This privacy policy (the "Privacy Policy") tells you how EFG Hermes KSA (the
"Company," "we," "our," or "us") process personal data we collect about you in
accordance with the Saudi Personal Data Protection Law (PDPL) and its
implementing regulations (collectively, the "PDPL"). The PDPL establishes
protections for your personal data and grants you certain rights. This Privacy
Policy applies when you use our websites, and interact with us (collectively,
the "Services"). The policy also describes the manner by which we use cookies
and employ similar tracking technologies. Additionally, this Privacy Policy
sets out your personal data protection rights, including your right to object
to some of the data processing which we carry out.
WHO ARE WE?
The controllers of your personal
data are listed under Annex 1 of this Privacy Policy.
We are committed to protecting your
privacy and personal data, and we take our responsibility to hold your personal
data securely and in strict confidence seriously.
WHAT PERSONAL DATA DO WE
PROCESS ABOUT YOU?
We collect the following personal
data you provide during your use of the Services:
Your name, your date of birth, your
gender, data which appears on your government or state issued identificationdocuments (e.g.
passport and national ID), your phone number, your fax number, your residential
address, your postal address, your e-mail address, your demographic
information, your bank account, , information about your income, information
about your account balances, your account details (including your username and
your password) in respect of the accounts used to access our website, your IP address,
your browser or your device information, information about how you access
and/or use our Services, information collected via the employment of cookies,
pixel tags, google tags, tracking URLs, and other similar tracking
technologies, telephonic or electronic recordings, and survey responses and
similar information which reveal your views and preferences.
HOW DO WE COLLECT YOUR PERSONAL
DATA?
We and our third-party service
providers collect the above information in a variety of ways. This includes
from you directly and:
·Through your browser and/or your device: Certain
information/personal data is collected by most browsers or automatically
through devices, including, but not limited to, your Media Access Control (MAC)
address, your computer type (Windows or Mac), your screen resolution, your operating
system name and version, your device manufacturer and model, the language
selected on your browser or device, your internet browser type, the version and
the name of the services/applications you use. We also collect your IP address,
which is automatically assigned to a computer by an Internet Service Provider.
An IP address will be identified and logged automatically in our server log
files whenever you access any of our Services, along with the time of the visit
and the page(s) that were visited. We use IP addresses for the purposes of,
among other purposes, calculating usage levels, diagnosing server problems, and
for administrative purposes. We also derive approximate location from IP
addresses for the foregoing purposes, and in order to analyze the location from
which you are using our Services;
·Via e-mail: If you correspond with us
via e-mail, we retain a copy of such correspondence for internal purposes. Information
collected via e-mail is also used to provide a record of communications between
you and us, in order to comply with any applicable legal and/or regulatory
requirements;
·By way of using cookies and similar tracking technologies: Please
refer to the ?Cookies and Similar Technologies? section; and
·From third parties: Please
refer to the ?Do We Collect Personal Data About You From Third Parties??
section.
DO WE COLLECT PERSONAL DATA ABOUT YOU FROM
THIRD PARTIES?
We also collect your personal data from third parties, such as:
·Publicly accessible sources, including publicly available
online profiles and databases, for the purposes of establishing and verifying
your identity, to derive your contact details in order to supplement the
contact information we have about you, and to liaise with you in relation to
our products and services using third party cookies and similar tracking
technologies, as is set out under the ?Cookies And Similar Technologies?
section.
HOW DO WE USE YOUR PERSONAL
DATA?
We collect and use your personal
data for the following purposes:
a)to execute a contractual arrangement with
you or to take steps linked to executing a contractual arrangement with you;
b)subject to the execution of a contractual
arrangement with you, and subject to the terms and conditions of that
contractual arrangement, to establish an account for you on our Services;
c)to pursue our legitimate interests which
do not override your interests or fundamental rights and freedom, such as:
·operating and administering our Services;
·providing our products and services to you
and/or our clients and to communicate with you and/or our clients about such
products and services;
·improving and developing products and services
we provide;
·providing information to you about our and/or
our group companies? services and products and/or any additional products and
services that we think may be of interest to you and/or our clients. This
information may be provided to you in the form of a digital advertisement and
campaigns or via e-mail or via Short Message Service (SMS);
·identifying which products or services we think
you are interested in by using cookies or similar tracking technologies on our Services
which track and analyse how you use our Services;
·keeping a record of your communication with us;
·administrative, assessment, and analysis
purposes;
·verifying your identity;
·monitoring and analyzing the use of our
products, services, and Services for system administration, operation, testing
and support purposes;
·managing our information technology and ensuring
the security of our Services and systems;
·establishing, exercising, and/or defending
legal claims or rights, and/or assisting our clients or others with the
foregoing;
·investigating and responding to complaints or
incidents relating to us or our business, maintaining the Services? quality,
and training our staff to deal with complaints and disputes;
·verifying compliance with and enforcing our
terms and conditions or other contractual terms; and
·in relation to any proposed merger or
acquisition of any part of our business,
d)to comply with applicable laws prevailing
the Kingdom of Saudi Arabia or in any other jurisdiction where we (or any of
our affiliates) may operate; and
e)to serve the purposes which are set out
under the ?Cookies and Similar Technologies? section.
f)For the avoidance of doubt, we obtain your
consent, and you have the right to withdraw your consent at any time. By not
providing your consent or withdrawing your consent, certain aspects or features
of our Services may not be available to you. The withdrawal of your consent
does not affect the lawfulness of processing your personal data which was
collected based on your original consent prior to the withdrawal thereof.
In order for us to provide you with
certain services, including but not limited to the Services, securities brokerage
services, and research services, which require us to process your personal data
due to regulatory and legal requirements (for example KYC and AML), the
provision of personal data is mandatory.
If the relevant personal data is
not provided to us, then we will not be able to provide you with the full range
of our services, meaning that our services may only be offered with a limited
scope or not at all. All other provision of your personal data is optional.
COOKIES AND SIMILAR
TECHNOLOGIES
Cookies are small pieces of
information sent by a web server to a web browser which allows the server to
uniquely identify the browser on each page. Other tracking technologies,
which are similar to cookies, are also employed and used by us. Other similar
technologies can include pixel tags, google tags, and tracking URLs. All these tracking
technologies shall be collectively referred to as the "Cookies".
The types of Cookies that we use on
our Services, and the purposes for which they are used, are set out below:
·Strictly necessary Cookies: These Cookies
are essential in order to enable you to move around our Services and use their
respective features, such as accessing secure areas of our Services. Without
these Cookies, any services on our Services that you wish to access cannot be
provided (the "Strictly Necessary Cookies");
·Analytical/performance Cookies: These
Cookies collect information about how you and other visitors use our Services, including,
for instance, which pages you go to most often, and if you get error messages
from certain pages. We use data from these Cookies to help test designs and to
ensure a consistent look and feel is maintained on your visit to the Services.
All information these Cookies collect is aggregated. It is only used to improve
how the Services work. We use Google Analytics, for example, to anonymously
track Services usage and activity;
·Functionality Cookies: These Cookies
allow our Services to remember choices you make (such as your username,
language, or the region you are in) and provide enhanced, more personal
features. These Cookies can also be used to remember changes you have made to
text size, fonts, and other parts of the pages that you can customize. These
Cookies are also used to provide services you have asked for, such as watching
a video or commenting. Additionally, these Cookies can be used to allow an
optional service to function. The information these Cookies collect may be
anonymised and they cannot track your browsing activity on other websites;
·Targeting Cookies: These Cookies
are used to deliver adverts which are more relevant to you and your interests.
These Cookies are also used to limit the number of times you see an
advertisement, as well as help measure the effectiveness of the advertising
campaign. These Cookies are usually placed by advertising networks with the Service
operator?s permission; These Cookies remember that you have visited a Service and
this information is shared with other organisations such as advertisers. Quite
often, targeting or advertising Cookies will be linked to site functionality
provided by the other organization;
·Social media Cookies: These
cookies allow you to share what you?ve been doing on our Services on social
media such as Facebook, Instagram and X (previously Twitter). These Cookies are
not within our control. Please refer to the respective privacy policies for how
their cookies work; and
·Pixel tags: Also known as a clear GIF
or web beacon. These Cookies are invisible tags placed on certain pages of our
Services but not on your computer. When you access these pages, pixel tags
generate a generic notice of that visit. They usually work in conjunction with
cookies, registering when a particular device visits a particular page. They
are used to, among other things, track the actions of users of our Services
(including email recipients), measure the success of our marketing campaigns,
and compile statistics about usage of our Services and response rates. If you
turn off Cookies, the pixel tag will simply detect an anonymous visit.
If you wish to disable Cookies (save
for Strictly Necessary Cookies), you can opt to disable the same by choosing "No,
I Disagree" when given the option, via the Cookies consent management tool on
our Services or you may rely on your browser?s settings to disable all Cookies.
You can choose "Yes, I Agree" to accepting all Cookies. You can also accept or
decline certain Cookie categories (save for Strictly Necessary Cookies) via the
Cookies consent management tool on our Services. Where you delete or disable
Cookies, certain features of our Services may not be able to function.
We are committed to protecting personal data
from loss, misuse, disclosure, alteration, unavailability, unauthorized access,
and destruction and takes all reasonable precautions to safeguard the
confidentiality of personal information, including through use of appropriate
security measures. These measures include the following:
·Preventative Measures: We
use these measures to proactively prevent threats from reaching your personal
data. This includes using advanced security software, firewalls, data
encryption, and regular security assessments;
·Detective Measures: We
use these measures to focus on identifying and responding to security incidents
if they occur. This includes continuous system monitoring, brand protection
measures, and incident response plans; and
·Physical Security Measures: We
use these measures to protect the physical infrastructure that houses your personal
data. This includes restricted access, environmental controls, and security
cameras.
We regularly review and update
our security measures to ensure that they are effective in protecting your personal
data. If we know or have reason to believe that your personal data has been
compromised, we will immediately notify you and take steps to mitigate the
impact of the breach.
However, while
providing your personal data to us, your personal data may be transferred over
the internet. Although we make every effort to protect the personal data which
you provide to us, we cannot guarantee the security of your personal data
transmitted to us over the internet.
FOR HOW LONG DO WE KEEP YOUR
PERSONAL DATA?
We keep
your personal data for no longer than necessary for the purposes for which the
personal data is used or otherwise processed. The length of time we retain
personal data depends on the purposes for which we collect and use it and / or
as required to comply with applicable laws. In all cases we will only retain
data as required to support legitimate business purposes.
Where we process data for: (i)
registration purposes, (ii) support purposes, or (iii) in order to customize
your experience on our Services, we keep this personal data for the duration of
the period where you are a user and for an additional Ten-year period from when
you cease to be a user, in compliance with regulatory rules and regulations,
unless a longer retention period is required by applicable laws.
Where we process personal data for
marketing purposes we will do so unless we receive a request from you to cease
such action. We will hold a record of such personal data for Ten years from
when you request us to cease such action.
Where we process personal data for the
security of the Services, we hold this personal data for a maximum period of
ten years.
WHO DO WE SHARE YOUR
PERSONAL DATA WITH?
Where we send direct marketing
materials to you, we send your personal data to third parties with whom we have
contracted to provide these materials to you on our behalf and in our name.
These third parties may be located inside or outside of Saudi Arabia.
We also share your personal data
with:
·service providers, who provide a service to us
or you, including those listed here; and
·the Service Providers? service providers,
delegates, and agents; and
·the Parent company ("EFG Holding")-located
in Egypt-, to enable you to receive the services provided by EFG Holding which
may cover different financial services;
a)To enable you to access the services provided by our sister
companies, which cover different financial services or are in different
jurisdictions than we cover
b)to allows us to improve the services that we provide across EFG Group;
and
c)to allow us to produce analytical reports reflecting the services
provided throughout the Group.
We also disclose your personal data
to:
·regulators, exchanges, auditors, courts, the
police, or other law enforcement agencies where we are legally obliged to do
so;
·to other persons where disclosure is required
by law or to enable products and services to be provided to you or our clients;
and
·our professional service
providers (e.g., legal advisors, accountants, auditors, insurers, and tax
advisors) where relevant. If it becomes relevant, we will share your
personal data with a potential buyer and their advisers in connection with any
proposed merger or acquisition of any part of our business.
For the avoidance of doubt, please
note that Service Providers do not use/disclose your personal data for marketing
purposes or for any other purposes. Personal data received by Service Providers
are used for the purposes of performing their designated functions.
WHERE IS YOUR PERSONAL DATA TRANSFERRED?
When we share your personal data with the parties listed above, it may involves
transferring your personal data outside of kingdom of Saudi Arabia to countries
where the level of protection of personal data has not been deemed adequate by Saudi
Arabia.
The locations of our third-party
service providers can be found here.
Where information is transferred
outside Saudi Arabia to a country that is not subject to an adequacy decision
by Saudi Arabia, personal data is adequately protected by NCA ECC, NCA DCC,
SAMA CSF & Regulation on Personal Data Transfer outside the geographical
boundaries of the Kingdom.
WHAT ARE YOUR RIGHTS IN
RELATION TO THE PERSONAL DATA WE PROCESS ABOUT YOU?
You
have the following rights in relation to your personal data:
·Right of access: You have
the right to access your personal data and to be informed of how it is being
processed;
·Right to rectification: You have
the right to have your personal data rectified if it is inaccurate or
incomplete;
·Right to erasure: You have
the right to have your personal data erased in certain circumstances, such as
if it is no longer necessary for the purpose for which it was collected or if
you withdraw your consent to processing;
·Right to restriction of processing: You have
the right to restrict the processing of your personal data in certain
circumstances, such as if you contest the accuracy of the personal data or if
you object to processing;
·Right to object to processing: You have
the right to object to the processing of your personal data for certain
purposes, such as direct marketing; and
·Right to data portability: You have
the right to receive your personal data in a structured, commonly used, and
machine-readable format, and to have it transmitted to another controller.
We are entitled to decline your
request to exercise your data subject rights if it is not permitted by applicable
laws, or if it is unreasonably repetitive, or if it would violate the rights
of others.
These rights may be limited, for
example if fulfilling your request would reveal personal data about another
person, where they would infringe the rights of a third party (including our
rights) or if you ask us to delete information which we are required by applicable
laws to keep or have compelling legitimate interests in keeping. KSA PDPL outlines
these limitations in detail. We will inform you of relevant exemptions we rely
upon when responding to any request you make.
Your request will be answered promptly and within 30 business days unless we
are legally entitled to an extension of time. If we are unable to grant your
request, we will provide you with an explanation.
If you have any concerns about how we handle your personal data,
we encourage you to contact us at dataprotection@efghldg.com. We're
committed to resolving your concerns. However, you also have the right to lodge
a complaint with your local data protection authority if you believe we haven't
addressed your concerns adequately.
AMENDMENTS TO THIS PRIVACY POLICY
This Privacy Policy was last
updated in [●] 2024 . We reserve the right to revise this Privacy Policy at
any time by posting a revised version and, if we consider it necessary, we will
notify you of changes.
HOW
CAN YOU CONTACT US?
If you have any questions about this Privacy Policy or would like to make any
requests as described in this Privacy Policy, please contact us using the
details in Annex 1 to this Privacy Policy.
Annex 1
Personal
Data Controllers
#
Data Controller
Address
Jurisdiction
DPO/Contact Details
EFG Hermes KSA
PO Box 300189 Third Floor, Sky Towers
Northern Tower , Riyadh Kingdom of Saudi Arabia
