Privacy Policy

Company Profile

The First National Human Resource Company (FNRCO) (“The Company” or “We” or “Ours”) is a company incorporated under the laws of the Kingdom of Saudi Arabia (“The Kingdom”), holding national unified number 7001743611, its registered headquarters at 3530 Umar Ibn Abdul Aziz Br Rd, Az Zahra, Riyadh 12815 – 6268 – Kingdom of Saudi Arabia.

As the controller of personal data processing, we are committed to protecting your privacy and personal data, according to the Personal Data Protection Law and its Executive Regulation in the Kingdom. This policy aims to clarify how we collect, use, and protect personal data, regarding our clients, suppliers, website visitors, and any other parties engaged in interaction in the context of our activities.

Personal Data We Collect

According to the personal protection law applicable in the Kingdom, Personal data refers to “Any data, regardless of its source or form, which might lead to specifically identifying the identity of the individual, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank card numbers, credit card numbers, photos, videos, and any other data of a personal nature”.

The personal data we collect varies based on the purpose of its use, however, the following are examples of the personal data we collect:

• Identity details: Job title, full name, gender, nationality, national ID/residence number, passport details, relevant documents, date and place of birth.
• Contact information: Your email address (business and private), national or business address, job title, contact phone numbers and preferences for marketing communications.
• Transactional data: Transactional data related to the services we provide.
• Third-party data: This includes data obtained from other parties.
• Employment details: Job title and information regarding your professional status, financial status (where applicable), background and educational information before or during employment.
• Usage data: Certain technical information is collected during your visit to our website, such as the type of browser used, Internet Protocol (IP) address, date and time of visit, and pages viewed.
• Interaction Data: This includes records of phone calls between you and us, email messages, customer support requests and feedback we receive from you either through our systems or websites, mobile applications, social media accounts, or any channels we use to communicate with our customers.

How do we collect your personal data?

We will collect personal data directly from you. We also collect personal information about you from other sources where it is lawful and reasonable. The ways in which we will collect your personal data are set out in more detail below:

• Directly from you: When you provide us with your personal data by filling out the contact forms on our website, when you email us, when you contact us by phone, or through any direct interaction between you and the Company.
• Through your use of our website: Certain data may be automatically collected when you visit our website, such as your Internet Protocol (IP) address, browser type, date and time of visit, and pages viewed, using cookies.
• Through digital recruitment platforms, systems, or applications owned by us or by our authorized partners, whether such platforms are web portals, mobile apps, HR management systems, or interactive voice response (IVR) systems, for the purposes of managing recruitment processes, administering our contractual relationship with you, and maintaining or updating your employment and service records, in line with the purposes set out in this policy.
• Through our contractual relationship: When you enter into or perform service contracts with us, whether you are a customer, supplier, employee, or job applicant, we collect data necessary to fulfill those contracts.
• From government entities or other sources: We may obtain your personal data from relevant government entities (such as the Ministry of Human Resources and Social Development, competent entities for issuing visas and work permits), or from publicly available sources where it is legal.

What is the purpose and scope of this policy?

This policy aims to demonstrate how we collect, use, and retain your personal data in addition to its disclosure when needed, moreover, it demonstrates your rights in relevance to your personal data, and how the Law protects these rights. This policy applies to all individuals we interact with in the context of our commercial activities, including our clients, suppliers, employees, service providers, website visitors, and any other parties we engage with in the scope of providing our services. We process your personal data for the following purposes:

• Provide our services relevant to human resources, operations, and recruitment for clients.
• Manage our business and contractual relations with our clients, suppliers, and partners.
• Operate and develop our business and improve the level of services we provide.
• Compliance with applicable legal and regulatory requirements in the Kingdom.
• Protect our business rights and interests, including risk management, verifying compliance, and preventing fraud.
• Communicate with you about our services or respond to a request or inquiry you make to us.

Why do we process your personal data?

To be able to provide you with our services and manage your relations with us, we need to process your personal data. We also process your personal data for the other reasons provided herein or any additional notifications we provide when needed. Your personal data will not be processed unless for the legal and specified purposes for which it was collected, and it will not be processed in any manner unless it aligns with these purposes, unless otherwise permitted under the applicable laws.

What are the statutory foundation and purposes for collecting and using your personal data?

We process your personal data based on the statutory foundation stipulated in the Personal Data Protection Law and its Executive Regulation in the Kingdom, for the legal purposes relevant to the nature of our business. The following are the main statutory foundations and purposes we rely on:

• Executing the contract: We process your personal data when it is necessary for the execution of a contract with you or your representative, or to take the necessary steps prior to entering into a contract, for the following purposes:
  • Provide our human resources, recruitment, operation, and administrative support services.
  • Manage our contractual relationship with our customers, suppliers, and partners.
  • Fulfill our contractual obligations related to the provision of our services.
• Compliance with statutory obligation: We process your personal data when it is necessary to comply with legal and regulatory requirements imposed on us by applicable laws in Saudi Arabia, including:
• Comply with the requirements of the Ministry of Human Resources and Social Development.
• Comply with the requirements and procedures for issuing visas, work and residence permits.
• Cooperate with other governmental and regulatory authorities as required by relevant laws.
• Fulfill accounting and tax requirements.
• Legitimate interests: In some cases, we may process your personal data when it is necessary to fulfill our legitimate interests, provided that such processing does not conflict with your rights and freedoms, in the scope of the following purposes:
  1. Operating and improving our business and services.
  2. Ensuring the security and safety of our systems and employees.
  3. Managing operational risks.
  4. Protecting our legal rights and initiating or defending claims.
  5. Improving customer experience and quality of services provided.
  6. Communicating with you about our services and responding to your inquiries.
• Approval: In some cases, we will rely on your explicit approval to process your personal data, for purposes required by law or where there is no other lawful basis. For example:
  1. Sending marketing materials (e.g. newsletters or promotions), emphasizing that you can withdraw your approval at any time.
  2. Processing job applications submitted to us (job applicant data).

If we rely on approval to process your personal data, you can withdraw this approval at any time. However, this will not affect the lawfulness of processing based on your approval which was carried out prior to such withdrawal, or when we have other legitimate grounds for processing your personal data.

How and why do we retain your personal data?

We retain your personal data in a form that allows your identification only for the period necessary to fulfill the purposes set out in this policy, and for our commercial and operational purposes, and in line with our legal and regulatory obligations.

We will securely delete or destroy your personal data when the purposes for which it was collected no longer exist, unless its retention is required by legal or regulatory requirements or for other legitimate purposes as described below:

• If there is a legal or regulatory requirement to retain your personal data for a specific period, we will retain the data for such period, and then securely destroy it after that period has expired or the purpose has been fulfilled, whichever is longer.
• If your personal data is related to ongoing legal or judicial proceedings, we will retain it for the duration of those proceedings, and it will be destroyed after the relevant judicial proceedings are concluded.

Rights of Data Subjects

We are keen that you be aware of your rights relevant to your personal data and how you can exercise them, as stipulated by the Personal Data Protection Law and its executive regulations in the Kingdom of Saudi Arabia.

Your rights are as follows:

• The right to review the statutory foundation and purpose of the collection and processing of your personal data.
• The right to request access to your personal data that we hold about you.
• The right to obtain a copy of your personal data in a clear and legible format.
• The right to request correction of your personal data if it is inaccurate, to complete it if it is incomplete, or to update it if it is outdated.
• The right to request the restriction of the processing of your personal data in the cases stipulated by law.
• The right to request the deletion or destruction of your personal data when there is no longer a statutory need for its retention, or if you withdraw the approval that was the basis for such processing.
• The right to withdraw your approval to the processing of your personal data at any time, in cases where we rely on your consent as a basis for the processing, without affecting the lawfulness of the processing carried out prior to the withdrawal of approval.
• The right to submit a complaint to the Data Protection Authority (SDAIA) regarding any alleged violation of the Personal Data Protection Law.
• The right to claim compensation for material or moral damages that may cause you harm as a result of any violation of the provisions of the Law.

Direct Marketing

We will not make any communications with you for the purpose of direct marketing without your prior express consent. If you agree to receive such direct marketing communications, you have the right at any time to unsubscribe by contacting us via email (info@fnrco.com.sa) or by following the instructions in the direct marketing communication.

Transferring your personal data across borders

We may transfer your personal data to parties outside the Kingdom, including to our service providers whom we engage with in the provision of our services. Any transfer of data outside the Kingdom will take place in accordance with the controls and requirements set out in applicable laws and regulations in the Kingdom, and after taking the necessary measures to ensure that the privacy and security of your data is protected. We will ensure that there are appropriate contractual obligations with any third party to whom the data is transferred to ensure that the confidentiality and protection of data are respected.

We will store your personal data inside Saudi Arabia, and in our local servers or secure cloud solutions, whether such data is stored in our own data centers or with authorized service providers.

We retain your personal data for as long as necessary to fulfill statutory purposes or as per regulatory requirements. When destroying your personal data after fulfilling its purpose, we will use appropriate means such as Physical Destruction/Shredding, Data Overwriting and Secure Erasure, de-identification, or other technical means to ensure that the data cannot be viewed or recovered.

How do we protect your personal data?

We ensure that your personal data is adequately protected by employing the necessary physical, technical, administrative and procedural security measures to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal. We protect and safeguard your data in a manner that complies with applicable data protection regulations in the Kingdom.

In order to protect your personal data, the Company has taken several technical and organizational measures. Technical measures include appropriate measures to address online security or the risks of data loss, alteration, or unauthorized access, which include:

• Encryption and Pseudonymization
• Access Control
• Network Security
• Security Software
• Data Backup and Restore
• Physical Security

Organizational measures include restricting access to personal data only to authorized individuals who have a legitimate access need for the purposes of processing operations.

When, how, and with whom will we share your personal data?

We share your personal data with our authorized employees who require access to perform their duties, and with our affiliated companies (if any) for fulfilling our contractual obligations with you or providing our services.

We may also share your data with our clients, whether public entities or private individuals, solely for the purpose of executing contractual obligations with you or with the entity you represent.

Furthermore, we may share your data with service providers who support us in delivering our services or managing our operational processes, IT and cloud hosting providers, HR and administrative service providers, legal and consulting service providers, healthcare and medical insurance providers, banks and financial institutions, transportation and accommodation service providers, as well as other related support services.

In addition, we may share your data with governmental and regulatory authorities when such disclosure is required by applicable laws and regulations.

We do not share your data with any third party for marketing purposes unless we have obtained your explicit prior consent.

We exercise the utmost caution when transferring or sharing your personal data and ensure that we have appropriate contractual agreements with third parties we deal with, ensuring that the confidentiality of your personal data is protected and your rights are safeguarded in accordance with applicable Laws.

How can you withdraw your approval?

Where we rely on your approval as one of the statutory bases for processing your personal data (and not on any other statutory basis), you have the right to withdraw that approval at any time. Withdrawal of approval does not affect the lawfulness of the processing carried out on the basis of that approval before it was withdrawn.

If you wish to withdraw your consent, you may submit your request through the electronic platform dedicated to managing data subject requests (dsr.fnrco.com.sa). You may also contact the Company’s Data Protection Officer via the following email address: dpo@fnrco.com.sa.

Please note that even after withdrawing your approval, we may be required to retain some of your personal data to comply with applicable legal requirements.

What happens if you do not provide us with your personal data?

Some of the personal data we request is necessary for us to be able to provide our services to you, or to comply with our legal and regulatory obligations. If you do not provide us with the requested data, we may not be able to enter or form a contractual relationship with you, provide some of our services, or fulfill our relevant legal obligations.

Amendments to this policy

We reserve the right to amend or update this policy at any time. The date of the last update will be identified at the top of the page, allowing you to know if any changes have been made since your last review. We recommend that you review this policy periodically to stay up to date with the latest amendments.

Use of Cookies

Our website may use cookies and similar technologies to improve site performance and user experience, and to collect statistical information about how visitors use the site. We use essential cookies that are necessary for the proper functioning of the website. We may also use analytical cookies to improve the Site's content and our services. You can manage your cookie preferences through your browser settings.

Contacting us

If you have any questions or wish to exercise your rights regarding your personal data, you can contact us via the following email address: dpo@fnrco.com.sa. You can also contact us through the contact form available on our website.

If you are not satisfied with the way we have handled your personal data, or have other questions about processing your personal data, privacy notice, and privacy practices, please contact the Data Protection Officer below.

Personal Data Protection Officer

• Name: Abdullah Bin Ali Bin Jaber
• Address: 3530 Umar Ibn Abdul Aziz Br Rd, Az Zahra, Riyadh
• Phone number: [+966 - 9200 - 15188]
• Email address: dpo@fnrco.com.sa

How to Submit a Complaint or Objection

If you have any concerns, or if we are not complying with Saudi personal data protection laws, you can submit a complaint though the following steps:

The complaint or objection submission process is managed in stages to ensure effective and transparent handling of requests, in accordance with the Personal Data Protection Law issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), as follows:

1. Stage One: Submitting the Request via the Company’s Electronic Platform
   If you have any inquiry, comment, or wish to exercise any of your rights related to the protection of your personal data, you may submit an official request through the designated electronic platform on the company’s website, which is prepared to receive:
   1. Data subject requests
   2. Complaints related to the application of the privacy policy
   3. Objections to data processing
   Upon submission, a reference ticket number will be issued to track the status until it is fully processed by the Employee and Customer Service Department.
2. Stage Two: Direct Communication
   If needed, you may contact the Employee and Customer Service Department directly, referring to the ticket number issued by the platform to facilitate follow-up and ensure prompt response.
3. Stage Three: Escalation to the Saudi Data and Artificial Intelligence Authority (SDAIA)
   If no response or appropriate resolution is received within thirty (30) days from the date of submission, you have the right to file an official complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) through the following channels:
   1. Address: An Nakheel, Riyadh 12382 – Kingdom of Saudi Arabia
   2. Website: sdaia.gov.sa
   3. National Platform for Data Governance: dgp.sdaia.gov.sa

Disclaimer

The First National Company for Human Resources (FNRCO) is committed to the highest standards of personal data protection and security in accordance with the provisions of the Personal Data Protection Law (PDPL) issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), and in compliance with the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA), as well as the relevant cybersecurity and information protection regulations issued by the Capital Market Authority (CMA).

Although the company takes all reasonable technical and organizational measures to protect personal data from unauthorized access, use, disclosure, loss, or alteration, it assumes no legal liability for any damages that may arise due to factors beyond its control, including but not limited to:

• Technical failures or cyberattacks occurring outside the company’s protected system environment.
• Unauthorized actions by third parties or external users.
• Submission of inaccurate or incomplete data by data subjects or their representatives.

The company also reserves the right to update or amend the privacy policy or any of its provisions in line with emerging regulatory requirements or directives issued by relevant authorities. Any updates will be published along with the date of the latest revision.

This policy is not intended to create any contractual or legal rights against any other party, nor does it create any obligations on us to any third party. If you access third-party websites through links on our website, you are subject to the privacy policies of those websites. We are not responsible for the content or privacy practices of those websites, and we recommend that you review the privacy policy of each website you visit.

By using any of the company’s services or interacting with it, you acknowledge that you have read this policy, understood its content, and agree to its provisions and the company's liability limitations as outlined above.