Prometheus Privacy Statement


The following Personal Data Privacy Statement is provided to you pursuant to the Dubai International Financial Centre Data Protection Law and Regulations (‘DIFC DP Legislation’) in connection with your dealings with, and providing of personal data or information (“Data”) to, Prometheus Capital Finance Limited (‘Prometheus’).

1.DIFC DP Legislation:

The DIFC DP Legislation ( controls how your personal information is used by Prometheus.

Everyone responsible for using personal data has to follow strict rules known as ‘data protection principles’. They must ensure that:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful unauthorized
  • processing, access, loss, destruction or damage


Under the DIFC DP Legislations, the lawful bases we rely on for processing this information are:

  • Your consent. You are able to remove your consent at any time. You can do this by contacting us [see contact details provided in this Privacy Statement]
  • We have a contractual obligation.
  • We have a legal obligation.
  • We have a vital interest.
  • We need it to perform a public task.
  • We have a legitimate interest.


2.Information collected:

Examples of data we may collect from you:

  • Passport
  • National ID
  • Proof of address
  • Educational certificates
  • Financial data i.e., bank statements, title deeds, valuation reports, portfolio statement etc.
  • Curriculum vitae
  • If a corporate entity (including market counterparties, PIVs, trust etc.) – Certificate of Incorporation, commercial license, Memorandum and Articles of Association, list of shareholders, audited financial statements, bank statements, portfolio statement, for directors, shareholders and authorized signatories, relevant identification documents.


There are separate safeguards for personal data relating to criminal convictions and offences.

Personal data are processed manually, electronically or by computer in such a way as to ensure full protection and privacy also when the use of traditional and/or electronic or innovative distribution channels is involved.

3.How we get the information and why do we have it:

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Opening accounts for asset management activity
  • Conducting execution and advisory services


If you are a business introducer we may enter into relevant agreements prior to accepting your services.

We may also receive personal information, indirectly, from other sources.

4.What we do with the information:

We use the information that you have given us in order to communicate within Prometheus Group companies on a need to know basis (i.e., Prometheus Investment Management Ltd., London regulated by the UK FCA and Prometheus Finance S.a.rl., Luxembourg).

As part of our services to our clients, we are engaged with external parties such as banks, financial institutions, sub-custodians (typically banks and financial institutions), IT service providers (by way of subscribing to various services, solutions, compliance tools providers, business partners.

Furthermore, Prometheus may disclose your personal data to external parties, some of which may be based abroad, which operate in the following areas:

  • banking, financial and insurance services, management of payment systems;
  • detection of financial risks to prevent and control insolvency risk;
  • management of communications addressed to the clients as well as archiving electronic data and documents;
  • disclosures and alerts with regard to money laundering regulations;
  • management of national and international systems for the detection of frauds;
  • supply and management of information procedures and systems, telecommunication networks, protection and security systems;
  • management of voice recording and video recording services;
  • expertise, external auditing, balance sheet certification, professional consulting services and customer assistance.


When the above parties transfer personal data to a non-EU state for the aforesaid purposes, the relevant judicial or government authorities may gain access thereto in accordance with local legislation.

Those external parties or service providers of those external parties to which data can be communicated, but who have not been appointed as “Person in charge of the processing” or “Processor” by ourselves, will use the data as “Controllers” pursuant to the privacy law, handling same on a fully independent basis and/or in connection with the handling performed by Prometheus.

5.How we store your information:

Your information is securely stored with our IT service provider on a server space allocated to Prometheus. All the data is secured and retrieval is only by way of our explicit permission.

We keep all data captured for six (6) years from the date of termination of the relationship or conclusion of the specific transaction. We will then dispose your information by deleting the date from the server and any hard copies are shredded by us in the DIFC.

6.Your rights:

Under the DIFC DP Legislation, you have the right to find out what information Prometheus stores about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data rectified
  • have rectified incorrect data
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances


You also have the rights identified herein above (“Your rights” under above) when we are using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behavior or interests


7.Find out what data Prometheus as an organization has about you and our contact details:

Write to Prometheus to ask for a copy of the information we hold about you.

As Prometheus is not a public organization, we do not have an appointed Data Protection Officer (DPO). However, Prometheus has a Data Supervisor who can be reached at:

Prometheus Capital Finance Ltd

Damac Park Towers – A Tower #110, DIFC – DUBAI, UAE

PO Box 65909 Dubai

Landline: +971 (4) 3784205

Fax: +971 (4) 3784299


8.How long it should take:

Prometheus shall revert to your request as soon as possible, and within 1 month in most cases.

In certain circumstances, for example particularly complex or multiple requests, Prometheus can take a further 2 months to provide data. In this case, we will revert to you:

  • within 1 month of your request


9.When information can be withheld:

There are some situations when Prometheus is allowed to withhold information, for example if the information is about:

  • the prevention, detection or investigation of a crime
  • national security or the armed forces
  • the assessment or collection of tax
  • judicial or ministerial appointments


Prometheus does not have to say why we are withholding information.

10.How much it costs:

Requests for information are usually free. However, Prometheus may charge an administrative cost in some circumstances, for example if:

  • you’re asking for a large amount of information
  • your request will take more than one hour to process


11.Make a complaint:

If you think your data has been misused or that Prometheus has not kept it secure, you should contact us at

If you’re unhappy with the response or if you need any advice you should contact the Commissioner of Data Protection Office.

By Phone: +971 4 362 2222

By email:

By Mail:

DIFC Commissioner of Data Protection

The Gate, Level 14

PO Box 74777

DIFC, Dubai, UAE


The Commissioner’s office can investigate your claim and take action against anyone who has misused personal data.

You can also visit the website for information on how to make a data protection complaint (

My Account