Privacy Policy

Purpose:


The objective of this Privacy Notice is to create a structured framework that defines the process by which Personal Data of all present and former employees, as well as vendors and clients, shall be handled. This Privacy Notice should cover methods for dealing with Personal Data, storing Personal Data, the mechanism for its destruction, data sharing controls with external parties, and the rights of the Data Subject and the Company with respect to this matter, so long as this is done in accordance with the laws and regulations established by the appropriate government agencies, including those applicable in the Personal Data Protection Law (PDPL), its Implementing Regulations, General Data Protection Regulation (GDPR), as well as any other applicable privacy laws, with respect to the following subjects:

  • The purpose behind the collection of Personal Data.
  • The categories and types of Personal Data collected.
  • The approach taken to gather Personal Data.
  • Methods of processing and storing Personal Data.
  • The process by which Personal Data is destroyed or erased.
  • The Data Subject in regard to their Personal Data.

Scope:


This Privacy Notice is applicable to all individuals or entities that maintain a connection with alfanar Company, encompassing all present and former employees, as well as vendors and clients. The applicable in the Personal Data Protection Law (PDPL), its Implementing Regulations, General Data Protection Regulation (GDPR), as well as any other applicable privacy laws, governs the handling and preservation of Personal Data encompassing all categories and classifications that could potentially disclose and identify the Data Subject.

Definition & Abbreviations:


For the purpose of applying this policy, the following terms and phrases—wherever they appear in this policy—shall have the meanings specified beside each, unless the context indicates otherwise.


Company: alfanar Company and all subsidiary entities and companies, whether in their entirety or in partial.


Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.


Sensitive Data: Each personal statement encompasses details such as the holder's religious, intellectual, or political affiliations, racial or ethnic heritage, criminal and security records, genetic information, credit and health records, biometric information utilized for identity verification, and genetic information. Therefore, it indicates that the individual's parents, or at least one of them, remain unknown.


Consent (Acceptance): A mutual agreement between the Data Subject and the Company that authorizes the Company to retain and process the Data Subject's Personal Data in order to fulfil the intended purpose of the Consent.


Data subject: An individual to whom the Personal Data relate, including but not limited to all present and former employees, as well as vendors and clients.


Processing (Data Processing): Data processing encompasses any operation, whether manual or automated, that is carried out on Personal Data. Such operations include but are not limited to the following: collection, recording, preservation, indexing, arrangement, coordination, storage, modification, updating, merging, retrieval, use, disclosure, and transfer; dissemination; data sharing or interconnection; blocking; erasure; and destruction.


Controlling party: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.


Processing party: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.


DPO (Data Protection Officer): is an individual appointed by the Company to ensure compliance with the Personal Data Protection Law (PDPL), its Implementing Regulations, General Data Protection Regulation (GDPR), as well as any other applicable privacy laws. The DPO is responsible for monitoring adherence to data protection laws, providing guidance on best practices, and ensuring timely reporting of data breaches.

Purpose, collection, Retain, and processing of Personal Data:


The primary objective behind gathering this personal and sensitive data is to fulfill the company's obligatory duties and responsibilities towards the aforementioned Data Subject. These obligations and responsibilities have been duly documented in adherence to the applicable in the Personal Data Protection Law (PDPL), its Implementing Regulations, General Data Protection Regulation (GDPR), as well as any other applicable privacy laws. For instance, but not limited to, they encompass the registration of expatriate employees, the issuance of residence cards and work permits under the company's sponsorship, and employee employment contracts. Obtaining medical insurance coverage and concluding agreements, contracts, and purchase orders with suppliers, customers, and others on behalf of the General Insurance Organization.


The Company collects, processes, and retains all categories of Personal Data pertaining to individuals who are Data Subjects. This data will collect and processing in a manner that is fully transparent with Data Subjects and in accordance with the law.

Means of collection:


This data is obtained from a variety of sources, including, but not limited, directly from the Data Subjects themselves, or in digital format through Company-affiliated databases or servers, as well as from third parties and in paper format that is archived and stored within the company's control centers.


alfanar Company may collect Personal Data from other than the Data Subject, and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:


  • Data is utilized in a lawful, equitable, and transparent manner.
  • The data is gathered exclusively for the objectives delineated in this policy.
  • In a manner that is pertinent to and restricted to the objectives that necessitated the gathering of observed data.
  • Precise and up to date.
  • Securely stored.

Neither the method of processing personal data nor the purpose of that processing may be altered without the consent of the data subject, except in the following cases, processing of Personal Data shall not be subject to the consent:

  • If the Processing serves actual interests of the Data Subject, but communicating with the Data Subject is impossible or difficult.
  • If the Processing is required for security purposes or to satisfy judicial requirements.
  • If the Processing is pursuant to another law or in implementation of a previous agreement to which the Data Subject is a party.

The retain:


The Company retains the Data Subject's Personal Data in a manner consistent with relevant regulations and maintains records of Personal Data processing activities for the period required under the regulations.

The Company may retain data after the purpose of the Collection ceases to exist, in the subsequent two circumstances:

  • In the event that its preservation is mandated by law for a particular timeframe, it shall be disposed of subsequent to the expiration of said timeframe or the intended purpose of its collection, whichever occur afterwards.
  • Personal data that is inextricably linked to a case pending before a judicial authority and for which retention is necessary, will be erased once the judicial proceedings associated with the case have concluded.

Provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant. Accordingly, The Data Subject's Personal Data should not be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

To prevent unauthorized access or disclosure, the Company is dedicated to retaining the data provided by the Data Subject in a secure and protected manner. To this end, the company has implemented suitable administrative and electronic protocols to safeguard and protect the data against unauthorized access, modification, misuse, and interference.

Disclosure of Personal Data by the Company:


The data subject must be informed that their personal data will not be processed in a manner inconsistent with the purpose of its collection. Additionally, they should be made aware of the entities to which their Personal Data will be disclosed, the roles of those entities, and whether their Personal Data will be transferred, disclosed, or processed outside the Kingdom.


The Company may disclose personal data only in the following situations:


  • Consent: The Data Subject has given consent for the disclosure in accordance with the law.
  • Public Source: The personal data has been collected from a publicly available source.
  • Anonymized Data: The disclosure will only involve subsequent processing in a way that prevents the identification of the data subject.
  • Legitimate Interests: The disclosure is necessary to achieve the legitimate interests of the Controller, provided it does not infringe on the rights of the Data Subject and does not involve sensitive data.

The Company must not disclose Personal Data in the situations mentioned previously if the disclosure:


  • Threatens security or harms the reputation of the Kingdom.
  • Compromises individual safety.
  • Violates the privacy of individuals other than the data subject.
  • Violates legally established professional obligations.

Circumstances in which obtaining the Data Subject's consent prior to publishing his Personal Data on channels is necessary include:


  • On social media platforms.
  • Both digitally and physically on business premises, on internal websites.
  • Data sharing with alfanar Company subsidiaries, both domestically and internationally.
  • Third-party entities that necessitate the acquisition of Personal Data for the purpose of contracting, such as hotels, travel and airline agencies, and recruitment firms.

Circumstances in which the consent of the Data Subject is not necessary prior to the publication of his or her Personal Data should the Personal Data have been obtained from a publicly accessible source.

  • In the event that disclosure is requested by a governmental entity (including agencies, organization of professions, directorates, ministries, and other pertinent entities), it is done so for security purposes, system implementation, or to satisfy judicial requirements in adherence to the regulations' provisions.
  • In situations where disclosure is required to safeguard public health or safety, the life or health of a particular individual or individuals, or both.
  • In the event that the disclosure is limited to subsequent processing in a way that does not lead to the identification of the Data Subject or any other individual specifically.

Categorization of Personal Data:


This Privacy Notice applies to all Personal Data collected by the Company, including, but not limited to all present and former employees, as well as vendors and clients, in the form of digital data, paper records, audio recordings, and video footage.


This Personal Data can be:

  • Mandatory Personal Data
    • The provision of this Data is necessary to fulfill regulatory requirements in alignment with relevant laws and regulations.
  • Optional Personal Data
    • The Data Subject may choose to participate in the Company-provided benefits; doing so is not mandatory.

Personal Data will be collected:

  • Data Subject full name and contact information.
  • Personal Data that collected indirectly through (cookies) when you visit the Website.
  • Contractual agreements and payment information.
  • Address
  • National IDs.
  • Passport
  • Employment information

Data destruction and deletion:


The Company is obligated to promptly erase Personal Data once the intended purpose of its collection has been fulfilled. However, that data may be retained beyond the intended purpose of collection, as we mentioned previously. or in any of the following cases:

  • Upon Data Subject's request.
  • If the Personal Data is no longer necessary to achieve the purpose for which it was collected.
  • If the Data Subject withdraws their consent, and consent was the sole legal basis for Processing.
  • If the Company becomes aware that the Personal Data is being processed in a way that violates the Data Protection Law.

When destroying Personal Data, the Company shall take the following steps:

  • Take appropriate measures to notify other parties to whom the Controller.
  • disclosed the concerned Personal Data and request their Destruction.
  • Take the appropriate measures to notify the individuals to whom the personal
  • Data has been disclosed by any means and request its Destruction.
  • Destroy all copies of the Personal Data stored in the Controller's systems, including backups, in accordance with relevant regulatory requirements.

Data Subject rights:


The Data Subject has the right to request a copy of their Personal Data held by the company at any time. They may also engage directly with the DPO for any inquiries or concerns related to their personal data.

Right to access their Personal Data


When destroying Personal Data, the Company shall take the following steps:

  • The right to be informed, including notification about the legal basis or actual necessity for collecting your personal data, the purpose of such collection, how it will be processed, stored, destroyed, and with whom it will be shared. Your data should not be processed later in a manner conflicting with the purpose for which it was collected and for which you provided implicit or explicit consent.
  • The right to access your personal data held by the Company, to review it, obtain a clear copy of it.
  • The right to correct any of your personal data that you find inaccurate, incorrect, or incomplete.
  • The right to have your personal data destroyed unless there is a legal provision specifying a particular retention period or contractual requirements.
  • The right to withdraw your consent for the processing of your personal data at any time unless there are legitimate purposes requiring otherwise.

Transfer of Personal Data outside the geographical borders of the Kingdom:


The Company may transfer personal data outside the Kingdom or disclose it to external parties for specific purposes, such as fulfilling obligations under agreements involving the Kingdom, serving its interests, or meeting obligations related to the data subject.


Transfers or disclosures must meet certain conditions:

  • They must not compromise national security or the vital interests of the Kingdom.
  • There is an adequate level of protection for Personal Data outside the Kingdom.
  • Transfers or disclosures should be limited to the minimum necessary personal data.

These conditions do not apply in cases of extreme necessity to protect the life or vital interests of the data subject or to address medical emergencies.

The Data Subject is duly notified that their Personal Data may be transferred to alfanar Company subsidiaries, regulatory bodies, government agencies, and third-party service providers that assist alfanar Company employees. Additionally, the Data Subject will be informed if their Personal Data is transferred outside the Kingdom of Saudi Arabia (KSA).

Privacy Notice Updates:


To ensure that we continue to offer the best possible experience and the highest level of protection to you and your personal data held by us, we reserve the right to update this Privacy Notice as and when necessary and appropriate to comply with the requirements of the KSA PDPL and the Regulations in case of any changes in the legal framework governing alfanar Projects. Therefore, we encourage our beneficiaries to regularly review the privacy notice to be informed of any updates made to it. The privacy notice was last updated on 18/9/2024.

DPO Contact information:


The Data Subject may initiate direct communication with the DPO, regarding any inquiries or concerns pertaining to his Personal Data, and the DPO is required to provide appropriate means to process requests related to Data Subject rights as stipulated in the Data Protection Law. The Data Subject shall have the choice to use one or many among the following means according to their preference considering options made available by the Company:

Queries and complaints:


If you have any inquiries regarding our privacy notice or concerns about how we handle your personal data, please contact us at
Toll free: 800-124-1333
Outside KSA: 00966-11-494-5400
We will respond to you as promptly as possible.