Data Privacy Notice
1. Introduction
Ejada Systems (“we” or “our”) is committed to protecting your personal data. This privacy notice (“Notice”) is addressed to our employees based in the Kingdom of Saudi Arabia (“KSA”). This Privacy Notice will help you to understand what personal data we collect about you as an employee, why we collect and use (process) it and what we do with it. We determine how and why your personal data is collected and used for employment purposes. Therefore, we act as the controller of your personal data under the KSA Personal Data Protection Law approved by the Royal Decree No. 19/m, dated 1443/2/9 (corresponds to 16 September 2021) (“Law”). In case of any major changes in how we collect and process your personal data, we will notify you by updating this Privacy Notice.
2. Contact Details
If you have any questions or comments regarding our use of your personal data, please contact us via dpo@ejada.com.
3. What is Personal Data and Processing
What is Personal Data? Personal data means any data by which you may be identified as an individual. The personal data that we collect from you may be different, depending on the circumstances. For example, it may include the following:
▪ Name, personal address, contact details (e.g. phone number, email), signature
▪ Age, date of birth, gender, nationality, national ID, passport, visa information, Iqama
▪ Marital status, number of children, National ID of dependents
▪ Sensitive data, including information relating to your health, criminal records
▪ Information indicated in your resume, cover letter, LinkedIn profile, interview notes, job title, qualifications/certifications, education, employment history, bank account details, and previous salary amount
▪ Investigation records, video recordings
What is Processing?
Processing means doing anything with personal data, e.g. viewing, collecting, using, storing, sharing, modifying, printing, copying, archiving, erasing, etc.
4. When, How & Why Do you Process Your Personal Data?
We may process your personal data in many ways. We will choose ways of processing your personal data depending on the purpose of processing, as specified below. The ways in which we may process your personal data include, but are not limited to: viewing, collecting, using, storing, sharing, modifying, printing, copying, archiving, and erasing Please see in the table below the types of possible processing activities and their purposes.
Collecting and processing your personal data is mandatory in order for us to provide high quality services to you. Please note that if we do not complete the collection of personal data for the above purposes, we will not be able to provide you with a high level of service. As for the method of collecting your personal data, we may collect it directly from you and, in some circumstances, from third parties, for example, government services, , etc. We will collect your personal data from such third parties only in cases specified in section 6 below. If there is a change in your personal data, please let us know as soon as possible by contacting us through the “Contact details” section of this Notice.
5. What Legal Bases Do We Use For Processing Your Personal Data
We will use a legal basis to process your personal data. This means we will have a legal justification to use your personal data, as required by the Law.
We may rely on the following legal bases to process your personal data under the Law:
▪ Your consent (we will let you know on a case-by-case basis should we require your consent).
▪ Processing achieves a definite interest for you, and it is impossible or difficult to contact you.
▪ Processing is required by applicable laws and is performed in accordance with them.
▪ Processing is performed in order to perform an agreement to which you are a party.
▪ Processing is necessary for the purpose of our legitimate interest.
6. Processing Personal Data for Other Purposes
We aim to ensure that as a general rule we will use your personal data in accordance with the purposes, as specified in section 5 above.
However, please note that pursuant to the Law we may process your personal data for purposes other than specified in section 5 above. It may happen in the following cases:
▪ If you give your consent to such collection and processing.
▪ If your personal data is publicly available, or if it was collected from a publicly available source.
▪ If collection and processing is required for your vital interests.
▪ If collection or processing of your personal data is necessary to protect public health or safety, or to protect the life or health of you or other individuals.
▪ If your personal data is recorded or stored in a form that makes it impossible to identify you directly or indirectly.
▪ Collection of your personal data is necessary to achieve our legitimate interests (in this case we will not process your sensitive data, e.g. health data).
7. Storing Personal Data
We will arrange safe storage of your personal data in our information systems.
We will determine the period of storage of your personal data in accordance with our Data Retention Policy.
In particular, when determining the period of storage of your personal data we will take into account:
▪ Requirements to the storage period, as such requirements are specific in applicable laws and regulations.
▪ Specific purposes for which we require your personal data.
8. Disposal of Personal Data
If your data is deemed as not necessary and we do not longer need your personal data or if we do not have any legal basis to hold it further, we will arrange for necessary actions (e.g. its erasure (destruction), anonymization etc.).
We will ensure that:
▪ In case of anonymization: you will not be further re-identified after anonymization;
▪ In case of erasure (destruction): the personal data will not be reconstructed after it was erased.
9. Disclosure of Your Personal Data
We may, as could be required for the purposes listed in section 4 above, disclose your Personal Data to the following organizations:
▪ Our professional advisors or other contractors who provide us with data processing, professional or management services, such as Customer Relationship Management Platforms.
▪ Suppliers, subcontractors, business partners in the IT sector or other third parties involved in the management of our business;
▪ Any member of our group for our legitimate interest purposes (e.g. managing operational activities in the group); and
▪ Any applicable regulatory authorities (governmental and other public bodies, for example, SAMA, Ministry of Human Resources and Social Development, judicial authorities, courts, committees etc.) or other third parties as could be required by law or in accordance with other regulatory obligations or policies applicable to us or to you (e.g. Absher, GOSI, etc).
We may disclose your personal data in the following cases:
▪ You consent to the disclosure.
▪ Your personal data has been collected from a publicly available source.
▪ The entity requesting disclosure is a public entity, and the collection or processing of your personal data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
▪ The disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
▪ The disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify you.
▪ The disclosure is necessary to achieve our legitimate interests (in this case no sensitive data (e.g. health data) will be processed).
When providing your personal data to our Group companies and/or legal entities with whom we have contractual relations, we request a confirmation of the security measures these legal entities take to protect the personal data we provide. We do not share the personal data with public authorities or other third parties without a proper lawful request of the authorities. We make best efforts to ensure we have relevant contractual agreements in place with the parties with whom we share your personal data with and that they comply with data protection requirements of Ejada Systems.
10. Your Rights in Relation to Processing of Your Personal Data
In accordance with the Law, you may exercise the following rights:
We inform you that you may submit a complaint to the Competent Authority i.e Saudi Data and Artificial Intelligence Authority (SDAIA), if you believe your rights have been violated. Please contact us if you would like to know more about your rights or if you would like to exercise any of them through the “Contact details” section of this Notice.
11. Protecting Personal Data
We protect your personal data by using a range of methods, procedures and techniques. For example:
▪ We have assigned responsibility for the organisation of personal data processing to specific employees;
▪ We have in place policies and procedures in the area of protection of personal data to ensure that our personal data processing activities comply with the Law;
▪ We have implemented the necessary organizational and technical measures to protect personal data (access control, encryption);
▪ We have organized a process of collecting and processing controlling data subjects’ requests;
▪ We keep up to date the Records of Processing Activities (RoPA);
▪ We carry out a Data Protection Impact Assessment (DPIA) for personal data processing activities that results a high risk;
▪ We ensure security of third parties (controllers, processors, joint controllers);
▪ We carry out planned and unscheduled audits of personal data processing activities.
12. Cross Border Personal Data Transfer
We may transfer your personal data outside KSA and in such cases we will comply with the requirements of the Law regarding the cross-border personal data transfers, as well as with the requirements of other laws and regulations, where applicable.
13. Withdrawal of Consent
In some cases, we may request your consent to processing of your personal data. When we request your consent, we will also explain to you how you can withdraw your consent. If you have any questions regarding the consent that you may provide to us (or already provided), as well as how you can withdraw it - you may contact us with the use of the contact details, specific in section “Contact details” of this Notice.
14. Linking to Other Websites
Our website or marketing email messages sometimes include links to other websites which are not within our control. Once you have left our website/marketing email message, we cannot be held responsible for the content of other websites or the protection and privacy of any information which you provide to those websites. You should exercise caution and look at the privacy notice applicable to the website in question.