Privacy Policy

Introduction

CHUBB Arabia (“we” or “us” or “our”) is committed to respecting your privacy and recognizes your need for appropriate protection and management of any Personal Data or Sensitive Personal Data (“Personal Data”) you share with us, in alignment with applicable Personal Data Protection Laws and Regulations in the Kingdom of Saudi Arabia (KSA). We will only use your Personal Data to deliver the products and services you have requested from us and to meet our legal responsibilities.

This Privacy Notice applies to all our Customers, Visitors, users, and others (hereinafter referred to as “You” or the “User”) who Access or use our Website or Mobile Application. The applicability of this Privacy Notice shall not be Restricted only to Personal Data collected from our Website or Mobile Application, but also includes any such data collected offline or through other data Collection channels.  This Privacy Notice intends to inform you about the following:

  1. The type of information we may collect about you and the Purposes for which we collect it when you use our Website.
  2. How we use the information collected from you and with whom we may share it.
  3. Your Privacy Rights regarding your data.

We fully understand how important your Personal Data is to you, and we will exert our effort to protect the security of your Personal Data. We have always been committed to maintaining your trust and will adhere to privacy principles to protect your Personal Data. We are also committed to taking appropriate security measures to protect your information.

This Privacy Notice shall apply to Personal Data about you and Related Parties that may be processed when you visit our offices, use our Website or mobile application, apply for or use any product or service provided by us, handle any business or make any transaction with us, participate in any of our marketing events and surveys, or in any way contact or correspond with us, regardless of whether the information is provided by yourself or by the Related Parties, or collected or acquired by us from other sources according to the PDPL (Personal Data Protection Law), regulation, regulatory provision, or based on your or Related Parties’ authorization or Consent.

This Notice sets out the details below, as per KSA Personal Data Protection Regulations:

  1. How We Collect Your Personal Data
  2. How We Use Your Personal Data
  3. How We Store Your Personal Data
  4. Lawful Basis for Processing
  5. How We Protect Your Personal Data
  6. How We Share, Transfer and Publicly Disclose Your Personal Data
  7. Your Rights Relating to Personal Data
  8. Protection of Personal Data of Person who fully or partially lacks legal capacity
  9. How We Use Cookies and Other Technologies
  10. How to Contact Us
  11. Formulation, Effectiveness, and Update of this Policy and Others
1. How We Collect Your Personal Data
  1. To comply with the law, regulation, and regulatory provision, or as required for us to provide you or relevant parties with various products and services and continuously improve our products and services, or to contact or communicate with you or relevant parties, understand the needs of you or relevant parties, build, review, maintain and develop our relationship with you or relevant parties, we may receive and keep the Personal Data provided by yourself or by Related Parties, or, according to law, regulation, regulatory provision, your or relevant parties’ authorization or Consent, collect, enquire, and verify by proper methods your and/or Related Parties’ Personal Data from/with members of CHUBB Arabia or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties). We collect data directly from you through our application and may also receive data from your employer to verify employment status. We will always inform you if we collect data from Third Parties and obtain your consent where required.
  2. The Personal Data we collect may be on paper, electronic, or any other form.
  3. When you visit, browse, or use our website and/or applications as a Visitor, we may collect information about the browser or device you use (such as IP (Internet Protocol) address, operating system, and browser version), your browsing actions, and patterns. We use Cookies and other similar technologies to collect the above information. You may disable Cookies by changing your settings (for details, please refer to the section “How We Use Cookies and Other Technologies” in this notice).
  4. Technical information which cannot identify any individual will not be treated as Personal Data. However, when such technical information can identify the individual alone or in combination with other information, we will protect it as your Personal Data.
  5. We may invite you to subscribe to our updates and alerts or to participate in our marketing events or surveys via our Website and/or applications. If you accept the relevant invitation, we may collect the information you provide to us by filling out contact forms or questionnaires, etc. The said information may include name, Iqama number, telephone number, email address, etc. Refusal to provide such information will not affect your visiting, browsing, or using our Website and/or applications.
  6. When you are our prospect or existing individual customer/corporate customers or relevant parties to the transactions, for us to provide you with our products/services and to handle relevant business, we may collect the following information upon your Consent or authorization:
Purposes or Functions (Products/ Services/ Functions): To provide you with General Insurance, Motor Vehicle Insurance and Travel Insurance.

Personal Data we may need to collect:

a) Personal identity information, including Name, Nationality, Citizenship, National/IQAMA ID or Residence Number, Job Title, Mobile Number, Email Address, Signature, occupation, Telephone number, E-mail, contact information, Birth date, Place of birth, Marital status, Family status, Place of residence (including historic address, contact address and permanent address), Salary/Wage Benefits, Company/employer and Job position, and any relationship with Politically Exposed Person and relevant information etc.;

b) Medical history, related to your health conditions or diseases, your family details (including spouse, Children), etc.

c) Personal account information, including Account Number, etc.

The above information is the basic information we must collect to provide you with our products or services, to fulfill our contract with you, and to comply with laws, regulations, and regulatory requirements. If you refuse to provide that information (or the information so provided is incomplete, inaccurate, or untrue), you will not be able to use our products or services.

  7. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the following information for the following Purposes or functions:

Purposes or Functions (Products/ Services/ Functions): Consent Information we may need to collect

  • Message service functions: Your policy information and transaction information. We collect the above information so that we can send you prompt notifications on policy information and other new product-related notifications.
  • Appointment for policy information, other services: Name, Mobile Phone Number, ID Document Type and Number, Tax Residence, Address, Email, Telephone Number, Fax Number
  • To provide you with more accurate, personalized, and convenient service and improve your customer service experience: Information you provide when raising your feedback, suggestion, or complaint, information you input when participating in campaigns or surveys, category, methods, and operation information. It may include notes from calls and other communications you’ve had with us or referrals from your existing insurance provider. We will conduct an analysis of the information and will contact you or provide you with the relevant response, service, or products based on that information.

You can choose not to provide such information. Your failure to provide such information will make you unable to participate in or utilize the corresponding convenience or functions but will not affect your normal use of our other services.

  8. We obtain most of your Personal Data directly from you and through the products and services you use. Some information may be obtained from other sources. The other Sources may include:

a. Our group of Companies
b. Your parent or guardian (if you are a child)
c. Authorized third parties
d. Your employer
e. Healthcare providers
f. Medical regulators
g. Credit reference and fraud prevention agencies
h. Debt collection agencies
i. Third party that buys or takes over any of our businesses.
j. Professional consultants
k. Public sector bodies, government, and regulatory organizations
l. Public data sources
m. Suppliers who process your personal information on our behalf

  9. We may verify some of the information you give us with your employer or our references. Generally, when we obtain information from someone other than you (other third parties we may have), we record the source of that information. We may obtain your Consent in writing or through electronic means before collecting Personal Data. In some cases, we may be required by law to obtain your Explicit Consent, in which case we ensure that we do so.

2. How We Use Your Personal Data
  1. We will use your information to realize the purposes and functions mentioned in the above section of this Policy “How We Collect Your Personal Data.”
  2. When you visit, browse, or use our Website and/or applications as a Visitor, we may use your information for the following purposes:

a. To respond to your queries and requests.
b. To provide you with information, products, or services that you request from us or which we feel may interest you, subject to your prior Consent.
c. To perform contracts or agreements entered between you and us.
d. To allow you to interact with us on our Website and/or applications.
e. To notify you about changes to our Website and/or applications.
f. To ensure the content of our Website and/or application is presented effectively on your device.
g. To maintain proper and secure operation of our Website and/or applications to prevent and Control risk, or to detect and prevent misuse or abuse of our Website, applications, products, or services.
h. To meet our compliance obligations, or to comply with any applicable laws and regulations that we are subject to; and
i. To make statistics and analysis of the use of our business, products, services, or functions. However, such statistics will not contain any of your Personal Data.

  3. When you are our prospect or existing individual customer or a connected person or a guardian of our individual/ non-individual customers, we may use your information for the following purposes:

a. To provide you or Related Parties with products or services, to recognize or verify the Identity of you and Related Parties, or to approve, manage, handle, execute, or effect requests authorized by you or Related Parties.
b. To comply with any applicable Laws and any order or requirement from any authority.
c. To perform CHUBB Arabia’s compliance obligations (including regulatory compliance, and/or compliance with any Applicable Laws or requirement of any authority), or to implement any policy or procedure made by CHUBB Arabia for the performance of compliance obligations.
d. To enforce or defend CHUBB Arabia, or to perform CHUBB Arabia’s obligations.
e. As required by or to fulfill CHUBB Arabia’s reasonable operational requirements (including analysis, Processing, handling, Archiving, recording, system, product and service design, research, development and improvement, planning, insurance, audit, and administrative purposes).
f. Subject to your or relevant parties’ authorization, market or promote relevant products or services to you or relevant parties, to assess your or relevant parties’ interests in relevant products or services, or to conduct market research or survey or satisfaction survey; and
g. To obtain or utilize administrative, consultancy, telecommunications, computer, payment, Data Storage, Processing, outsourcing, and/or other products or services.

  4. The above information Collection and use in this notice shall not impact our use of your information for the Purposes otherwise agreed between you or Related Parties and us.
  5. If we use your Personal Data for purposes other than the purposes of Collection and use as outlined in this notice or other agreements between you or Related Parties and us, we shall obtain your Consent before using your Personal Data for such additional purposes, unless the same has been permitted by the Laws of KSA.

3. Lawful Basis for Processing

We will only process your Personal Data if we have a lawful basis to do so. This includes Consent, Performance of Contract, Legal Obligation, Vital Interest of Data Subject, Performance of task carried out in public interest and Legitimate Interests pursued by the controller or by a third party.

4. How We Store Your Personal Data

We comply with KSA laws and requirements on Data Storage. When we collect or process your information, we will, according to applicable laws and regulations, regulatory, archival, accounting, auditing, or reporting requirements, and the purposes as outlined in this notice, store your information for the minimum period necessary to fulfill the purposes of information collection.

Personal and sensitive data collected from the Website and/or mobile applications and other official channels are stored on our servers located within the Kingdom of Saudi Arabia for over 10 years and are governed by appropriate security techniques to protect and preserve the data. After the Retention period expires, we will destroy, delete, or de-identify relevant information, or where the destruction, Deletion, or anonymization is not possible, store your Personal Data securely and separate it from other data Processing.

The requirements do not apply to the information that needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing, or reporting requirements, a special agreement between you or Relevant Customers and us, or for record check or inquiry from you, Relevant Customers, regulators, or other authorities.

We might need to keep your data even after the purpose of its Collection has ended in the following cases:

a. If there is a legal justification for us to keep it for a specified period by law, regulation, or security reasons
b. If the Personal Data is closely related to a case before a judicial authority and its Retention is required for this purpose
c. If all personal elements have been anonymized

5. How We Protect Your Personal Data
  1. Information security is our top priority. We will always endeavor to safeguard your personal data against unauthorized or accidental access, Processing, or damage. We maintain this commitment to information security by implementing appropriate physical, electronic, and organizational measures to secure your Personal Data. We will take responsibility by law if your information suffers from Unauthorized Access, public Disclosure, erasure, or damage for a reason attributable to us and so impairs your lawful rights and interests.
  2. We maintain a strict security system to prevent unauthorized Access to your Personal Data. We exercise strict management over our staff members who may have Access to your Personal Data, including but not limited to Access control applied to distinct positions, a Contractual Obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security-related policies and procedures, and information security related training offered to staff.
  3. We will not disclose your Personal Data to any third party unless the Disclosure is made to comply with laws, regulations, and regulatory requirements or according to this Notice or other agreement (if any) or based on your or Related Parties’ separate Consent or authorization. When we use services provided by external service providers (Entities or individuals), we also impose strict confidentiality obligations on them and require them to abide by the security standards of KSA PDPL when Processing Personal Data.
  4. For the security of your Personal Data, you take on the same responsibility as us. You shall properly take care of your Personal Data, such as your account information, Identity Verification information (e.g., username, password, dynamic password, Verification code, etc.), and all the documents, devices, or other media that may record or otherwise relate to such information, and shall ensure your Personal Data and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices, or other media. Once you think your Personal Data and/or relevant documents, devices, or other media have been disclosed, lost, or stolen, or may otherwise affect the security of your use of our products, devices, or services, you shall notify us immediately so that we may act appropriately to prevent further Loss from occurring.
  5. We will organize regular staff training and drills on emergency response. If, unfortunately, a Personal Data security incident occurs, we will adopt the emergency plan and take relevant actions and remediation measures to mitigate the severity and Losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform regulatory authorities about the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions to prevent and mitigate the risk, and applicable remediation measures.

6. How We Share, Transfer and Publicly Disclose Your Personal Data
  1. Entrusted Processing and Sharing

For the Purposes set out above in the CHUBB Arabia Privacy Notice, we may provide or disclose all or part of your Personal Data to the following recipients under the preconditions that such provision or Disclosure is necessary and is made with proper protective measures (please refer to section “How We Protect Your Personal Data” for details) and the recipients may also, for the aforesaid Purposes, use, process or further disclose the information they receive provided that corresponding protective measures are adopted under the applicable laws or our requirements:

I. any member of CHUBB Arabia.
II. any contractor, subcontractor, agent, third-party product or service provider, professional consultant, business partner, or associated person of CHUBB Arabia (including their Employees, directors, and officers).
III. any regulator of CHUBB Arabia or any other authority, or any organization or individual designated by such regulators or authorities.
IV. Any reinsurer for the purpose of reinsurance.

Subject to applicable laws and regulations, we will seek your separate Consent and notify you of the Data Sharing/Transferring, including the data receiver’s identity, contact information, the purpose of Processing, method of Processing, and the type of Personal Data (if a cross-border Transfer is involved, we will also notify you of the manner and method of exercising your right).

At times, we may need to collect your Personal Data from or share it with other individuals or organizations. When we do share your data, we limit it to only what’s necessary for a specific purpose and share as little as possible. For example, if you require medical treatment, we will share relevant medical details with your healthcare provider.

We have established processes to ensure that your Personal Data is protected when shared with third parties. If you provide us with someone else’s Personal Data, please ensure they have read this privacy notice and are comfortable with you sharing their data with us.

We may also disclose your Personal Data to other third parties (e.g., Brokers, Claim agents, Reinsurers, etc.) if required or permitted by Law. Additionally, we ensure that any third party we share your data with adheres to PDPL and uses the information solely for the intended Purposes.

  • Affiliates: We may share information about you within the CHUBB Arabia group for legal and regulatory purposes, to manage business risks, and to ensure we have correct and up-to-date information about you, such as your current address, date of birth, etc. We may also share your information to better manage your total relationship with the CHUBB group and enable other members of the CHUBB group to bring suitable products and services to your attention. CHUBB Arabia will share your information within the CHUBB group for these Purposes unless prohibited by law or you tell us not to do so.
  • Authorized Business Partners: We may Partner with other companies to offer you products or services. We may disclose Personal Data and/or non-personal or de-identified information collected about you to third-party Partners such as Brokers, Other Insurers/ Reinsurers, Third Party Administrators, Loss Adjustors/ Claims Experts, Assistance Providers, and Service Providers to help us provide those services.
  • Sharing information where ownership or liability is shared with others: If you have a product or service where ownership or liability is shared with others, we may share your information with them in connection with the product or service. Also, if you authorize us, we may provide your information to your lawyer, accountant, or others you’ve identified.
  • Parents or Guardians or Authorized Third Parties (i.e. Brokers):  You have authorized us to communicate with a third party on your behalf, such as a family member, solicitor, or someone acting through a Power of Attorney. The reasons for sharing such information are as follows –

a) To deliver our products and services to you.
b) To manage our relationship with you.
c) To establish your status as a customer.
d) To fulfill our regulatory obligations or comply with legal requests or claims.
e) To handle complaints, claims, or requests regarding individual rights.
f) Healthcare Providers and Organizations
g) Doctors, clinicians, and other healthcare professionals
h) Hospitals and clinics
i) Medical laboratories
j) Individuals or organizations responsible for paying for your care.

  • Healthcare Providers and Organizations: You have authorized us to communicate with a third party on your behalf, such as Authorized healthcare workers with Access to your health records to support your direct care. The reasons for sharing such information are as follows –

a) To facilitate and provide you with appropriate treatment.
b) To process and validate invoices and handle payments.
c) To investigate complaints, claims, and potentially fraudulent activities.

  • Government and Law Enforcement; Compliance; Other Purposes Permitted by Law: Notwithstanding any other provision of this notice to the contrary, we reserve the right to disclose Personal Data to others as we believe appropriate to comply with legal process and/or to respond to governmental or regulatory requests for any other purpose permitted by applicable law.
  2. Transfers

Without your separate Consent, we will not Transfer your Personal Data to any other company, organization, or individual in the following cases –

I. When the Processing involves Sensitive Data.
II. When the Processing involves Credit Data.
III. When decisions are made solely based on automated Processing of Personal

In exceptional cases to provide the cross-border service, after obtaining your Consent, your information may be transferred outside of the Kingdom of Saudi Arabia too. Under these circumstances, we will adopt appropriate, necessary, and effective security methods (encryption) to protect your information security. Also, we will inform you of the identity, contact, etc. of the Personal Data recipient according to the requirements of applicable laws and regulations and request the Personal Data recipient to comply with the CHUBB Arabia Privacy Notice. If the Personal Data recipient changes the Purposes, methods, etc. of Personal Data Processing under the CHUBB Arabia Privacy Notice, it shall re-obtain Consent from you.

  3. Public Disclosure

We will not disclose your Personal Data to the Public unless we have your separate Consent.

7. Your Rights relating to Personal Data

CHUBB Arabia makes every effort to provide high-quality services to all Users in a manner that guarantees their rights under the limits stipulated in the Personal Data Protection Law as well as other regulations according to the following:

  1. Right to be Informed: You have the right to be informed about the Collection and Usage of your data, including why and how we collect your data, the Purposes for Processing your data, Retention periods for that data, who it will be shared with, what security measures we take to protect this information, and what your rights are.
  2. Right to Access: You have the right to Access your data with CHUBB Arabia and are entitled to obtain a copy of it or Transfer it to another party.

Exceptions to this right include:

a. If the Restriction is necessary to protect the data owner or others
b. If the Restriction is necessary for security purposes, implementing another law, or meeting judicial requirements
c. If the Access is characterized by or may lead to the following:

I. Poses a Threat to security, harms the reputation of the Kingdom of Saudi Arabia, conflicts with the Kingdom of Saudi Arabia’s interests
II. Affects the Kingdom of Saudi Arabia’s relations with other countries
III. Prevents detection of a crime, affects the rights of the accused, affects the integrity of existing criminal procedures
IV. Endangers the safety of individuals
V. Violates the privacy of an individual other than the owner
VI. Conflicts with the interests of an incompetent or incapacitated individual

3. Right to Correction: You have the right to request data correction, completion, or update.

4. Right to Destroy: You have the right to request that your data be destroyed when:

a. You consider that we no longer require the information for the purposes for which it was obtained.
b. You have validly objected to our use of your Personal Data.
c. Our use of your Personal Data is contrary to law or our other legal obligations.
d. You have Revoked your Consent to collect and process your data.

5. Right to request a copy: You have the right to request a copy of your data which is being processed.

6. Right to Revoke Consent: You have the right to Revoke Consent to collect and process your data unless statutory or judicial requirements require otherwise.

You may submit a request to exercise your rights by following the below steps: DPO@chubb.com.sa

Data Subject Rights are not absolute; CHUBB shall have the sole discretion to accept or reject any requests made under DSR, while adhering to the Laws of KSA.

8. Protection of Personal Data of a Person that fully or partially lacks legal capacity

We pay particular attention to the protection of Personal Data of a Person that fully or partially lacks legal capacity. We have no intention of Collecting any Personal Data of a Person that fully or partially lacks legal capacity unless it is agreed by their Legal Guardians, and it is necessary for the products or services offered to them. In the case where we Collect their Personal Data through our Website or mobile application, the purpose would solely be to directly respond to the request without using their Data for any other Purposes. The Personal Data will not be Processed without notifying the Legal Guardian of the request except for the following:

  • If there is a legal justification for CHUBB Arabia to Process the Data specified by law, regulation, or for security reasons.
  • When the sole purpose of Collecting the contact details is to respond directly to a specific request from the Data Subjects, this Data is not used to call them back again or for any other purpose.

We will only Use or Disclose the Personal Data we Collect with the Consent of your Legal Guardians to the extent allowed by law and regulation or Expressly Consented by your Legal Guardians or necessary for the protection of the Data Subject’s interests.

9. How we use cookies and other technologies

Cookies are small bits of information automatically stored on your local terminal, which can be retrieved by your local terminal. Cookies can enable our Website or applications to recognize your device and store information about your use of the Website or applications to provide more useful features to you and to tailor the content of our Website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to Access the information stored on the Cookies.

Your visits to, browsing of, and use of any of our Website or mobile device applications may be recorded for analysis of the number of Visitors to the site and/or applications, routine use patterns, and your personal use patterns, and for improving your experience. Some of this information will be gathered using “Cookies.”

The information collected by Cookies is anonymous aggregated data and contains no Personal Data such as name, address, telephone, email address, etc. We sometimes conduct analytics that cannot be performed without personal information. This type of analytics involves analysing personal information and other data. The goal is to make recommendations about changes to the business or improvements to the services we offer our customers.

You can manage or disable Cookies based on your preference. Should you wish to disable the Cookies, you may do so by changing the settings on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected.

10. How to contact us

Requests for Access to, correction, or Deletion of Personal Data, for withdrawal of authorization or Disposal of Personal Data beyond the Retention period, for a copy of this Notice, or inquiries about our practices regarding Personal Data and privacy protection, should be addressed to:

Data Privacy Officer Name: Data Privacy Office

Contact Details: DPO@chubb.com.sa

Office Address: Khobar Business Gate, King Faisal Bin Abdulaziz Street,
PO Box 2685, Al Khobar 31952, Kingdom of Saudi Arabia.

11. Formulation, Effectiveness, Update of this notice

This Privacy Statement may be revised from time to time. We urge you to request and review this Privacy Notice frequently to obtain the current version. Your continued provision of Personal Data or use of our services following any changes to this Privacy Notice constitutes your acceptance of any such change. This privacy notice was last updated on the 19th of September 2024.

12.  Definition
Privacy Notice
Term Description
Access Access refers to the ability to view, retrieve, or interact with Personal Data.
 Data Storage/Store Refers to the activity of retaining or holding onto personal data that has been collected with the individual’s Consent.
Archiving Refers to the Process of securely storing Data for long-term preservation and future reference or retrieval.
Children Refers to Individuals who are below a certain age threshold, which may vary depending on the specific legal framework.
Collection/Collect/Collected The controlling Entity obtains Personal Data by the provisions of the Law, whether from its owner directly, from their representative, whoever has legal guardianship over him, or from another party.
Consent Consent is a crucial concept that refers to an Individual’s freely given, specific, informed, and unambiguous agreement to the Processing of their Personal Data. It’s a fundamental requirement for organizations to Collect, Use, or share Personal Data Lawfully and transparently.
Control Refers to measures, policies, procedures, or safeguards implemented to mitigate risks, ensure compliance with regulations, and safeguard assets, Information, or Processes within an organization
Cookies Cookies are small bits of Information automatically Stored on your local terminal, which can be retrieved by your local terminal. Cookies can enable Website or applications to recognize User’s device and Store Information about User’s Use of the Website or applications to provide more useful features to User and to tailor the content of Website/applications to suit User’s interests and, where permitted by User, to provide User with promotional materials based on User’s Usage patterns.
Credit Data All Personal Data related to an Individual’s request for, or obtainment of, financing, whether for a personal or family purpose, from an Entity that practices financing, including any Data related to the ability to obtain credit, their ability to pay it, or their credit history.
Customers Customers, as Individuals who engage in commercial transactions with businesses, are inherently considered Data Subjects under the KSA PDPL. Their Personal Data, such as names, contact Information, purchase histories, and even online browsing behaviors fall under the law’s protection.
Data Controller Means Individual, company, public authority, agency, or other body which, alone or jointly with Third Parties, determines the Purposes and means of the Processing of Personal Data
Data Privacy Office Unit within CHUBB Arabia that is responsible for overseeing and managing Data Privacy and Data Protection matters. The primary Role of a Data Privacy Office is to ensure compliance with applicable Data Protection laws and regulations, safeguard Individuals’ Privacy Rights, and mitigate Privacy risks associated with the Processing of Personal Data.
Data Privacy Officer The Data Privacy Officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Regulations.
Data Processor In relation to Personal Data, means any person (other than an Employee of the Data Controller) who Processes the Personal Data on behalf of the Data Controller.
Data Protection Refers to the process of safeguarding personal data from unauthorized access, Use, Disclosure, alteration, or destruction to ensure the privacy, confidentiality, integrity, and availability of the data.
Data Sharing/Transferring Refers to the act of disclosing or transferring Personal Data from one Entity (the Data Controller or Data Processor) to another Entity (the Data recipient or Third-Party)
Data Subjects/Individual The Individuals whose Personal Data and Sensitive Personal Data is Processed by or on behalf of CHUBB Arabia
Deletion / Erasure Means to remove or erase something, usually from a digital or physical medium. When you delete something, you eliminate it or make it no longer accessible or visible.
Destroy/Destruction Refers to the Process of permanently and securely Erasing or Destroying Personal Data in a manner that prevents its recovery or reconstruction. This means that the Personal Data must be Destroyed in a way that it cannot be restored or accessed by unauthorized Individuals. The KSA PDPL requires Data controllers and Processors to implement appropriate technical and organizational measures to ensure the secure Destruction of Personal Data, in accordance with the requirements set out in the law.
Disclosure/Public Disclosure Enabling any person – other than the controlling Entity – to obtain, Use, or Access Personal Data by any means and for any purpose.
Disposal Refers to the Process of discarding or getting rid of something that is no longer needed, usable, or wanted.
Employees PDPL in KSA covers Employee Data (which is common in many Data Protection laws), “Employees” would refer to Individuals who are employed by the organization, and the PDPL may impose certain obligations on the Processing of their Personal Data.
Entities/Entity Refer to organizations that exist and can be identified as separate and distinct.
Explicit Consent Direct and Explicit Consent given by the Data Subject in any form that clearly indicates the Data Subject’s acceptance of the Processing of their Personal Data in a manner that cannot be interpreted otherwise, and whose obtention can be proven.
Expressly Consented Refers to a situation in which an Individual provides clear, unambiguous, and specific Consent for a particular Purpose or action.
Health Data All Personal Data related to an Individual’s health status, whether physical, mental, psychological, or related to their health services.
Identity Refers to the distinct characteristics or attributes that uniquely identify an Individual or Entity. It encompasses various elements that differentiate one person or Entity from another.
Job Title Job Title usually focuses on the official name of a position within an organization, often reflecting specific responsibilities and seniority. Examples: “Software Engineer,” “Marketing Manager,” “Chief Executive Officer.”
KSA Personal Data Protection Law (PDPL) Is a set of Data Protection rules for governing how businesses must handle Personal Data. It defines what right to Privacy the people of Saudi Arabia have. Any company that Processes Personal Data of KSA residents must meet the KSA PDPL requirements, else face severe consequences.
Lawful/Legal Basis A Lawful condition when Personal Data & Sensitive Personal Data is Processed. (i.e., Consent, Contractual Obligation, Legal Obligation, vital interests, public interest, legitimate interest).
Lawful/Legal Basis Specific reasons or justifications that permit a Data controller (an Entity that Collects and Processes Personal Data) to Lawfully Process Personal Data. (i.e., Consent of the Data Subject, Protecting Vital Interests, Executing an Agreement, Public Entities, Protecting Public Health or Safety, Legitimate Interest)
Legal Refers to actions, Processes, or procedures that comply with applicable laws, regulations, and legal frameworks.
Legal Guardian Legal Guardian refers to a person who has been appointed by a court or otherwise has the legal authority to make decisions relevant to the personal and property interests of another person who is deemed incompetent.
Legal Obligation Legal Obligation refers to a duty or requirement imposed by law that necessitates the Processing of Personal Data. It’s a specific Lawful Basis for Processing, distinct from Consent or contract.
Loss Refers to the unintentional or accidental disappearance or unavailability of Personal Data
Partner Any Third-Party that provides a service or whose personnel work for CHUBB Arabia.
Person Who Fully or Partially Lacks Legal Capacity A Person Who Fully or Partially Lacks Legal Capacity refers to an Individual who, due to certain circumstances or conditions, is deemed unable to exercise certain legal rights or fulfil specific Legal Obligations to the same extent as Individuals who have full legal capacity. It could be due to:
Age-related lack of legal capacity: minors (Individuals below a certain age, usually 18 years old) are considered to lack full legal capacity. This means they may not have the legal authority to enter into binding contracts, make certain decisions independently, or engage in certain activities without parental or guardian Consent.
Mental or cognitive impairment: Individuals with mental or cognitive disabilities or impairments may be deemed to partially or fully lack legal capacity, depending on the severity and impact of their condition. This recognition acknowledges that their ability to understand and make informed decisions may be compromised, and they may require additional support, such as guardianship or legal representation, to protect their rights and interests.
Temporary lack of legal capacity: There may be situations where an Individual temporarily lacks legal capacity due to factors such as mental illness
Personal Account Information Personal Account Information typically refers to the details associated with an Individual’s account, especially in the context of financial or online services. This includes but is not limited to Information such as personal identifiers e.g., Name, address, phone number; Account numbers, usernames, passwords, and other credentials associated with an Individual’s account; financial transactions, credit/debit card Information, bank account details, and other relevant Financial Data; Transaction history.
Personal Data Every Data – of whatever source or form – that would lead to the identification of an Individual specifically or make it possible to identify them directly or indirectly, including name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the Individual, and other Data of personal nature.
Politically Exposed Persons (PEPs) Individuals who are or have been entrusted with prominent public functions inside the Kingdom of Saudi Arabia or in another country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials (in other countries), with family members or close associates thereof. b. Any natural person entrusted with a prominent function by an international organization, including Directors and deputy-directors, board members or equivalent, with family members or close associates thereof.
Privacy Privacy measures are an integral and inherent part of the design, development, and operation of IT systems and business Processes.  Embedding Privacy measures ensures that Privacy is considered proactively during the development and operation of systems and Processes, reducing the risk of Privacy breaches.
Privacy Notice/Enterprise Privacy Policy/ Privacy Statement A “Privacy Notice,” is a formal document or statement issued by an organization that outlines how the organization collects, uses, Processes, shares, and protects Personal Data
Privacy Rights Refer to the legal rights and protections afforded to Individuals concerning the Collection, Use, Processing, storage, sharing, and protection of their Personal Data and Privacy
Processing/ Processes/ Processed Any Process performed on Personal Data by any means, whether manual or automated, including Processes of Collection, recording, Archiving, indexing, arranging, formatting, storing, modifying, updating, merging, retrieving, using, disclosing, transferring, publishing, Data Sharing or interconnecting, blocking, Erasing, and Destroying.
Processor Any Public Entity, natural person, or private legal person that Processes Personal Data for the benefit and on behalf of CHUBB Arabia.
Public Refers to Information that is openly available or accessible to anyone without Restriction. This could include Data that is intentionally shared by Individuals or organizations for public consumption, as well as Information that is generally accessible through public sources such as government records, public Databases, social media profiles, or publicly available Websites
Purposes Organizations must specify the Purposes for which they are Processing Personal Data. This involves clearly articulating the reasons why the Data is being Collected and how it will be used. For example, Purposes may include providing a service, fulfilling Contractual Obligations, conducting marketing activities, or complying with legal requirements. It is important to ensure that the Purposes are specific, Lawful, and legitimate.
Related Parties Related Parties could refer to Individuals or Entities that are connected or associated with the Data Subject (the person to whom the Personal Data relates) in some way. This might include family members, business associates, or Third Parties that have a relationship with the Individual.
Relevant Customer “Relevant Party” could be a broader term that includes various Entities or Individuals involved in Data Processing, while “Relevant Customer” might specifically refer to Individuals who are Customers or Clients of a business or service.
Restrict/Restricted/Restriction Restrict means to limit, Control, or regulate something within certain boundaries or parameters.
Retention Refers to the act or Process of retaining or keeping something for a specific period of time.
Revoke Means to cancel, annul, or withdraw something that was previously granted, authorized, or agreed upon.
Sensitive Data / Sensitive Personal Data All Personal Data that includes a reference to an Individual’s ethnic or tribal origin, or religious, intellectual, or political belief, or indicates their membership in non-governmental associations or institutions, as well as criminal and Security Data, Biometric Data, Genetic Data, Credit Data, Health Data, Location Data, and Data that indicates that both parents of an Individual or one of them is unknown.
Third-Party A natural or legal person or public authority, agency, or body other than the Data Subject, Data Controller, Data Processors, and any person who, under the direct authority of the Data Controller or Data Processors, is authorized to Process Personal Data and Sensitive Personal Data.
Transfer Transfer/Movement of Personal Data from one place to another for Processing.
Unauthorized Access Refers to the act of gaining entry to a system, network, application, or Data without proper authorization or permission from the system owner or administrator
Use/Usage Refers to the action of employing or utilizing the Personal Data that has been provided or Disclosed to the recipients mentioned in the Privacy Notice. When Personal Data is shared with recipients, they may need to Use it for the specific Purposes outlined in the Privacy Notice.
Users Individuals whose Personal Data is being Processed or handled by organizations or Data Controllers.
Verification Refers to the Process of confirming or validating the accuracy, authenticity, or truthfulness of something, such as Information, claims, identities, or transactions
Visitors Visitors likely refers to Individuals who Access or visit the Website or mobile application but may not necessarily be Customers or Users in the traditional sense.
Vital Interests Refer to circumstances where the Processing of Personal Data is necessary to protect the life or physical integrity of the Data Subject (the Individual to whom the Data pertains) or another natural person.