Русский
Italiano
Français
Español
Deutsch
العربية
Privacy Policy
At UNICOIL, we are committed to protecting the privacy and security of your personal data in compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) and international best practices, including the ISO/IEC 27001:2022 standard for Information Security Management Systems (ISMS).
This policy outlines UNICOIL’s approach to privacy, ensuring the secure and lawful handling of personal data. Its key objectives include safeguarding data confidentiality, integrity, and security; complying with relevant laws; ensuring transparency in data processing; enabling individuals to exercise their rights (access, correction, deletion); and mitigating risks through robust security measures.
Terms and Definitions
| Terms | Definition |
| UNICOIL | Universal Metal Coating Company Ltd. |
| IT | Information Technology |
| CISO | Chief Information Security Officer |
| PII | Personally Identifiable Information |
| PDPO | 1. The Personal Data Protection Officer (PDPO) is responsible for assisting the organization w.r.t compliance with data privacy laws and regulations.
2. The PDPO is the key point of contact for all data privacy issues within the organization. 3. Responding to requests related to Personal Data processing |
| KSA PDPL | Kingdom of Saudi Arabia’s Personal Data Protection Law |
| Personal Data | Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature. |
| Processing | Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, blocking, erasing, and destroying data. |
| Controller | Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor. |
| Processor | Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller. |
| Competent Authority | The Saudi regulatory authority that is responsible for enforcing the PDPL. The Saudi Data and Artificial Intelligence Authority (SDAIA) is the Competent Authority as of now. |
| DPMS | Data Protection Management System, which is a set of policies and procedures for systematically managing the personal data processed |
| ISMS | Information Security Management System, which is a set of policies and procedures for systematically managing an organization’s sensitive data |
Scope
This policy is applicable to all UNICOIL employees, vendors, customers, and business partners who may process personal data or business-related information, or have access to information systems that collect, process, or store data for UNICOIL, or on behalf of UNICOIL, regardless of geographic location.
The policy covers all personal data processing activities, including on-premises IT infrastructure and cloud-based systems, that are used for or support the operation and delivery of IT services to UNICOIL employees and end-users. It also extends to IT facilities under the control and management of UNICOIL, ensuring the privacy and protection of personal data across all systems
CISO, PDPO and the units concerned shall jointly resolve any conflicts arising from this policy.
Compliance with the Personal Data Protection Law (PDPL)
The Personal Data Protection Law (PDPL) governs any kind of processing of personal data including collecting, using, storing, sharing, transferring, or updating of personal data of the residents in the Kingdom. The overall objective of PDPL is to ensure that all entities process personal data in accordance with the principles set out in the PDPL and regulations. This includes ensuring that there is a purpose and a legal basis for processing personal data, as well as ensuring that personal data is processed fairly, lawfully, transparently, and securely. The collection of personal data is to be accurate and restricted to the minimum necessary for effectiveness of the business process. In addition, safeguards should be put in place to protect personal data from loss, damage, or destruction.
Data Collection and Use
We collect and process personal data solely for specific, clear, and legitimate purposes, with your explicit or implicit consent where required. Any data you provide through our website will be handled with the highest standards of confidentiality and security.
Personal data will be processed with care to protect the data subject’s rights, ensuring that data is anonymized or pseudonymized where possible to prevent identification unless legally justified. UNICOIL will handle all personal data in accordance with legal requirements, ensuring no harm or negative impact on the data subject.
UNICOIL collects personal data, including but not limited to names, contact details, identification numbers, financial information, and employment records, as required for operational, legal, and business purposes. Personal data is collected through various methods, including online forms, direct interactions, automated systems, and authorized third parties. The processing of personal data is conducted based on a valid legal basis, which may include the individual’s consent, the necessity of processing for contractual obligations, compliance with legal requirements, UNICOIL’s legitimate interests, or the protection of vital interests.
Information Security
We maintain an ISO/IEC 27001:2022-compliant ISMS to ensure the confidentiality, integrity, and availability of your data. Our systems and processes are designed to prevent unauthorized access, disclosure, alteration, or destruction of personal data.
Verification and Validation of Personal Data
UNICOIL ensures that personal data is processed only after verifying its accuracy, completeness, timeliness, and relevance, in full compliance with the PDPL. Personal data will be used solely for its intended purpose and outdated, or irrelevant data will not be processed. Regular reviews and updates are conducted to ensure data quality is maintained throughout its lifecycle.
Your Rights
In accordance with the PDPL, you have the right to:
- Access your personal data
Individuals may request details of the personal data stored about them, including the source of collection and its intended purpose. Any additional rights to access employment-related documents under applicable employment laws remain unaffected. If personal data is shared with third parties, individuals must be informed of this possibility. Additionally, if any personal data is inaccurate or incomplete, individuals have the right to request corrections or updates.
- Request correction or deletion of your data
Individuals can request to have their personal data corrected (if inaccurate), completed (if incomplete) or updated (if out of date). Individuals may request the deletion of their personal data if there is no legal basis for its processing or if the original legal basis is no longer applicable. This also applies if the purpose for which the data was processed is no longer relevant. However, any existing retention requirements or legitimate interests that warrant data protection must be considered.
- Withdraw consent (where applicable)
Individuals can at any time withdraw their consent which they previously gave in relation to processing their personal data.
- Object to certain processing activities
Individuals may object to the processing of their data if their personal circumstances justify prioritizing their rights over the interests of the data controller. However, this right does not apply if legal obligations require the data to be processed.
To exercise these rights or for any inquiries related to your personal data, please contact our Data Protection Officer at dpo@unicoil.com.sa
Subject access and modification requests to personal data
Individual subject access requests must be submitted via email or in writing. If a request is made verbally, it should be documented and processed by the authorized UNICOIL personnel. All requests must be recorded and logged for reference and follow-up to ensure proper handling and compliance with data protection requirements.
Third-Party Access
We do not share your personal data with third parties except as required by law or with your explicit consent. Any third-party service providers we use are contractually obligated to comply with our privacy and security standards.
Processing Sensitive Personal Data
UNICOIL implements strict measures to ensure the protection of sensitive personal data, including genetic and biometric data. Such data is processed only when legally justified, such as with explicit consent, compliance with legal obligations, or the protection of vital interests. Access to the sensitive data is restricted to authorized personnel and is subject to enhanced security controls, including encryption, access logs, and strict authentication measures.
Data minimization principles are applied to collect only the necessary information, and retention periods are strictly adhered to. Any sharing of sensitive data with third parties is conducted in compliance with applicable laws and only when essential for legitimate business or legal purposes.
Any individual subject access request received by UNICOIL will be thoroughly verified before processing. The identity of the requester must be confirmed to ensure that personal data is disclosed only to the authorized individual. Verification may involve requesting official identification or other necessary authentication measures.
UNICOIL shall respond to the requests and address complaints filed by the data subjects or individuals in accordance with the provisions of the Law and its Regulations in a timely manner.
Consent Management
Where required, explicit consent is collected for processing sensitive personal data. Individuals have the right to withdraw their consent at any time, and such requests are processed promptly, ensuring that data processing ceases unless another legal basis applies.
Unless it is necessary for a reason allowable in the KSA PDPL, consent must be obtained from a data subject to collect and process their data. In the case of children or Data subjects with special needs parental / guardian consent must be obtained. Transparent information about UNICOIL’s usage of their personal data must be provided to data subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.
As per PDPL UNICOIL may process Personal Data without consent of the individual in following cases:
- There is confirmed interest in the individual to perform processing of his/her personal data, and it is difficult or impossible to contact him/her.
- Data processing is required to comply with another law.
- The data processing is required to perform an agreement to which the individual is a party.
- If the Controlling Entity is a public entity and the processing is required for security purposes or to meet judicial requirements.
- If data processing is required to achieve legitimate interests of the Controlling Entity and the processed personal data is not sensitive.
Changes to This Disclaimer
We may update this disclaimer to reflect changes in legal, regulatory, or operational requirements. We encourage you to review this page periodically for the latest information.
For questions or concerns regarding data privacy or security, please contact:
Data Protection Officer
Email: dpo@unicoil.com.sa