of the safeguards implemented for any transfers of your Personal Data outside of the ADGM.

13. Raise a complaint with the ADGM Commissioner for Data Protection (in respect of both or either of PHI and PII) by emailing [email protected]

14. Raise a complaint with the Department of Health Abu Dhabi (in respect of PHI) via the TAMM portal here: https://www.tamm.abudhabi/

Complaints made to our data protection officer will be handled in accordance with best practice, internal policies and procedures and Applicable Laws.

You can exercise your rights to access your own PHI (or, if you are a substitute consent giver or next of kin, you may seek to access the PHI of your charge) by emailing us at [email protected].

You can exercise all other rights by sending an email to [email protected].

To exercise your rights, we may need more information to verify your identity or confirm your identity or authorization. We reserve the right to deny access or limit your rights if legally required or if another individual's rights are at risk.

16. Restriction on Children’s Information

We do not collect personal information online from individuals under the age of 18. Adults engaging with Cleveland Clinic Abu Dhabi must have authority to transfer children's data to Cleveland Clinic Abu Dhabi, either as a parent or legal guardian.

17. Your Choices

You may be able to refuse or disable cookies by adjusting your web browser settings. Because each web browser is different, please consult the instructions provided by your web browser (typically in the “help” section). Please note that you may need to take additional steps to refuse or disable Local Shared Objects and similar technologies. For example, Local Shared Objects can be controlled through the instructions on Adobe’s Setting Manager page. If you choose to refuse, disable, or delete these technologies, some of the functionality of the Services may no longer be available to you.

Opt-out. To opt-out of interest-based advertising across browsers and devices from companies that participate in the Digital Advertising Alliance or Network Advertising Initiative opt-out programs, please visit their respective websites. You may also be able to opt-out of interest-based advertising through the settings within the mobile app or your mobile device, but you opt-out choice may apply only to the browser or device you are using when you opt-out, so you should opt-out on each of your browsers and devices. If you opt-out, you will still receive advertisements but they may not be as relevant to you and your interests, and your experience on our Services may be degraded.

18. Third-party Links and Content

Some of the Services may contain links to content maintained by third parties that we do not control. We are not responsible for the privacy practices of these third parties, and the information practices of these third parties are not covered by this Privacy Policy.

19. Do Not Track

Some web browsers transmit “do-not-track” signals to websites. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. We currently do not act in response to these signals.

Questions and requests

If you have any questions about this Privacy Policy or our practices, please email us at [email protected]

For medical records requests please email us at [email protected]