Saudi Maintenance and Supply Chain Management Company Data Privacy Notice

Introduction
Welcome to the Saudi Maintenance and Supply Chain Management Company Privacy Notice (the "Privacy Notice"). This Privacy Notice has been prepared by Saudi Maintenance and Supply Chain Management Company and its affiliated companies (referred to as the "Company," "we," "our," or "us") in compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law issued under Royal Decree No. M/19 dated 9/2/1443 H (corresponding to 16 September 2021), as amended, along with its Implementing Regulations, effective from 14 September 2023 (“PDPL”).

The purpose of this Privacy Notice is to inform you about the types of personal data we collect, why we collect it, and the methods we use for its processing, storage, disclosing and destruction. It also outlines your rights regarding your personal data and how we safeguard your privacy in compliance with the Kingdom of Saudi Arabia (KSA) privacy laws. We take your privacy rights and our legal obligations seriously, ensuring that your information is handled securely and responsibly. The Company processes your personal data when you interact with us—whether through our website (the "Website"), during employment, service provision, customer engagement, or other interactions with the Company.

Of course, not all of the sections in the Privacy Notice will be relevant to everyone. The Privacy Notice is intended to provide details of all the processing activities that we undertake and therefore the mere listing of an activity in this Privacy Notice does not mean that we are processing your personal data in this manner and for these purposes. If you have any questions about how the information presented relates to you, please do contact us using the relevant contact details appearing in the contact us section.

What personal data is collected?

The following definitions are not exhaustive and are intended to illustrate the types of personal data that we process with reference to the broad categories described below.

Category & Description

Business information

Your business contact details (e.g., address, telephone number, e-mail), your job title, your employer, and any other relevant information

Contact information

Home address, email address, and telephone number(s)

Data related to your employment with the Company

Work contact details (e.g., address, telephone number, e-mail), work location, default hours, default language, time zone, and currency for location, worker ID, performance review information, biography, reporting line, employee/contingent worker type, hire/contract dates, cost centre, job title/description, working hours, termination/contract end date, reason for termination, last day of work, exit interviews, references, status, position title, job change date, benefit coverage start date

Employment claims, complaints, and disclosures data

Termination arrangements and payments, subject matter of employment-based litigation and complaints, employee involvement in incident reporting and disclosures

Financial data

Credit card information, bank account details, and other relevant payment information

Health data

Where applicable, to support your overall health and well-being and where required in relation to

employment related activities.

HR processes data

Allegations, investigations, proceeding records, outcomes, colleague and line management feedback, appraisals, talent programmes, performance management processes, flexible working processes, restructuring and redundancy plans, consultation records, selection and redeployment data, health and safety audits, risk assessments, incident reports, data related to training and development needs

Identity information

Your title, forename, surname, preferred name, photographic images and/or video images, and any additional names

Immigration information

Gender, nationality, second nationality, civil/marital status, date of birth, age, national ID number, immigration data, languages spoken, and next-of-kin/dependent contact information

Leave information

Absence records (including dates and categories of leave/time-off), holiday dates, and information related to family leave

Monitoring data

Closed-circuit television footage, body-worn camera footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security

programmes and filters

Share information

Number of shares held, date joined the register, date left the share register, dividends paid/not cashed, bank mandate details, share transactions, nationality, and AGM/proxy voting

Staff-related data

Your title, forename, middle name(s), surname, birth name, preferred name, any additional names, gender, nationality, second nationality, marital status, date of birth, age, home contact details, national ID number, immigration and work eligibility data, languages spoken, next-of-kin/dependent contact information, passport details, driving licence, and car registration details

Recruitment data

Qualifications, references, CV and application, interview, and assessment data

Regulatory data

Records of your registration with any applicable regulatory authority, your regulated status, and any regulatory references

Remuneration and benefits data

Your remuneration information (including salary/hourly plan/contract pay information, as applicable, allowance, bonus, merit plans), bank account details, grade, tax information, third-party benefit recipient information

Vetting data

Vetting and verification information, including results of any background or other checks

Website information

Data you provide by filling in forms on the Website, including data provided at registration; personal information requested when reporting a problem with the website; correspondence with us; and details of your visits, including traffic data, location data, weblogs, and other communication data

How do we collect your personal data and for what purpose?
In most cases, we receive the personal data directly from you. You either provide this to us at the start of our relationship or at another time during your interactions with us. This includes personal data that you input into a form or through any self-service function, as well as information that you provide to the HR team, your Company contact, or to any member of our workforce.

Internal sources
We may create personal data about you during your relationship with us. In addition to the personal data that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management, or your Company contact, as appropriate.

In some circumstances, data may be collected indirectly from monitoring devices or other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, and email and Internet access logs), if and to the extent permitted by applicable laws. In these cases, the data may be collected by us or a third-party provider of the relevant service on our behalf.

External sources
In some cases, we receive personal data about you from third-party sources.

If you are a representative of a supplier or customer, we may receive your personal data directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery, and corruption checks, and Know Your Client checks.

If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, data from benefit providers, or from a third party we engage to carry out a background check (where permitted by applicable law).

How do we disclose your personal data?
Within the Company, your personal data can be accessed by or may be disclosed internally on a need-to-know basis—see internal recipients section below.

Your personal data may also be accessed by third parties, including suppliers, advisers, national authorities, and government bodies—see external recipients in the section below. We have sought to identify these parties in this Privacy Notice.

In addition, there are circumstances where we may need to disclose your personal data to third parties, to help manage our business and deliver our services. We may disclose your personal data to third parties if:

We sell or buy any business, in which case we may disclose your personal data to the prospective seller or buyer of such business; Saudi Maintenance and Supply Chain Management Company or substantially all of its assets are acquired by a third party, in which case personal data held by it about you will be transferred to that third party;
We are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal data with our regulators and law enforcement agencies in KSA and around the world, or with our legal advisers;
It is necessary to protect the rights, property, or safety of Saudi Maintenance and Supply Chain Management Company or our customers, suppliers, or others, in which case we may disclose your personal data to our legal advisers and other professional service firms; and
They provide services to us connected with your relationship with us.

Where these third parties (or any others) act as a data processor (for example, a benefits provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Privacy Notice. In this case, your personal data will only be disclosed to these parties to the extent necessary to provide the required services.

Internal recipients:
Internal recipients of your personal data may include:

Local, and global departments, including line management and team members;
Local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company (including, without limitation, staff from Compliance, Legal, Audit, and Security);
System administrators; and
Where necessary for the performance of specific tasks or system maintenance by staff in teams such as the Finance and IT departments.

Personal data may also be shared inside of the Company between certain interconnecting IT systems.

In addition, where relevant, certain basic personal data (which may include your name, location, job title, contact data, and any published skills and experience) may also be accessible to the Company's employees for the purposes set out in this Privacy Notice.

External recipients:
External recipients of your personal data may include:

Service providers,
Tax authorities,
Regulatory authorities,
Insurers,
Bankers,
IT administrators,
Lawyers,
Auditors,
Investors,
Law enforcement and/or other emergency services,
Consultants and other professional advisors,
Payroll providers,
Administrators of our benefits programs, and
Our Customers

Personal data contained in our IT systems may be accessible by providers of those systems, their associated companies, and sub-contractors (such as those involved with hosting, supporting, and maintaining the framework of our HR information systems).

We expect these third parties to process any data shared with them in line with the contractual relationship we have and applicable laws, including data confidentiality and security.

Additionally, we may share personal data with national authorities to comply with a legal obligation to which we are subject. This is, for example, the case in the framework of imminent or pending legal proceedings or a statutory audit.

How Will We Use Your Personal Data?

We will only use your personal data for the purpose for which it was collected, unless we reasonably determine that it needs to be used for a different purpose that is compatible with the original one. If we need to use your personal data for a purpose that is not compatible with the original purpose, we will provide you with additional information about this new use.

We collect and process your personal data for the following purposes, but not limited to:

To allow you to access the registration-only features of the Website.
To ensure the Website content is displayed properly for you.
To provide you with the information or services you request.
To inform you of changes to the Website.
To manage our relationship with you, including for recruitment, employment, and customer service.
To comply with legal requirements and safeguard our legal rights.

What are the legal grounds for collecting and processing personal data?
In accordance with the PDPL, we rely on one or more of the following legal grounds for processing your personal data:

Your consent: In some cases, we can process your personal data where you have given clear consent for us to process such data for a specific purpose.

Fulfilling a contractual obligation: We can process your personal data where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This means that we can carry out the actions needed to conclude or execute our contract with you.

Compliance with statutory or regulatory obligations: We can process your personal data where this processing is necessary for compliance with a legal or regulatory obligation to which we are subject. Therefore, we can carry out any actions we need to take in order to comply with applicable laws.

Protection of vital interests: We can process your personal data where the processing is necessary to protect your vital interests, such as during emergencies or incidents that require immediate action.

Achieving public interest: We can process your personal data where the processing is necessary for us to perform a task in the public interest or official functions, and the task or function has a clear basis in law.

Legitimate interests: We can process your personal data where the processing is necessary for our legitimate interests, provided those interests are not overridden by your interests or rights. Where we rely on this ground, we will tell you what our legitimate interests are and explain these in this Privacy Notice. We will ensure that the processing does not negatively infringe on your rights and interests.

How do we store your personal data?

The Company is committed to protecting the security of the personal data you share with us or we otherwise process about you. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.

We will retain your personal data for as long as is reasonably necessary for the purposes explained in this Privacy Notice.

In some circumstances we may retain your personal data for longer periods of time than is needed for those purposes described in this Privacy Notice. For instance: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.

We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal data as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.

What are my rights?
Under the PDPL, you have the following rights, which primarily depend on the purpose of personal data collection and processing:

Right to be informed: You are entitled to know how we collect, process, store, and destroy your personal data. You can access all details through this privacy policy or by contacting us.

Right to access your personal data: You have the right to request access to any of your personal data that the Company may hold. You should note that we do not always need to comply with your requests, but we will ensure that this is explained to you if this is the case.

Right to request obtaining your Personal Data: You are entitled to request a copy of your personal data held by the Company in a readable and clear format if technically feasible through, You should note that we do not always need to comply with your requests, but we will ensure that this is explained to you if this is the case.

Right to request correction: The Company aims to ensure that all personal data is correct. You also have a responsibility to ensure that changes to your personal data are notified to the Company as soon as possible so that we can ensure that your data is up-to-date. You have the right to request correction of any inaccurate data relating to you. We may request supporting documents or evidence to verify in order to update, correct, or complete your personal data.

Right to request destruction: You have a right to request that we rectify inaccurate personal data. We may seek to verify the accuracy of the personal data before rectifying it. You can also request that we erase your personal data in limited circumstances where:

It is no longer needed for the purposes for which it was collected; or
You have withdrawn your consent (where the data processing was based on consent); or
It has been processed unlawfully; or

We are not required to comply with your request to erase personal data if the processing of your personal data is necessary:

For compliance with a legal obligation; or
For the establishment, exercise, or defence of legal claims.

Right to withdraw consent: Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases, deleting the relevant data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our policy) or (ii) contacting us. You should note that withdraw consent shall not affect the processing of personal data that is based on other legal basis.

How do I exercise my rights?
If you wish to exercise your rights, you should contact us via the Contact Information provided below.

We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.

We aim to respond to all valid requests within 30 days. However, it may take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than 30 days, and in any case, the extension will not exceed an additional 30 days To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.

We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way, and we may refuse to act on your request if it is repetitive, manifestly unfounded, or requires disproportionate efforts. In such cases, we will notify you of the reason for our refusal

What if I don’t provide you with my personal data?
In some cases, you will be free to withhold personal data from us; however, if you do withhold specific data, we may not be able to continue our relationship with you if we believe we require the relevant data to support the effective and efficient administration and management of that relationship.

For example, for employees, we require your identity data, contact, and payroll information to pay you. If this is not provided, we may be unable to manage our contractual relationship.
In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.

What if I am not satisfied with the way my request has been handled?

If you have any concerns, or if we do not comply with the PDPL, you can file complaints or objections regarding the processing of your personal data by contacting the Legal team at:

Contact Information:
Saudi Maintenance and Supply Chain Management Company - Legal Department

Address:
Al Arid, King Abdulaziz Rd, Building NO. 7611, PO BOX 1732, Riyadh 13342, the Kingdom of Saudi Arabia

Phone Number:
+966 (0) 11 445 9100

If you are not satisfied with how we process your complaint, or if we fail to respond within 30 days, you can file a complaint with the Competent Authority—the Saudi Data & AI Authority (SDAIA)—through the following channels:

SDAIA Website: sdaia.gov.sa
National Data Governance Platform (DGP): dgp.sdaia.gov.sa

Links to Other Websites

Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's website. Please note that any personal data you provide on those websites is subject to their own privacy notices and terms and conditions. It is recommended you to review the privacy policies and terms of use of every website you visit.

We are not responsible for the content, privacy practices, or terms and conditions of any third-party sites. Your use of such external websites is at your own risk.

Changes to This Privacy Notice

We may update this Privacy Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Individuals are notified of changes through appropriate means, such as website notices or direct communication. Continued use of our Website or engagement with us after any updates will constitute your acceptance of the revised terms.