Data Privacy Notice for Employees
Nahdi Medical Company, Nahdi Care Clinic & Sakhaa Golden Company (“we” or “our”) are committed to protecting your personal data. This privacy notice and policy (“Notice”) is addressed to our employees based in the Kingdom of Saudi Arabia (“KSA”) or the United Arab Emirates (“UAE”) or Egypt. This Notice will help you to understand what personal data we collect about you as an employee, why we collect and use (process) it and what we do with it.
What is personal data and processing?
What is personal data?
Personal data means any data by which you may be identified as an individual. The personal data that we collect from you may be different, depending on the circumstances. For example, it may include the following:
- Name, address, National ID details, passport details, contact details (e.g. phone number, email)
- Age, date of birth, nationality, visa information
- Family details, relatives working in our company
- Bank account details, salary amount, bank loans
- Sensitive data, including biometric data (including your facial image)
- Job title, qualifications, education and training history
- Records of absence, videos, voice recordings, etc.
What is processing?
Processing means doing anything with personal data, e.g. viewing, collecting, using, storing, sharing, modifying, printing, copying, archiving, erasing, etc.
What lawful bases do we use for processing your personal data?
We will use a lawful basis to process your personal data. This means we will have a legal justification to use your personal data, as required by the Law. We may rely on the following lawful bases to process your personal data under the Law:
- Your consent (we will let you know on a case-by-case basis should we require your consent).
- Processing achieves a definite interest for you and it is impossible or difficult to contact you.
- Processing is required by applicable laws and is performed in accordance with them.
- Processing is performed in order to perform an agreement to which you are a party.
- Processing is necessary for the purpose of our legitimate interest.
When, how and why do we process your personal data?
We may process your personal data in many ways. We will choose particular ways of processing your personal data depending on the purpose of processing, as specified below. The ways in which we may process your personal data may include viewing, collecting, using, storing, sharing, modifying, printing, copying, archiving, erasing, etc.
Please see in the table below the types of possible processing activities and their purposes.
Purposes of processing activities
Purpose | Processing Activities |
---|---|
Onboarding process | Sign an employment contract with you; create your work accounts; grant access to our IT systems and offices; provide you with working devices (phone, laptop); and perform necessary onboarding training, orientations and meetings. |
Maintenance and development of our business | Maintain our internal accounts and records; make internal reports; arrange internal and external communications in relation to our business; negotiate, conclude and perform contracts with our contractors and other business partners; comply with regulatory requirements applicable to you and to us. |
Calculation and payment of salary, pension and other benefits and compensations | Pay your salary; make payments for your pension fund (if applicable); arrange medical and/or life insurance for you (if applicable); manage and offer other benefits related to your employment; ensure our compliance with the KSA laws; process any leave of absence taken (including sick leave, maternity/paternity leave, etc.) and your holiday entitlement; make compensations related to your business travel, as well as other compensations to which you may be entitled; make any deductions as per the HR policy; request funds from HRDF (if applicable). |
Employee development | Your career development; managing internal vacancy processes; assessing your training needs; arranging training for you; and talent management and performance management in order to ensure you receive professional development. |
Visa management | Provide you with a required visa and work permit (and formalise other immigration documents), where required (in compliance with applicable immigration and labour laws and regulations) or arrange their cancellation (where required); renew your visa and work permit (and other immigration documents), where required; book travel tickets, hotels and venues for your business travel. |
Monitoring you as an employee | Monitor your compliance with our policies and other internal documents; ensure that our systems are used primarily for business purposes; ensure that our systems are protected against cybersecurity threats; and ensure safety of our employees, customers and other persons who we work with. |
Protection and enforcement of your and our legal rights | Enable you to raise complaints regarding your rights; allow us to investigate any violation of laws and our internal documents, as well as to make decisions based on such investigation; defend your and our rights in relation to claims made by or against us or our employees (or other persons). |
Employment termination | Terminate our employment relationship with you. We may also keep your personal data related to your employment with us to fulfil our legal obligations (according to the data retention policy). |
Processing personal data for other purposes
We aim to ensure that, as a general rule, we will use your personal data in accordance with the purposes specified in section 4 above. However, please note that pursuant to the Law we may process your personal data for purposes other than those specified in section 4 above. This may happen in the following cases:
- If you give your consent to such collection and processing.
- If your personal data is publicly available, or if it was collected from a publicly available source.
- If collection and processing is required for your vital interests.
- If collection or processing of your personal data is necessary to protect public health or safety, or to protect the life or health of you or other individuals.
- If your personal data is recorded or stored in a form that makes it impossible to identify you directly or indirectly.
- If collection of your personal data is necessary to achieve our legitimate interests (in this case we will not process your sensitive data, e.g. health data).
Your rights in relation to processing of your personal data
In accordance with the Law, you may exercise the following rights:
- Right to be informed: You have the right to be informed of the valid legal or practical justification for collecting your personal data and the purpose for collecting your personal data.
- Right to have access to your personal data: You have the right to have access to your personal data that is held by us.
- Right to request your personal data: You have the right to request your personal data held by us in a readable and clear format.
- Right to request correction, completion or updating: You have the right to request correction, completion or updating of your personal data which is held by us.
- Right to request erasure (destruction): You have the right to request erasure (destruction) of your personal data available to us, which is no longer required by us (subject to compliance of the requirements of the Law).
Please contact us if you would like to know more about your rights or if you would like to exercise any of them: [email protected]
Cross-border personal data processing
We may be required to transfer your personal data for processing outside of the KSA. In such cases we will comply with the requirements of the Law regarding the cross-border personal data transfers, as well as with the requirements of other laws and regulations, where applicable.
Storing personal data
We will arrange safe storage of your personal data in Nahdi IT Systems for employees (Oracle, DWH, BI, Microsoft, etc.) and the Nahdi digital file archiving system. We will determine the period of storage of your personal data in accordance with our Data Retention Policy. In particular, when determining the period of storage of your personal data we will take into account:
- Requirements for the storage period, as such requirements are specified in applicable laws and regulations;
- Specific purposes for which we require your personal data.
Protecting personal data
We protect your personal data by using a range of methods, procedures and techniques. For example:
- We have in place policies and procedures in the area of protection of personal data;
- We apply encryption and other techniques to protect your personal data.
Disclosure of your personal data
We may, as could be required for the purposes listed in section 4 above, disclose your Personal Data to the following organizations:
- Our professional advisors or other contractors who provide us with data processing, professional or management services, such as IT, payroll administration, pension administration, etc.;
- Insurance, health or legal services, any member of our group, current or potential clients, suppliers, subcontractors and other business contacts in the ordinary course of our business;
- Current or potential business partners in the banking and financial sector or other third parties involved in the management of our business, as a result of, for example, a joint venture or a merger;
- Any applicable regulatory authorities (governmental and other public bodies, etc.) or other third parties as could be required by law or in accordance with other regulatory obligations or policies applicable to us or to you.
Please note that some of your personal data may be published on our intranets, websites and publications for the purpose of sharing knowledge, information, products and ideas in relation to our business. Such personal data may include, for example: your name, contact details, job title, your photograph, etc.
We may disclose your personal data in the following cases:
- You consent to the disclosure.
- Your personal data has been collected from a publicly available source.
- The entity requesting disclosure is a public entity, and the collection or processing of your personal data is required for public interest or security purposes, or to implement another law, or to fulfil judicial requirements.
- The disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
- The disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify you.
- The disclosure is necessary to achieve our legitimate interests (in this case no sensitive data (e.g. health data) will be processed).
Disposal of personal data
If we no longer need your personal data and if we do not have any legal basis to hold it further, we will arrange its erasure (destruction), anonymisation or return to you (unless we must return it to any other entity based on our legal obligations). We will ensure that:
- In case of anonymisation: you will not be further re-identified after anonymisation;
- In case of erasure (destruction): the personal data will not be reconstructed after it was erased.
Withdrawal of consent
In some cases we may request your consent to processing of your personal data. When we request your consent we will also explain to you how you can withdraw your consent. If you have any questions regarding the consent that you may provide to us (or have already provided), as well as how you can withdraw it, you may contact us using the contact details specified in the “Contact details” section of this Notice.
Contact details
If you have any questions or comments regarding our use of your personal data please contact us by using the following contact details:
Address:
Nahdi Medical Company, King Abdulaziz Branch Road, Jeddah, PO Box 17129, Saudi Arabia
Email: [email protected]