Data Protection Policy – KSA Consultants

ACE Gallagher Arabia Insurance Consultants

Contents
1. Introduction
2. Definitions
3. Objective
4. Purpose
5. General Provisions of Data Subject Rights
6. Right to be Informed
7. Right to Access Personal Data
8. Right to Request Personal Data
9. Right to Request Correction of Personal Data
10. Right to Request Destruction of Personal Data
11. Anonymization
12. Means of Communication
13. Consent
14. Consent Withdrawal
15. Legal Guardian
16. Processing in the Data Subject’s Actual Interest
17. Data Collection from Third Parties
18. Processing for Legitimate Interest
19. Choosing a Processor
20. Further Processing of Personal Data
21. Data Minimization
22. Disclosure of Personal Data
23. Controls for Processing Personal Data for Public Interest
24. Correction of Personal Data
25. Information Security
26. Notification of Personal Data Breach
27. Impact Assessment
28. Processing Health Data
29. Data Protection Officer
30. Records of Personal Data Processing Activities

1.Introduction
a.ACE Gallagher Arabia Insurance Consultants (“ACE ” or “the Company”) is committed to protecting the privacy of individuals whose personal data we process. This Personal Data Protection Policy (“Policy”) outlines our practices regarding the collection, use, disclosure, and protection of personal data in accordance with the Personal Data Protection Law of Saudi Arabia (“PDPL” or “the Law”).
b.ACE recognizes the importance of personal data privacy and is dedicated to handling personal data responsibly and in compliance with all applicable laws and regulations. This Policy sets forth our principles and practices for protecting the personal data of our clients, employees, business partners, and other individuals whose information we process. The policy must be reviewed and approved annually.
2.Definitions
a.The Regulation: The Implementing Regulation of Personal Data Protection Law
b.Personal Data: Any data, regardless of its source or form, that may lead to identifying anindividual specifically, or that may directly or indirectly make it possible to identify anindividual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
c.Processing: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
d.Collection: The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.
e.Data Subject: The individual to whom the Personal Data relate.
f.Controller: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
g.Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.
3.Objective
a.The primary objective of this policy is to comply with the PDPL and ensure that the Company’s practices align with the requirements of the PDPL and any applicable regulations. Also, to implement measures to safeguard the privacy and security of personal data entrusted to ACE and to provide transparency to individuals about how their personal data is collected, used, and protected.
b.These objectives collectively aim to ensure that ACE processes personal data in a manner that is lawful, ethical, and respectful of individual privacy rights.
4.Purpose
a.The purpose of this policy is to provide a clear and comprehensive framework for ACE to handle personal data in accordance with the PDPL and best practices.
5.General Provisions of Data Subject Rights
a.The Company shall, upon receiving a request from the Data Subject regarding their rights as stipulated in the Law, do the following:
-Must respond to data subject requests within 30 days. This period can be extended by30 days with prior notification.
-Must take measures to ensure prompt responses and verify the identity of the requester.
-May refuse repetitive or unfounded requests.
-Legal guardians may exercise rights on behalf of those lacking legal capacity.
6.Right to be Informed
a.When collecting personal data directly from the data subject, the Company must inform the data subject of:
-Company’s identity and contact information.
-Data protection officer’s contact information.
-Purpose of data collection and processing.
-Data retention period or criteria.
-Data subject’s rights and how to exercise them.
-How to withdraw consent.
-Whether data collection is mandatory or optional.
b.The above requirements do not apply if the information is already known to the subject orconflicts with existing laws.
c.If data is collected from a third party, the Company must inform the data subject within30 days, providing the information from paragraph 1 and details about the data categories and source.
d.The 30-day notification does not apply if:
-The subject already knows the information.
-Notification is impractical or requires excessive effort.
-The Company obtained the data legally.
-The Company is a public entity collecting data for security, judicial, or public interest purposes.
-The data is subject to professional confidentiality laws.
e.Processing data on individuals lacking legal capacity, continuously monitoring subjects, using new technologies, or making automated decisions, additional information must be provided, including:
-Methods of collecting and processing sensitive data.
-Data protection measures.
-Whether automated decisions will be made.
f.If the data being processed for a purpose different from the original one, the data subject should be informed before proceeding.
7.Right to Access Personal Data
a.Data subjects have the right to access their personal data held by the Company, except as limited by Articles 9 and 16 of the Regulation. Access should not infringe on the rights of others, such as intellectual property or trade secrets. The Company may provide direct access to the data subject’s personal data.
b.When granting access, the Company shall ensure that personal data of other individuals is not disclosed.
8.Right to Request Personal Data
a.Data subjects may request a copy of their personal data in a readable format, except as limited by Article 16 of the Regulation. Access should not infringe on the rights of others.
b.The Company shall provide personal data in a commonly used electronic format. The subject may request a printed copy if feasible.
c.When granting access, the Company shall ensure that personal data of other individuals is not disclosed.
9.Right to Request Correction of Personal Data
a.Data subjects may request a restriction on processing their personal data if they dispute its accuracy. This restriction remains in place until the Company verifies the data’s accuracy, unless doing so violates the law.
b.The Company may request supporting documents to verify the data’s accuracy. These documents must be destroyed after verification.
c.If the data gets corrected, all parties who previously received it should be notified.
10.Right to Request Destruction of Personal Data
a.The Company shall destroy personal data when:
-The data subject requests it.
-The data is no longer needed for its original purpose.
-The data subject withdraws consent, which was the only legal basis for processing.
-The Company discovers the data is being processed illegally.
b.When destroying data, the Company shall:
-Notify other parties who received the data and request its destruction.
-Notify individuals who were disclosed the data and request its destruction.
-Destroy all copies of the data, including backups, in compliance with regulations.
c.This does not override the requirements of Article 18 of the Law or those set by competent authorities.
11.Anonymization
a.When anonymizing personal data, the Company shall ensure that the data subject cannot be re-identified.
b.The Company shall evaluate the potential for re-identification under the circumstances specified in Article 25(1) of the Regulation.
c.The Company must implement organizational, administrative, and technical measures to prevent re-identification, considering technological advancements and anonymization methods.
d.The Company must assess the effectiveness of anonymization techniques and adjust to ensure irreversibility.
12.Means of Communication
a.The Company provides multiple options for data subjects to submit requests related to their rights. These options include:
-Email: DPO@ace-gallagherconsultants.com
-Phone: (+966) ) 9200-51000
-National address: 8200 Salah Ad Din Al Ayyubi – King Abdulaziz
Unit no.2 – Riyadh 12233-4313, Kingdom of Saudi Arabia
13.Consent
a.The Company will obtain the data subject’s explicit consent for processing their data in any appropriate form. Consent must be freely given, clear, and specific. The Company must document the consent process.
b.Explicit consent is required for processing sensitive data.
14.Consent Withdrawal
a.Data subjects can withdraw their consent for data processing at any time by notifying the Company.
b.The Company has established procedures for withdrawing consent that are similar to or easier than obtaining it.
c.Upon withdrawal, the Company must stop processing the data without delay. However, processing that occurred before withdrawal remains lawful.
d.The Company must notify parties who received the data and request its destruction.
e.Withdrawing consent does not affect processing based on other legal grounds.
15.Legal Guardian
a.The legal guardian of a data subject lacking legal capacity may exercise the subject’s rights and consent to data processing, acting in the subject’s best interests.
b.When processing data of a data subject lacking legal capacity, the Company must verify the legal guardian’s authority.
c.When obtaining consent from a legal guardian, the Company must:
-Avoid harming the data subject’s interests.
-Ensure the subject can exercise their rights when they reach legal capacity.
16.Processing in the Data Subject’s Actual Interest:
a.When processing data to serve the data subject’s actual interest, the Company must retain evidence demonstrating:
-The existence of that interest.
-The difficulty of contacting or communicating with the data subject.
17.Data Collection from Third Parties:
a.When processing data collected from third parties, the Company must ensure:
-The processing is necessary and proportionate.
-The processing does not harm the data subject’s rights or interests.
b.When processing data from publicly available sources, the Company must ensure the collection is lawful.
18.Processing for Legitimate Interest
a.processing for legitimate interest requires:
-Compliance with Kingdom laws.
-Balancing the Company’s interests with the data subject’s rights.
-Avoiding processing sensitive data.
-Aligning with the data subject’s reasonable expectations.
b.Examples of legitimate interests include fraud detection, network security, and other lawful interests.
c.Before processing for legitimate interest, the Company must assess:
-Proposed processing and its purpose.
-Legality and compliance with Kingdom laws.
-Necessity of processing for the legitimate purpose.
-Potential harm to data subjects or their rights.
-Measures to mitigate risks.
d.If the assessment reveals potential violations or harms, the Company must modify the processing and conduct a new assessment or consider an alternative legal basis.
19.Choosing a Processor
a.The Company must ensure the processor provides sufficient data protection guarantees and that their agreement includes:
-Processing purpose.
-Data categories.
-Processing duration.
-Breach notification commitment.
-Compliance with foreign regulations.
-Disclosure notifications.
-Identification of subcontractors.
b.The Company must provide clear instructions to the processor. The processor must notify the Company of any violations.
c.The Company is responsible for assessing and monitoring the processor’s compliance. The Company may appoint a third party for this purpose.
d.If a processor violates instructions or the law, they become a controller and are directly liable.
e.Before contracting with sub-processors, the processor must:
-Ensure adequate data protection.
-Select compliant sub-processors.
-Obtain prior controller approval.
20.Further Processing of Personal Data
a.When processing data for a purpose other than the original one, the Company must:
-Clearly define the new purpose.
-Document procedures to limit data processing to what is necessary for the new purpose, using data maps.
-Minimize data collection and processing to achieve the new purpose.
b.For processing data for a new purpose (except as specified in Article 10(3) of the Regulation), the Company must:
-Clearly define the new purpose and document it.
-Minimize data collection and processing.
-Identify the type of data to be processed and ensure appropriate handling.
21.Data Minimization
a.The Company must collect only the minimum amount of personal data needed to achieve the processing purpose. This includes:
-Collecting only necessary data directly related to the purpose.
-Using data maps to link data to processing objectives.
-Minimizing unnecessary data collection.
b.The Company must retain only the minimum amount of personal data necessary to achieve the processing purpose.
22.Disclosure of Personal Data
a.Disclosure of publicly available data must comply with the law.
b.When disclosing personal data (except as specified in Article 15(3-4) of the Regulation),the Company must:
-Ensure the disclosure is for a specific purpose.
-Protect the privacy of the data subject and others.
-Minimize the amount of disclosed data.
c.When disclosing data to public authorities for security, legal, or public health purposes, the Company must:
-Document the disclosure request.
-Identify the necessary data.
d.When disclosing data related to another person, the Company must:
-Balance the rights of the data subject and the third party.
-Consider data encryption if possible.
-When disclosing data for a legitimate interest, the Company must comply with Article 16 of the Regulation.
-The Company must document disclosure operations, including dates, methods, and purposes.
23.Correction of Personal Data
a.Corrections include correcting incorrect data, completing incomplete data, and updating outdated data.
b.When correcting data, the Company must:
-Verify data accuracy using supporting documents.
-Notify parties who received the data.
-Notify the data subject when the correction is complete.
-Document all updates.
c.If inaccurate or incomplete data may harm the data subject, the Company must suspendprocessing until the data is corrected.
d.The Company must promptly correct, complete, or update inaccurate, outdated, or incomplete data.
e.The Company must:
-Develop and update internal policies for data correction.
-Periodically review data accuracy and timeliness.
24.Information Security
a.The Company must implement organizational, administrative, and technical measures to protect personal data and ensure data subject privacy. These measures include:
-Implementing necessary security and technical measures to limit data breach risks.
-Complying with cybersecurity standards and best practices, as applicable.
25.Notification of Personal Data Breach:
a.The Company must notify the competent authority within 72 hours of discovering a data breach that may harm data subjects or their rights. The notification must include:
-Breach description, date, and circumstances.
-Data categories, affected subjects, and data types.
-Breach risks, mitigation measures, and future prevention.
-Whether the data subject has been notified.
-Contact information for the Company or data protection officer.
b.If the Company cannot provide all information within 72 hours, it must do so as soon as possible and explain the delay.
c.The Company must keep a copy of the notification and document corrective measures.
d.The Company must notify the data subject without delay if the breach may harm them or their rights. The notification must include:
-Breach description.
-Potential risks and mitigation measures.
-Contact information.
-Recommendations for the data subject.
26.Impact Assessment:
a.The Company must conduct an impact assessment for:
-Processing sensitive data.
-Combining data from different sources.
-Processing data of individuals lacking legal capacity, continuously monitoring subjects, using new technologies, or making automated decisions.
-Offering products or services that may seriously harm privacy.
b.The impact assessment must include:
-Processing purpose and legal basis.
-Nature, types, and sources of data.
-Processing scope and geographical scope.
-Context of processing, including relationships and circumstances.
-Necessity and proportionality of measures.
-Potential impact on data subjects, including severity and likelihood.
-Measures to prevent or limit risks.
-Suitability of measures to avoid risks.
c.The Company must provide a copy of the assessment to any processor involved in the processing.
d.If the assessment indicates potential harm to privacy, the Company must address the reasons and conduct a new assessment.
27.Processing Health Data
a.The Company must implement measures to protect health data from unauthorized use, misuse, and breaches. These measures include:
-Adhering to regulations from the Ministry of Health, Saudi Health Council, Saudi Central Bank, Council of Health Insurance, and related entities.
-Incorporating legal requirements into internal policies.
-Distributing tasks to prevent overlapping responsibilities and ensure appropriate data access levels.
-Documenting all stages of health data processing and assigning responsibility.
-Including health data protection provisions in processor agreements.
-Limiting health data processing to what is necessary for healthcare services or insurance.
28.Data Protection Officer:
a.The Company must appoint a data protection officer in the following cases:
-Public entity providing large-scale personal data services.
-Large-scale continuous monitoring of individuals.
-Processing sensitive personal data.
b.The officer is responsible for:
-Monitoring law and regulation implementation.
-Overseeing Company procedures and handling data subject requests.
-Acting as the contact point for the competent authority.
-Supervising impact assessments, audits, and evaluations.
-Assisting data subjects in exercising their rights.
-Notifying the authority of data breaches.
-Responding to data subject requests and complaints.
-Monitoring and updating data processing records.
-Handling Company violations and taking corrective actions.
29.Records of Personal Data Processing Activities
a.The Company must retain records for the processing period plus five years.
b.Records must be written.
c.Records must be accurate and up-to-date.
d.The Company must provide access to records upon request from the competent authority.
e.Records must include:
-Company’s name and contact information.
-Data protection officer information.
-Processing purposes.
-Data categories and subject categories.
-Retention periods.
-Recipient categories.
-Cross-border transfer descriptions.
-Security measures.
f.The competent authority will provide record templates.