SAUDI AWWAL BANK - Data Privacy Notice
Notice for Customers
Introduction
In order to operate its business and provide its services to customers, Saudi Awwal Bank (SAB, the Bank, We, Us or Our) processes information about natural and legal persons which identify, directly or indirectly, the relevant person (Personal Data), including information about our current and former clients (the Customer, you or your) and, in line with personal data protection laws applicable in the Kingdom of Saudi Arabia, we are required to protect our customers’ privacy and Personal Data.
SAB takes your privacy seriously. This Privacy Notice (the Notice) contains information to help you understand:
- why and how SAB collects, uses and stores your Personal Data;
- the legal basis for processing of your Personal Data; and
- what your rights are in relation to such processing of your Personal Data and how you can exercise them.
Furthermore, this Notice explains the various measures we have in place to protect the security of your Personal Data and minimize the potential for its unauthorized use, disclosure or destruction.
Updates to this Notice
This Notice was last updated in [February 2024], and may be subject to further updates from time to time. Any such updates can be viewed through the latest version of this Notice as published on SAB’s website.
Contact Us
If you have any questions about this Notice or require further information, please contact SAB’s Data Protection Office at [data.protection.office@sab.com] or by writing to:
Saudi Awwal Bank (SAB)
SAB Tower
P.O. Box 9084, Riyadh 13325
Kingdom of Saudi Arabia
Disclaimer
This Notice is not intended to, nor does it, create any contractual rights or any other legal rights, nor does it create any obligations on us in respect of any other party or on behalf of any party. This Notice does not apply to third parties’ websites, and we are not responsible for the contents of any such websites nor do we represent third parties. Therefore, we recommend you review the privacy notice of each link you log onto.
Contents of this Notice
1. What types of Personal Data do we collect?
2. For which purpose do we process your Personal Data and the legal basis we rely on?
2.1 Purpose of Processing
2.2 Legal Basis for Processing
2.3 Purpose and Legal Basis Overview
3. Who has access to your Personal Data and with whom are they shared?
3.1 Subsidiaries and Affiliates
3.2 Third Parties
3.3 Service Providers
3.4 Regulatory and Judicial Authorities
3.5 Others
3.6 Cross-Border Transfers
4. How do we protect your Personal Data?
5. How long do we store your Personal Data?
6. What are your rights and how can you exercise them?
6.1 Your Rights
6.2 Exercising your Rights
7. Collection of Data from Minors
8. Social Media and Direct Marketing
9. Making Decisions about you
10. Changes to your Personal Data
Schedule (1) - Overview of Personal Data processed by SAB, the purpose and legal basis of each
1. What types of Personal Data do we collect?
We may collect various types of Personal Data about you including, but not limited to, your:
- Personal identification details such as name, date of birth, address, gender, nationality, identification details (e.g. national ID, Residency (Iqama) or CR details for legal persons)
- Contact details such as telephone, mobile, email, fax and National Address
- Family details such as marital status and family member/dependent details
- Employment details such as work status, job title, employer name and address, work experience and salary details
- Professional profile details such as board directorships and other positions held and details relating to company ownership and financial background
- Digital activity such as account activity (including date and time of access, name of the accessed file, transmitted data volume, performance of the access, your device or web browser, browser language and requesting domain and IP address), your use of our website, services and products, including electronic interactions across various channels such as e-mails and mobile applications
- Financial information such as payment and transaction records and information relating to your assets (including fixed properties), financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives)
- Communication records such as records of phone calls between you and SAB and, specifically, your phone or mobile number or number used to contact SAB, time, date and duration of calls as well as records of messages and emails
- Internal identifiers assigned to you such as the customer identification number, account numbers, and other identifiers used for record-keeping purposes
- Zakat or Tax certificate details and other tax-related documents and information
- Investment knowledge and experience
- Biometric information such as your face ID
- Sensitive Data where permitted and/or requested by law such as your health information, racial or ethnic origin, previous or current criminal convictions or offences.
We may use cookies, tracking technologies and other means to collect and process the above information from various channels including, but not limited to, website, mobile application, phone conversations, emails, chats, device IDs, IPs, etc.
We may use Personal Data for analytics and measurement (including machine learning) to process the above information, including profiling based on the processing of your Personal Data, for instance by looking at information we obtain via cookies and tracking technologies.
To the extent relevant, we will also collect information about your additional card holders or account holders, business partners (including other shareholders, or beneficial owners), dependents or family members, representatives, or agents.
Where you are a legal person (including corporate clients), we may also collect information about your directors, representatives, employees, shareholders or beneficial owners. Before providing SAB with this information, you should inform those persons accordingly and provide a copy of this Notice to them.
The Personal Data that we collect from or about you are mandatory for the purposes of processing as set out in this Notice, unless otherwise indicated.
2. For which purpose do we process your Personal Data and the legal basis we rely on?
2.1 Purpose of Processing
We always process your Personal Data for a specific purpose and only process the Personal Data which is relevant to achieve that purpose. In particular, we process Personal Data, within applicable legal limitations, for the following purposes:
- Client onboarding
To verify your identity, assess your application, conduct required compliance and regulatory checks and procedures (including AML and fraud prevention checks).
- Client relationship management
To manage our relationship with you, including communicating with you in relation to the products and services we offer to you, handling customer service-related instructions, requests, queries and complaints, facilitating debt recovery activities, making decisions regarding credit or your identity, tracing your whereabouts, and closing your account in accordance with applicable laws.
- Running credit checks
We may provide your data to, or obtain such data from, credit information agencies licensed by the Saudi Central Bank (SAMA) (including, but not limited to, the Saudi Credit Bureau (SIMAH) and Bayan Credit Bureau (Bayan)) to determine eligibility for certain products and services.
- Product and service offering and management
To provide products and services to you and ensure they are properly delivered and managed, to notify you of any change to such services and products, and to provide you with offers regarding products and services which may be of interest to you. This may include analyzing your data to understand your requirements as a customer and identify the most suitable offers to meet your needs.
- Compliance with rules, regulations and directives from supervisory authorities
To meet our legal and regulatory obligations (as mandated by SAMA and other competent authorities), including in relation to recording and monitoring communications, applying a risk classification to ongoing business relationships, and making disclosures to regulatory, judicial, tax, enforcement, security and other Governmental authorities.
- Risk management and prevention, detection and investigation of crime and fraud
To carry out legal and regulatory compliance checks in particular as part of the onboarding process and periodic compliance checks, including to comply with anti-money laundering regulations, fraud prevention and financial crime prevention, sanctions country screening, or in legal proceedings and investigating or preventing crime and fraud.
- Supporting, enhancing and maintaining technology
To take steps to improve our products and services and use of technology, including testing and upgrading of systems and processes, and conducting market research to understand how to improve our existing products and services or learn about other products and services we can provide. To analyze the results of our marketing activities to measure the effectiveness and relevance of our campaigns.
- Supporting M&A activities
To support and enable a transfer or disposal to, acquisition from, or merger with other entities and their advisers in connection with a potential or actual merger, transfer or disposal of all or part of SAB’s business or assets or any associated rights or interests, or acquisition of another business, asset or associated rights or interests.
- Operational Management
For SAB's operational management including, but not limited to, credit and risk management, technological support services, reporting, insurance, audit, systems and products training and administrative purposes.
- Premise and Asset Management
To collect data to ensure the security of buildings, the safety of staff and visitors, as well as property and information located, stored on or accessible from the premises, to prevent, and if necessary, investigate unauthorized access to secure premises (e.g., maintaining building access logs and CCTV system images to prevent, detect and investigate theft of equipment or assets owned by SAB, visitor or staff, or threats to the safety of personnel working at the office).
- Business Development
To undertake product and service studies, and other transactional and statistical analysis and related research to enhance and develop the business as well as service and product offering.
It should be noted that, if you fail to provide certain information when requested, we may not be able to process your application successfully, enter into a contract with you, or provide you with all the benefits of our services and products (where such information is necessary for the purpose for which it was requested).
2.2 Legal Basis for Processing
We will only collect and use your Personal Data in accordance with the Personal Data Protection Law and its implementing regulations (together, the PDPL) and any further rules or regulations issued thereunder from time to time, or from competent authorities including SAMA, the Saudi Data & AI Authority (SDAIA) and any other competent authority pursuant to the PDPL.
Depending on the purpose of the processing activity (see Section 2.1 above), the legal basis for the processing of your Personal Data will be one of the following:
- Contract execution and performance: necessary for taking steps to enter into or executing a contract with you for the services or products you request, or for carrying out our obligations under such a contract.
- Legal and regulatory compliance: to comply with any legal obligations or requirements issued by competent regulatory authorities, including when conducting legal and regulatory compliance checks and disclosures to competent, supervisory and regulatory authorities.
- Consent: in limited circumstances, where we have obtained your prior consent (for instance, where required by law) or processed with your explicit consent (in the case of Sensitive Data as required by the PDPL).
- Actual interest: in some cases, where necessary for the performance of a task carried out in the actual interest of the data subject (whether moral or material), but communicating with the data subject is impossible or difficult.
- Legitimate interest: where necessary for the legitimate interests of SAB, without unduly affecting your interests or rights, and to the extent such Personal Data is necessary for the intended purpose provided no Sensitive Data[1] is being processed.
[1] Sensitive Data: includes personal data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.
Examples of legitimate interest include (but are not limited to) the following provided it does not conflict with your fundamental rights under the PDPL:
- to enhance our products, services and your experience across our channels, promote new financial and investment products and services that may be of interest to you, and understand your needs as a customer and your eligibility for products and services.
- to receive and handle complaints, requests or reports from you or third parties made to SAB.
- to take steps to improve our products and services and our use of technology and to conduct market research.
- to cooperate with a request made in any actual or potential proceeding or inquiries of a public or judicial authority.
- to enable us to provide you with products and services.
- to protect you against fraud by conducting identity, credit, and conflict checks.
- To protect the security of our network and information, we may process your personal data to monitor and detect security threats, prevent unauthorized access to our systems, and ensure the integrity and confidentiality of your information as well as our services. This includes implementing security measures such as encryption, firewalls, and intrusion detection systems, and conducting security assessments and audits to identify and mitigate vulnerabilities.
2.3 Overview of Personal Data processed by SAB, the purpose and legal basis of each
Set out in Schedule 1 is a description of the ways in which we use your Personal Data and the legal bases we rely on to do so. Where appropriate, we have also identified our legitimate interests in processing your Personal Data.
3. Who has access to your Personal Data and with whom are they shared?
3.1 Subsidiaries and Affiliates
We may share your Personal Data with other group entities (including subsidiaries and affiliates) for the purpose of providing you with the products or services. Such other entities may also process your Personal Data on behalf of SAB and at its request.
3.2 Third Parties
We share Personal Data with other credit and financial services institutions, comparable institutions and with our professional advisors and consultants to perform the business relationship with you. In particular, when providing products and services to you, we will share Personal Data with persons acting on your behalf or otherwise involved (depending on the type of product or service you receive from us), including the following types of entities (as applicable):
- A party acquiring interest in, or assuming risk in or in connection with, the transaction (such as an insurer)
- Card and payment (electronic and physical including points of sale (POS)) service providers and related platforms
- Payment recipients, beneficiaries and account nominees
- Intermediaries and correspondent banks
- Specialized payment companies or institutions (such as Saudi Payments)
- Stock exchange, clearing and settlement houses and systems (such as the Saudi Exchange, Edaa and Muqassa), custodians, managers and other agents (including pledge agents or managers)
- Other financial institutions (in their various capacities as correspondent banks, merchant or acquiring banks, payment processors, receiving banks, etc.) and capital market institutions (in their various capacities as arrangers, managers, custodians, fund/asset managers, etc.) for the purpose of providing services to Customers
- Credit information agencies licensed by SAMA (including, but not limited to, SIMAH and Bayan) for the purpose of obtaining or providing credit references and determining the Customer’s eligibility to obtain certain products and services
- Professional advisors (including legal and financial advisors), auditors, accountants, insurers and other advisers providing services to SAB
3.3 Service Providers
We may share your Personal Data in some instances with our suppliers subject to confidentiality and data protection obligations, such as IT hardware, software and outsourcing providers, logistics, mail, courier, printing services and storage providers, marketing and communication providers, facility management companies, market data service providers, transportation and travel management providers and others. When we do so we take steps to ensure they meet our data security standards, so that your Personal Data remains secure and where possible, concealed.
Service providers are thereby mandated to comply with a list of technical and organisational security measures, irrespective of their location, including measures relating to:
- information security management
- information security risk assessment and
- information security measures (e.g. malware and hacking protection; data encryption measures; backup and recovery management measures).
3.4 Regulatory and Judicial Authorities
If required from time to time, we may disclose Personal Data to regulatory authorities (including but not limited to SAMA and SDAIA), courts, enforcement courts, judicial committees or parties/advisors to legal proceedings.
We may also be required to disclose your Personal Data by applicable law or regulation, at the request of a competent regulator, court or judicial committee or to safeguard our legitimate interests.
3.5 Others
Other parties requiring sight of Personal Data in the context of specific transactions and subject to confidentiality and data protection obligations. This includes, but is not limited to, a potential buyer or transferee of SAB’s assets or businesses or an acquiring or merging/merged entity in the context of a merger or acquisition.
3.6 Cross-border transfers
In some cases, Personal Data is transferred and processed outside the Kingdom. We only transfer your Personal Data abroad to countries which are considered to provide an adequate level of data protection, or in the absence of such legislation, subject to contractual provisions guaranteeing a sufficient level of protection in accordance with a standard model issued by SDAIA or any other competent authority under the PDPL.
4. How do we protect your Personal Data?
All SAB employees must comply with our internal policies and procedures in relation to the processing of your Personal Data to protect them and ensure their confidentiality.
SAB has also implemented adequate technical and organisational measures to protect your Personal Data against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing.
We have also put in place appropriate security measures to notify you and the competent authority of any breach as required by applicable law.
5. How long do we store your Personal Data?
We will retain your Personal Data:
- for the duration of our banking relationship; and
- for as long as necessary to fulfil the purpose for which it was collected.
However, we might retain your data after the termination of our banking relationship to comply with legal, regulatory (including statutory retention periods), judicial or internal policy requirements or if it is in SAB’s legitimate interest.
If you wish to have your Personal Data removed from our databases, you can make a request as per the instructions laid out in section 6.2 'Exercising your rights', which we will review and respond to within a period not exceeding (30) days and without delay. This period may be extended in case the implementation requires disproportionate effort, or if SAB receives multiple requests from you. The extension will not exceed an additional (30) days and you will be notified in advance of the extension with the reasons for such extension.
When we no longer require the Personal Data we have collected about you, we will either delete or anonymize it (so that it is no longer personally identifiable with you) or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will isolate your Personal Data from any further processing, employing security safeguards designed to protect it until deletion is possible.
6. What are your rights and how can you exercise them?
6.1 Your rights
You have a right to:
- access and obtain information regarding your Personal Data that we process
- update your Personal Data from time to time and, if you believe that any Personal Data we hold about you is incorrect or incomplete, you may also request the correction of your Personal Data
- request destruction of your Personal Data unless statutory or judicial requirements require otherwise
- withdraw your consent where SAB obtained your consent to process Personal Data (without this withdrawal affecting the lawfulness of any processing that took place prior to the withdrawal), unless statutory or judicial requirements require otherwise
SAB will work on honoring your requests in accordance with the PDPL. However, it should be noted that such rights are not absolute and that exemptions may be engaged. We will usually, in response to a request, ask you to verify your identity and authority, or provide additional information to help us understand your request better. If we do not comply with your request, we will explain why.
6.2 Exercising your rights
To exercise the above rights, please send an e-mail to SAB’s Data Protection Office at [data.protection.office@sab.com]. You may also reach out to us should you wish to discuss any aspect of the processing of your Personal Data.
If you feel that we do not comply with applicable Data Protection Laws, you may lodge a complaint with SDAIA, or any other competent authority pursuant to the PDPL.
7. Collection of Data from Minors
If you are a resident of the Kingdom of Saudi Arabia and are under the age of 18, or if you reside in another jurisdiction and have not yet reached the age of majority as defined by the laws of your jurisdiction, we are not authorized to engage in a contractual relationship with you directly.
We do not knowingly collect or process Personal Data from individuals under the age of 18. If you are under 18, please consult your parent(s) or legal guardian(s) before using SAB’s Websites or our other services. Where required by applicable law, we will verify that you have obtained your parent’s or legal guardian’s consent before collecting your Personal Data and providing our services to you.
If you are a parent or guardian of an individual under 18 who has provided us with Personal Data, please contact us using the details provided in section 6.2 of this Privacy Notice.
8. Social Media and Direct Marketing
SAB operates channels, pages and accounts on social media sites to be able to inform, assist and engage with you in order to improve our products and services. Please do not share any Personal Data on our social media sites. If you wish to communicate with us, please contact us through official channels. SAB shall not be responsible for any information posted on those sites other than the information posted by its employees on its behalf through its official page.
We may use your Personal Data for marketing purposes to inform you about our products and services. You have the right to withdraw your consent/opt out from direct marketing, including profiling to the extent it relates to such marketing, by clicking on the “unsubscribe” button in any marketing message sent to you or by contacting the SAB Customer Care department at (8001248888) and for SAB Premier clients at (8001160099) at any time. When you opt out of receiving these marketing messages, you will no longer receive them.
9. Making decisions about you
During our relationship with you, we may use automated systems and technology to process your data. The reasons why we might do this are:
- To help us make some of our decisions, such as when you apply for products and services – banking and insurance. To make credit decisions when you ask for lending products, or if you’re asking for insurance products to determine if we can offer you insurance and at what price. We may base our decision on factors like health, lifestyle and occupational information, as well as the level of cover being requested.
- To help us identify the level of risk involved in customer or account activity. For example, credit worthiness, fraud, or financial crime reasons, or to identify if someone else is using your card without your permission.
10. Changes to your Personal Data
We are committed to keeping your Personal Data accurate and up to date. As such, please keep us informed of any changes to your Personal Data without delay.
Schedule (1)
Overview of Personal Data processed by SAB, the purpose and legal basis of each
| Purpose | Personal Data | Processing legal basis |
|---|---|---|
| 1. Client onboarding | · Personal identification details · Contact details · Family details · Employment details · Professional profile details · Financial information · Internal identifiers · Zakat or tax details · Investment knowledge | · To meet legal or regulatory requirements · Contract execution and performance · Legitimate interest: - to achieve increased clients/prospects understanding and engagement |
| 2. Client Relationship Management | · Personal identification details · Contact details · Family details · Employment details · Professional profile details · Digital activity · Financial information · Communication records · Internal identifiers · Zakat or tax certificate · Investment knowledge · Biometric information · Sensitive Data | · To meet legal or regulatory requirements · Consent · Contract execution and performance · Legitimate interest: - to maintain and enhance the relationship - to assess eligibility of products and services - to achieve increased client understanding and engagement - business growth |
| 3. Running credit checks | · Personal identification details · Contact details · Financial information · Internal identifiers | · Consent · Contract execution and performance · Legitimate interest: - to assess eligibility of products and services - to minimize credit risk |
| 4. Product and Service Offering and Management | · Personal identification details · Contact details · Digital activity · Financial information · Internal identifiers · Investment knowledge · Biometric information | · Taking steps to execute a contract |
| 5. Compliance with rules, regulations and directives from supervisory authorities | · Personal identification details · Contact details · Family details · Employment details · Professional profile details · Digital activity · Financial information · Communication records · Internal identifiers · Zakat or tax certificate · Investment knowledge · Biometric information · Sensitive Data | · To meet legal or regulatory requirements · Legitimate interest: - to provide evidence and support with legal proceedings - to receive and handle complaints, requests or reports from you or third parties made to SAB. |
| 6. Risk management and prevention, detection and investigation of crime and fraud | · Personal identification details · Contact details · Family details · Employment details · Professional profile details · Digital activity · Financial information · Communication records · Internal identifiers · Zakat or tax certificate · Investment knowledge · Biometric information · Sensitive Data | · To meet legal or regulatory requirements · Legitimate interest: - to prevent fraud or criminal activity - to prevent misuses of products or services - to ensure security of IT systems, architecture and networks - to ensure efficiency and reliability of the fraud detection process - to monitor real estate financings of private and corporate clients - to minimize credit risks |
| 7. Supporting, enhancing and maintaining technology | · Personal identification details · Contact details · Digital activity · Financial information · Communication records · Internal identifiers · Biometric information | · Legitimate interest: - to prevent misuses of products or services - to ensure security of IT systems, architecture and networks - to ensure reliability of data and ease of access |
| 8. Supporting M&A activities | · Personal identification details | · Legitimate interest: - to support the financial assessment of the transaction |
| 9. Operational Management | · Personal identification details · Contact details · Digital activity · Financial information · Communication records · Internal identifiers · Zakat or tax certificate · Biometric information · Sensitive Data | · To meet legal or regulatory requirements · Contract execution and performance · Legitimate interest: - to maintain and manage the relationship - to assess eligibility of products and services - to support product and service offering and ensure proper execution - business growth |
| 10. Premise and Asset Management | · Personal identification details · Contact details | · Legitimate interest: - to prevent, and if necessary, investigate unauthorized physical access to secure premises and assets |
| 11. Business Development | · Personal identification details · Contact details · Digital activity · Communication records | · Consent · Contract execution and performance · Legitimate interest: - to maintain and enhance the relationship - to achieve increased client understanding and engagement - to achieve business growth - to conduct market research |
| 12. Direct Marketing | · Personal identification details · Contact details | · Consent |
| 13. Profiling | · Personal identification details · Sensitive Data (Health Data) · Contact details · Communication records · Financial information | · Consent |