Modern Freight Company Contact

Group Data Privacy Policy

Data Privacy Policy

MFC Group (MFC) is committed to ensuring that compliance with the General Data Protection Regulation (GDPR) and other relevant data protection legislation is clear, demonstrable, and embedded within our data processing practices. We maintain robust policies, security measures, and ongoing training to ensure that all employees, contractors, and third parties understand and uphold their responsibilities in protecting personal data.

This Data Protection Policy sets out the principles, responsibilities, and procedures governing the collection, processing, storage, and sharing of personal data within MFC.

This Policy is intended to:

  • ensure that personal data is processed lawfully, fairly, and transparently;
  • protect the rights and freedoms of individuals whose data is processed;
  • establish clear guidelines for handling personal data securely and responsibly; and
  • demonstrate compliance with data protection laws and best practices.

This Policy applies to:

  • all employees, contractors, and third-party service providers who process personal data
  • on behalf of MFC;
  • all personal data processed by MFC in electronic or manual formats; and
  • all subsidiaries and operational units within MFC across global regions.

MFC recognises the importance of data protection in today’s digital landscape and is committed to continuous improvement in the safeguarding of personal information.

Definitions

For the purposes of this Policy, key terms are defined as follows:

Personal Data

Personal Data refers to any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing 

Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller

A Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. When MFC acts as the Data Controller, we decide why and how Personal Data should be processed.

Data Processor

A Data Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller. This may include external service providers, cloud storage providers or outsourced IT support handling Personal Data under instruction from MFC.

Personal Data Breach

A Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

 

Principles Relating to Processing of Personal Data

MFC is committed to ensuring that all Personal Data is processed in a lawful, fair and transparent manner. The following principles guide our approach to the collection, use, storage and protection of Personal Data:

Lawfulness, Fairness and Transparency

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

Purpose Limitation

Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data Minimisation

Only Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy

Personal Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Storage Limitation

Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed.

Integrity and Confidentiality

Personal Data must be processed in a manner that ensures appropriate security of the Personal Data including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

MFC shall take responsibility for compliance with these principles and be able to demonstrate our adherence to them through appropriate governance measures, policies and documentation

 

Lawful Basis for Processing

There are six alternative ways in which the lawfulness of a specific case of Processing of Personal Data may be established under the GDPR. It is MFC’s policy to identify the appropriate basis for Processing and to document it.

Consent

Unless it is necessary or otherwise permitted for a reason allowable in the GDPR, MFC will always obtain explicit consent from a Data Subject to collect and process their data. In the case of children below the age of 16 (a lower age may be allowable in specific EU member states) parental consent will be obtained. Transparent information about our usage of Personal Data will be provided to Data Subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.

Performance of a Contract

Where the Personal Data collected and processed is required to fulfil a contract with the Data Subject, explicit consent is not required. This will often be the case where the contract cannot be completed without the Personal Data in question e.g. a delivery cannot be made without an address to deliver to.

Legal Obligation

If Personal Data is required to be collected and processed to comply with the law, then explicit consent is not required. This may be the case for some Personal Data related to employment and taxation for example and for many areas addressed by the public sector.

Vital Interests of the Data Subject

If Personal Data is required to protect the vital interests of the Data Subject or of another natural person, then this may be used as the lawful basis of the Processing. GAC will retain reasonable, documented evidence that this is the case whenever this reason is used as the lawful basis of the Processing of Personal Data. As an example, if there was a serious accident in the workplace leaving the victim incapable of consent, Personal Data may be disclosed to the hospital to protect the victim’s vital interests.

Task Carried Out in the Public Interest

Where MFC needs to perform a task that we believe is in the public interest or as part of an official duty then the Data Subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.

Legitimate Interests

If the Processing of specific Personal Data is in the legitimate interests of MFC and is judged not to affect the rights and freedoms of the Data Subject in a significant way, then this may be defined as the lawful reason for the Processing. Again, the reasoning behind this view will be documented.

 

Rights of the Individual

The Data Subject has rights under the GDPR as follows:

  • Right to be informed: Data Subjects have the right to be provided with clear and transparent information about how their Personal Data is being collected, used and processed.
  • Right of access: Data Subjects have the right to request confirmation of whether Personal Data concerning them is being processed and, if so, access to that data.
  • Right to rectification: Data Subjects have the right to request the correction of any inaccurate or incomplete Personal Data.
  • Right to erasure: Data Subjects have the right to request the deletion of their Personal Data, subject to certain conditions.
  • Right to restrict Processing: Data Subjects may request the restriction of Processing under certain circumstances, such as when the accuracy of data is contested.
  • Right to data portability: Data Subjects have the right to receive their Personal Data in a structured, commonly used and machine-readable format and to transmit that data to another Data Controller.
  • Right to object: Data Subjects may object to the Processing of their Personal Data on the basis of legitimate interests or for direct marketing purposes.
  • Rights in relation to automated decision making and profiling: Data Subjects have the right not to be subject to automated decisions that have significant effects, unless certain conditions are met.

You must verify the identity of an individual requesting data under of the rights listed above. Do not allow third parties to persuade you into disclosing Personal Data without proper authorisation.

 

Privacy by Design and Data Protection Impact Assessment

MFC is required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures, like pseudonymisation, in an effective manner to ensure compliance with data privacy principles.

You must assess what Privacy by Design measures can be implemented on all programmes, systems and processes that process Personal Data by ensuring that:

  • data protection is embedded into the design and architecture of MFC's information systems and business practices;
  • appropriate safeguards including encryption, access controls and secure communication channels are integrated into MFC’s IT systems and operational workflows from the earliest stages of development.
  • default settings on systems are configured to provide the highest level of privacy protection without requiring user intervention; and
  • training and awareness are provided to all employees to ensure that data protection is considered at every level within MFC and throughout the data lifecycle.

Data Controllers must also conduct Data Protection Impact Assessments (DPIA) in respect to high-risk Processing. A DPIA must include:

  • a description of the Processing, its purposes and the Data Controller’s legitimate interests if appropriate;
  • an assessment of the necessity and proportionality of the Processing in relation to its purpose;
  • an assessment of the risk to individuals; and
  • the risk mitigation measures in place and demonstration of compliance.

 

Direct Marketing

MFC is subject to certain rules and privacy laws when marketing to our customers. As part of our business operations, MFC may use your Personal Data to provide you with information about our products, services and/or events that may be of interest to you. MFC relies on your consent as the legal basis for this processing, in accordance with applicable data protection laws.

You have the right to object to or opt out of receiving direct marketing communications from MFC at any time. You can do this by following the unsubscribe link in our emails, adjusting your communication preferences or contacting us at mfcgroup@mfc.ae.

We do not share your Personal Data with third parties for marketing purposes without your explicit consent.

 

Third-Party Processors

Generally, MFC is not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. MFC may only share the Personal Data we hold with another employee, agent or representative of MFC (which includes our subsidiaries and our ultimate holding company) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

You may only share the Personal Data MFC holds with third parties if:

  • they have a need to know the information for the purposes of providing the contracted services;
  • sharing the Personal Data complies with the privacy notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
  • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
  • the transfer complies with any applicable cross border transfer restrictions; and
  • a fully executed written contract that contains GDPR approved third party clauses has
  • been obtained.

 

International Transfers of Personal Data

Personal Data may be transferred to other jurisdictions in which MFC operates. MFC ensures that such transfers comply with applicable laws and are safeguarded by appropriate contractual or legal mechanisms (e.g. Data Transfer Agreements).

 

Personal Data Breach Notification

MFC endeavours to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of Personal Data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

 

Changes to this Policy

MFC reserves the right to change this Policy at any time so please check back regularly to obtain the latest copy of this Policy. This Policy was last revised during April 2025. This Policy does not override any applicable national data privacy laws and regulations in countries where MFC operates. No policy can cover all eventualities. Questions in relation to this Policy or application of this Policy should be directed to the GDPR Team (mfcgroup@mfc.ae).

Logo
MFC BSI Logo
Logo
wca
Logo
Logo
Logo
Reversemi - MFC
mfc trace certified
clc projects' width=
heavy lift group
LOGIFEM