In addition to this privacy notice, we also have an established framework of policies, procedures, contracts and training addressing data protection, confidentiality and security and we regularly review the appropriateness of the measures we have in place to keep the personal information we hold secure.
By using our services and this website, you agree to us collecting, using, disclosing and storing your personal information in accordance with this privacy notice.
This privacy notice is separate from and not intended to override the terms of any contract we have with you or your rights under applicable data protection laws.
We recognise that we have an ongoing responsibility of transparency with data subjects so we keep this privacy notice under regular review. We therefore encourage you to check it regularly as it is your responsibility to ensure you monitor any updates or changes to ensure you are aware of them and accept them . We will include a notification on our website's home page if we make any significant changes to this privacy notice.
Last updated: 17 September 2024
1. What Personal Information We Collect
Personal information is information that directly or indirectly identifies you.The types of personal information that we collect will vary depending on your relationship with us. The most common types of personal information that we may collect about you are:
(a) contact information, such as your name, date of birth, address, telephone number, and email address;
(b) business contact information, including your job title and employer;
(c) other personal identifiers, such as your Saudi National Identity ID Number;
(d) financial information, such as your bank account, credit card information, and other financial details you use to transact with us;
(e) recruitment information, such as your CV and employment history; and
(f) any other information relating to you which you may provide to us.
2. How We Collect Personal Information
We may collect personal information directly from you or your authorised representative. For example, we may collect your personal information via telephone, email, or from the information you submit to us directly via our website or in person, to enable us to provide our services to you.We may also collect personal information about you from third parties, such as from our partners or via publically available sources.
We may also collect information about your online activities automatically when you use our website and our services, usually from the use of cookies.
3. The Purpose for Which We Collect and Use Personal Information
In accordance with the PDPL, we collect and use your personal information for specific purposes, including:(a) providing legal services to you, including initial client intake activities;
(b) complying with legal and regulatory requirements applicable to law firms and legal consultancy in the Kingdom;
(c) verifying your identity and adhering to 'Know Your Customer' requirements;
(d) managing our business operations and business relationships, whether in connection with the provision of legal services, the procurement of goods and services, or in the course of employment;
(e) complying with our legal obligations, such as anti-money laundering and fraud prevention measures, tax reporting, and regulatory oversight;
(f) communicating with you in respect of legal developments and the promotion of our legal practice; and
(g) other purposes related to and/or ancillary to any of the above.
As a general rule, your personal information will be used only for the purpose that you have consented to and we would never ask for information that we do not need. However, in some situations it may be necessary for us to use your personal information without your consent, where we have a lawful basis to do so. This includes situations where:
(a) it is necessary to prevent harm to you, or to protect your vital interests;
(b) it is necessary to protect public health, public safety, or to protect the life or health of certain individuals;
(c) the personal information is anonymized in such a way that it is not possible to identify you; (d) it is necessary for the purposes of pursuing our legitimate interests, provided that such use does not prejudice to your rights or interests; or(e) we are required to disclose your personal information by operation of law or regulation.
4. How We Store Personal Information
Safeguarding the privacy of your personal information is a key priority for us.
Your personal information may be held and stored on paper, by electronic means or both. We make sure that personal data is only made available to those who have a need to see it. One of the methods we follow to achieve this goal is by implementing appropriate organisational, administrative and technical measures, including, but not limited to the following:
- Controlling access to systems and networks;
- Providing employees with appropriate data protection training;
- Implementing appropriate data security controls such as encryption;
- Deleting and disposing personal data when it is no longer needed in accordance with applicable laws and regulations (including in compliance with the PDPL); and
- Implementing a secure physical environment for your hard copy printed data records.
In accordance with the applicable laws, where possible your personal data will be stored and processed securely within the geographical borders of the Kingdom, aiming to ensure the preservation of the national digital sovereignty of the data.
However there may be several cases, as described in the PDPL, where your data may be transferred or processed outside of the geographical borders of the Kingdom. For example, our service providers outside of the Kingdom, as detailed in section 5 below, conduct a number of our essential processing operations such as time recording, data and file management. Where we transfer your personal information outside the Kingdom, we will ensure that such transfer is in accordance with permitted law and that your personal information is adequately protected as required under the PDPL, as further detailed in section 5 below.
5. With Whom We Share Your Personal Information
It may sometimes be necessary for us to share your personal information with third parties for the purposes listed in section 3 above. Those third parties include:
(a) our contractors and service providers who assist us in providing our services, including IT and infrastructure service providers;
(b) our auditors, regulators and professional advisors;
(c) organisations who we are required to disclose your personal information to by law;
(d) our affiliates, in order to administer our services and conduct the other activities described in this privacy notice; and
(e) the DWF Group, a global provider of legal and business services, which provides us with a number of essential processing services which enable us to provide our business activities. For further details about DWF and its locations, and to see DWF's own privacy policy, please see Privacy Notice (dwfgroup.com).
Appropriate security controls are applied when sharing your information, to ensure a secure and reliable environment. Among other measures, we require our data processors to provide assurances that they will process personal information in accordance with applicable data protection laws, regulations and policies.
Where it is necessary to transfer your personal information outside of the Kingdom, we will implement appropriate procedures and safeguards to ensure that your personal information is held securely in accordance with this privacy notice, the PDPL and its Implementing Regulations, the instructions of regulatory authorities and in accordance with all other applicable laws and regulations. These appropriate procedures and safeguards may include, for example, our data processors executing standard contractual clauses to ensure a sufficient level of protection for personal information transferred outside the Kingdom.
If you have questions about the parties with which we share personal information, please contact us at the email address listed in section 9 below.
6. How Long We Keep Your Personal Information
We keep your personal information in accordance with our internal retention procedures, which are determined by our legal, regulatory and professional obligations including applicable data protection laws and in accordance with good practice. The retention periods differ depending upon the nature of the data we hold and the reasons why we are holding it, and are subject to change.
We only keep your personal information for as long as we need to. When your information is no longer required, we will delete it in a secure manner that prevents access or retrieval.
If your personal information relates to an unsuccessful job application with us, you will be given the opportunity to consent to us using your personal information to contact you where other positions or opportunities emerge that we believe you might be suitable for. You can withdraw your consent to us utilising your personal information in this way at any time.
7. Your Rights
In accordance with the provisions of the PDPL, you may exercise the following rights in respect of your personal information:
(a) The right to be informed: The right to be informed of the legal basis and purpose for collecting your personal information, and the purpose thereof, as described in this privacy notice or as otherwise disclosed in our communications with you.
(b) The right to access: The right to view and receive a copy of your personal information in a format that is clear and identical to the content of the records, free of charge, as determined by the regulations and without prejudice to the stipulations of the PDPL.
(c) The right to request rectification: The right to correct, complete or update your personal information held by us. If your personal information has been transferred to a third party, we will notify that third party of the change.
(d) The right to request destruction: The right to request the destruction of your personal information if it is no longer needed, without prejudice to the PDPL.
It is important to understand that these rights listed above may be subject to certain exemptions set by the law and will be assessed on a case-by-case basis to ensure they are valid. For example, we may not be able to delete your personal information if we are legally obligated to retain certain information for a specified period due to statutory or regulatory requirements.
Please also note that when your personal information is processed only on the basis of consent, you may also withdraw consent at any time, although such withdrawal will not affect the lawfulness of processing occurring prior to such withdrawal.
If you wish to exercise any of these rights, please send a written request via email or post to us at the contact details listed in section 9 below. We will aim to act upon your request within 30 days of receipt, or such longr period as may be extendable as permitted by law.
8. Changes to this Privacy Notice
We may from time to time make changes to this privacy notice. Please check back regularly to keep informed of updates.
9. Contact Details For Making Enquiries or Complaints
If you have any queries or concerns relating to our privacy notice or our processing of your personal information please contact our Personal Data Protection Officer via email at enquiries@alqhtanilaw.com or you can write to our Personal Data Protection Officer at AlQhtani & Partners, Unit No. 7A, Ground Floor, Zone C, Building No. C03, Commercial Area No. 6, Business Gate, Airport Road, Riyadh 11683, Kingdom of Saudi Arabia.
We hope that you won’t ever need to, but if you do need to complain about our use of your personal information we will ensure at all times that your complaint:
- will be treated seriously;
- will be dealt with promptly;
- will be dealt with in a confidential manner; and
- will not affect your existing obligations or affect our commercial arrangements.
If you do decide to submit a request to access your personal information or otherwise exercise your privacy rights, this will not affect the level of service you can expect from us. We treat our clients equally, regardless of whether or not they have exercised their privacy rights.
If the disclosure:
- represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom;
- affects the Kingdom’s relations with any other state;
- prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures;
- compromises the safety of an individual;
- results in violating the privacy of an individual other than you, as set out in the Implementing Regulations of the PDPL;
- conflicts with the interests of a person that fully or partially lacks legal capacity;
- violates legally established professional obligations;
- involves a violation of an obligation, procedure, or judicial decision; and/or
- exposes the identity of a confidential source of information in a manner detrimental to the public interest;
we are not obliged to disclose the Personal Data.