Introduction
Al-Etihad Cooperative Insurance ("we", "us", "our") is committed to protecting your personal data and respecting your privacy rights. This Privacy Notice explains how we collect, use, disclose, and protect your personal data in accordance with the Saudi Personal Data Protection Law (PDPL) and other applicable regulations for the purposes of providing our insurance products (“service”), and access to use our application (“product”).
For the purposes of this document, the term “Law” shall refer to the Personal Data Protection Law brought into effect by the Saudi Data & AI Authority (SDAIA). The term “Regulation” refers to the Personal Data Protection Regulations published by SDAIA to aid the implementation of the Law.
Data Controller
The data controller of any personal information given to us about you, or other people named on the policy, quote or claim is Al-Etihad Insurance Cooperative. If you have any questions about how we process personal information, please get in touch with us by email at DPO@tui-sa.com.
Personal Data We Collect
We only collect information that we need and have strict controls to keep it safe. We collect personal information to provide our products and services (e.g. handling claims) to you. Without the information we collect, we wouldn’t be able to give you a quote or an insurance policy and it may affect the outcome of any claims you make. Personal information we collect will be held in digital and / or paper files. We collect and process the following categories of personal data:
• Customer information (e.g., name, national ID number, contact details)
• Vehicle information (for auto insurance)
• Medical information (for health insurance)
• Financial information (e.g., payment details)
• Information from government portals such as Najm, Yakeen, Wathiq, Absher, etc.
We may collect your personal data from the following sources:
• You directly when you apply for our services.
• Government portals.
• Third-party service providers (e.g., insurance aggregators).
Purposes and Legal Basis for Processing
By law, we must have a legal justification to process your personal information for the purposes described in this privacy notice.
We collect personal information to provide our quotes, products and services to you. We do this to enter into and / or perform the insurance contract with you. This includes arranging, underwriting and managing our products and handling claims in accordance with the terms of the policy.
As a regulated financial services organization, we are required to comply with legal and regulatory obligations. This includes meeting responsibilities we have to our regulators, tax officials, law enforcement and any other legal responsibilities we have, such as the prevention, detection and reporting of fraud and other financial crimes.
We may process personal information for our legitimate interests, when we have a business reason to do so. We will also need your consent to be able to process your personal data for the following purposes:
• Providing insurance services and products.
• Accessing customer details from government portals.
• Calculating insurance premiums.
• Assessing and managing risks.
• Claims processing and management.
• Compliance with legal and regulatory obligations.
• Fraud prevention and detection.
• Customer service and communication.
The legal basis for processing your personal data includes:
• Performance of a contract to which you are a party.
• Compliance with legal obligations.
• Legitimate interests pursued by us or third parties.
Data Minimization and Accuracy
We collect only the minimum amount of information necessary to provide our services and fulfill our legal obligations. We ensure this by only collecting the data necessary to access your information directly from government portals. We also take steps to ensure that the personal data we process is accurate, complete, and kept up to date, including regular retrieval of data from government portals.
Data Storage and Destruction
All personal data related to customers is stored in multiple regions within the Kingdom of Saudi Arabia. Your personal data is not transferred outside KSA for any purposes whatsoever.
In accordance with regulatory requirements outlined in the Insurance Market Code of Conduct published by the Saudi Arabian Monetary Authority (SAMA), we are required to retain your personal data for a period of 10 years after the termination of our services to you. After this period, we will securely delete or anonymize your data unless we are required to retain it longer for legal or regulatory reasons.
Should you decide to prematurely end your policy, your data will be deleted and will be stored for a period of 10 years, in line with the requirements outlined by SAMA and SDAIA, after which it shall be deleted. Once the 10 year period is over, we shall ensure that all of your personal data is removed from any and all systems in which it may have been stored.
Data Subject Rights
All data subjects in the Kingdom of Saudi Arabia have the following rights regarding their personal data:
• Right to be informed about the collection and use of your personal data.
• Right to access your personal data.
• Right to request copies of your personal data in a readable and clear format.
• Right to request correction, completion, or updating of your personal data.
• Right to request deletion of your personal data (subject to retention requirements, as mentioned in Section 7).
• Right to withdraw consent at any time.
• Right to object to processing based on legitimate interests.
• Right to data portability.
To exercise these rights or make a request, please contact our Data Protection Officer at:
• Phone: +966 13 8164555, Ext.: 8708.
We shall, upon receiving your request regarding your rights, as stipulated in the Law, do the following:
1) Act on your request exercising your rights under the Law within a period not exceeding (30) days and without delay. This period may be extended in case the implementation requires disproportionate effort, or if we receive multiple requests from you, the data subject, provided that the extension period does not exceed an additional (30) days and that you, the Data Subject, are notified in advance of the extension with the reasons for the delay.
2) Take the necessary technical, administrative, and organizational measures to ensure a prompt response to requests related to exercising your rights.
3) Take appropriate measures to verify your identity as the requester before executing the request in accordance with relevant legal requirements.
4) Take the necessary measures to document and keep record of all received requests including oral requests.
While you as a data subject have the right to withdraw consent for the processing of your personal data at any time, this will mean the cancellation of any services provided by EA related to the processing of that personal data. You as a Data Subject must also note that while processing activities may stop, your data must still be stored for a period of 10 years as required by SAMA.
As defined in the Law, we may refuse a Data Subject Rights request when it is repetitive, manifestly unfounded, or requires disproportionate effort, in which case the Data Subject shall be notified of such reason.
In cases where you, as the Data Subject, fully or partially lack legal capacity, your legal guardian shall exercise your rights on your behalf.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
• Encryption of personal data.
• Regular security assessments and audits.
• Access controls and authentication measures.
• Employee training on data protection and security.
Data Sharing and Transfers
We may share your personal data with the following entities:
• Regulatory authorities (e.g., SAMA) as required by law.
• Third-party service providers who assist us in providing our services.
• Reinsurance companies for risk assessment and management.
We ensure that any third parties who process your data on our behalf provide sufficient guarantees to implement appropriate technical and organizational measures to meet PDPL requirements, as outlined in Article (17) of the Regulations.
Exemptions for Disclosure of Personal Data
As outlined in the Law, we may disclose Personal Data in the following situations:
1) Data Subject consents to the Disclosure in accordance with the provisions of the Law.
2) Personal Data has been collected from a publicly available source.
3) The entity requesting Disclosure is a Public Entity, and the Collection or Processing of Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
4) The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
5) The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.
6) The Disclosure is necessary to achieve the legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.
However, we shall not disclose Personal Data in the situations stated in Points (1, 2, 5) and (6) if the Disclosure:
1) Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
2) Affects the Kingdom’s relations with any other state.
3) Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
4) Compromises the safety of an individual.
5) Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
6) Conflicts with the interests of a person that fully or partially lacks legal capacity.
7) Violates legally established professional obligations.
8) Involves a violation of an obligation, procedure, or judicial decision.
9) Exposes the identity of a confidential source of information in a manner detrimental to the public interest.
Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or for legal reasons. We will notify you of any material changes and obtain your consent where required.
Complaints
If you have any concerns about how we handle your personal data, you can contact our Data Protection Officer. You also have the right to lodge a complaint with the Insurance Authority.
• Phone Number: +966 800 124 0551
For complaints related to health insurance, visit this link.
For complaints related to motor and other insurance products, visit this link.
Consent
To use our services, you must consent to the collection and processing of your personal data as described in this Privacy Notice. You have the right to withdraw your consent at any time, although this may affect our ability to provide certain services to you.
You must also separately provide consent if you would like us to contact you with advertisements about services and awareness materials.
Opt-out
If you no longer wish to receive correspondence, emails, surveys, awareness materials, or other communications from us, you may opt-out by:
• Logging into your account settings and updating your preferences.
• Contacting the DPO using the information provided below:
o Phone: +966 13 8164555, Ext.: 8708.