Document Issue Date: November 2024

Version Number: 1.0

Data Privacy Notice

1. Definition.
2. When do we Collect Your Personal Data?
3. Direct Interactions.
4. Automated Technologies or Interactions.
5. Third Parties or Publicly Available Sources.
6. Data Collection from Minors?
7. What Personal Data do we Collect?
8. How and why do we use Your Personal Data?
9. Who do we Share Your Personal Data With?
10. How do we Protect Your Personal Data?
11. How Long will we Keep Your Personal Data?
12. Automated Decision Making.
13. What are Your Rights as a Data Subject?
14. What Silah may Need From you?
15. Indemnity and Limitation of Liability
16. Intellectual Property Rights.
17. Changes to This Data Privacy Notice.

Data Privacy Notice

Silah Gulf W.L.L and its subsidiaries (“Silah”) respects your right to data privacy. In this Notice, “You” or “Your” refers to data subjects (e.g., customers, employees, website visitors, or contingent workers) whose personal data is processed by Silah.

Our company is committed to safeguarding your personal data and ensuring its confidentiality, integrity, and security. We implement stringent security measures to protect your information from unauthorised access, disclosure, or misuse. As part of our ongoing efforts, all employees receive regular training on data privacy, best practices for data protection, and how to securely handle and manage personal information in compliance with the applicable data protection laws and regulations.

This privacy notice explains who we are, how we collect, share, and use personal data about you, and how you can exercise your data privacy rights. The details on what personal data will be processed and which method will be used depend significantly on the services applied for or agreed upon.

If you have any questions or concerns about our processing of your personal data, then please contact us at: DPO@silah.bh

This Data Privacy Notice is governed by the following applicable data protection laws:

Region	Law	Abbreviation
Bahrain	Law No. 30 of 2018	Bahrain’s PDPL
Saudi Arabia	The Personal Data Protection Law	KSA’s PDPL

1 Definition

1.1 Personal data

1.1.1 Any data in any form relating to an identified or identifiable (‘data subject’), a natural or legal person can be identified directly or indirectly, particularly through their name, ID number, voice, image, address, personal assets, an online identifier or to one or more factors specific to their physical, physiological, intellectual, cultural or economic characteristics or social identity. In determining whether a data subject is identifiable, all the means that the data controller or any other person uses or may have access should be taken into consideration.

1.2 Sensitive personal data

1.2.1 Any personal data that reveals, directly or indirectly, a (‘data subject’)’s race, ethnicity, philosophical or political views, religious beliefs, union affiliation, criminal record, or any related data to his/her health, genetic, biometric or sexual status. Sensitive personal data also includes data that indicates that one or both of an individual’s parents are unknown.

1.3 Processing

1.3.1 Any operation or set of operations carried out on personal or sensitive personal data by automated or non-automated means, such as collecting, recording, organising, classifying, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.

1.4 Transfer

1.4.1 The transfer of personal data from one country or territory to another.

1.5 Data subject

1.5.1 The individual or organisation that Silah is holding information about, which could be an employee, a client, a customer, a contractor, a supplier or an agent.

1.6 Data controller

1.6.1 A natural or a legal person who decides, solely or in association with others, the purposes and means of the processing of certain personal data. In the events where such purposes and means are prescribed by Law, the data controller shall be the person who is responsible for the processing.

1.7 Joint controller

1.7.1 Where two or more controllers jointly determine the purposes and means of processing, they shall be labelled as joint controllers

1.8 Data processor

1.8.1 A natural or a legal person who processes personal data for and on behalf of Silah. It processes it under Silah’s supervision and in accordance with their instructions.

1.9 Third party

1.9.1 Any person other than:

1.9.1.1 Data subject.

1.9.1.2 Data controller.

1.9.1.3 Data processor.

1.9.1.4 Data governance committee; or

1.9.1.5 Any person working under the supervision of the data controller or data processor and authorised to process data on behalf of the data controller or data processor.

1.10 Authority

1.10.1 The personal data protection authority (“DPA”) is the public body that oversees compliance with provisions of privacy laws.

1.10.2 In Bahrain, the Ministry of Justice, Islamic Affairs, and Waqf has been assigned as the DPA.

1.10.3 In the KSA, the Saudi Authority for Data and AI has been assigned as the DPA.

1.11 Data protection officer

1.11.1 Silah’s Information Security Steering Committee (ISSC) undertakes the tasks of ascertaining the extent to which the organisation complies with the controls, requirements, and procedures stipulated by the relevant privacy laws.

1.12 Silah staff

1.12.1 Silah staff refers to all individuals employed by Silah, including employees, contractors, and third-party personnel, who have access to or handle personal data as part of their responsibilities. They are expected to adhere to the data protection policy to safeguard the privacy and confidentiality of personal information in their possession.

1.13 Data receiver or recipient

1.13.1 Any person to whom personal data are disclosed, whether a third party or other, without including the person to whom data are revealed in order to exercise a specific legal jurisdiction or perform a specific public duty.

1.14 Direct marketing

1.14.1 Any communication, by any means, through which marketing or advertising material is directed to a specific person.

1.15 Consent

1.15.1 Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1.16 Data breach

1.16.1 Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data transmitted, stored or otherwise processed.

1.17 Security incident

1.17.1 An event or occurrence that affects or tends to affect data protection or may compromise the availability, integrity, and confidentiality of personal data.

1.18 Profiling

1.18.1 Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular, to analyse or predict aspects concerning that data subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

2 When do we Collect Your Personal Data?

2.1 We primarily collect personal data directly from you for the purposes specified at the time of collection. However, in certain situations, we may collect personal data from other sources or for different purposes, including:

2.1.1 With your explicit consent.

2.1.2 When the data is publicly available or obtained from a publicly accessible source.

2.1.3 If required for public interest or security purposes, or to comply with legal or judicial obligations.

2.1.4 If necessary to protect your vital interests or prevent harm.

2.1.5 For public health and safety, or to protect the life or health of individuals.

2.1.6 When the data is processed in a way that does not identify you.

2.1.7 When it is necessary to protect our legitimate interests, provided that your rights and interests are not compromised, and no sensitive personal data is processed.

3 Direct Interactions

3.1 You may give us your identity, contact, resume, or KYC-related information by filling in forms or by corresponding with us by phone, SMS, email, or otherwise:

3.1.1 Records of your interactions with us like emails and other correspondence and your instructions to us.

3.1.2 Providing your feedback.

3.1.3 By filling in forms, for example, to download white papers and / or gather insights on case studies.

3.1.4 By sharing your personal data such as your resume for recruitment purposes.

3.1.5 By interacting with us on social media platforms such as Facebook, Instagram, LinkedIn, etc.

3.1.6 Ordering information regarding our products or services.

3.1.7 Subscribing to our services, publications, or newsletters.

3.1.8 Requesting marketing material notifications to be sent to you.

3.1.9 By sending us emails and text messages (SMS or WhatsApp or Chat Service).

3.1.10 By adding posts, reviews, and other comments to our website; and

3.1.11 By liking or disliking our offers and promotions.

4 Automated Technologies or Interactions

4.1 Direct log files

4.1.1 Log information is data about your use of the service, such as IP (Internet Protocol) address, browser type, referring / exit pages, operating system, date / time stamps, and related data, which is stored in log files.

4.2 Cookies

4.2.1 A cookie is a small data file transferred to your computer (or other devices) when it is used to access our service. Cookies may be used for many purposes, including to enable certain features of our service and remember your preferences, your equipment, browsing actions, and patterns, to better understand how you interact with our service, to provide you advertising on and off the service, and to monitor usage by visitors and online traffic routing. You may be able to instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the online services you visit. If you do not accept cookies, however, you may not be able to use all portions of our service or all functionality of our service.

4.2.2 Please see our Cookie Notice for further details.

5 Third Parties or Publicly Available Sources

5.1 We may receive aggregated personal data about you from various third parties, via public domains such as:

5.1.1 Technical data from the following parties:

5.1.1.1 Analytics providers such as Google, Facebook, etc.

5.1.1.2 Social media platforms such as Facebook, Instagram, LinkedIn, etc.

5.2 Personal data gathered from publicly available directories / registers are processed fairly, and lawfully with an adequate level of security and are not excessive concerning the purpose for which they are collected.

6 Data Collection from Minors?

6.1 If you are under 18, or if you reside elsewhere and are not yet of legal age in your jurisdiction, we are not permitted to contract with you directly. If required by local legislation, your guardian must acknowledge and consent to the terms of this Data Privacy Notice on your behalf. Should we need to obtain your consent for processing your personal data for specific purposes, such consent must be provided by your guardian.

7 What Personal Data do we Collect?

• 7.1 We may collect, store, and use the following categories of personal data about you:
  • Identity Data
  • First name
  • Last name
  • Username
  • National ID
  • Date of birth
  • Home address
  • Phone numbers
  • Passport number
  • Gender
  • Iqama ID details
  • Driving license
  • Photographs
  • Occupation details
• 7.2 Financial Data
  • Bank account number (IBAN #)
  • Name as per bank account
  • Credit card numbers
• 7.3 Contact Data
  • Email addresses
  • Telephone numbers / contact numbers
  • Billing addresses
  • Shipping / delivery addresses
• 7.4 Transaction Data
  • 7.4.1 Details about payments to and from you and other details of products and services you have purchased from us. These include any relevant billing and delivery addresses.
• 7.5 Technical Data
  • Internet protocol (IP) address
  • We also track how often you visit and use our website. We do this via email and website cookies and similar tracking technology built into our website.
  • Biometric data

  7.5.1 Please see our Cookie Notice for further details.

• 7.6 Profile Data
  • Your interests, preferences, feedback, and survey responses.
  • Profile image;
  • About you (mentioned in resume including qualifications).
  • Usernames and passwords to access the insurance portal.
• 7.7 Usage Data
  • Information about how you use our website, products, and services;
  • For information on what you view, click on, or access by way of our emails and text messages, website and mobile.
• 7.8 Marketing and Communications Data
  • 7.8.1 We may ask you to leave a review or take a survey to provide you better services. We may also collect your personal data for responding to your queries and comments, social media posts, and questions / queries. If you would like to opt-out / unsubscribe from marketing or promotional communications from Silah, you can do so by reaching out to DPO@Silah.bh
• 7.9 Aggregated Data (sometimes referred to as anonymised data)
  • Silah also collects, uses, and shares aggregated data (sometimes referred to as anonymised data) such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in the applicable law(s) as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
  • However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this data privacy notice.
• 7.10 Sensitive Personal Data
  • 7.10.1 Silah does not collect, store, and use the following sensitive personal data:
    • Information about your race or ethnicity, and sexual orientation.
    • Any criminal records in relation to you, and
    • Biometric information about you, for example retina scans.
  • 7.10.2 Our intent is not to collect or process any sensitive personal data about you unless required by applicable laws. And it is only collected after obtaining explicit consent from you. However, in certain circumstances, we may need to collect or request your sensitive personal data like religious belief and fingerprints for employment-related purposes, to comply with anti-discrimination laws and for government reporting obligations.

8.2 Purpose / Activity, Type of Data, and Lawful Basis for Processing

8.2.1 Silah has set out below a description of all the ways we plan to use your personal data, and which of the legal base(s) we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

8.2.2 Note that Silah may process your personal data for more than one lawful basis depending on the specific purpose for which Silah is using your data.

8.2.3 However, Silah normally collects personal data from you only where Silah has your consent to do so, where Silah needs the personal data to perform a contract with you, or where the processing is in the legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In certain cases, Silah may also have legal obligations to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another data subject.

8.2.4 Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

8.2.5 If Silah requests any personal data not mentioned in this notice, we will clearly explain the type of data being requested and the purpose for collecting it at the time of collection.

8.2.6 However, Silah may also use your personal data for other purposes such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where they are permitted by applicable laws.

8.3 Promotional Offers from Silah

8.3.1 If you have explicitly consented to receive marketing information from Silah, Silah may use your identity, contact, technical, usage, and profile data to form a view on what Silah thinks you may want or need, or what may be of interest to you. This is how Silah decides which products, services, and offers may be relevant for you.

8.3.2 You will receive marketing communications from us if you have requested information from us or purchased goods or services from us or if you provided us with your details when you entered a competition or registered for an event / promotion and, have not withdrawn your consent to receiving such information.

8.4 Third-Party Marketing

8.4.1 Silah shall get your explicit consent for sharing your personal data for any marketing activities carried out by our third-party service providers. In such cases, we shall provide you with an option to withdraw your consent from receiving such marketing promotions from our third-party service providers.

8.5 Request to Withdraw Consent

8.5.1 At any point, if you wish to withdraw your consent to receive marketing / promotional information from Silah, you can write an email to DPO@Silah.bh

8.5.2 Kindly note that this does not apply to personal data provided to us due to a product / service subscription / purchase or other transactions.

8.6 Change of Purpose

8.6.1 We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

8.6.2 If we need to process your personal data for a purpose other than the one for which it was originally collected, we will first obtain your consent, unless an exception under the law applies. You have the right to withdraw your consent at any time, as governed by the applicable regulations.

8.6.3 If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details provided.

8.7 Processing Without Consent

8.7.1 In certain circumstances, we may process your personal data without your explicit consent:

• If processing serves your actual interests but communicating with you is impractical or impossible.
• If processing is required by law or to fulfil an agreement to which you are a party.
• If processing is necessary for security purposes or to meet judicial requirements.
• If processing is necessary for our legitimate interests, provided it does not infringe on your rights and interests and does not involve sensitive personal data.

8.8 Disclosure of Personal Data

8.8.1 We will not disclose your personal data except in the following situations:

• If you have consented to the disclosure in accordance with the applicable laws.
• If the data has been collected from a publicly available source.
• If the disclosure is requested by a public entity for public interest or security purposes, or to comply with another law or judicial requirements.
• If the disclosure is necessary to protect public health, safety, or the lives or health of specific individuals.
• If the disclosure involves subsequent processing in a manner that makes it impossible to identify you directly or indirectly.
• If the disclosure is essential for achieving our legitimate interests, provided it does not infringe on your rights and interests and does not involve sensitive data.

8.8.2 However, we will not disclose your personal data if such disclosure:

• Threatens security or harms the reputation of the countries in which Silah operates.
• Impedes crime detection, affects the rights of an accused to a fair trial, or impacts the integrity of criminal procedures.
• Compromises individual safety.
• Violates the privacy of individuals other than you, as set out in applicable regulations.
• Conflicts with the interests of individuals who lack legal capacity.
• Breaches professional obligations or judicial decisions.
• Exposes confidential sources in a manner harmful to the public interest.

9 Who do we Share Your Personal Data With?

9.1 Group Entities / Subsidiaries

9.1.1 Silah shall share your personal data with its parent/ group entity / entities for reporting purposes, having similar arrangements, to be able to provide you with the same value for money and high-quality experience for the services provided to you by us. It’s also the only way we can provide you with the best benefits.

9.2 External Third Parties

9.2.1 Regulators and other authorities based in the Kingdom of Saudi Arabia, the United Arab Emirates, the Kingdom of Bahrain or the United Kingdom who request reporting of processing operations in certain circumstances.

9.2.2 With social media companies such as Facebook, Twitter, LinkedIn, and others: they run promotions for us on their platforms.

9.2.3 Any new business partners: we may have over time, for example, in the event of a joint venture, reorganisation, business merger, or sale that affects us.

9.2.4 We may share your personal data with the police, local authorities, courts, or other government authorities if legally required. Additionally, we may share your data with government electronic systems and software, such as the NPHIES platform, which provides a unified health record system to ensure compliance with privacy and confidentiality regulations.

9.2.5 Other people who make a ‘data subject access request’: where we are required to do so by law.

9.2.6 We may use your personal data to investigate fraudulent claims or applications made by insurance policy holders, including cases of large-scale or organised fraud, medical malpractice, and to conduct Anti-Money Laundering (AML) checks.

9.2.7 We may also share the information we collect where we are legally obliged to do so, e.g., to comply with a court order.

9.2.8 Any social media posts or comments you send to us: (on Silah’s Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g., Facebook, X, LinkedIn, or other) on which they are written, and could be made public. Other people, not Silah, control these platforms. Silah is not responsible for this kind of sharing. Before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you will understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you are unsatisfied about it. It is worth remembering that any blog, review, or other posts or comments you make about us and/or our products and services on any of our blogs, reviews, or user community services will be shared with all other members of that service and the public at large. You should take extra care to ensure that any comments you make on these services, and on social media in general are fit to be read by the public, and are not offensive, insulting, or defamatory. Ultimately, you are responsible for ensuring that any comments you make comply with any relevant policy on acceptable use of those services.

9.2.9 Third parties / data processors: to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change occurs in our business, we will notify you, and the new owners may use your personal data in accordance with the terms outlined in this privacy notice. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers / data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions / third-party agreements.

9.3 International Transfers

9.3.1 Silah may share your personal data within the parent / group entity on a need-to-know basis with the confidential obligation mentioned herein.

9.3.2 Some of our external third parties are based outside the countries in which Silah operates in, so their processing of your personal data will involve a transfer of data. Whenever we transfer your personal data, including cloud hosting, backup systems, or data recovery sites, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• Subject to prior approval from the authority; or
• With your consent; or

9.3.3 Please contact us if you want further information on how we transfer your personal data.

10 How do we Protect Your Personal Data?

10.1.1 Silah uses appropriate technical and organisational measures to protect the personal data that it collects and processes. The measures Silah uses are designed to provide a level of security appropriate to the risk of processing your personal data.

10.1.2 A lot of the information we receive reaches us electronically, originating from your devices, and is then transmitted by your relevant telecoms network provider. Where it’s within our control, we put measures in place to ensure this ‘in flight’ data is as secure as it possibly can be.

10.1.3 Sensitive data like passwords are protected for data in transit by data encryption. In addition to encryption, we have implemented robust network security controls to help protect data in transit. Network security solutions like firewalls and / or network access control to secure the networks used to transmit data against malware attacks or intrusions.

10.1.4 We do not permit the copying of official documents that identify data subjects, except where required by law or if a competent public authority requests such copying in accordance with applicable regulations.

10.1.5 Silah uses secure means to communicate with you where appropriate, such as ‘https’ and other security and encryption protocols.

11 How Long will we Keep Your Personal Data?

11.1.1 We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Once these purposes are met, we will securely destroy the data without undue delay, unless there is a legal requirement to retain it for a specific period. In such cases, we will retain the data until the legal retention period expires or the original purpose is fulfilled, whichever is longer. Additionally, if the data is needed for an ongoing judicial matter, we will retain it until the legal process is concluded.

12 Automated Decision Making

12.1.1 Automated decisions are decisions concerning you which are made automatically on the basis of a computer determination (using software algorithms), without human intervention. We do not use automated decision-making.

13 What are Your Rights as a Data Subject?

Your duty to inform us of changes: It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes by keeping your details up to date on our website and by sharing your updated details at DPO@Silah.bh

13.1 Your rights in connection with personal data:

Under certain circumstances, by law, you have the right to:

• Be informed of all details regarding the processing of your personal data;
• Access a copy of all personal data belonging to you;
• Rectify and block inaccurate, incomplete or outdated personal data;
• Erase your personal data;
• Object to processing of your personal data where solely automated profiling tools are used and where the processing causes moral or material damages to you;
• Opt-out of direct marketing;
• Withdraw your consent at any given time;
• Complain to the relevant data protection authorities.

13.2 Fees for Excessive or Unreasonable Requests

13.2.1 You will not have to pay a fee to access your personal data (or to exercise any of the other rights).

13.3 Responding to Your Requests

13.3.1 Depending on the request raised, Silah will respond to all legitimate requests in accordance with the timelines mandated by the applicable data protection laws. Occasionally, it may take us longer than usual to respond if your request is particularly complex or if you have made a number of requests simultaneously. In this case, we will notify you and keep you updated.

13.4 Exercise Your Rights

13.4.1 You can exercise your rights by submitting the request on DPO@silah.bh

14 What Silah may Need From you?

14.1.1 Silah may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

14.1.2 We may also contact you to ask for further information in relation to your request to speed up our response. If you wish to exercise any of the rights set out above, please contact us at DPO@Silah.bh

15 Indemnity and Limitation of Liability

15.1.1 By using this site, you agree to defend, indemnify, and hold harmless Silah, its officers, directors, and employees from any claims, liabilities, damages, losses, or expenses, including reasonable legal fees and settlement costs, that arise from or are related to your access to or use of the site.

15.1.2 Although Silah shall make every attempt to keep the Website free from viruses, it cannot guarantee that it is virus / malware-free. For your own protection, you should take the necessary steps to implement appropriate security measures and utilise a virus scanner before downloading any information from the website.

15.1.3 Silah, its directors, and its employees shall not be liable in any manner whatsoever for any direct, indirect, incidental, consequential, or punitive damage resulting from the use of, access to, or inability to use the information available on the Website or the services provided by us. Silah, its directors, and employees shall not be liable in any way for possible errors or omissions in the contents of the Website.

16 Intellectual Property Rights

16.1.1 All information on this Website is protected by copyright and other intellectual property rights. No images, text, or other content from this website may be distributed or reproduced without prior written approval from Silah.

17 Changes to This Data Privacy Notice

17.1.1 We may update this Data Privacy Notice from time to time in response to emerging legal, technical, contractual, regulatory, or business developments. When we update our Data Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any changes if and when this is required by applicable laws.

17.1.2 You can see when this Data Privacy Notice was last updated by checking the “last updated” date displayed at the top of this document. If you have any questions or concerns, please do not hesitate to contact us at DPO@Silah.bh.