Official government website of the Government of the Kingdom of Saudi Arabia

Privacy Policy

EXPRO is committed to protecting the privacy and confidentiality of the personal data of all users of its website, digital platforms, and smartphone applications used to deliver its services. In safeguarding your personal data, EXPRO adheres to the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443H and its Implementing Regulation (the "Law").

This policy aims to clarify the general rules governing the collection, processing, and protection of personal data, as well as the rights of data subjects and the mechanism for exercising those rights. It also outlines the types of personal data collected, the methods of collection, the purposes for which such data is used, and the legal basis upon which EXPRO processes such data.

EXPRO does not collect your personal data when you visit the website or use the digital platforms unless you knowingly and voluntarily provide such data. Personal data is used to fulfill the specified purpose for which it is processed, such as providing information or services related to EXPRO's activities.

By using EXPRO's e-platforms and applications, you acknowledge that you have read and agreed to the Privacy Policy and that EXPRO reserves the right to update this policy under regulatory and operational requirements.

1.0           Definitions

Personal Data Protection Law: The Law aims to protect individuals’ personal data from misuse and abuse during its collection, use, or processing. The Law sets out the rules and principles that entities shall follow when handling personal data to ensure individuals’ privacy and rights are upheld.

Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.

Data Subject: The individual to whom the personal data belongs.

Legal Basis: The legal basis on which EXPRO relies to carry out its activities that require personal data collection and processing.

Data Processing: Any operation carried out on data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.

Consent: Direct and explicit consent given by the data subject in any form that clearly indicates the data subject's acceptance of the processing of their personal data in a manner that cannot be interpreted otherwise, and whose obtention can be proven.

Legitimate Interest: Any necessary interest of the controller that requires the processing of personal data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject.

Personal Rights: Individual's rights to access, correct, and delete their personal data, and other legal rights.

2.0           Personal Data Collection

EXPRO collects personal data of visitors to its website and users of its services, platforms, and applications directly or indirectly, as follows:

-       Once you visit EXPRO's website, EXPRO's server records your IP address, the date and time of the visit, and the URL of any website that referred you to EXPRO's website.

-       Most websites place a small file on the visitor's hard drive (browser) upon visiting, called "Cookies." Cookies are text files that contain information allowing the website that placed them to retrieve them when needed during the user's next visit. The stored information may include:

o   Remembering the username and password if available on the website.

o   Saving the page settings if available on the website.

o   Saving the colors chosen by the user if available on the website.

-       Personal data you provide to EXPRO when benefiting from services, such as registering on EXPRO's platforms and applications, or data you provide when creating your user profile or applying for a job or training. Such data include name, personal identification number, address, contact numbers, email, educational qualifications, license numbers, records and personal property, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.

-       Personal data and information exchanged through communication between EXPRO and service beneficiaries, such as requests for customer support services, inquiries, feedback, and complaints received from you.

-       Personal data received by EXPRO from other sources, including but not limited to government entities and any other entities that may provide EXPRO with your personal data as necessary to provide its services or to meet any security or criminal requirements.

By providing your personal data and information through EXPRO's website and all its e-platforms and applications, you fully consent to the storage, processing, and use of such data by EXPRO and the government entities in the Kingdom of Saudi Arabia. You are also solely responsible for the completeness, accuracy and validity of the data you submit through EXPRO's website or its platforms and applications.

3.0           Purpose and Legal Bases for Personal Data Collection

The data obtained by EXPRO in the course of its operations shall constitute the property of EXPRO and may be used to implement the regulations and legislation governing EXPRO’s activities, as well as to enable other government entities in the Kingdom to provide government services related to such activities. Therefore, EXPRO is required to store, process, and use data in accordance with its statutory powers without time constraints or the ability for the data subject to withdraw consent to data processing.

EXPRO collects and uses personal data for multiple purposes, in accordance with the relevant laws and regulations, including:

-       Sending notifications and awareness messages to data subjects and all beneficiaries of EXPRO's services.

-       Developing and improving the services provided to data subjects in line with EXPRO's mandate.

-       Customizing the user experience across EXPRO's website and digital platforms.

-       Processing requests submitted by data subjects, such as access, correction, or destruction requests.

-       Responding to inquiries related to the use and processing of personal data.

-       Providing support to data subjects concerning their rights under the Personal Data Protection Law.

-       Conducting studies and analysis to improve the efficiency of e-services.

-       Monitoring and detecting potential violations of the terms of use and data protection controls.

-       Improving EXPRO's website, systems, and network performance to ensure personal data security.

Linking to Third Party's Websites and Applications:

-       EXPRO's platforms may contain links to third-party websites such as Instagram, TikTok, or X. The use of such websites is subject to their respective privacy policies.

-       EXPRO bears no responsibility for the privacy practices or content of those third parties, and data subjects are advised to review the privacy policies of these websites prior to use.

Career:

When applying for a job at EXPRO, the data provided is used for the purpose of reviewing the application and communicating with potential candidates.

Child Data Protection:

EXPRO's services are not intended for individuals under the age of 18, and their personal data is not deliberately collected. In the event that such data is unintentionally collected, it will be immediately deleted. Parents are strongly encouraged to monitor their children’s online activities.

In accordance with the Personal Data Protection Law and its Implementing Regulation, the key legal bases on which EXPRO relies when processing your Personal Data are:

-       Consent of the data subject.

-       The Labor Law issued by Royal Decree No. (M/51) dated 23/8/1426H.

-       The Social Insurance Law issued by Royal Decree No. (M/33) dated 3/9/1421H.

-       The Social Insurance Law issued by Royal Decree No. (M/273) dated 26/12/1445H.

-       The Civil Service Law issued by Royal Decree No. (M/49) dated 10/7/1397H.

In addition to the above, other legal bases include:

-       Serving the public interest without prejudice to the rights of data subjects.

-       Meeting legal or regulatory requirements.

-       Executing an obligation in which the data subject is a party.

-       Protecting vital interests or preventing significant harm.

-       Safeguarding public health or national security.

EXPRO may process personal data for purposes other than those for which it was originally collected, where such processing is necessary and subject to the controls set forth under the Law.

4.0           Personal Data Protection

Your personal data will only be accessible to EXPRO's authorized employees or to authorized third-party personnel, namely trusted data processors who process data on behalf of and for the benefit of EXPRO. Contractual agreements have been entered into with such parties to guarantee the secure use of the data in compliance with the Personal Data Protection Law, and to ensure that they may not use your personal data except for the specified purposes.

We confirm that we are implementing appropriate technical and organisational security measures to ensure that your personal data is properly protected under the Personal Data Protection Law. Security measures include, but are not limited to:

-       Vulnerability scanning and detection and penetration testing.

-       Encryption of data during transmission and storage.

-       Periodic implementation of updates and patches.

-       Review and hardening of system security configurations.

-       Implementation of security standards based on best practices for website and application development.

-       Data shall be collected within a secure technical infrastructure, adhering to EXPRO's cybersecurity policies and standards, which are established pursuant to the controls and regulations issued by the National Cybersecurity Authority (NCA).

-       EXPRO applies the necessary measures to manage data sharing. Such data shall not be made publicly available, exchanged, or transferred to any third party without the prior consent of the data subject, except where required by applicable policies, laws, and regulations.

5.0           Disclosure of Personal Data

EXPRO may disclose personal data collected directly or indirectly to the following entities:

-       Other public entities, for the purposes of serving the public interest, ensuring security, enforcing another law, meeting judicial requirements, or protecting public health, public safety, or the life or health of an individual or specific individuals.

-       EXPRO's data processors, to achieve a legitimate interest for EXPRO without violating the data subject's rights or conflicting with their interests.

-       Any entities inside or outside the Kingdom, in accordance with local or international agreements that serve a legitimate interest of the Authority or a public interest without prejudice to the controls of the Law.

6.0           Personal Data Retention

EXPRO stores your personal data securely either at its headquarters in the Kingdom or through secure cloud computing solutions. Data shall be retained indefinitely as per Section 3 of this Policy.

Rights of Data Subjects

EXPRO shall exercise due diligence and make every effort to provide high-quality services to all data subjects, ensuring their rights under the Law, namely:

-       Right to be informed: This includes being aware of the legal grounds and the statutory basis or actual need for collecting your personal data. To this end, this Privacy Policy has been prepared to inform you and ensure that you are aware of your rights and the controls and purposes for which your personal data is collected.

-       Right to access and obtain your personal data, including the right to review such data and receive a copy in a clear and readable format, subject to EXPRO's powers to restrict access or determine a specific timeframe for the exercise of this right.

-       Right to request correcting, completing, or updating your personal data held by EXPRO, subject to the controls stipulated by the Law for the exercise of this right.

-       Right to request the destruction of your personal data: The data subject may ask EXPRO to delete their personal data in accordance with the provisions of the Law. EXPRO shall make the appropriate decision upon reviewing the request. The request may be denied, based on one of the following reasons:

o   Compliance with a legal obligation.

o   Preservation of data for archiving purposes as required by the public interest.

o   Relevance of the personal data to legal or financial claims.

-       Right to withdraw consent to the processing of your personal data: The data subject may exercise this right as per the provisions of the Law, provided that this does not conflict with EXPRO's regulations and laws or impede its procedures.

-       Right to object to processing: You have the right to object to the processing of your personal data in certain cases, subject to the controls set forth in the Law. The objection request shall be considered, and the appropriate decision shall be taken based on the applicable legal bases.

-       Right to restrict processing: You may request to restrict the processing of your personal data in certain cases determined by the Law, when there are legitimate reasons that require restricting the processing of your data, such as verifying the accuracy of the data or if there is an objection to processing.

-       Right to submit any complaint arising out of the implementation of the provisions of the Law to the competent authority.

-       Right to claim compensation for material or moral damage arising from any violations under the Law and its Implementing Regulation.

Except as provided by the applicable laws, the data subject shall not be required to pay any fees for exercising these rights. Upon submitting a request to exercise any of these rights, a response will be provided to the data subject within thirty (30) business days from the date of receipt of a complete request.

For further details on the processing of your personal data and how to exercise your rights, you may contact EXPRO's Data Protection Officer, using the contact details provided in this Policy.

7.0           Potential Consequences and Risks that May Result from not Collecting the Personal Data

Failure to complete the process of collecting personal data may prevent users of EXPRO's website, platforms, and applications from benefitting from the services provided. Therefore, providing personal data is necessary to ensure a complete, effective, and efficient experience.

8.0           Contact with EXPRO's Data Protection Officer

In accordance with the Law and without prejudice to EXPRO's regulations and laws, we welcome all requests, inquiries, questions, and complaints related to the Privacy Policy or data subject rights. You may reach us through the following contact details:

Entity Name: EXPRO

Address: Riyadh - Digital City - Building IN01

Data and Cybersecurity Office

Email: privacy@expro.gov.sa

If you are not satisfied with the way your complaint has been handled, or if you do not receive a response within thirty (30) business days, you may submit a complaint to the competent authority, Saudi Data & AI Authority (SDAIA) through the National Data Governance Platform.

9.0           Relevant Laws and Policies

EXPRO has issued this Privacy Policy in compliance with the Personal Data Protection Law and its Implementing Regulation, the policies and controls issued by the National Data Management Office (NDMO), and the relevant laws applicable in the Kingdom. You may refer to one of the following links for more information:

-       Personal Data Protection Law

-       The Implementing Regulation of the Personal Data Protection Law

-       Policies issued by NDMO

-       Controls issued by NDMO

-       Controls issued by NCA

SDAIA:

-       Kingdom of Saudi Arabia, Riyadh | Website: sdaia.gov.sa

-       National Data Governance Platform: dgp.sdaia.gov.sa

10.0      Policy Updates

Users should regularly review the Privacy Policy, which may be amended at any time. Updates will be posted on the Privacy Policy page with the date of the last update. EXPRO reserves the right to amend the Privacy Policy when necessary, and any amendment to the terms and conditions shall become effective upon approval without any obligation to provide notice.

Last updated: 08/28/2025 - 5:18 (night), Saudi time