KSA Privacy Law
The privacy policy and procedures are governed by the Personal Data Protection Law (Royal Decree No. (M/19) dated 1443/2/9 AH), the Main Principles of Personal Information Protection, and the Main Principles and General Rules for Sharing Data issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Data Management Office (NDMO).
The fundamental principles of our data protection policy include:
- Accountability by the head of the entity (or his designee) for the Data Controller’s privacy policies and procedures.
- Transparency through Privacy Notice indicating the purposes for which personal data is collected.
- Choice and Consent obtained through implicit or explicit approval regarding the collection, use and disclosure of personal data before collection.
- Limiting Data Collection to minimum data that enables fulfilment of purposes.
- Use, Retention and Destruction strictly for the purpose, retained as long as necessary to achieve intended purposes or as required by laws and regulations and destroyed safely, preventing leakage, loss, theft, misuse or unauthorized access.
- Access to data by which any Data Subject can review, update and correct their personal data.
- Data Disclosure Limitation approved by Data Subject restricts third parties to the purposes provided in Privacy Notice.
- Data security by protecting personal data from leakage, damage, loss, theft, misuse, modification, or unauthorized access, according to the controls issued by the National Cybersecurity Authority and other relevant authorities.
- Data quality after verification of its accuracy, completeness and timeliness.
- Monitoring and Compliance with Data Controller’s privacy policies and procedures, and any privacy-related inquiries, complaints, and disputes.
EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is a first step toward giving EU citizens and residents more control over how their data are used by organizations. If your company handles the personal information of people in the EU, then you must comply with the GDPR, no matter where you are in the world. The fines for violating people’s new privacy rights can be up to 4 percent of your global revenue or €20 million, whichever is higher.
A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.
According to the GDPR, organizations must provide people with a privacy notice that is: (1) In a concise, transparent, intelligible, and easily accessible form. (2) Written in clear and plain language, particularly for any information addressed specifically to a child. (3) Delivered in a timely manner. (4) Provided free of charge.
The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party. If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
- The identity and contact details of the organization, its representative, and its Data Protection Officer.
- The purpose for the organization to process an individual’s personal data and its legal basis.
- The legitimate interests of the organization (or third party, where applicable).
- Any recipient or categories of recipients of an individual’s data.
- The details regarding any transfer of personal data to a third country and the safeguards taken.
- The retention period or criteria used to determine the retention period of the data.
- The existence of each data subject’s rights.
- The right to withdraw consent at any time (where relevant).
- The right to lodge a complaint with a supervisory authority.
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.
Privacy notices should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are purposefully vague. The writing should be in the active voice, and sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.
Firm Privacy Law
The LAW FIRM OF GAROUB and Affiliates (each and collectively, “Firm”, “we,” “us,” or “our”) is committed to safeguarding the privacy of visitors to our website, contacts for our clients and prospective clients, contacts for suppliers of goods and services to the Firm, candidates for employment or engagement, and any other individuals about whom the Firm obtains personal information (each, “you”).
This privacy notice (this “Notice”) describes the ways in which we collect, use and share the personal information you provide to us, or that we otherwise collect or receive in the course of operating our business and our website www.garoub.com. It also sets out how we store and protect such information, and describes certain rights you may have with respect to the personal information that we hold about you. By continuing to use this website you agree to the terms of this Notice.
Topics:
- What data do we collect?
- How do we collect your data?
- How do we use your data?
- How do we share your data?
- How do we store your data?
- How do we protect your data?
- What are your data protection rights?
- Changes to our privacy policy
- How to contact us
What data do we collect?
Our Firm can collect your personal information. “Personal Information” means information that (either in isolation or in combination with other information held by the Firm) enables you to be identified or recognized, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household.
How do we collect your data?
You directly provide the Firm with most of the data we collect. Personal Information that the Firm collects can include:
- Information that you provide to us: We will process Personal Information that you give to us, including under the following circumstances:
- Signing up for services on our website or otherwise contacting us, including through email. When you sign up for newsletters, webinars, events, or when you contact us with queries or respond to our communications, the Personal Information you provide can include your full name, title, telephone number, email address, the content, date and time of your email or other correspondence, and information about your employer or your business.
- Our provision of legal services. If you are a client of our Firm, you will provide us with Personal Information when you or the organization you represent becomes a client, and as necessary in the course of our providing legal services. If you are not a client, you may provide us with your Personal Information because you attend meetings at our offices or otherwise are involved in one of our clients’ matters.
- Recruitment applications and employment. When you apply for or accept a role with us, you may provide us with your full name, date of birth, nationality, education and qualification details, gender, resume, CV, photograph, passport details, bank account details, marital status, home address, home telephone number, mobile telephone number, and other details set out in your application.
- Information we otherwise collect or generate about you: We will collect information about you when you use our services or when we otherwise interact or correspond with you. We use various technologies to collect and store information when you visit our website. We may, for example, collect information about the type of device you use to access our website, your IP address and your geographic location, the operating system and version of your device, your browser type, the content you view and features you access on our website, and the search terms you enter on our website.
- Use of cookies. A cookie is a small file of letters and numbers that is sent by our web server to your computer or mobile device when you access our website. Our website uses persistent cookies, which enables our web server to recognize your device and browsing preferences each time you visit our website. We use cookies only to assist visitors in accessing our website and to collect information that will help us improve the quality of our visitors’ browsing experience. We use the information that we collect through our use of cookies only for our own analysis of how visitors use our website. Cookies can be disabled by changing the settings on your browser, though some parts of the website may not function properly if you choose to do so. By continuing to use this website without changing your browser settings, you agree to our use of cookies as described above. For more information on cookies visit www.allaboutcookies.org.
- Information we obtain from third parties: We may request or otherwise receive your personal information from third parties in certain circumstances including:
- If you apply for a position with us, we may collect Personal Information relating to your employment history, qualifications and education, opinions from third parties about you, and other details, which will be provided to us by a third party that provides background screening services to us.
- In the context of our client acceptance procedures, our provision of legal services, or otherwise in the course of our business, we may receive your Personal Information from third parties such as your employer, our service providers and business partners, other parties relevant to the services we are providing (e.g., counterparties in transactions), regulators and authorities, and others. That information could include your name, contact details, employment details and other information relevant to the legal services that we are providing.
- If you have a relationship with any of our clients or any members of our staff, they may provide us with your Personal Information, including your name, contract details, marital status and other details.
How do we use your data?
We may use your Personal Information for the following purposes:
- To provide legal services to our clients;
- To manage our business vendors;
- To engage in marketing and business development activities in relation to the services we provide, including sending you newsletters, legal updates, marketing communications and other information that may be of interest to you (you may choose at any time not to receive marketing materials from us by emailing us at info@garoub.com);
- To review and process your job application when you have applied for a position with us;
- To comply with our legal and regulatory obligations, or to establish, exercise or defend our legal rights;
- To manage and analyze usage and performance of our website or our other online services;
- To improve the services we offer;
- To respond to any requests, or investigate any complaints you may have, or to notify you about any changes to our services or our website; and
- To prevent and respond to actual or potential fraud or illegal activities.
We rely on one or more of the following legal grounds for using your Personal Information in these ways:
- We have your consent;
- We need to in order to take steps to enter into a contract with you or to perform our obligations under a contract with you, including a contract to provide legal services;
- We need to in order to comply with our legal and regulatory obligations, or to establish, exercise or defend our legal rights; or
- It is required for our legitimate business interests.
How do we share your data?
We share your Personal Information among our offices as well as any offices that we open in the future. Additionally, your Personal Information can be shared with third parties including:
- Third party agents or contractors that are subject to confidentiality requirements, in connection with the processing of your Personal Information for the purposes described in this Notice;
- Third parties relevant to the legal services that we provide, including counterparties to transactions or litigation, other professional service providers, regulators, authorities, governmental institutions and stock exchanges; and
- Regulatory authorities, courts, tribunals, government agencies or law enforcement agencies to the extent required by law, regulation or court order (for example, if we are under a duty to disclose your Personal Information in order to comply with any legal obligation, or where we need to establish, exercise or defend our legal rights).
The information sharing described above can involve a transfer of your Personal Information from a location within the European Economic Area (the “EEA”) to outside the EEA, or from outside the EEA to a location within the EEA.
Where we transfer your Personal Information outside the EEA, we will ensure that it is protected in a manner that is consistent with how we protect your personal data in the EEA:
- The country that we send the data to might be approved by the European Commission;
- The recipient might have signed up to a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your Personal Information; or
- Where the recipient is located in the U.S., it might be a certified member of the EU-US Privacy Shield scheme.
How long do we store your data?
How long we retain your Personal Information will vary depending on a number of factors, including:
- The purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose;
- Legal obligations – laws or regulations may set a minimum period for which we have to keep your Personal Information.
How do we protect your data?
We have put in place various technical and organizational measures intended to protect your Personal Information from unauthorized access, use, disclosure, alteration or destruction consistent with applicable data protection laws of the European Union (EU) and the Kingdom of Saudi Arabia (KSA). Independent auditors, who confirm and certify our operations, review these measures periodically.
If you are a client of the Firm, electronic communications between you and us, including via our website, may be treated as legally privileged, as attorney work product or otherwise confidentially under applicable rules of legal ethics and professional responsibility. Nothing in this notice is intended to affect such protections for existing clients. If you are not a client of the Firm, your communications with us are not eligible for such protections except for certain limited special circumstances.
What are your data protection rights?
Our Firm would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
- The right to access: You have the right to request copies of your personal data from our Firm.
- The right to rectification: You have the right to request that we correct any information you believe is inaccurate. You have the right to request that we complete information you believe is incomplete.
- The right to erasure: You have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing: You have the right to object to the Firm’s processing of your personal data, under certain conditions.
- The right to data portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request based on the abovementioned rights you have, our Firm will have one month to respond to you. We may charge a small fee for your requested service to cover costs associated with your request. If you would like to exercise any of these rights, please contact us at our email: info@garoub.com
Changes to our privacy policy:
Our Firm keeps its privacy policy under regular review and places any updates on this web page.
How to contact us:
If you have any questions about our privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.
Email us: info@garoub.com
Call us: +966 12 6513363
Write us: Alireza Tower, 3rd Floor, Madina Road, P.O. Box 34267 Jeddah, Kingdom of Saudi Arabia 21468