1. Introduction
The purpose of this policy is to explain how the controller handles the personal data it collects, and to provide guidelines and procedures to ensure that such data is protected in accordance with the best national standards and laws. The company seeks to promote transparency and accountability in the management of personal data, in order to achieve trust between the company and the individuals to whom it provides its services.

2. Scope of application
This policy applies to all personal data collected by the controller or its contracting parties, including all employees, contractors, and external partners who deal with personal data.

3. Basic definitions

A – Controller: The party that determines the purposes of processing personal data and the method of processing it. In this case, the company is the controller that bears responsibility for collecting, processing, and protecting personal data.

B – Personal data: Personal data means any information related to a natural person through which he can be identified directly or indirectly, such as name, ID number, address, email, etc.

C – Public data: This data is available to the public and does not require permissions to access it. This data is usually non-sensitive.

D – Restricted data: Data that requires specific controls to be accessed, but does not contain high sensitivity.

E – Confidential data: Data that is highly sensitive and must be protected from unauthorized access.

F – Sensitive data: Data that contains personal or confidential information and the disclosure of which would violate privacy or harm the individual or entity.

G – Critical data: Data that, if disclosed or manipulated, would have a serious negative impact on national or economic security.

K – Credit data: Credit data is financial and personal information related to the data and history of credit transactions of an individual or institution.

L – Health data: Information related to an individual’s health, which includes any information related to his health condition, diagnoses, treatments he receives, or medical records in general.

4 – Basic principles of personal data protection

A – Transparency: The collection and processing of personal data is carried out lawfully and transparently in accordance with applicable laws and regulations.

B – Data minimization: Collecting only the personal data necessary to achieve the stated objectives.

C – Accuracy: Ensuring that personal data is accurate and up-to-date, while enabling individuals to correct incorrect data.

D – Limited storage: Retaining personal data only for the period necessary for the purposes for which it was collected.

E – Protecting the confidentiality of information: Protecting data from unauthorized access, loss, modification or disclosure.

5 – Governance of personal data protection and compliance with the data protection system

A. Documenting the governance model: Adopting a plan for personal data governance in accordance with the personal data protection system and its regulations. The plan includes clear mechanisms in the form of multiple policies that cover all required aspects and aim to regulate the process of processing personal data in accordance with national laws.

B. Defining roles and responsibilities: Policy files include defining the roles and responsibilities for personal data governance, with the tasks of each entity or employee being clearly distributed, so that each role contributes to achieving full compliance with the system.

C. Reporting Lines: Clear and specific reporting lines must be established to allow for continuous monitoring of compliance with the Personal Data Protection Law and its implementing regulations. These lines contribute to supporting transparency within the organization and facilitating reporting of any violations or challenges.

H. Handling conflicts: In the event of internal conflicts regarding the implementation of the Personal Data Protection Law, the organization must adopt effective mechanisms to identify and address these conflicts quickly and efficiently, ensuring that policies are applied consistently and in line with the requirements of the law.

6 – Disclosure of Personal Data

A – Disclosure of data collected from publicly available sources must be in compliance with the law and its regulations.

B – When disclosing, it must:

– The disclosure is related to a specific and clear purpose.

– The privacy of the data subject is preserved.

– Disclosure is limited to the minimum data necessary to achieve the purpose.

C – When disclosing to a public body for security or health purposes:

– The request is accurately documented.

– Specifies the type of data to be disclosed.

D – If the data is related to a person other than its owner, the following shall be done:

– Balancing the rights of individuals.

– Encoding the identity of the other person when possible.

E. All disclosures shall be documented in special records.

7 – Collection of Personal Data

A. Sources of Personal Data: The controller collects personal data from several sources, including:

– The data owner directly when providing services, and he shall be required to notify the following:

* Name of the controller and contact details.

* Data Protection Officer data, if any.

* Statutory justification and purpose of data collection.

* Data retention period or criteria for determining it.

* The rights of the data subject and the mechanism for exercising them.

* How to withdraw consent.

* If data collection is mandatory or optional.

– Third parties such as business partners.

– Publicly available sources, as necessary.

B. Consent

– Consent is requested from data subjects in an explicit manner without misleading.

– The consent must be explicit in the event that the data to be processed is sensitive or fiduciary, or a decision will be made based on the automated processing of personal data.

– Clarify the purposes of collection and processing before requesting approval.

– Authentication of consent by technical means that can be returned to in the future.

– Obtain independent consent for each collection and processing purpose.

– The approval must be issued by the data subject with full capacity, or by his legal guardian.

– If the subject of personal data is deficient or incapacitated, the following is entitled to his legal guardian:

– Exercise the rights of the data subject in accordance with the law and regulation.

– Consent to the processing of his data in accordance with the provisions.

When processing data that is deficient or disqualified:

– Validation of legal jurisdiction.

– Ensure that the interests of the data subject are not harmed.

– Enable the data subject to exercise his rights upon completion of eligibility.

c. Collection of sensitive data: The processing of sensitive data requires special consent and is collected only when necessary, with the highest levels of protection applied.

D. Minimum collection

– The controller must collect the minimum amount of personal data necessary to achieve the purpose of the processing.

– The data must be directly related to the purpose of the processing.

– Take due care to ensure that unnecessary data is not collected.

–Identify and record the immediate need for this data and stop using this data if the necessity has passed.

(e) Collecting data from non-direct owners

– The processing must be necessary and proportionate to the specified purpose, and not affect the rights and interests of the data subject, and the controller must keep proof that the data subject cannot be contacted or difficult to reach.

– The data collection process must be communicated to the owner within a period not exceeding thirty days.

When collecting data from a publicly available source, it should be systematic.

– In the case of processing, anonymity must be taken into account in accordance with Article IX of the Executive Regulations of the Personal Data Protection Law.

8 – Controls for processing personal data

1.Processing purposes

– Personal data is processed to:

– Providing services agreed upon with partners.

– Administrative purposes within the company such as recruitment and evaluation.

– Compliance with regulatory acts.

B. Processing Restrictions

– Personal data is used only for the specified and declared purposes, and data subjects are informed if there is additional processing for another purpose.

– It is prohibited to use the data for illegal purposes or conflict with the rights of data subjects.

c. Security measures during processing

– Apply encryption techniques when processing sensitive data.

– Assign specific roles and powers to access personal data.

– Monitor access activities to prevent any abuses or unauthorized use.

(d) In the event of choosing a processor, the controller shall include in the agreement with the processor the following:

– The controller shall issue the data instructions to the processor, and in the event that it violates the instructions, the processor must notify the controller in writing immediately.
– Purpose of processing.
–Duration of processing.
–The obligation of the processor to notify the controller in the event of leakage of personal data without delay.

– Clarify whether the processor is subject to regulations in other countries, and the impact of this on its compliance with the provisions of the system in force within the Kingdom.
– The processor is not required to obtain prior approval of the mandatory disclosure by the controller, and the first must notify the second on the disclosure.

– The controller must ensure that the processor complies with the regulations and laws on data periodically, and the first has the right to use an external party to verify this.

– The processor shall be treated as the controller in case of violation of the controller’s data regulations and laws.

(e) If the processor uses a sub-party:
– Ensure that the integrity and security of the processed data is not affected.
– Obtaining prior consent from the controller to use the sub-party.

9. Personal Data Processing Record

Detailed records regarding the processing of personal data are kept, and this record must be kept for a period of (five years) after the end of the processing process, and the processor must provide them if requested by the data subjects and the competent authorities. Records include:

(a) The identity of the person responsible for data processing.

(b) Details of the control body.

(c) Bodies that have the authority to access such data.

(d) Description of the data category.

(e) The purpose of collecting such data.

(f) Data retention period.

10. Storage of Personal Data

A. Digital Platform and Cloud Storage

– Personal data is stored on secure systems that ensure data protection from cyberattacks.

– If using cloud storage services, it is ensured that the provider complies with security and data protection standards.

B. Authorized Access

– A strict policy is in place to ensure that only authorized individuals have access to personal data.

– Every data access is recorded and documented to ensure transparency.

C. Time Constraints

– Personal data is kept only for the necessary periods of time, and after it is no longer needed, it is destroyed securely.

11. Sharing personal data with third parties

A. Data Sharing Agreements

– Do not share personal data with third parties except on the basis of formal agreements that ensure prior consent, confidentiality of information and compliance with laws.

– The agreements include clauses on data protection and compliance with legal requirements.

B. Third Party Security Measures

– Third-party security measures are evaluated before agreements are signed.

– Compliance is monitored periodically through periodic audits.

12 – Protection of credit data

A- Taking measures for protection: The controller must implement organizational, technical and technical measures to ensure that credit data is protected from any illegal use, and to ensure that it is not viewed by unauthorized persons, and that it is used only for the purposes for which it was collected, and prevents its leakage.

B- Compliance with the requirements of the Central Bank: The controller must adopt and apply the requirements and controls issued by the Saudi Central Bank and other relevant authorities.

c. Data Subject Consent: The controller must obtain the consent of the personal data subject and inform him when there is any request to disclose his credit data.

13. Protection of health data

If the controller needs to handle health data, the following is required:

(a) Taking measures for protection: Taking organizational, technical, and technical measures to protect health data from illegal use, use for purposes other than those for which it was collected, or leakage, and ensure the privacy of data subjects.

B. Adopting and applying the requirements and controls: issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other relevant authorities.

C. Include the provisions contained in the Law and its regulations in the internal policies of the controller, and clearly distribute tasks and responsibilities to avoid overlapping competencies.

d. Documenting all stages of health data processing and identifying those responsible for each stage.

14 – Anonymity

According to the Executive Regulations of the Personal Data Protection Law, the data whose identity has been concealed is not considered personal data, and the controller must ensure the following:

(a) the inability to re-identify his identity.

(b) Impact assessment to ensure that identity cannot be re-identified.

(c) Take the necessary measures to avoid risks, while updating technologies in accordance with developments.

(d) Evaluating the impact of the effectiveness of anonymity techniques and modifying them when necessary.

15. Rights of Data Subjects

A. Access to Personal Data

The data subject has the right to:

– Request access to personal data held by the Company.

– Receive information about how data is processed.

B- Correction and deletion of data: The data subject has the right to request the correction or deletion of incorrect personal data if it is no longer needed.

C. Right to object: Individuals have the right to object to the processing of their personal data for specific purposes, such as direct marketing.

(d) The controller shall provide appropriate means to enable the subject of personal data to exercise his rights, including: e-mail, text messages, national address, electronic applications, or any other regular means of communication.

16. Data Protection Security Measures

A- Technological Solutions

Encryption and firewalls technologies are used to protect data from hacking.

– Backup solutions are used to save files from any accident that may cause data loss.

– Restore tests (test drill) are performed to ensure the success and continuity of backup operations.

Access control is used to ensure that only authorized employees can access sensitive data.

B. Regulatory Measures

– Employees are trained on data protection and awareness of associated risks.

– Carry out periodic reviews to ensure compliance with policies and standards.

17. Compliance

A. Incident Response Plans: Comprehensive response plans for data breaches are developed that include notification to the competent authorities and concerned individuals.

B. Compliance Review

– The Company conducts periodic audits to ensure compliance with all policies and regulations related to the protection of personal data.

– Periodic reports are prepared for compliance review and submitted to senior management.

C. Corrective actions: If any policy violations or violations are discovered, corrective action will be taken.

18. Withdrawal of consent

The subject of personal data has the right to withdraw his consent to the processing of his data at any time, informing the controller accordingly. The controller shall:

(a) Provide easy procedures for revoking consent, which are easier than obtaining approval.

(b) Stop treatment immediately after the admission.

c) Notify those to whom the data has been disclosed and request its destruction.

Reversal does not affect the legality of the previous treatment or the treatment based on other statutory grounds.

19 – Impact Assessment

(a) The controller shall prepare a written and documented evaluation to assess the effects and risks that may be incurred by the personal data subject as a result of the processing of his data.

(b) Impact evaluation shall be carried out in the following cases:

– When processing sensitive personal data.

When collecting or linking two or more sets of data from different sources.

– When processing data for incomplete or incapacitated, using emerging technologies, or making decisions based on automated processing.

– When providing products or services that may significantly affect the privacy of individuals.

(c) The impact assessment shall include the following elements:

– The purpose and legal basis of the processing.

– A description of the data types and scope of processing.

– The relationship between data subjects and processors.

d. Measures must be identified to ensure that the minimum required data is processed.

e. Assess potential negative impacts, whether social, financial, or other.

f. Take appropriate measures to prevent or reduce risks.

G- In the event that the evaluation shows that the treatment will harm the privacy of individuals, these causes must be addressed and re-evaluated.

20- Accident and leakage management

A. Incident Response Plan

– In the event of any incident related to leakage of personal data or unauthorized access, an incident response plan must be implemented.

– Immediate notification to the Central Bank within 72 hours of the discovery of the incident.

b. The notice includes:

– A description of the data leak incident, specifying the time, date, how it occurred and when the controller became aware of it.

– The actual or approximate categories and numbers of the affected personal data subjects, and the type of data that was leaked.

– A description of the potential risks resulting from the incident, with an explanation of the measures taken to mitigate

(f) The provisions of this policy shall not prejudice any other obligations of the control or processor to submit reports of leakage incidents as determined by the National Cybersecurity Authority or other applicable systems.

(g) The controller shall notify the owner of personal data without undue delay if the incident would cause damage to his data or conflict with his rights.

(k) The notice to the data subject shall include:

– A description of the incident.

– Describe potential risks and measures taken to reduce them.

– Name and contact details of the controller or personal data protection officer.

– Recommendations or tips to avoid risks and mitigate their effects.

(l) The notice shall be in plain and clear language to the data subject.

(m) The controller shall cooperate with the competent authorities to ensure that the incident is addressed and that the necessary measures are taken to prevent its recurrence.

21. Training and Awareness

A- Training programs: Continuous training programs are organized for employees to raise their awareness about data protection policies and how to deal with them safely.

B- Awareness campaigns: Internal awareness campaigns are carried out to increase employees’ understanding of how to protect personal data and comply with policies.

C- Performance Appraisal: The performance of employees in dealing with personal data is evaluated within the framework of performance indicators to ensure continuous improvement.

22. Data Disposal (Destruction)

A- Destruction Policy

– When personal data is no longer necessary for the purposes for which it was collected or the business relationship with partners ends, it must be securely destroyed.

– At the request of the data subject.

– If the data subject retracts his consent, and consent is the only reason for processing.

– If the data processing is detected in violation of the system.

– Actions such as the final deletion from systems or the destruction of media containing data are used.

B- Documentation: All data destruction processes are documented to ensure compliance with policies.

C – Formation of a destruction committee: from within the company’s management ensures the implementation of the aforementioned policy and issues a letter stating the implementation of the destruction in full. The controller must destroy personal data in the following cases:

(d) Upon destruction, the other parties to whom the disclosure has been made must be notified and the data must be destroyed, in addition to the destruction of all copies, including backup copies, taking into account the statutory requirements.

23. Updates and Amendments to the Policy

A- Periodic Review: This policy is regularly reviewed to ensure compliance with new laws and developments in the field of data protection.

B- Emergency amendments: The policy is amended immediately if the need arises as a result of legal or regulatory changes affecting the protection of personal data