Personal Data Protection Law (PDPL) – Privacy Policy
This privacy policy (the “Privacy Policy”) applies to all information the AlMostashar Insurance Brokerage Services Company (Mostashar) collects, uses and processes about you as a customer, potential customers, and third parties in relation to the products/services you receive from Mostashar.
Mostashar is a data controller in respect of personal information that we process in connection with our business (including the products and services that we provide). The intention of this policy is to explain the:
- Purpose of personal data collection
- What personal data is to be collected
- What means are used for data collection, processing, storage and destruction.
This policy also highlights the rights of the data subjects and how they can exercise the rights. “Personal information” means any information, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual.
For the avoidance of doubt, we would like to clarify that this Policy does not alter any agreement applicable to your business relationship with us, including the General Conditions.
It is important that you check back often for updates to the Privacy Policy. You will also be notified of any significant changes in this policy. We may update this Privacy Policy periodically to reflect changes in our personal information practices with respect to the Services or changes in applicable law. We will post a policy on our website to notify you in advance of material changes to our Privacy Policy and indicate at the top of the Privacy Policy when it was most recently updated.
1. Types of personal data we collect
We collect and process various categories of personal information at the start of, and for the duration of, your relationship with us and beyond (subject to appropriate retention periods as set out in Section 5 below). We will limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified in this policy. Personal information may include (to the extent permitted by applicable law):
- Personal details such as your name, identification number, date of birth, compliance related documents (including a copy of your national identity card or passport), phone number, address, residency status, electronic address, and other family details;
- Financial information, including payment and transaction records and information relating to your transactions, financial statements, liabilities, revenues, earnings and investments;
- Professional information, wherever relevant, about you, such as your job title and experience;
- Details of our interactions with you and the products and services you use, including interactions across various channels such as e-mails and mobile applications;
- Any records of phone calls between you and Mostashar, specifically phone log information such as your phone number, calling details or types of calls;
- Voice recording and communication data;
- Details of your nomination of a mandate, wherever relevant;
- Identifiers we assign to you, such as business relation, contract, partner or account number, including identifiers for accounting purposes;
- When you access Mostashar website or some of our applications, your activity in our products and services, data transmitted by your device and automatically recorded by us, including date and time of the access, name of the accessed file as well as the transmitted data volume and the performance of the access, your device and IP address (additional data will only be recorded via our website if their disclosure is made voluntarily, e.g., in the course of a registration or request); and
- In some cases, as per law, special categories of Personal Data, such as your biometric information, political opinions or affiliations, health information, racial or ethnic origin, religious or philosophical beliefs, and, to the extent legally possible, information relating to criminal convictions or offences.
In some cases, we collect this information from public registers, public administration or other third-party or public sources, such as credit reference agencies and intermediaries that facilitate data portability.
2. Purposes for processing your Personal Data and legal basis
2.1. Purpose of Processing
We always process your Personal Data for a specific purpose and process the Personal Data which is relevant to achieve that purpose. In particular, we process Personal Data, within applicable legal limitations, for the following purposes:
a. Essential Product and Services
- Client Relationship: To verify your identity and assess your application;
- To provide products and services to you and ensure their proper execution, for instance by ensuring that we can identify you and make payments to and from your accounts in accordance with your instructions and the product terms;
b. Client Relationship Management
- To manage our relationship with you, including communicating with you in relation to the products and services you obtain from us and from our business partners, handling customer service-related queries and complaints, facilitating transactional activities, making decisions regarding your status, tracing your contact, and closing relationship, as per law, if we are unable to contact you after a period of time;
- To receive and handle complaints, requests or reports from you or third parties made to Mostashar;
c. To enhance our service quality and provide a personalized experience.
- To help us to learn more about you as a client, your preferences on the products and services you receive, including profiling based on the processing of your Personal Data, for instance by looking at the types of applications, platforms, products and services that you use from us, information we obtain and how you like to be contacted;
- To evaluate whether and how Mostashar may offer products, services and events, including those offered by us and that may be of interest to you;
d. Marketing and Awareness
- To contact you for marketing purposes about products and services we think will be of interest to you;
- To analyze the results of our marketing activities to measure their effectiveness and relevance of our campaigns;
e. To serve you and relations
- To provide special services, we may collect and process personal data only if you consent for the same. We will verify your data before processing the personal data and will reach out to you for any intention to communicate directly with you;
- We may collect and process your personal data if you are the owner, a board member, or a representative of a company to fulfill our contractual obligations, communicate effectively, and provide relevant services to the company;
f. Ensure Compliance with regulatory obligations
- To carry out legal and regulatory compliance checks, including during the relationship start process and through periodic reviews, in order to meet our ongoing obligations. This includes complying with anti-money laundering laws, fraud prevention, financial crime prevention, and other regulatory requirements such as recording and monitoring communications, applying risk classifications to business relationships, and making disclosures to tax authorities, financial service regulators, and other regulatory, judicial, or governmental bodies. This may involve profiling based on the processing of your personal data, such as analyzing how and from which geographic location you use our applications, products, and services;
- To reply to any actual or potential proceedings, requests or the inquiries of a public or judicial authority;
- To share periodic reports with regulators and law enforcement agencies;
g. Other purposes:
- For Mostashar’s operational management (including brokerage service, compliance and risk management, technological support services, reporting, insurance, audit, systems and products training and administrative purposes);
- To collect data to ensure the premises safety and security of staff and visitors, as well as information located, stored on or accessible from the premises, to prevent, and if necessary, investigate unauthorized access to secure premises (e.g., maintaining building access logs and CCTV system images to prevent, detect and investigate a theft of equipment or asset owned by Mostashar, visitor or staff, or threats to the safety of personnel working at the office);
- To undertake transactional and statistical analysis, and related research;
- To exercise our duties and/or rights vis-à-vis you or third parties;
- To provide technological solutions to you and ensure their proper execution in accordance with your instructions and our contractual arrangements with you, for instance by providing incident management and testing directly connected to the provision of the service, or by supporting our obligations regarding Personal Data storage, legal and regulatory compliance, audit activity and investigations;
- To take steps to improve our products and services and our use of technology, including testing and upgrading of systems and processes, and conducting market research to understand how to improve our existing products and services or learn about other products and services we can provide;
We use both automated and manual methods to process your Personal Data for these purposes. Our automated methods often are related to and supported by our manual methods.
2.2. Basis for processing of Personal Data
Mostashar processes your Personal Data as per the principles stated in the Personal Data Protection Law (PDPL). The processing of your Personal Data will be based on one of the following grounds:
- We may process your information where it is necessary to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate the relationship and/or provide products and services to you.
- When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
- Necessary for the legitimate interests of Mostashar, without unduly affecting your interests or fundamental rights and freedoms and to the extent such Personal Data is necessary for the intended purpose.
- Our activities where we may rely on your consent, including where we process certain special categories of data (as described in Section 1); where we use cookies or similar technologies; or where we collect your permission for sending marketing communication or any other processing where we request your consent.
- In some cases, necessary for the performance of a task carried out in the public interest.
- In some cases, to process the personal data of a child or legally incompetent individual, by obtaining explicit consent from their legal guardian.
Where the Personal Data we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if we cannot collect this Personal Data, there is a possibility that we may be unable to on-board you as a client or provide products or services to you (in which case we will inform you accordingly).
3. Protecting your Personal Data
We take data protection seriously and, in our commitment to safeguarding your information, we employ security measures and best practices. This includes access controls, encryption, regular security assessments, and employee training. We continuously monitor and adapt our security measures to mitigate risks and protect your information from unauthorized access, disclosure, alteration, or destruction. Our vigilant approach to information security ensures the highest standards of privacy and compliance with data protection regulations.
4. Access and sharing of Personal Data
4.1 Within Mostashar
- We usually share Personal Data within Mostashar, for special purposes to ensure a consistently high service standard across the company, and to provide services and products to you.
- Our business units within Mostashar who are required to process the data as per the purposes set out in this Privacy Policy.
- Any beneficiaries who are authorized to receive your personal data.
- Anyone who operates any of your relationships on your behalf including advisers (such as solicitors and accountants), intermediaries and those under power of attorney.
4.2 Outside Mostashar
- Providers of payment-processing services and other businesses that we use to process your payments.
- Government-authorized information agencies to comply with the mandatory legal and regulatory obligations.
- Your relationship officers who provide insurance brokerage services and any brokers who introduce you to us or deal with us for you.
- Our business partners, along with whom we provide services and service providers who provide services on their behalf.
- Insurance providers, including underwriters, brokers and associated parties;
- Social media companies to display messages to you about our products and services or make sure you do not get irrelevant messages;
- Law enforcement authorities, government bodies, courts, dispute resolution bodies, regulators, auditors, and any party appointed by our regulators to carry out investigations or audits of our activities;
- Background verification services, ensuring thorough verification processes for reliable information.
5. Your Data Retention by us
We will retain your Personal Data for:
- The duration of our relationship; and
- For as long as necessary to fulfil the purpose for which it was collected.
However, we will not keep your personal information for longer than is necessary for the purpose for which it was collected. This means that information will be destroyed or erased from our systems when it is no longer required. We take appropriate steps to ensure that we process and retain information about you based on the following logic:
- At least the duration for which the information is used to provide you with a service;
- As required under law, a contract, or with regard to our statutory obligations;
- Only for as long as is necessary for the purpose for which it was collected, is processed, or for longer if required under any contract, by applicable law, or for statistical purposes, subject to appropriate safeguards.
Please note that there may be instances where we are unable to enforce your instructions with respect to deleting your personal information due to legal or regulatory requirements, such as those set by the Saudi Insurance Authority.
However, when we no longer require the Personal Data that Mostashar collected about you, we will either delete or we will isolate your Personal Data from any further processing, employing security safeguards designed to protect it until deletion thereof is possible.
6. Your rights and how to exercise them
You have the right to exercise your data subject rights, including requesting whether the company is using or storing your personal information, obtaining copies of your personal data, updating, completing or deleting your personal data.
6.1 Your Rights
Rights | Description |
Right to Access: You have a right to get access to the personal information we hold about you | You have the right to access the personal data we hold about you, in accordance with the rules and procedures set out in the relevant regulations. When you raise a request, we will provide you with any of your personal data that we are processing. The more specific you are about what you are looking for the more quickly and effectively we can respond to your request. This right allows you to understand how your personal data is being used and to verify its lawfulness. However, please note that your access may be restricted in certain circumstances, such as if limiting access is necessary to protect you or others from harm. These limitations are set to ensure that the exercise of your right to access does not adversely affect the rights and freedoms of others or compromise security. |
Right to request a copy: You can obtain a copy of your personal data that was previously provided to us, in a legible and clear format, with some exceptions | You have the right to request a copy of your personal data that you previously provided to us, in a legible and clear format, with some exceptions. This right allows you to obtain your personal information in a structured, commonly used, and machine-readable format. This is particularly useful if you wish to switch services or take control of your personal information. However, please note that this right only applies to information that you provided to us. |
Right to request correction or completion or updating: You have a right to rectification of inaccurate personal information and to update incomplete personal information | You have the right to request the rectification of inaccurate personal information and to update incomplete personal information. If you believe that the personal information we hold about you is incorrect, outdated, or incomplete, you can request that we correct, update, or complete this information. This ensures that the data we process is accurate and up to date, which is essential for the proper provision of our services. We will take reasonable steps to verify the accuracy of the information before making any changes. |
Right to Deletion or destruction: You have a right to request that we delete your personal information | You may request that we delete your personal information if you believe that: we no longer need to process your information for the purposes for which it was provided; we have requested your permission to process your personal information where required for a particular purpose and you wish to withdraw your consent; or we are not using your information in a lawful manner. Please note that there are some occasions when we may retain your personal information for legal, regulatory (including statutory retention periods) or judicial reasons. Also, we may not be able to delete your personal information for technical reasons. Also bear in mind that, if you request that we delete your information, we may have to suspend the operation of your account and/or the products and services we provide to you. |
Withdraw consent: You have a right to withdraw your consent | You have the right to withdraw your consent where Mostashar obtained your consent to process personal data, such as where it is used for direct marketing. You have the right to object to direct marketing, including any related profiling activities. Where we process your Personal Data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, we will honor such withdrawal requests, but these rights are not absolute: they do not always apply, and exemptions may be engaged. For such requests, please reach out to us on the contact details given below. |
Lodge complaints: You have a right to lodge a complaint with the regulator. | If you wish to raise a complaint on how we have handled your personal information, please use our online complaints process which can be found here: info@mstshar.com. Alternatively, you can contact our Data Governance and Privacy Office at privacy@MOSTASHAR.com.sa who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the competent authority for lodging complaints. |
6.2 Exercising your Rights
To exercise the above rights, please:
- Contact Mostashar’s customer care on the details mentioned in the contact section below.
- Raise your request through the data subject request Visit our branches.
- Use the Mobile to contact us.
- You can also reach out to us through provided channels.
7. Consequences of not providing personal data
Choosing not to provide necessary personal data or requesting the removal of your personal information may impact your ability to access the services we offer.
8. Collection of Data from Minors
We do not knowingly collect or process Personal Data from individuals under the age of 18 (minors).
If you are a resident of KSA and are under the age of 18, or if you reside in another jurisdiction and have not yet reached the age of majority as defined by the laws of your jurisdiction (minor), we are not authorized to engage in a contractual relationship with you directly.
If you are a minor as aforesaid, please consult your parent(s) or legal guardian(s) before using Mostashar websites or our other services. Where required by applicable law, we will verify that you have obtained your parent’s or legal guardian’s consent before collecting your Personal Data and providing our services to you.
If you are a parent or guardian of an individual under 18/minor who has provided us with Personal Data, please contact us using the details provided in section 6.2 of this Privacy Policy.
9. Updates to this Policy
This Policy was updated in September 2024. We reserve the right to amend it from time to time.
Your review of this Privacy Policy and continued dealing with Mostashar shall constitute your explicit consent to the company with respect to processing your personal data and/or changing the purpose for which it has been collected, including the transfer thereof inside or outside the Kingdom. Continuing to deal with Mostashar shall also be considered an explicit consent to the company to obtain your personal data from you directly or from others in accordance with the Personal Data Protection Law, its Implementing regulation, and instructions from regulators.
10. Changes to your Personal Data
We are committed to keeping your Personal Data accurate and up to date as provided to us. As such, you are required to keep us informed of any changes to your Personal Data without delay.
11. Contact Details
You can contact us to update your preferences, correct your information, submit a request, or ask us questions. You can contact us through any of the following channels:
- Safwa Complex, As Sulimaniyah, Riyadh 11313, Saudi Arabia
- P.O. Box 360019
- Tel: +966 11 2882828
- Fax: +966 11 2882828 – Ext 100
- Email: info@mstshar.com