Citix logo
Privacy NoticeVideo Analytics Privacy Notice
>

Privacy Notice

Effective date: 27 February 2026

Last updated: 27 February 2026

Introduction

This Privacy Notice describes how Citix BILLBOARDS ADVERTISING LLC (“Citix”, “we”, “us”) processes personal data in connection with its business operations and service delivery in the United Arab Emirates.

Citix BILLBOARDS ADVERTISING LLC is the “Controller” as defined in Article 1 of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”), read together with Cabinet Decision No. 44 of 2023 (the “Executive Regulations”), for the processing described in this notice.

Citix has appointed an independent external Data Protection Officer (DPO) in accordance with Article 10 of the UAE PDPL. The DPO can be contacted at [email protected].

What we do

We provide outdoor and digital advertising services and related solutions. Our processing is primarily limited to managing business operations and delivering services to corporate customers.

Where we deploy video analytics for measurement purposes, the processing involves the transient analysis of live video images within the field of view of optical sensors. Live video images constitute personal data within the meaning of the UAE PDPL. The system processes this data in real time on the device only, without recording or storing footage, and produces only anonymised, aggregated statistics. No identifiable images are recorded, stored, or transmitted. Video analytics processing is described in detail in the separate Video Analytics Privacy Notice.

What Personal Data We Process

Citix generally processes limited personal data in the ordinary course of business. Depending on your relationship with Citix, we may process:

A. Business contact and relationship data

           Name, business email, business phone number

           Job title, company name, department

           Business communications and correspondence

B. Contracting and service administration data

           Authorised signatory details and signatures

           Contract, purchase order, invoice and billing details (where these contain personal data)

           Service delivery and support communications

C. Recruitment, employment and workforce administration data

           Candidate information (CVs, interview notes, references where provided)

           Employment or contractor administration data (payroll and benefits related data, work eligibility information where required, access management records)

D. Technical and security data (where applicable)

           IP address, device or browser information

           Access logs, security logs, audit trails and system usage records

           Incident and troubleshooting records

E. Video analytics (where deployed)

           Live video images may be processed transiently in device memory to generate anonymised, aggregated metrics.

           Identifiable images are not recorded, stored, or transmitted, and outputs are anonymised and aggregated only, as described in the separate Video Analytics Privacy Notice.

We do not currently collect consumer-style onboarding information from customers and do not routinely request personal identification documents as part of customer onboarding.

Under Article 1 of the UAE PDPL, sensitive personal data includes data revealing family or ethnic origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, and data relating to health, genetic, sexual, or psychological conditions. Citix does not routinely process sensitive personal data. Where sensitive personal data is exceptionally processed (for example, work eligibility information that may reveal nationality or health information provided voluntarily by an employee), we apply enhanced safeguards including stricter access controls, limited retention, and processing only where a specific lawful basis applies under the UAE PDPL.

The video analytics system does not process sensitive personal data and does not perform biometric identification, as described in the separate Video Analytics Privacy Notice.

How We Collect Personal Data

We may collect personal data from:

  • You directly (for example via email, phone, meetings, forms, recruitment submissions).
  • Your employer or organisation (for example when you are a contact person or signatory).
  • Service providers acting on our behalf (for example recruitment platforms, payroll providers).
  • Public or professional sources (for example company websites or professional networking platforms) where relevant and lawful.

We do not knowingly collect personal data from children (individuals under the age of 18, or such other age as defined under applicable UAE law). Our services are directed at businesses and business professionals.

How We Use Personal Data

We use personal data only as necessary for legitimate business activities and to operate our services, including to:

           Provide services and manage customer relationships, including communications, contract administration, service delivery, billing, and support.

           Manage suppliers and business partners, including procurement, vendor management, and operational administration.

           Recruit and hire, including evaluating candidates, communicating during recruitment, and maintaining recruitment records.

           Manage workforce relationships, including payroll, benefits administration, access management, internal administration, and workforce communications.

           Maintain security and integrity, including access control, fraud and misuse prevention, incident response, risk assessment, and troubleshooting.

           Comply with legal and regulatory requirements, including accounting and tax obligations, employment-related obligations, and legally binding requests from competent authorities.

Where video analytics is deployed, any processing of video images is solely to generate anonymised, aggregated statistics and not to identify individuals, as described in the separate Video Analytics Privacy Notice.

Legal Basis for Processing Personal Data

We process personal data on lawful grounds under the UAE PDPL (Articles 4 and 5). Depending on the context and your relationship with Citix, we rely on the following:

           Consent (Article 4): Where we rely on your consent, it will be obtained in a clear, specific, and unambiguous manner. You have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. We will inform you of how to withdraw consent at the time it is collected.

           Contract necessity (Article 5(1)): Where processing is necessary to perform a contract to which you are a party, or to take steps at your request prior to entering into, amending, or terminating a contract. This applies to employment contracts, service agreements, and supplier arrangements.

           Legal obligations (Article 5(1)): Where processing is necessary to comply with specific legal and regulatory obligations in force in the UAE, including employment law, tax and accounting requirements, anti-money laundering obligations, and legally binding requests from competent authorities.

           Employment, social security, and social protection (Article 5(1)): Where processing is necessary for Citix or the data subject to carry out obligations and exercise legally established rights in the field of employment, social security, or social protection laws.

           Statistical studies (Article 5(1), read with Article 12 of the Executive Regulations): For our video analytics function only, where processing is necessary to generate anonymised, aggregated statistics about how spaces are used, with adequate safeguards. This is described in the separate Video Analytics Privacy Notice.

           Protecting the interests of the data subject (Article 5(1)): In exceptional cases where processing is necessary to protect a data subject’s vital interests.

We document the lawful basis relied upon for each processing activity in our records of processing activities (ROPA), as required by Article 7(4) of the UAE PDPL.

Where applicable, we rely on the specific lawful bases set out above. If the Executive Regulations or UAE Data Office guidance introduces a legitimate interests basis, we will update this notice accordingly.

Information Sharing and Disclosure

Access to personal data is restricted to authorised Citix personnel who need it for the purposes described in this notice.

We may share limited personal data with trusted service providers that support our operations, such as:

           IT and hosting providers.

           Business communications and collaboration tools.

           Payroll and HR administration providers.

           Recruitment platforms and professional advisors (legal, audit, accounting).

In accordance with Article 7(5) of the UAE PDPL, we ensure that all service providers (data processors) acting on our behalf provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the UAE PDPL and the Executive Regulations. Service providers are governed by Data Processing Agreements that include documented instructions, confidentiality obligations, security requirements, sub-processing controls, assistance with data subject rights and breach notification, and return or deletion of data on termination.

We may disclose personal data to regulators, public authorities, or law enforcement where disclosure is legally required.

We do not sell personal data to third parties for commercial purposes.

Video analytics: No recorded footage is stored or shared, and only anonymised, aggregated outputs are used, as detailed in the separate Video Analytics Privacy Notice.

Transfers to Third-Party Countries

We may transfer personal data outside the UAE where required for business operations (for example, where service providers host systems or provide support from other countries).

Under Article 22 of the UAE PDPL, personal data may only be transferred outside the UAE to countries or organisations that maintain an adequate level of data protection, or where one of the following safeguards or conditions applies:

           A contract or agreement that obligates the recipient to adopt measures, controls, and requirements consistent with the UAE PDPL (standard contractual clauses or equivalent).

           The data subject’s explicit consent, provided the transfer does not contradict the public or security interest of the UAE.

           The transfer is necessary for the performance or conclusion of a contract with or in the interest of the data subject.

           The transfer is necessary to comply with UAE legal obligations or for the establishment, exercise, or defence of legal claims.

Where we transfer personal data outside the UAE, we implement appropriate safeguards which may include contractual data protection clauses, due diligence of service providers and their security measures, access controls, encryption, and other technical measures appropriate to the risk.

Our video analytics system does not transfer personal data outside the UAE. Only anonymised aggregated metrics (which do not constitute personal data) are transmitted to a cloud platform hosted in the European Union, as described in the separate Video Analytics Privacy Notice.

You may contact us at [email protected] to request further information about the safeguards used for specific transfers, including the countries to which personal data is transferred and the transfer mechanism relied upon.

How We Protect Personal Data

Data Security Measures

We implement technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. Measures may include:

           Encryption and secure transmission where appropriate.

           Role-based access controls and multi-factor authentication for administrative access where feasible.

           Logging, monitoring, vulnerability management, and security testing.

           Security policies, incident response planning, and staff awareness training.

Our security approach is aligned with recognised industry practices and may be informed by frameworks such as ISO/IEC 27001.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Notice, including to meet legal, accounting, audit, and regulatory requirements, and to resolve disputes. Retention periods vary depending on the type of data and the context in which it is processed.

Automated Decision-Making and Profiling

Citix does not currently make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on individuals.

If this changes in the future, we will update this Privacy Notice and inform affected individuals of the logic involved, the significance, and the envisaged consequences of such processing, in accordance with Article 18 of the UAE PDPL. You will have the right to object to such processing and to request human review of any automated decision.

Data Breach Notification

We take security incidents seriously and have measures in place to detect, contain, and respond to them in accordance with Article 9 of the UAE PDPL. If a security incident involves personal data that could prejudice the privacy, confidentiality, or security of individuals’ data, we will:

  • Assess the nature, scope, and potential impact of the breach.
  • Contain and mitigate the incident to prevent further unauthorised access.
  • Notify the UAE Data Office (the Bureau) within the timeframe and in the manner required by the PDPL Executive Regulations, including a description of the breach, approximate number of records affected, DPO contact details, expected effects, and corrective actions taken.
  • Notify affected individuals where the breach is likely to prejudice the privacy, confidentiality, or security of their personal data, including a description of the breach, its likely consequences, measures taken to address it, and recommended protective steps.

Where Citix acts as a data processor, it will notify the relevant controller as soon as it becomes aware of a breach.

Your Rights and Choices

Under Articles 13 to 18 of the UAE PDPL, you have the following rights in relation to the processing of your personal data:

  • Right to be informed (Article 13): You have the right to know whether we process your personal data and to obtain clear information about the purposes, lawful basis, categories of data, recipients, retention periods, and your rights. This Privacy Notice is provided to fulfil this right.
  • Right of access (Article 13): You may request a copy of the personal data we hold about you, together with information about how it is processed.
  • Right to correction (Article 14): You may request correction of inaccurate personal data or completion of incomplete data without undue delay.
  • Right to erasure (Article 14): You may request erasure of your personal data in the circumstances set out in the UAE PDPL, including where data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and no other lawful basis applies.
  • Right to restrict or stop processing (Article 15): You may request restriction or cessation of processing where it is inconsistent with agreed purposes, carried out in violation of the UAE PDPL, or for marketing or statistical purposes (unless processing is essential for public interest reasons).
  • Right to object to automated processing (Article 16): You have the right to object to decisions made solely through automated processing, including profiling, that have legal effects or similarly significant impacts on you, and to request that a human element be included in reviewing the decision. Citix does not currently make automated decisions with legal or similarly significant effects about individuals.
  • Right to data portability (Article 17): Where processing is based on consent or contract necessity and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format, or request transfer to another controller where technically feasible.
  • Right to withdraw consent (Article 6): Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to complain (Article 19): You have the right to lodge a complaint with the UAE Data Office (the Bureau) if you believe that the processing of your personal data violates the UAE PDPL. Citix will cooperate with the Bureau in accordance with the PDPL.

How to exercise your rights:
Please contact our Data Protection Officer at [email protected]. We may request information to verify your identity before fulfilling a request. We will acknowledge your request within 5 working days and respond substantively within 20 working days (or such period as required by the Executive Regulations). If the request is complex or voluminous, we will inform you of any extension and the reasons for it.

There is no fee for exercising your rights. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, providing an explanation of the reasons.

For the video analytics system specifically, no identifiable personal data is retained. Further details about how rights apply to video analytics are provided in the separate Video Analytics Privacy Notice.

Changes to This Privacy Policy

We review and update this Privacy Notice periodically and at least annually, or whenever material changes occur (for example, changes in our services, processing activities, applicable law, or regulatory guidance).

Any changes will be posted on citixmena.com. Where changes materially affect how we process your personal data or your rights, we will take reasonable steps to notify you (for example, by email or a prominent notice on our website) before the changes take effect.

Contact

Email: [email protected]