DATA PROTECTION POLICY
1. Policy statement
2. Responsibilities and roles under the General Data Protection Regulation
3. Data protection principles
4. Data subjects’ rights
5. Consent
6. Security of data
7. Disclosure of data
8. Retention and disposal of data
9. Data transfers
10. Information asset register/data inventory
11. Definitions
1. Policy statement
1.1. The Board of Directors and management of alfanar, located at alfanar Building, Northern Ring Road,
Between Exit 5 & 6, Al-Nafal, Riyadh, Kingdom of Saudi Arabia are committed to compliance with all
relevant EU and Member State local laws in respect of personal data, and the protection of the “rights and
freedoms” of individuals whose information alfanar collects and processes in accordance with the General
Data Protection Regulation (GDPR).
1.2. The procedures provided and described in this policy consider alfanar’s organization and structure, the
processing of personal data conducted by alfanar and, as well, the applicable law referring to personal
data.
1.3. Compliance with the GDPR is described by this policy and in reference to Integrated Management Systems
policies and procedures along with connected processes and procedures.
1.4. This policy applies to all alfanar’s employee processing EU residents’ personal data, including those
performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other
personal data the organisation processes from any source.
1.5. alfanar has established objectives for data protection and privacy, which are in Personal Information
Management System (as defined bellow) and GDPR Objectives Record (GDRP-REC-10)
1.6. GDPR committee is responsible for reviewing the register of processing annually in the light of any changes
to alfanar’s activities (as determined by changes to the data inventory register and the management
review) and to any additional requirements identified by means of data protection impact assessments.
This register needs to be available on the supervisory authority’s request.
1.7. Any breach of the GDPR or this PIMS (as defined below) will be dealt with under alfanar’s disciplinary policy
and may also be a criminal offence, in which case the matter will be reported as soon as possible to the
appropriate authorities.
1.8. Partners and any third parties working with or for alfanar, and who have or may have access to personal
data, will be expected to have read, understood and to comply with this policy. No third party may access
personal data held by alfanar without having first entered into a personal data processing agreement which
imposes on the third-party obligations to which alfanar is committed, and which gives alfanar the right to
audit compliance with the agreement.
Personal information management system (PIMS)
Policy statement
To support compliance with the GDPR, the Board of Directors has approved and supported the
development, implementation, maintenance and continual improvement of a documented personal
information management system (‘PIMS’) for alfanar.
All employees of alfanar and external third parties identified in the PIMS (GDPR-REC-10) are expected to
comply with this policy and with the PIMS that implements this policy. All employees, and certain external
parties, will receive appropriate training. The consequences of breaching this policy are set out in alfanar’s
disciplinary policy and in contracts and agreements with third parties.
In determining its scope for compliance with the GDPR, alfanar considers:
• any external and internal issues that are relevant to the purpose of alfanar and that affect its ability
to achieve the intended outcomes of its PIMS;
• specific needs and expectations of interested parties that are relevant to the implementation of
the PIMS;
• organizational objectives and obligations;
• the organizations acceptable level of risk; and
• any applicable statutory, regulatory or contractual obligations.
• The PIMS Scope Statement is documented here GDPR-REC-12
alfanar’s objectives for compliance with the GDPR and a PIMS:
• are consistent with this policy
• are measurable
• take into account GDPR and the results from risk assessments and risk treatments
• are communicated (in line with Communication Procedure)
• are updated as appropriate (in line with Continual Improvement Procedure)
• alfanar documents those objectives in the PIMS and GDPR Objectives Record (GDRP-REC-10)
To achieve these objectives, alfanar has determined:
• what will be done
• what resources will be required
• who will be responsible
• when it will be completed
• how the results will be evaluated
2. Responsibilities and roles under the General Data Protection Regulation
2.1. alfanar is a data processor under the GDPR.
2.2. Top Management and all those in managerial or supervisory roles throughout alfanar are responsible for
developing and encouraging good information handling practices within alfanar; responsibilities are set out
in individual job descriptions.
2.3. GDPR committee is accountable to Board of Directors of alfanar for the management of personal data
within alfanar and for ensuring that compliance with data protection legislation and good practice can be
demonstrated. This accountability includes:
2.3.1. awareness and training of staff involved in operations of data processing;
2.3.2. cooperation and contact with the supervisory authority on matters relating to the processing of
personal data;
2.3.3. conduct reviews on the practices and existing procedures on data protection in order to guarantee
the ongoing improvement and compliance with the best available practices
2.3.4. information and guidance of the controller on its duties arising from the GDPR;
2.3.5. development and implementation of the GDPR as required by this policy
2.3.6. security and risk management in relation to compliance with the policy.
2.4. The GDPR committee have specific responsibilities in respect of procedures such as the Subject Access
Request Procedure and are the first point of call for Employees seeking clarification on any aspect of data
protection compliance.
2.5. Compliance with data protection legislation is the responsibility of all Employees of alfanar who process
personal data.
2.6. alfanar’s Training Policy sets out specific training and awareness requirements in relation to specific roles and
Employees of alfanar generally.
2.7. Employees of alfanar are responsible for ensuring that any personal data about them and supplied by them
to alfanar is accurate and up-to-date
3. Data protection principles
All processing of personal data must be conducted in accordance with the data protection principles as set out in Article
5 of the GDPR. alfanar’s policies and procedures are designed to ensure compliance with the principles.
3.1. Personal data must be processed lawfully, fairly and transparently in relation to the data subject and, as such,
can only be object of processing to the extent of the specific needs of each Employee, in accordance with its
respective duties and always in the performance of these and, as well, in respect
(i) for the purposes and other aims for which the data processing was consented and/or informed to the
data subject
(ii) for the principles of data processing herein described and
(iii) for everything else provided in this policy and any other relevant documents issued by alfanar on this
matter.
Lawful – identify a lawful basis before you can process personal data. These are often referred to as the
“conditions for processing”, for example consent.
Fairly – for processing to be fair, the data controller has to make certain information available to the data
subjects as practicable. This applies whether the personal data was obtained directly from the data subjects
or from other sources.
The GDPR has increased requirements about what information should be available to data subjects, which
is covered in the ‘Transparency’ requirement.
Transparently – the GDPR includes rules on giving privacy information to data subjects in Articles 12, 13
and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and
accessible. Information must be communicated to the data subject in an intelligible form using clear and
plain language.
alfanar’s Privacy Notice Procedure is set out in portal and the Privacy Notice is recorded in (GDPR-REC-13).
The specific information that must be provided to the data subject must, as a minimum, include:
3.1.1. the identity and the contact details of the controller and, if any, of the controller's representative;
3.1.2. the contact details of the Data Protection Officer;
3.1.3. the purposes of the processing for which the personal data are intended as well as the legal basis for
the processing;
3.1.4. the period for which the personal data will be stored;
3.1.5. the existence of the rights to request access, rectification, erasure or to object to the processing, and
the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous
processing will be affected;
3.1.6. the categories of personal data concerned;
3.1.7. the recipients or categories of recipients of the personal data, where applicable;
3.1.8. where applicable, that the controller intends to transfer personal data to a recipient in a third country
and the level of protection afforded to the data;
3.1.9. any further information necessary to guarantee fair processing.
In the case of personal data processing activities carried out based on explicit and unambiguous consent,
Employees must make available to data subjects, before or in the moment of data collection, the ‘terms of
acceptance’ in force at any given moment.
Every time an employee has doubts in relation to the versions of the ‘terms of acceptance’ in force or in
relation to which versions should be considered in respect to a specific situation, he should directly contact
the GDPR committee or his direct superior who, in due time, will inform the Employee on how to proceed.
An employee shall not proceed with collection of personal data until they are instructed.
In the case of personal data processing activities carried out in the context of actions taken at the request
of the data subject prior to entering into a contract, the Employees who establish and maintain contact
with the data subjects during such pre-contractual stage, must assure that the information provided above
is properly communicated to the data subject and that evidence of such communication is recorded.
During the pre-contractual stage, Employees should make available to data subjects, for signing, the
updated drafts of the contractual documents in force, while assuring that, in any case, the latest drafts
explicitly refer the processing of personal data of the data subjects and, in particular, refer to the
information referred above.
3.2. Personal data can only be collected for specific, explicit and legitimate purposes
3.2.1. Data obtained for specified purposes must not be used for a purpose that differs from those formally
notified to the supervisory authority as part of alfanar’s GDPR register of processing. Privacy Procedure
sets out the relevant procedures.
3.3. Personal data must be adequate, relevant and limited to what is necessary for processing
3.3.1. The GDPR committee is responsible for ensuring that alfanar does not collect or process information
that is not strictly necessary for the purpose for which it is obtained (refer to DPIA Tool for the data
flow/mapping).
3.3.2. Employees must refrain from processing personal data, including simple access or consultation, every
time this is not necessary for the proper exercise of their duties.
3.3.3. All data collection forms (electronic or paper-based), including data collection requirements in new
information systems, must be include a fair processing statement or link to privacy statement and
approved by the GDPR committee
3.3.4. The GDPR committee will ensure that, on an annual basis all data collection methods are reviewed by
external experts to ensure that collected data continues to be adequate, relevant and not excessive
(Data Protection Impact Assessment Procedure and DPIA Tool (GDPR-REC-06).
3.4. Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
3.4.1. The Head of HR is responsible for ensuring that all Employees who are processing the personal data are
trained in the importance of collecting accurate data and maintaining it.
3.4.2. No data should be kept unless it is reasonable to assume that it is accurate.
3.4.3. It is also the responsibility of the data subject to ensure that data held by alfanar is accurate and up to
date. Completion of a registration or application form by a data subject will include a statement that
the data contained therein is accurate at the date of submission.
3.4.4. Employees and customers should be required to notify alfanar of any changes in circumstance to enable
personal records to be updated accordingly. alfanar will make every effort to ensure records are
accurate but cannot be held responsible for inaccurate data if the Data subject has not made reasonable
effort to inform the organization. It is the responsibility of alfanar to ensure that any notification
regarding change of circumstances is recorded and acted upon.
3.4.5. The GDPR committee is responsible for ensuring that appropriate procedures and policies are in place
to keep personal data accurate and up to date, taking into account the volume of data collected, the
speed with which it might change and any other relevant factors.
3.4.6. On at least an annual basis, the GDPR committee will review the retention dates of all the personal data
processed by alfanar, by reference to the data inventory, and will identify any data that is no longer
required in the context of the registered purpose. This data will be securely deleted/destroyed in line
with the Secure Disposal of Storage Media Procedure
3.4.7. The GDPR committee is responsible for responding to requests for rectification from data subjects
within one month (Subject Access Request Procedure. This can be extended to a further two months
for complex requests. If alfanar decides not to comply with the request, the GDPR committee must
respond to the data subject to explain its reasoning and inform them of their right to complain to the
supervisory authority and seek judicial remedy.
3.4.8. GDPR committee is responsible for making appropriate arrangements that, where third-party
organizations may have been passed inaccurate or out-of-date personal data, to inform them that the
information is inaccurate and/or out of date and is not to be used to inform decisions about the
individuals concerned; and for passing any correction to the personal data to the third party where this
is required.
3.5. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary
for processing.
3.5.1. Where personal data is retained beyond the processing date, it will be minimized in order to protect
the identity of the data subject in the event of a data breach.
3.5.2. Personal data will be retained in line with the Retention of Records Procedure which will be reviewed
every two years, once its retention date is passed, it must be securely destroyed as set out in this
procedure.
3.5.3. GDPR committee must specifically approve any data retention that exceeds the retention periods
defined in Retention of Records Procedure and must ensure that the justification is clearly identified
and in line with the requirements of the data protection legislation. This approval must be written.
3.6. Special rules to consider on recording and storing:
3.6.1. Data are preferably stored in digital format.
3.6.2. The recording and storing by physical means shall only be allowed in those cases where the recording
has been done through those means and when there are legal and/or contractual grounds for keeping
the original documents and, as well, where the storing by physical means is necessary to prove the
compliance with the duty to inform the data subject of the terms and conditions of the data processing
and, moreover, of the duty to obtain the data subject's consent if the basis for the data processing is
the consent.
3.6.3. In those situations where it is necessary or mandatory to store the personal data by physical means,
according to the previous paragraph, Employees must guarantee that those physical means are kept in
a locked and restricted access place; no document or paper containing personal data should be left in
sight, regardless of it being on paper or on any other devices, electronic of non-electronic ('clean desk');
meetings and internal and external visits all used material should be taken out of meeting
rooms, including those documents which contain written notes.
3.6.4. Data may be preferably stored in personal data structured files, centralized and accessible according to
specific criteria. Employees should refrain from replicating or reproducing, partially or in its entirety,
any files of existing databases, and should aim and promote, whenever possible, unique and
centralized databases, without prejudice of possible backups.
3.7. Personal data must be processed in a manner that ensures the appropriate security
3.7.1. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful
processing of personal data and against accidental loss or destruction of, or damage to, personal data.
3.7.2. These controls have been selected on the basis of identified risks to personal data, and the potential for
damage or distress to individuals whose data is being processed.
3.7.3. alfanar compliance with this principle is contained in its Information Management System policies and
procedures.
3.7.4. Security controls will be subject to audit and review.
4. Data subjects’ rights
4.1. Data subjects have the following rights regarding data processing, and the data that is recorded about them:
4.1.1. To make subject access requests regarding the nature of information held and to whom it has been
disclosed.
4.1.2. To prevent processing likely to cause damage or distress.
4.1.3. To prevent processing for purposes of direct marketing.
4.1.4. To be informed about the mechanics of automated decision-taking process that will significantly affect
them.
4.1.5. To not have significant decisions that will affect them taken solely by automated process.
4.1.6. To sue for compensation if they suffer damage by any contravention of the GDPR.
4.1.7. To take action to rectify, block, erased, including the right to be forgotten, or destroy inaccurate data.
4.1.8. To request the supervisory authority to assess whether any provision of the GDPR has been
contravened.
4.1.9. To have personal data provided to them in a structured, commonly used and machine-readable format,
and the right to have that data transmitted to another controller.
4.1.10. To object to any automated profiling that is occurring without consent.
4.2. alfanar ensures that data subjects may exercise these rights:
4.2.1. Data subjects may make data access requests as described in Subject Access Request Procedure this
procedure also describes how alfanar will ensure that its response to the data access request complies
with the requirements of the GDPR.
4.2.2. Data Subjects who wish to complain to alfanar about how their personal information has been
processed may lodge their complaint directly by email to dataprotection@alfanar.com
5. Consent
5.1. alfanar understands ‘consent’ to mean that it has been explicitly and freely given, and a specific, informed
and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw
their consent at any time.
5.2. alfanar understands ‘consent’ to mean that the data subject has been fully informed of the intended
processing and has signified their agreement, while in a fit state of mind to do so and without pressure being
exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a
valid basis for processing.
5.3. There must be some active communication between the parties to demonstrate active consent. Consent
cannot be inferred from non-response to a communication. The Controller must be able to demonstrate that
consent was obtained for the processing operation.
5.4. For sensitive data, explicit written consent (Consent Procedure) of data subjects must be obtained unless an
alternative legitimate basis for processing exists.
5.5. In most instances, consent to process personal and sensitive data is obtained routinely by alfanar using
standard consent documents.
6. Security of data
6.1. All Employees/Staff are responsible for ensuring that any personal data that alfanar holds and for which they
are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third
party has been specifically authorized by alfanar to receive that information and has entered into a
confidentiality agreement.
6.2. All personal data should be accessible only to those who need to use it, and access may only be granted in
line with the Access Control Policy. All personal data should be treated with the highest security and must be
kept:
• in a lockable room with controlled access; and/or
• in a locked drawer or filing cabinet; and/or
• if computerized, password protected in line with corporate requirements as mentioned in the Access
Control Policy
• stored on (removable) computer media which are encrypted in line with Secure Disposal of Storage Media
6.3. Care must be taken to ensure that PC screens and terminals are not visible except to authorized Employees.
All Employees are required to enter into an Acceptable Use Agreement before they are given access to
organizational information of any sort, which details rules on screen time-outs.
6.4. Manual records may not be left where they can be accessed by unauthorized personnel and may not be
removed from business premises without explicit authorization. As soon as manual records are no longer
required for day-to-day client support, they must be removed from secure archiving.
6.5. Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual
records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’.
Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.
6.6. Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal
data. Staff must be specifically authorized by GDPR Committee to process data off-site.
7. Disclosure of data
7.1. alfanar must ensure that personal data is not disclosed to unauthorized third parties which includes family
members, friends, government bodies, and in certain circumstances, the Police. All Employees should
exercise caution when asked to disclose personal data held on another individual to a third party. It is
important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the
conduct of alfanar’s business.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more
of the following purposes:
• to safeguard national security;
• prevention or detection of crime including the apprehension or prosecution of offenders;
• assessment or collection of tax duty;
• discharge of regulatory functions (includes health, safety and welfare of persons at work);
• to prevent serious harm to a third party;
• to protect the vital interests of the individual, this refers to life and death situations.
7.2. All requests to provide data for one of these reasons must be supported by appropriate paperwork and all
such disclosures must be specifically authorized by the GDPR committee.
7.3. Personal data may only be transmitted to third parties (i.e., natural or legal persons which are not alfanar or
its Employees, processors or employees of processors or companies of the same group as alfanar) if:
7.3.1. Said transmission has been explicitly authorized by the data subject, in which case the authorization
must be part of the ‘terms of acceptance’, depending on the case; in these cases, the transmission can
only take place if the transferee is part of the category or a category of the recipients about which the
data subject was previously informed in the ‘terms of acceptance’;
7.3.2. Said transmission is necessary for the strict implementation of a contract of which the data subject is
part; in these cases, the transmission can only take place if the transferee is part of the category of a
category of recipients about which the data subject was previously informed in the actual contract,
by email or through any other document supplement to the contract.
7.4. In those situations where the data transmission is carried out under a processing agreement (i.e., data
transmitted to a service provider under a contractual relation of service provision and in the context of which
the service provider, in order to fulfil its contractual obligations, processes the personal data on behalf of and
following alfanar’s instructions), Employees must guarantee that, before the transmission occurs, there is a
signed agreement between alfanar and the service provider, requesting confirmation by the GDPR
Committee who, in turn, should inform the Employee about the existence of such agreement and confirm
that it fulfils the requirements prescribed in article 28 of the GDPR.
8. Retention and disposal of data
8.1. alfanar shall not keep personal data in a form that permits identification of data subjects for longer a period
than is necessary, in relation to the purpose(s) for which the data was originally collected.
8.2. alfanar may store data for longer periods if the personal data will be processed solely for archiving purposes
in the public interest or statistical purposes, subject to the implementation of appropriate technical and
organizational measures to safeguard the rights and freedoms of the data subject.
8.3. The retention period for each category of personal data will be set out in the Retention of Records Procedure
along with the criteria used to determine this period including any statutory obligations alfanar has to retain
the data.
8.4. alfanar’s data retention and data disposal procedures will apply in all cases.
8.5. Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – processed
in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects.
Any disposal of data will be done in accordance with the secure disposal procedure.
9. Data transfers
9.1. All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries
(referred to in the GDPR as ‘third countries’) are unlawful unless there is an appropriate “level of protection
for the fundamental rights of the data subjects”.
The transfer of personal data outside of the EEA is prohibited unless one or more of the specified
safeguards, or exceptions, apply:
9.1.1. An adequacy decision
The European Commission can and does assess third countries, a territory and/or specific sectors within
third countries to assess whether there is an appropriate level of protection for the rights and freedoms of
natural persons. In these instances, no authorization is required.
Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as having
met the conditions for an adequacy decision.
A list of countries that currently satisfy the adequacy requirements of the Commission are published in the
Official Journal of the European Union. http://ec.europa.eu/justice/data-protection/internationaltransfers/
adequacy/index_en.htm
9.1.2. Model contract clauses
alfanar shall adopt approved model contract clauses for the transfer of data outside of the EEA.
9.1.3. Exceptions
In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model
contract clauses, a transfer of personal data to a third country or international organization shall only take
place on one of the following conditions:
• the data subject has explicitly consented to the proposed transfer, after having been informed of the
possible risks of such transfers for the data subject due to the absence of an adequacy decision and
appropriate safeguards;
• the transfer is necessary for the performance of a contract between the data subject and the controller
or the implementation of pre-contractual measures taken at the data subject's request;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of
the data subject between the controller and another natural or legal person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defense of legal claims; and/or
• the transfer is necessary to protect the vital interests of the data subject or of other persons, where
the data subject is physically or legally incapable of giving consent.
10. Information asset register/data inventory
10.1. alfanar has established a data inventory and data flow process as part of its approach to address risks and
opportunities throughout its GDPR compliance project. alfanar’s data inventory and data flow determines.
• business processes that use personal data;
• source of personal data;
• volume of data subjects;
• description of each item of personal data;
• processing activity;
• maintains the inventory of data categories of personal data processed;
• documents the purpose(s) for which each category of personal data is used;
• recipients, and potential recipients, of the personal data;
• the role of the alfanar throughout the data flow;
• key systems and repositories;
• any data transfers; and
• all retention and disposal requirements.
10.2. alfanar is aware of any risks associated with the processing of particular types of personal data.
10.2.1. alfanar assesses the level of risk to individuals associated with the processing of their personal data.
Data protection impact assessments (DPIAs) (DPIA Procedure and GDPR REC 4.4) are carried out in
relation to the processing of personal data by alfanar, and in relation to processing undertaken by other
organizations on behalf of alfanar.
10.2.2. alfanar shall manage any risks identified by the risk assessment in order to reduce the likelihood of a
non-conformance with this policy.
10.2.3. Where a type of processing, in particular using new technologies and taking into account the nature,
scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms
of natural persons, alfanar shall, prior to the processing, carry out a DPIA of the impact of the envisaged
processing operations on the protection of personal data. A single DPIA may address a set of similar
processing operations that present similar high risks.
10.2.4. Where, as a result of a DPIA it is clear that alfanar is about to commence processing of personal data
that could cause damage and/or distress to the data subjects, the decision as to whether or not alfanar
may proceed must be escalated for review to the GDPR Committee.
10.2.5. The Data Protection Officer / GDPR Owner shall, if there are significant concerns, either as to the
potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory
authority.
10.2.6. Appropriate controls will be selected from alfanar’s Integrated Management System and applied to
reduce the level of risk associated with processing individual data to an acceptable level, by reference
to alfanar’s documented risk acceptance criteria and the requirements of the GDPR.
11. Definitions
Establishment – the main establishment of the controller in the EU will be the place in which the controller
makes the main decisions as to the purpose and means of its data processing activities. The main
establishment of a processor in the EU will be its administrative center. If a controller is based outside the
EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on
behalf of the controller and deal with supervisory authorities.
• Personal data – any information relating to an identified or identifiable natural person ('data subject'); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
• Special categories of personal data – personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric
data for uniquely identifying a natural person, data concerning health or data concerning a natural person's
sex life or sexual orientation.
• Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member State law, the controller or the specific criteria
for its nomination may be provided for by Union or Member State law.
• Data subject – any living individual who is the subject of personal data held by an organisation.
• Processing – any operation or set of operations which is performed on personal data or on sets of personal
data, whether or not by automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, restriction, erasure or destruction.
• Profiling – is any form of automated processing of personal data intended to evaluate certain personal
aspects relating to a natural person, or to analyze or predict that person’s performance at work, economic
situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of
the data subject to object to profiling and a right to be informed about the existence of profiling, of measures
based on profiling and the envisaged effects of profiling on the individual.
• Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
There is an obligation on the controller to report personal data breaches to the supervisory authority and
where the breach is likely to adversely affect the personal data or privacy of the data subject.
• Data subject consent - means any freely given, specific, informed and unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to
the processing of personal data.
• Child – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13
by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent
has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given
or authorized by the holder of parental responsibility over the child.
• Third party – a natural or legal person, public authority, agency or body other than the data subject,
controller, processor and persons who, under the direct authority of the controller or processor, are authorized
to process personal data.
• Filing system – any structured set of personal data which are accessible according to specific criteria, whether
centralized, decentralized or dispersed on a functional or geographical basis.
• GDPR Committee – this committee comprises of Board of Director, Head of HR, Finance, Data protection
Officer, Executive Manager IT, CIS, System & OD.
• GDPR Working Group – this committee comprises of representatives from HR, Finance, IT Security, System
&OD, Quality Assurance
Document Owner and Approval
The Owner of this document is responsible for ensuring that this procedure is reviewed in line with the review
requirements of the GDPR.
A current version of this document is available to all members of staff on the alfanar portal and is published
http://portal.alfanar.com
This procedure version controlled and is approved by Board of Director, Eng. Sabah Almutlaq.
