PERSONAL DATA PROTECTION

Introduction

ITB is committed to respecting your privacy and protecting your personal data.

You can access our full Privacy Policy below to help you to understand how we use your personal data. In it, we explain in particular the types of personal data we collect, how we collect and process it, what we may process it for and who we may share it with.

Full privacy policy

Controller Of Personal data

Any personal data processed in connection with this Privacy Policy is controlled by ITB, having its registered office at IT Belt Company-Head Office, Al-Wurud District, Riyadh, Zip Code 12253, Kingdom of Saudi Arabia, which is considered the “data controller” of your personal data under the Kingdom of Saudi Arabia’s Personal Data Protection Law and its Implementing Regulations.

To contact ITB Data Protection Officer, please send a request using the contact details specified at the end of this Privacy Policy.

What Do We Mean by Personal Data?

Personal data means any data, regardless of its source or form, that may lead to identifying you specifically, or that may directly or indirectly make it possible to identify you, including your name, personal identification number, addresses, contact numbers, records, personal assets, bank account numbers and any other data of a personal nature.

When Does This Policy Apply?

This Privacy Policy applies to personal data about you that we collect, use, or otherwise process in connection with your relationship with us as a customer.

 

How We Collect and What Types of Personal Data Do We Collect About You?

Direct Collection

We collect and generally process personal data that you provide directly to us when you interact with us through any of the following channels:

In that respect, we collect the following types of personal data:

• Name

• Address

• Bank Account Details

• Email Address

• Contact Number

• IBAN number

• Signature

• CR Number

• VAT Certificate

• Letter from the Ministry of Chamber of Commerce

• City

• Bank Statement

We will inform you at the time of collection of your personal data whenever the provision of such personal data to us is mandatory in order to allow us to achieve the purposes described below. Otherwise, the provision of personal data is optional.  If you do not provide the personal data, we require this may affect our ability to provide goods or services to you.

Indirect Collection

We may also collect and process personal data about you indirectly when you interact with our wholesalers or when you share your personal data with us at events held by our Internal Marketing and Communications Team.

In that respect, we collect the following types of personal data:

What Do We Use Your Personal Data for and Our Legal Basis?

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to use your data, as described below:

Performance Of A Contract With You

It will be necessary for us to use your personal data to:

Legitimate Interests

We have a legitimate business interest in processing your personal data to:

Consent

We rely on your prior consent in order to:

Compliance with Legal Obligations

There are situations where we are subject to a legal obligation and need to process your personal data to comply with those obligations. These legal obligations are as follows:

How Long Do We Keep Personal Data?

We will keep your personal data for no longer than is necessary for the purpose it is being processed for as identified in this Privacy Policy.

We will keep your information in electronic format for a period of 10 years to ensure comprehensive support and compliance across all business areas.

We will keep your information in hard copy format for a period of 5 years as required by our Business. Post the expiry of this period, we will archive your information in hard copy format.

We will keep the information for a period that enables us to handle or respond to any complaints, queries, or concerns relating to your account, including statutory requirements.

If you stop interacting with us as a customer, we will remove or anonymize your information after the passing of the statutory requirements.

On the expiry of the applicable data retention periods, we will delete it securely, or in some cases anonymize it.

If you wish to know more about our retention policy and retention periods that apply to your personal data, please send a request using the contact details specified at the end of this Privacy Policy.

Who Do We Share Your Personal Data With?

For the purposes referred to under this Privacy Policy, we share your personal data with processors, acting on our behalf and upon our instructions, providing us with the services necessary for the achievement of the purposes described above, i.e.:

These third parties are only permitted to use your personal data to the extent necessary to enable them to provide their services to us. They are required to follow our instructions and to comply with appropriate security measures to protect your personal data.

We do not sell personal data to third parties, and we only allow third parties to send you marketing information where we have your consent to do so.

 

Do we Transfer Your Personal Data Outside KSA?

We seek to ensure such transfers satisfy the conditions set out under the applicable privacy laws. We have in particular limited the transfer to the minimum personal data needed and implemented sufficient guarantees for preserving the confidentiality of the personal data transferred so that the standards of the protection of your personal data are not less than the standards set forth in the applicable privacy laws.

What Are Your Legal Rights in Relation to The Personal Data We Hold About You?

Under the applicable privacy laws, you have certain rights in relation to your personal data. Responses to exercise your rights will be provided within 30 days (or such other period under applicable law). If your request is particularly complicated, we may extend the deadline for responding by a further 30 days (or such other period permitted under applicable law), but we will let you know if this is the case.

We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal data involved, there may be legal reasons why we cannot grant your request. Further explanation of those rights and the exceptions to them are set out below.

Details of how to exercise your rights are set out in the section below “How can you exercise your legal rights and change how we use your data?”.

Your rights include the following:

In any case, you also have the right to lodge a complaint with the competent data protection authority in accordance with applicable law if you consider that the processing of your personal data carried out by us infringes the applicable privacy laws. 

 

How Can You Exercise Your Legal Rights and Change How We Use Your Data?

In order to exercise any of your rights mentioned above, or if you have any questions about our use of your personal data, please send a request using the contact details specified at the end of this Privacy Policy.

We may ask for some additional information to confirm your identity, which will only be used to process your request.

In your request, please try to make clear which right(s) you would like to enforce and provide any details which may help us answer to your request.

Where you fully or partially lack legal capacity (for example you are a child under 18) your legal guardian may be required by applicable law to exercise your rights on your behalf.

Security of Your Personal Data

To protect against the loss, misuse, and alteration of the information under our control, we have in place appropriate physical, electronic, and managerial procedures. For example, our servers are accessible only by authorized personnel, and your information is shared with respective personnel on need-to-know basis to complete the transaction and to provide the services requested by you.

Although we will endeavor to safeguard the confidentiality of your personal data, transmissions made by means of the Internet cannot be made absolutely secure.

Be aware that there is an Internet fraud practice known as ‘phishing’ which is the illegal gathering of personal data by deception. Unsolicited emails are sent to individuals from lists illegally gathered by a third party, and recipients are asked to enter or reconfirm bank or password details into a cloned or illegal copy website.

How will we inform you of changes to this privacy policy?

If we change this Privacy Policy, we will let you know about the changes by publishing the updated version on the ITB website.

We are committed to protecting and respecting your privacy and will continue to do so in any future changes we make to this Privacy Policy.

How to get in touch with us and your right to complain to our supervisory authority?

If you want to exercise any of your rights, or if you have any questions about this policy or our use of your personal data, please contact the Data Protection Officer.

The Data Protection Officer for ITB can be contacted via email at dpo@itb.com.sa