Data Protection Policy – KSA Brokers

Contents

  1. Introduction
  2. Definitions
  3. Objective
  4. Purpose
  5. General Provisions of Data Subject Rights
  6. Right to be Informed
  7. Right to Access Personal Data
  8. Right to Request Personal Data
  9. Right to Request Correction of Personal Data
  10. Right to Request Destruction of Personal Data
  11. Anonymization
  12. Means of Communication
  13. Consent
  14. Consent Withdrawal
  15. Legal Guardian
  16. Processing in the Data Subject’s Actual Interest
  17. Data Collection from Third Parties
  18. Processing for Legitimate Interest
  19. Choosing a Processor
  20. Further Processing of Personal Data
  21. Data Minimization
  22. Disclosure of Personal Data
  23. Controls for Processing Personal Data for Public Interest
  24. Correction of Personal Data
  25. Information Security
  26. Notification of Personal Data Breach
  27. Impact Assessment
  28. Processing Health Data
  29. Data Protection Officer
  30. Records of Personal Data Processing Activities

1.     Introduction

  1. ACE Re Gallagher Arabia Brokers (“ACE Re” or “the Company”) is committed to protecting the privacy of individuals whose personal data we process. This Personal Data Protection Policy (“Policy”) outlines our practices regarding the collection, use, disclosure, and protection of personal data in accordance with the Personal Data Protection Law of Saudi Arabia (“PDPL” or “the Law”).
  2. ACE Re recognizes the importance of personal data privacy and is dedicated to handling personal data responsibly and in compliance with all applicable laws and regulations. This Policy sets forth our principles and practices for protecting the personal data of our clients, employees, business partners, and other individuals whose information we process. The policy must be reviewed and approved annually.

2.     Definitions

  1. The Regulation: The Implementing Regulation of Personal Data Protection Law
  2. Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
  3. Processing: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
  4. Collection: The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.
  5. Data Subject: The individual to whom the Personal Data relate.
  6. Controller: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
  7. Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.

3.     Objective

  1. The primary objective of this policy is to comply with the PDPL and ensure that the Company’s practices align with the requirements of the PDPL and any applicable regulations. Also, to implement measures to safeguard the privacy and security of personal data entrusted to ACE Re and to provide transparency to individuals about how their personal data is collected, used, and protected.
  2. These objectives collectively aim to ensure that ACE Re processes personal data in a manner that is lawful, ethical, and respectful of individual privacy rights.

4.     Purpose

  1. The purpose of this policy is to provide a clear and comprehensive framework for ACE Gallagher to handle personal data in accordance with the PDPL and best practices.

5.     General Provisions of Data Subject Rights

The Company shall, upon receiving a request from the Data Subject regarding their rights as stipulated in the Law, do the following:

  • The Company must respond to data subject requests within 30 days. This period can be extended by a further 30 days with prior notification to the data subject.
  • The Company must take measures to ensure prompt responses and must verify the identity of the requester before acting on a request.
  • The Company may refuse requests that are repetitive or unfounded.
  • Legal guardians may exercise these rights on behalf of data subjects lacking legal capacity.

6.     Right to be Informed

  1. When collecting personal data directly from the data subject, the Company must inform the data subject of:
    • The Company’s identity and contact details.
    • The data protection officer’s contact details.
    • The purpose of data collection and processing.
    • The data retention period, or the criteria used to determine it.
    • The data subject’s rights and how to exercise them.
    • How to withdraw consent.
    • Whether data collection is mandatory or optional.
  2. The above requirements do not apply if the information is already known to the subject or conflicts with existing laws.
  3. If data is collected from a third party, the Company must inform the data subject within 30 days, providing the information from paragraph 1 and details about the data categories and source.
  4. The 30-day notification does not apply if:
    • The data subject already knows the information.
    • Notification is impractical or requires excessive effort.
    • The Company obtained the data
    • The Company is a public entity collecting data for security, judicial, or public interest purposes.
    • The data is subject to professional confidentiality
  5. When processing data on individuals lacking legal capacity, continuously monitoring data subjects, using new technologies, or making automated decisions, the Company must provide additional information, including:
    • The methods of collecting and processing sensitive data.
    • The data protection measures applied.
    • Whether automated decisions will be made.
  6. If the data is to be processed for a purpose different from the original one, the data subject must be informed before processing proceeds.

7.     Right to Access Personal Data

  1. Data subjects have the right to access their personal data held by the Company, except as limited by Articles 9 and 16 of the Regulation. Access must not infringe on the rights of others, such as intellectual property or trade secrets. The Company may provide the data subject with direct access to their personal data.
  2. When granting access, the Company shall ensure that personal data of other individuals is not disclosed.

8.     Right to Request Personal Data

  1. Data subjects may request a copy of their personal data in a readable format, except as limited by Article 16 of the Regulation. Providing the copy must not infringe on the rights of others, such as intellectual property or trade secrets.

9.     Right to Request Correction of Personal Data

  1. Data subjects may request a restriction on processing their personal data if they dispute its accuracy. This restriction remains in place until the Company verifies the data’s accuracy, unless doing so violates the law.
  2. The Company may request supporting documents to verify the data’s accuracy. These documents must be destroyed after verification.
  3. If the data is corrected, all parties who previously received it must be notified of the correction.

10.  Right to Request Destruction of Personal Data

  1. The Company shall destroy personal data when:
    • The data subject requests its destruction.
    • The data is no longer needed for its original purpose.
    • The data subject withdraws consent, and consent was the only legal basis for processing.
    • The Company discovers the data is being processed unlawfully.
  2. When destroying data, the Company shall:
    • Notify other parties who received the data and request its destruction.
    • Notify individuals to whom the data was disclosed and request its destruction.
    • Destroy all copies of the data, including backups, in compliance with
  3. This does not override the requirements of Article 18 of the Law or those set by competent authorities.

11.  Anonymization

  1. When anonymizing personal data, the Company shall ensure that the data subject cannot be re-identified.
  2. The Company shall evaluate the potential for re-identification under the circumstances specified in Article 25(1) of the Regulation.
  3. The Company must implement organizational, administrative, and technical measures to prevent re-identification, taking into account technological advancements and available anonymization techniques.
  4. The Company must assess the effectiveness of anonymization techniques and adjust to ensure irreversibility.

12.  Means of Communication

The Company provides multiple options for data subjects to submit requests related to their rights. These options include:

  • Email: DPO@ace-com
  • Phone: +966 920051009
  • National address: 8200 Salah ad Din Al Ayyubi Rd, King Abdul Aziz, Building No 1, 4313, Riyadh 12233, Saudi Arabia.

13.  Consent

  1. The Company will obtain the data subject’s explicit consent for processing their data in any appropriate form. Consent must be freely given, clear, and specific. The Company must document the consent process.
  2. Explicit consent is required for processing sensitive personal data.

14.  Consent Withdrawal

  1. Data subjects can withdraw their consent for data processing at any time by notifying the Company.
  2. The Company has established procedures for withdrawing consent that are as easy as, or easier than, those for giving it.
  3. Upon withdrawal, the Company must stop processing the data without delay. However, processing that occurred before withdrawal remains lawful.
  4. The Company must notify parties who received the data and request its
  5. Withdrawing consent does not affect processing that relies on another legal basis.

15.  Legal Guardian

  1. The legal guardian of a data subject lacking legal capacity may exercise the subject’s rights and consent to data processing, acting in the subject’s best interests.
  2. When processing data of a data subject lacking legal capacity, the Company must verify the legal guardian’s authority.
  3. When obtaining consent from a legal guardian, the Company must:
    • Avoid harming the data subject’s interests.
    • Ensure the data subject can exercise their rights themselves once they reach legal capacity.

16.  Processing in the Data Subject’s Actual Interest:

When processing data to serve the data subject’s actual interest, the Company must retain evidence demonstrating:

  • The existence of that interest.
  • The difficulty of contacting or communicating with the data subject.

17.  Data Collection from Third Parties:

  1. When processing data collected from third parties, the Company must ensure:
    • The processing is necessary and
    • The processing does not harm the data subject’s rights or interests.
  2. When processing data from publicly available sources, the Company must ensure the collection is lawful.

18.  Processing for Legitimate Interest

  1. Processing for legitimate interest requires:
    • Compliance with the laws of the Kingdom.
    • Balancing the Company’s interests against the data subject’s rights.
    • Avoiding the processing of sensitive data.
    • Aligning with the data subject’s reasonable expectations.
  2. Examples of legitimate interests include fraud detection, network security, and other lawful interests.
  3. Before processing for legitimate interest, the Company must assess:
    • The proposed processing and its purpose.
    • Its legality and compliance with the laws of the Kingdom.
    • The necessity of the processing for the legitimate interest.
    • The potential harm to data subjects or their rights.
    • The measures in place to mitigate that harm.
  4. If the assessment reveals potential violations or harms, the Company must modify the processing and conduct a new assessment or consider an alternative legal basis.

19.  Choosing a Processor

  1. The Company must ensure the processor provides sufficient data protection guarantees and that their agreement includes:
    • Processing
    • Data
    • Processing
    • Breach notification
    • Compliance with foreign
    • Disclosure
    • Identification of
  2. The Company must provide clear processing instructions to the processor. The processor must notify the Company of any violations.
  3. The Company is responsible for assessing and monitoring the processor’s compliance. The Company may appoint a third party for this purpose.
  4. If a processor violates the Company’s instructions or the Law, the processor becomes a controller for that processing and is directly liable.
  5. Before contracting with sub-processors, the processor must:
    • Ensure adequate data protection.
    • Select sub-processors that comply with the Law.
    • Obtain the prior approval of the controller.

20.  Further Processing of Personal Data

  1. When processing data for a purpose other than the original one, the Company must:
    • Clearly define the new purpose.
    • Document procedures to limit data processing to what is necessary for the new purpose, using data maps.
    • Minimize data collection and processing to what is needed to achieve the new purpose.
  2. For processing data for a new purpose (except as specified in Article 10(3) of the Regulation), the Company must:
    • Clearly define the new purpose and document it.
    • Minimize data collection and processing.
    • Identify the type of data to be processed and ensure appropriate protection measures are in place.

21.  Data Minimization

  1. The Company must collect only the minimum amount of personal data needed to achieve the processing purpose. This includes:
    • Collecting only necessary data directly related to the purpose.
    • Using data maps to link each data item to its processing purpose.
    • Minimizing unnecessary data collection.
  2. The Company must retain only the minimum amount of personal data necessary to achieve the processing purpose.

22.  Disclosure of Personal Data

  1. Disclosure of publicly available data must comply with the Law.
  2. When disclosing personal data (except as specified in Article 15(3-4) of the Regulation), the Company must:
    • Ensure the disclosure is for a specific purpose.
    • Protect the privacy of the data subject and third parties.
    • Minimize the amount of disclosed data.
  3. When disclosing data to public authorities for security, legal, or public health purposes, the Company must:
    • Document the disclosure.
    • Identify the data necessary for the stated purpose and disclose only that data.
  4. When disclosing data related to another person, the Company must:
    • Balance the rights of the data subject and the third party.
    • Consider encrypting the data if necessary.
  5. When disclosing data for a legitimate interest, the Company must comply with Article 16 of the Regulation.
  6. The Company must document disclosure operations, including dates, methods, and recipients.

23.  Correction of Personal Data

  1. Corrections include correcting incorrect data, completing incomplete data, and updating outdated data.
  2. When correcting data, the Company must:
    • Verify data accuracy using supporting documents.
    • Notify parties who received the data.
    • Notify the data subject when the correction is complete.
    • Document all corrections.
  3. If inaccurate or incomplete data may harm the data subject, the Company must suspend processing until the data is corrected.
  4. The Company must promptly correct, complete, or update inaccurate, outdated, or incomplete data.
  5. The Company must:
    • Develop and update internal policies for data correction.
    • Periodically review data for accuracy and completeness.

24.  Information Security

The Company must implement organizational, administrative, and technical measures to protect personal data and ensure data subject privacy. These measures include:

  • Implementing the necessary security and technical measures to limit the risk of a data breach.
  • Complying with cybersecurity standards and best practices, as

25.  Notification of Personal Data Breach:

  1. The Company must notify the competent authority within 72 hours of discovering a data breach that may harm data subjects or their rights. The notification must include:
    • Breach description, date, and
    • Data categories, affected subjects, and data
    • Breach risks, mitigation measures, and future
    • Whether the data subject has been notified.
    • Contact information for the Company or its data protection officer.
  2. If the Company cannot provide all information within 72 hours, it must do so as soon as possible and explain the delay.
  3. The Company must keep a copy of the notification and document corrective
  4. The Company must notify the data subject without delay if the breach may harm them or their rights. The notification must include:
    • A description of the breach.
    • Potential risks and the mitigation measures taken.
    • Contact information.
    • Recommendations for the data subject.

26.  Impact Assessment:

  1. The Company must conduct an impact assessment for:
    • Processing sensitive data.
    • Combining data from different sources.
    • Processing data of individuals lacking legal capacity, continuously monitoring subjects, using new technologies, or making automated decisions.
    • Offering products or services that may seriously harm data subjects.
  2. The impact assessment must include:
    • The processing purpose and legal basis.
    • The nature, types, and sources of the data.
    • The processing scope and geographical extent.
    • Context of processing, including relationships and
    • The necessity and proportionality of the processing.
    • The potential impact on data subjects, including its severity and likelihood.
    • Measures to prevent or limit the risks.
    • The suitability of those measures for avoiding harm.
  3. The Company must provide a copy of the assessment to any processor involved in the processing.
  4. If the assessment indicates potential harm to privacy, the Company must address the reasons and conduct a new assessment.

27.  Processing Health Data

The Company must implement measures to protect health data from unauthorized use, misuse, and breaches. These measures include:

  • Adhering to regulations from the Ministry of Health, Saudi Health Council, Saudi Central Bank, Council of Health Insurance, and related entities.
  • Incorporating legal requirements into internal policies.
  • Distributing tasks to prevent overlapping responsibilities and ensure appropriate data access levels.
  • Documenting all stages of health data processing and assigning responsibility for each.
  • Including health data protection provisions in processor agreements.
  • Limiting health data processing to what is necessary for healthcare services or

28.  Data Protection Officer:

  1. The Company must appoint a data protection officer in the following cases:
    • Public entity providing large-scale personal data
    • Large-scale continuous monitoring of data subjects.
    • Processing sensitive personal data.
  2. The officer is responsible for:
    • Monitoring compliance with the Law and the Regulation.
    • Overseeing Company procedures and handling data subject requests.
    • Acting as the contact point for the competent authority.
    • Supervising impact assessments, audits, and
    • Assisting data subjects in exercising their rights.
    • Notifying the competent authority of data breaches.
    • Responding to data subject requests and
    • Monitoring and updating data processing
    • Handling Company violations and taking corrective actions.

29.  Records of Personal Data Processing Activities

  1. The Company must retain records for the processing period plus five years.
  2. Records must be written.
  3. Records must be accurate and up-to-date.
  4. The Company must provide access to records upon request from the competent authority.
  5. Records must include:
    • Company’s name and contact information.
    • Data protection officer information.
    • Processing purposes.
    • Data categories and subject categories.
    • Retention periods.
    • Recipient categories.
    • Cross-border transfer descriptions.
    • Security measures.
  6. The competent authority will provide record templates.