1. Overview

Purpose and Commitment

Almatar is committed to safeguarding the Confidentiality, Integrity, and Availability (CIA) of its information assets, ensuring compliance with the Saudi Personal Data Protection Law (PDPL). Almatar recognizes the importance of protecting personal and sensitive data from breaches, unauthorized access, and interruptions, while ensuring availability of information systems critical to its operations. This Information Security Policy (ISP) outlines the necessary security measures, processes, and practices to protect personal data and business-sensitive information from threats, ensuring compliance with PDPL and other applicable laws.

Objective of Information Security Policy

The objective of this policy is to establish a secure framework for Almatar’s information systems and data handling processes, ensuring:

      • Compliance with PDPL and relevant regulatory standards.
      • Protection of data against unauthorized access, disclosure, modification, and destruction.
      • Continued availability of information assets and services.
      • Lawful, transparent, and fair processing of personal data.

Scope

This policy applies to:

      • All employees, contractors, customers, vendors, and third-party service providers who use, process, access, store, or manage Almatar’s information systems and data.
      • All types of information assets, including personal data, sensitive data, confidential business information, and other data stored or processed by Almatar.
      • All systems and devices that handle, transmit, or store Almatar’s data.

Regulatory Compliance Focus

The ISP is structured in alignment with the Saudi Personal Data Protection Law (PDPL) and other applicable Saudi regulations, ensuring that Almatar adheres to the highest standards of privacy and data security.

2. Key Definitions

Personal Data:

According to PDPL, personal data refers to any information that directly or indirectly identifies an individual, including but not limited to name, identification numbers, location data, and online identifiers.

Sensitive Data:

Sensitive data includes information related to an individual’s health, genetics, religion, political beliefs, biometric data, and criminal record. This data requires higher levels of protection as mandated by PDPL.

Data Processing:

Data processing refers to any operation performed on personal data, including but not limited to collection, recording, organization, storage, retrieval, transmission, disclosure, and destruction.

Data Subject:

A data subject is an individual whose personal data is being processed by or on behalf of Almatar.

3. Governance and Accountability

COE Team (Center of Excellence)

Almatar’s Center of Excellence (COE) Team is responsible for overseeing and implementing the Information Security Policy across the organization. The COE team is charged with ensuring that:

      • Almatar’s data protection measures are compliant with PDPL and other relevant regulations.
      • Security protocols are regularly reviewed, enhanced, and enforced across all departments.
      • Data protection risks are identified, assessed, and mitigated effectively.

Data Protection Officer (DPO)

Almatar has appointed a Data Protection Officer (DPO) to oversee compliance with PDPL. The DPO is responsible for:

      • Monitoring compliance with the PDPL.
      • Conducting Data Protection Impact Assessments (DPIA).
      • Responding to data subject access requests.
      • Liaising with the Saudi Data and Artificial Intelligence Authority (SDAIA) on data protection matters.
      • Providing guidance and training to employees regarding personal data handling.

Data Controller and Data Processor Responsibilities

      • Data Controller: Almatar acts as the Data Controller for the personal data it collects and processes. The Data Controller determines the purposes and means of processing personal data.
      • Data Processor: Third-party processors, acting on behalf of Almatar, must comply with PDPL and this policy when processing data.

Compliance Audits

Regular compliance audits will be conducted by the COE Team in collaboration with the DPO to ensure adherence to the PDPL and internal information security protocols. Audit results will be analyzed, and any necessary improvements will be promptly implemented.

4. Information Security Framework

Data Classification

Almatar classifies its information into three categories:

      • Public Data: Data that can be freely disclosed to the public without restrictions.
      • Internal Data: Data that is proprietary and may include sensitive business information. Access to internal data is restricted to authorized personnel.
      • Confidential Data: Personal data and sensitive information that require high levels of protection under PDPL. Access to this data is strictly controlled and monitored.

Access Control

Access to Almatar’s information systems and data is regulated through:

      • Role-Based Access Control (RBAC): Access privileges are based on the user’s job role and responsibilities, following the principle of least privilege.
      • Multi-Factor Authentication (MFA): MFA is required for accessing systems that handle personal or confidential data, ensuring an extra layer of security.
      • Access Logs: Logs are maintained for every access attempt, detailing the user, time, system, and action. These logs are regularly audited to identify any unauthorized access attempts.

Encryption

To ensure data security, Almatar adopts industry-standard encryption practices:

      • Data-at-Rest: All confidential and personal data is encrypted using AES-256 or equivalent encryption algorithms to ensure that data remains secure even if the storage media is compromised.
      • Data-in-Transit: All data transferred over networks is encrypted using secure transmission protocols such as TLS 1.2 or higher.

Anonymization and Pseudonymization

Almatar utilizes anonymization and pseudonymization techniques to minimize the risk of re-identifying personal data. These techniques are applied to datasets where full identification is not required, reducing the impact of unauthorized access.

Continuous Monitoring and Threat Detection

Almatar employs Security Information and Event Management (SIEM) tools to:

      • Monitor all network activities.
      • Detect and respond to threats in real time.
      • Identify vulnerabilities before they are exploited.

Intrusion Detection Systems (IDS) are deployed to detect and respond to potential unauthorized access attempts.

Risk Management

A structured Risk Management Framework is in place to identify, assess, and mitigate data security risks. Risk assessments are carried out regularly, and the identified risks are classified according to severity, with high-risk vulnerabilities addressed promptly.

Incident Response and Breach Notification

In the event of a data breach or security incident, Almatar will:

      • Immediately activate its Incident Response Plan to contain and mitigate the breach.
      • Notify the DPO and relevant authorities, including SDAIA, within the legally prescribed timelines.
      • Inform affected data subjects if there is a significant risk to their personal data, detailing the nature of the breach, its impact, and mitigation measures.
      • Conduct a thorough post-incident analysis to improve security measures and prevent future incidents.

5. Data Protection Principles

Almatar complies with the following PDPL principles for processing personal data:

Lawfulness, Fairness, and Transparency

Almatar ensures that personal data is processed in a lawful, fair, and transparent manner. Data subjects are informed about the purposes of data collection and provided with clear information about their rights.

Purpose Limitation

Personal data is collected for specific, legitimate purposes. It will not be processed for any purposes beyond the original intent unless additional consent is obtained.

Data Minimization

Almatar ensures that only the necessary amount of personal data is collected and processed. No excessive data is collected, and only what is required for the specific purpose is retained.

Accuracy

Steps are taken to ensure that all personal data is accurate and up to date. Inaccurate data is rectified or deleted promptly, and regular reviews of data quality are conducted.

Storage Limitation

Personal data is retained only for as long as necessary to fulfill its intended purpose and comply with legal and regulatory obligations. Almatar implements a clear Data Retention Policy that defines the appropriate retention period for each type of data.

Integrity and Confidentiality

Almatar ensures that personal data is processed securely, employing appropriate technical and organizational measures to prevent unauthorized access, loss, alteration, or destruction.

6. Data Subject Rights

Almatar ensures that data subjects can exercise their rights under PDPL, including:

      • Right to Access: Data subjects may request access to their personal data held by Almatar. Upon a verified request, access will be provided within 30 days.
      • Right to Rectification: Data subjects may request corrections to inaccurate or incomplete personal data.
      • Right to Erasure: Data subjects have the right to request the deletion of their personal data when it is no longer required for its original purpose or if the data subject withdraws consent.
      • Right to Object: Data subjects can object to the processing of their personal data for specific purposes, including direct marketing or processing based on legitimate interests.
      • Right to Data Portability: Data subjects may request the transfer of their personal data to another entity in a structured, machine-readable format.

7. Employee Training and Awareness

    • Employee Training Programs:

      Almatar mandates that all employees undergo Data Protection and Information Security training, which covers PDPL requirements and their responsibilities in safeguarding personal data. Employees are required to complete this training upon joining and annually thereafter.

    • Third-Party Training:

      All third-party vendors and contractors with access to Almatar’s data are required to adhere to Almatar’s security policies and undergo training on PDPL obligations.

8. Data Retention and Disposal

    • Data Retention:

      Almatar ensures that personal data is retained only for the period necessary to fulfill the intended purpose or to comply with legal obligations. Data retention schedules are established for each data category.

    • Secure Disposal:

      When personal data is no longer needed, it is securely deleted or destroyed. Almatar follows industry-standard best practices for the secure disposal of physical and digital records to ensure that the data cannot be reconstructed.

9. Policy Review

    • Annual Review:

      This Information Security Policy is reviewed annually by the DPO and COE Team to ensure it remains aligned with PDPL and other relevant regulations.

    • Interim Reviews:

      Additional reviews will be conducted whenever significant changes occur in the regulatory environment or if any major incidents or breaches necessitate updates to the security protocols.