Privacy Policy

The privacy of your Personal Data is very important to alrajhi bank, as is maintaining the highest levels of customer service. This Privacy Notice is created in compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) and NDMO Management Standards. This Privacy Notice explains the data we collect, why we collect this data and how we handle it throughout its lifecycle.

Who we are?

Company Name: alrajhi bank and Investment Corporation

Commercial Registration No. 1010000096

Registered Address: 8467 King Fahad Road, Al Murooj District, Unit Number 1, Riyadh 12263 – 2743 Kingdom of Saudi Arabia.

We provide details on how to contact us in the ‘How to contact us’ section of this privacy statement.

For the purposes of this Privacy Notice, alrajhi bank and Investment Corporation, its affiliates and subsidiaries shall be referred to as- “the Group”. This includes any entity which the Group or any Member of the Group is considered a major shareholder of that entity in the Kingdom of Saudi Arabia. Hereafter also referred to as “we” or “us” and holding responsibility for the use of your Personal Data.

What Personal Data do we collect ?

In order to provide our customers with excellence in our services it is necessary for the Group to collect their Personal Data. Below is a non-exhaustive list of some Personal Data the Group may use.

Examples of Personal Data the Group collects from customers when you apply for our services will include:

1. Personal details, for example: name, date of birth and ID number
2. Contact details, for example: mobile number, email and national address
3. Details of transactions, for example: payment records of financial activities or exchanges.
4. Financial information, for example; your bank account number, credit and debit card numbers and financial history
5. Credit Data - We may use your credit data to assess your eligibility for our products and services and send promotional material.
6. Contact details for the purposes which you have given the Group consent: phone number, e-mail address.
7. Customer Service Interactions: Data exchanged with the Group when using our customer support services or any data provided as feedback or from web surveys
8. Social interactions: Data provided when using the social media to interact with the Group.
9. Browsing data about how you are using our web site, including the date and time of your visit, the type of Internet browser you use and cookies.
10. Loyalty scheme details, for example purchases, loyalty points and preferences
11. Data Subject has given their Explicit Consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the PDPL, its Implementing Regulation and the Credit Information Law.
12. When processing of Personal Data on individuals lacking full or partial legal capacity ARB undertaking the following means and methods:

1-Age-Appropriate Consent: For minors or individuals with partial legal capacity, obtain consent from a parent, guardian, or legal representative.

2-Data Encryption: strong encryption methods to protect data both in transit and at rest. This ensures that data remains secure even if intercepted or accessed by unauthorized parties.

3-Access Controls: Implement strict access controls to limit who can view or manipulate personal data. Use role-based access control (RBAC) to grant permissions based on job roles and responsibilities.

4-Data Minimization: Collect and retain only the data necessary for specific purposes. Avoid gathering excessive information that may increase risk if compromised.

What is the lawful basis and how do we use your data?

1. Contractual Basis – Processing needed for fulfilling and provisioning any of the contracted services between ARB and its Customers e.g. Conducting credit checks before processing a loan request.
2. Legal Basis - In order to comply with rules and regulations in the Kingdom of Saudi Arabia issued by the Saudi Data and Artificial Intelligence Authority and any legal obligations mandated by the regulatory authorities (in this case the Saudi Central Bank “SAMA”) that govern the Group’s operations within the Kingdom of Saudi Arabia, and governed in all respect by the Laws of the Kingdom of Saudi Arabia.
3. Legitimate Interest - When the processing is necessary for the purpose of legitimate interest of the Group, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed, examples are as follows:
4. To allow us to use analytics to improve customer experience, predict trends and patterns which in turn allow innovative new ways to improve our services and provide you with our excellent range of products and services.
5. In order to ensure the highest quality of service and accuracy of information to our customers.
6. To understand better the views of our customers and act appropriately to any feedback given.
7. To protect against fraud via identity and fraud detection tools/vendors
8. Consent Based - When a customer provides explicit consent to allow their personal data to be processed e.g. when you have consented to our sending of marketing communications regarding offers and services available.
9. Automated Processing - We may make decisions based solely on automated processing of your personal data to optimize the marketing communications you receive.
10. Public Interest - for processing based on public entities requests for purposes of Public Interest, Public Health, or Public Safety.
11. Vital Interest - When the processing is necessary to protect the vital interests of the Data Subject or another individual, such as in emergency situations where health or safety is at stake.
12. Actual Interest - When the processing is necessary for the actual interests of the Group, particularly where such interests are aligned with the fundamental rights and freedoms of the Data Subject, ensuring that the processing does not override the rights of the individual.

How we collect your Personal Data

We collect, use, share, and store information about you from various sources to provide you with our services and share relevant information with you. Here’s where this information comes from:

1. Information You Provide to us directly
2. This includes the information you give us when you:
3. Apply for our products or services such as accounts, cards, finance or insurance
4. Communicate or do business with us, such as:
5. Using our branches, telephone services, websites, or mobile applications
6. Writing to us
7. Entering competitions or promotions
8. Downloading and using our mobile applications or websites such as visit timings, Internet Browser types, and referral sources.
9. Manage your accounts with us.
10. Complete online web surveys that enable us to gather feedback regarding issues. Your valuable feedback enables us to enhance the quality of experience we provide to you as an organization.
11. Information from Third-Party Source
12. We may collect information about you from other organizations or people, such as:
13. Obtaining information from publicly available sources or government databases for purposes such as credit checks, identity verification, update/correct your personal data, and fraud prevention.
14. Obtaining Information from credit reference agencies and fraud prevention agencies to assess your creditworthiness and protect against fraud.
15. Obtaining information from other entities within the alrajhi bank Group
16. Other banks and financial institutions.
17. Criminal record checks and information.
18. Employers.
19. Joint account holders.
20. People appointed to act on your behalf as authorized agent(s) or representative(s).
21. Any posts and interactions you have directly with us on social media channels.
22. Please be aware that providing personal data is a prerequisite for engaging our services. Consequently, if you do not provide the necessary personal information as stipulated by the Group, it may affect our ability to deliver the services you have requested. This could potentially lead to the termination of these services.

Who do we share your Personal Data with and why?

In keeping with the requirements of the Personal Data Protection Law (PDPL) the Group may disclose your Personal Data to third parties in the following scenarios:

1. Where we have your explicit Consent e.g. sharing your data with loyalty partners for marketing purposes, service providers to market products or services and promote financial investments that may be of interest to you, via channels such as phone, email and SMS messages.
2. Where your personal data in scope is already in public domain and has been collected from a publicly available source.
3. When needed for security purposes, compliance with another law, or the execution of a court order e.g. sharing with tax authorities, fulfilling judicial requirements.
4. When needed for Public Health, Public Safety, Protecting Individual(s) Lives/Health.
5. If the shared data is completely de-identified and it’s impossible to identify any individual, either directly or indirectly, such as when we share aggregated de-identified data with our market research vendors. For the legitimate interests of ARB/Group without impacting your rights and interests and provided that data is not sensitive data, for example:
6. Sharing with a debt collection agency, credit bureau or insurance business to protect the interests of the Group and to prevent instances of fraud or any other illegal practices.
7. Sub-processing some or all of your contracted services with ARB for better delivery of those services, for example but not limited to courier businesses or identity verification service providers.
8. Please note the Group will only share the minimum amount of information required to facilitate the purpose of Personal Data disclosure. Also, some examples of when the Group will never share Personal Data include where it would:
9. Compromise the rights or safety of an individual.
10. Prevent the detection of a crime.
11. Violates the privacy of any individual. Threatens the security or reputation of the Kingdom.
12. Harms the interest of anyone lacking full or partial legal capacity.

Where do we process information about you?

We may need to transfer personal information about you to other companies in the Group or third parties located in KSA. If we send personal information about you outside KSA, we will make sure that such transfer is permitted by law and that your personal information is adequately protected as required by applicable law. This may include entering into a Data Sharing Agreement (DSA) or Data Processing Agreement (DPA) with the relevant parties to ensure that your personal information is handled securely and in compliance with applicable law.

How do we protect your Personal Data?

The Group is committed to protecting your personal information. We apply strong security and privacy measures to protect your personal information from unauthorized access, use, loss, disclosure or destruction. We maintain up-to-date and modern security both technically and materially to protect you and bank against loss or theft. This includes but is not limited to:

1. Protection against data breaches and malicious actors/hackers
2. Implementing relevant controls, standards, and rules as issued by the National Cybersecurity Authority to include best practices and cybersecurity standards
3. Any requirements mandated by (SAMA)
4. It must be noted the internet is not totally secure and the Group cannot be held responsible for third-party or external links

How long do we store your Personal Data?

1. Your Personal Data will be stored for as long as necessary to fulfil the purpose for which it was collected unless required to be kept longer for compliance with another law, legal purpose e.g. fulfil judicial/court order, or by a regulatory authority’s rules and regulations to which the Group must comply.
2. When stored the Group takes all reasonable steps to protect your Personal Data against misuse, loss, unauthorised access, modification or disclosure.
3. Archival of Personal Data is done in a secure environment and subject to Group internal best practice and restrictions to protect it.
4. Destruction of your Personal Data is done using secure methods such as shredding or degaussing or the Personal Data is anonymised thus preventing re-identification of individuals and their data.

What are your Individual Rights?

Under the PDPL the individual who the Personal Data refers to has rights. Whilst these rights are not absolute, they are intended for the protection of an individual’s Personal Data. The rights are as follows:

1. Right to be Informed
2. The right to know why their Personal Data is being collected, under what legal basis this is done and what their data will be used for
3. Right to Access and request a copy You have the right to access your Personal Data held by alrajhi bank and request a copy, You can exercise your rights by visiting any Al Rajhi Bank Branch.
4. The right to access your Personal Data held by alrajhi bank 
5. Right to request a copy
6. The right to request their Personal Data be provided to them in readable and clear format
7. Right to Rectification
8. The right to have data corrected (if inaccurate), completed (if incomplete or updated (if out of date)
9. Right to Delete
10. The right to request erasure of the Personal Data that is held about you, in certain circumstances only. Your deletion request will be balanced against our specific legitimate/legal ground for retention.
11. Right to withdraw consent
12. The right to withdraw their consent for Processing their Personal Data at any time. Consent withdrawal shall not affect the processing of Personal Data that is based on another legal basis as listed herein. To withdraw consent, you can do so through the AlRajhi Mobile application by navigating to: Profile & Settings > Notification.

The Group will promptly acknowledge, review, and process any data subject requests, such as those for access, correction, or deletion of personal data within thirty (30) days and without delay and maintain a record of these requests. In certain circumstances, this period may be extended to an additional 30 days, depending on the nature of the request, however you will be informed in advance of the extension along with the reasons for the delay.

How do we use Cookies and other technologies?

1. The Group uses Cookies on Group website to keep our site operational.
2. Also, Cookies help to recognise you as a customer and login to your account.
3. Finally, they help to see how you use our website and apps and improve Group.

How do you Contact us?

If you have any questions or wish to contact us about the contents of this Privacy Notice in the first instance, please contact us through:

DPP@alrajhibank.com.sa

The competent supervisory authority for Group activities is SAMA for complaints about Data Protection.

Changes to this privacy notice

Effective Date 1 Sep 2024 Please be aware that this Privacy Notice will be updated from time to time to recognize any changes in privacy law or modifications to regulations the Group must comply with.

Disclaimer

This Privacy Notice is not intended to, nor does it, create any contractual rights whatsoever, nor does it create any obligations on us in respect of any other party or on their behalf. Third-party websites are no responsibility of the Group, and this Privacy Notice will not apply. We recommend you review the Privacy Notice of any other sites.

Governing and Dispute Resolution

This Privacy Notice shall be governed by the laws and regulations of Kingdom of Saudi Arabia. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Saudi Arabia Law.