EDAA (“Company”, “We”, “us” or “our”) is committed to protecting your privacy and ensuring compliance with the KSA Personal Data Protection Law approved by the Royal Decree No. 19/m, dated 1443/2/9 (corresponds to 16 September 2021) (“Law”) and its Implementing Regulation. This Privacy Notice will explain how we collect, store and protect your personal data as a customer while providing you services such as custody, clearing, and settlement of securities traded on the Saudi stock exchange (Tadawul).
We determine how and why personal data about you as a customer is collected and used. Therefore, we act as the controller of your personal data under the Law.
Address: Securities Depository Center (EDAA), King Abdullah Financial District (KAFD) - Parcel 1.17, Financial Blvd, Al Aqiq, Riyadh 13519, Kingdom of Saudi Arabia.
Policy update
This Privacy Notice may be updated at any time to reflect changes in legal, regulatory, or operational requirements. Updated versions will be communicated to you (e.g., by publishing on the website).
Sources of personal data
We collect and process personal data in the course of providing services to you. This includes, but is not limited to:
- Personal data collected on our website (e.g., “Contact Us” form).
- Personal data received from third parties (e.g., brokers).
- Personal data received from our information systems.
Categories of personal data collected
We collect various types of personal data, including, but not limited to:
- Identification details: first name, last name, date of birth, nationality.
- Contact information: address, phone number, email.
- Governmental IDs: national ID, Iqama.
- Financial details: investor type, bank account details, transaction history.
- Other identifying information: Any other information collected that could identify you.
Legal basis for processing personal data
We will collect and process your personal data under the following legal bases, in accordance with the Law:
- For legitimate interest.
- To fulfill contractual obligations.
- To comply with applicable legal and regulatory requirements.
- With your consent to the collection and processing of personal data, where required.
We will ensure that our legitimate interest doesn’t override your rights and freedom. If consent is used as the legal basis for personal data processing, you may withdraw it at any time.
We will uphold the legal basis for data processing. However, in accordance with the Law, we have the right to process your personal data on grounds other than the legal bases defined above in the following cases:
- If your personal data is publicly available and/or has been collected from a publicly available source.
- If processing your personal data will serve a vital interest.
- If collection or processing of your personal data is necessary to protect public health or safety, or to protect the life or health of you or other individuals.
- If your personal data is recorded or stored in a form that makes it impossible to identify you directly or indirectly (anonymized data).
Purpose of processing
We will collect and process your personal data only when there is a legal basis to do so, and solely for purposes necessary for providing services to you, including but not limited to:
- Managing reports for operational, regulatory, and compliance purposes.
- Facilitating meetings for participants and investors.
- Distributing dividends.
- Handling shareholder enquiries.
- Managing requests from clients and regulatory authorities.
- Ensuring compliance with cybersecurity and regulatory controls.
- CCTV for security purposes.
We may update or modify our processing activities from time to time to reflect changes in operational requirements, legal obligations, or technological developments. When such changes affect the way we collect, use or share your personal data, we will notify you through the appropriate channels (e.g., via phone number (i.e. SMS) or email, or by updating the Privacy Notice on the website).
Data sharing and disclosure
As necessitated by the processing purposes above (section 6), we have the right to disclose your personal data to the following entities to allow them to access, collect and process your personal data:
- STG group: STG Subsidiaries and/or entities within STG group.
- Regulatory Authorities: Any applicable regulatory authorities (CMA, SDAIA, etc.) or other third parties as required by law or in accordance with other regulatory obligations or policies applicable.
- Business Partners: Current or potential suppliers, subcontractors, business partners in banking, finance or other related sector (e.g., issuers and brokers).
Any disclosure of personal data will be in accordance with the Law and in the following circumstances:
- You consent to the disclosure.
- Your personal data has been collected from a publicly available source.
- The entity requesting disclosure is a public entity, and the collection or processing of your personal data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
- The disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
- The disclosure will only involve subsequent processing in a form that makes it impossible to directly or indirectly identify you (anonymized data).
- The disclosure is necessary to achieve our legitimate interests (in this case no sensitive data (e.g. health data) will be processed).
We store and process personal data within the Kingdom of Saudi Arabia. If it becomes necessary to transfer your personal data for processing outside of the KSA, we will comply with the requirements of the Law regarding cross-border personal data transfers, as well as with the requirements of other laws and regulations, where applicable, and we will:
- Ensure an adequate level of protection in the recipient country, and/or
- Implement safeguards in line with the Law and its Implementing Regulations governing cross-border data transfer (if required).
Data retention
We keep all personal data only for as long as it is necessary to:
- Fulfill the purpose for which personal data was collected.
- Comply with legal, regulatory, or contractual requirements.
Once retention periods have expired, data will be securely deleted or anonymized.
Data subject rights
Under the Law, you have certain rights regarding your personal data, including:
- You have the right to be informed about how your data is collected, stored, processed and retained.
- You have the right to access your data.
- You have the right to obtain a copy of your data.
- You have the right to request correction of inaccurate or incomplete data.
- You have the right to request destruction of your personal data, subject to legal or contractual restrictions.
- You have the right to withdraw consent where processing is based on consent.
Data security measures
At EDAA we are committed to protecting the data entrusted to us. We have implemented appropriate administrative security policies, rules and technical measures to protect personal data. All security measures are designed to prevent unauthorized access, disclosure, modification and unlawful destruction or loss of data. All security measures are aligned with the applicable laws in the Kingdom of Saudi Arabia.
Cookies
We use cookies to understand how you interact with our services, collect information about visits, and to enhance performance of our website. Most cookies do not collect information that identifies you, but collect general information (entry method, use of our website) instead.
You can manage cookies, which are placed on your devices (tablet, smartphone, PC, etc.): delete cookies, set permissions for them, and withdraw your consent to our use of cookies. Instructions for deleting or blocking cookies on various browsers are available at the links (Google Chrome, Internet Explorer, Opera, Mozilla Firefox, Safari).
We use Google Analytics services on our website. On our behalf Google Inc. service owners analyze the ways users interact with the website. This is done to assess our website performance and improve its functionality in order to create high-quality content and services for you.
You can refuse to provide this information by downloading and installing the browser plugin at the link Google Analytics Opt-out Browser Add-on.
You should be aware that in this case some functions and services will not be able to work properly.
Contact information
If you have any questions or comments regarding our use of your personal data, or you wish to exercise any of your rights as a data subject, please contact us by using the following contact details: