PERSONAL DATA PROTECTION

Introduction

ITB is committed to respecting your privacy and protecting your personal data.

• We will be transparent about the information we are collecting about you and what we will do with it.
• We will use your personal data for the purposes described below. Your personal data will not be processed in a manner inconsistent with the purpose of its collection or in cases other than those stipulated by applicable privacy laws.
• We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to process your personal data.
• We have measures to protect your personal data and keep it secure.
• We will respect your data protection rights and aim to give you control over your own personal data.

You can access our full Privacy Policy below to help you to understand how we use your personal data. In it, we explain in particular the types of personal data we collect, how we collect and process it, what we may process it for and who we may share it with.

Full privacy policy

Controller Of Personal data

Any personal data processed in connection with this Privacy Policy is controlled by ITB, having its registered office at IT Belt Company-Head Office, Al-Wurud District, Riyadh, Zip Code 12253, Kingdom of Saudi Arabia, which is considered the “data controller” of your personal data under the Kingdom of Saudi Arabia’s Personal Data Protection Law and its Implementing Regulations.

To contact ITB Data Protection Officer, please send a request using the contact details specified at the end of this Privacy Policy.

What Do We Mean by Personal Data?

Personal data means any data, regardless of its source or form, that may lead to identifying you specifically, or that may directly or indirectly make it possible to identify you, including your name, personal identification number, addresses, contact numbers, records, personal assets, bank account numbers and any other data of a personal nature.

When Does This Policy Apply?

This Privacy Policy applies to personal data about you that we collect, use, or otherwise process in connection with your relationship with us as a customer.

 

How We Collect and What Types of Personal Data Do We Collect About You?

Direct Collection

We collect and generally process personal data that you provide directly to us when you interact with us through any of the following channels:

• Walk-in : When you visit the Office and provide your information while availing from ITB.
• Email: When you reach out to us from your email ID to submit their relevant details and share the official documents.

In that respect, we collect the following types of personal data:

• Name

• Address

• Bank Account Details

• Email Address

• Contact Number

• IBAN number

• Signature

• CR Number

• VAT Certificate

• Letter from the Ministry of Chamber of Commerce

• City

• Bank Statement

We will inform you at the time of collection of your personal data whenever the provision of such personal data to us is mandatory in order to allow us to achieve the purposes described below. Otherwise, the provision of personal data is optional.  If you do not provide the personal data, we require this may affect our ability to provide goods or services to you.

Indirect Collection

We may also collect and process personal data about you indirectly when you interact with our wholesalers or when you share your personal data with us at events held by our Internal Marketing and Communications Team.

In that respect, we collect the following types of personal data:

• Name
• Email Address
• Contact Number
• Address

What Do We Use Your Personal Data for and Our Legal Basis?

We will only process your personal data where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to use your data, as described below:

Performance Of A Contract With You

It will be necessary for us to use your personal data to:

• Provide the agreed-upon services and any other services outlined in the agreement.
• Billing purposes including generating invoices, processing payments, and managing financial transactions related to the services provided.
• Quality assurance purposes, to ensure that the services provided meet the agreed-upon standards and to identify areas for improvement in service delivery.
• Facilitate secure transactions through the payment gateway, ensuring smooth processing of payments for parts services.

Legitimate Interests

We have a legitimate business interest in processing your personal data to:

• Engage with you and provide you with information and assistance through the website.
• Maintain communication with you regarding your orders, service requests, and other inquiries.
• Process and verify the official documents couriered by you.
• Courier your official documents related to your request.
• Register  customers and their representatives in the ITB systems.
• Verify the authenticity and accuracy of the representative's information.
• Help the business serve new customers effectively by understanding their needs and preferences.
• Provide follow-up support for customer inquiries.
• Help the business serve its customers by facilitating service appointments and addressing their requests.
• To handle complaints received from the customers.
• To facilitate secure transactions through the payment gateway, ensuring smooth processing of payments for services.

Consent

We rely on your prior consent in order to:

• Use your feedback and interaction data to improve the services offered by the business.
• Analyze data to suggest products that align with your preferences and past interactions.
• Utilize transaction-level data to understand the purchasing patterns, preferences, and trends of individual customers.
• Conduct surveys or feedback requests related to services experiences.
• Use your feedback and interaction data to improve the services offered by the business.

Compliance with Legal Obligations

There are situations where we are subject to a legal obligation and need to process your personal data to comply with those obligations. These legal obligations are as follows:

• Reporting customer complaints-related data with the Ministry of Commerce as required.
• To comply with requirements from ZATCA (Zakat, Tax, and Customs Authority) by validating and fetching data from the internal system to ZATCA.

How Long Do We Keep Personal Data?

We will keep your personal data for no longer than is necessary for the purpose it is being processed for as identified in this Privacy Policy.

We will keep your information in electronic format for a period of 10 years to ensure comprehensive support and compliance across all business areas.

We will keep your information in hard copy format for a period of 5 years as required by our Business. Post the expiry of this period, we will archive your information in hard copy format.

We will keep the information for a period that enables us to handle or respond to any complaints, queries, or concerns relating to your account, including statutory requirements.

If you stop interacting with us as a customer, we will remove or anonymize your information after the passing of the statutory requirements.

On the expiry of the applicable data retention periods, we will delete it securely, or in some cases anonymize it.

If you wish to know more about our retention policy and retention periods that apply to your personal data, please send a request using the contact details specified at the end of this Privacy Policy.

Who Do We Share Your Personal Data With?

For the purposes referred to under this Privacy Policy, we share your personal data with processors, acting on our behalf and upon our instructions, providing us with the services necessary for the achievement of the purposes described above, i.e.:

• Different third-party providers for the following purposes: -
• For utilizing customer data for providing delivery services.
• For shipping and delivery service that is required to courier your documents.
• For the purpose of offering invoicing-related services to ITB Company.
• Our sister entity, for the purpose of handling the service appointment for the customer.
• The company of our group, for the purpose of providing financing for your purchase, if availed.

These third parties are only permitted to use your personal data to the extent necessary to enable them to provide their services to us. They are required to follow our instructions and to comply with appropriate security measures to protect your personal data.

We do not sell personal data to third parties, and we only allow third parties to send you marketing information where we have your consent to do so.

 

Do we Transfer Your Personal Data Outside KSA?

We seek to ensure such transfers satisfy the conditions set out under the applicable privacy laws. We have in particular limited the transfer to the minimum personal data needed and implemented sufficient guarantees for preserving the confidentiality of the personal data transferred so that the standards of the protection of your personal data are not less than the standards set forth in the applicable privacy laws.

What Are Your Legal Rights in Relation to The Personal Data We Hold About You?

Under the applicable privacy laws, you have certain rights in relation to your personal data. Responses to exercise your rights will be provided within 30 days (or such other period under applicable law). If your request is particularly complicated, we may extend the deadline for responding by a further 30 days (or such other period permitted under applicable law), but we will let you know if this is the case.

We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal data involved, there may be legal reasons why we cannot grant your request. Further explanation of those rights and the exceptions to them are set out below.

Details of how to exercise your rights are set out in the section below “How can you exercise your legal rights and change how we use your data?”.

Your rights include the following:

• Right to be informed about our processing of your data [this Privacy Policy provides this information].
• Right to obtain personal data in a readable and clear format.
• Right to request correction, completing or updating of personal data.
• Right to request the destruction/erasure of personal data.

In any case, you also have the right to lodge a complaint with the competent data protection authority in accordance with applicable law if you consider that the processing of your personal data carried out by us infringes the applicable privacy laws. 

 

How Can You Exercise Your Legal Rights and Change How We Use Your Data?

In order to exercise any of your rights mentioned above, or if you have any questions about our use of your personal data, please send a request using the contact details specified at the end of this Privacy Policy.

We may ask for some additional information to confirm your identity, which will only be used to process your request.

In your request, please try to make clear which right(s) you would like to enforce and provide any details which may help us answer to your request.

Where you fully or partially lack legal capacity (for example you are a child under 18) your legal guardian may be required by applicable law to exercise your rights on your behalf.

Security of Your Personal Data

To protect against the loss, misuse, and alteration of the information under our control, we have in place appropriate physical, electronic, and managerial procedures. For example, our servers are accessible only by authorized personnel, and your information is shared with respective personnel on need-to-know basis to complete the transaction and to provide the services requested by you.

Although we will endeavor to safeguard the confidentiality of your personal data, transmissions made by means of the Internet cannot be made absolutely secure.

Be aware that there is an Internet fraud practice known as ‘phishing’ which is the illegal gathering of personal data by deception. Unsolicited emails are sent to individuals from lists illegally gathered by a third party, and recipients are asked to enter or reconfirm bank or password details into a cloned or illegal copy website.

How will we inform you of changes to this privacy policy?

If we change this Privacy Policy, we will let you know about the changes by publishing the updated version on the ITB website.

We are committed to protecting and respecting your privacy and will continue to do so in any future changes we make to this Privacy Policy.

How to get in touch with us and your right to complain to our supervisory authority?

If you want to exercise any of your rights, or if you have any questions about this policy or our use of your personal data, please contact the Data Protection Officer.

The Data Protection Officer for ITB can be contacted via email at dpo@itb.com.sa