1   Privacy Notice and Consent Management

1.1 Introduction

This document guides the establishment of a Privacy Notice and Consent Management framework within Unified Talk Finance (the Entity). Unified Talk Finance shall define and document its processes for providing data Subjects with notice. The entity shall request consent at all points along the data lifecycle where personal data is collected based on the NDMO’s Personal Data Protection Regulations.

1.2 Scope

This document is applicable to all data subjects from whom Unified Talk Finance shall collect, use, or disclose personal data.

1.3 Compliance and Enforcement

Unified Talk Finance shall comply with the designated roles, responsibilities, and policy statements defined in this document to ensure rigorous consent management is applied throughout the business. Unified Talk Finance must also ensure that any suppliers or sub-contractors they engage abide by their obligations under the Policy and the supporting NDMO DMPDP Standards.

Personal data may only be collected directly from data subjects, and processed only for the purposes for which it was collected by Unified Talk Finance.

1.4 Privacy Notice

Unified Talk Finance shall document and make available a Privacy Notice to Data Subjects to review before or at the time the Entity requests permission to collect personal data.

The privacy notice, which is a declaration directed towards data subjects, defines what personal data would be collected, the purpose behind processing it, how it would be used and which entities it would be shared with the duration of its storage, and the means for disposing of it.

1.5 Consent Management

1.5.1   Consent Management Components

Consent provided by a data subject must be:

1.5.1.1 For a specific and unambiguous purpose.

1.5.1.2 In accordance with supporting information provided to the data subject so that they can make an informed decision about whether to provide their consent for the particular processing.

1.5.1.3 Consent must be given through a clear affirmative action, such as a written or oral statement, including electronic means. This could involve ticking a box on a website, Silence, pre-ticked boxes, or inactivity should not be considered consent.

1.5.1.4 Able to be withdrawn at any time, in a manner no more complex than it was originally provided.

Unified Talk Finance shall ensure that it:

1.5.1.5 Understands when the specific consent of a data subject for processing activities is required.

1.5.1.6 Obtains, manages, and stores consent records (e.g., online consent forms)

1.5.1.7 Facilitates the withdrawal of consent when requested by a data subject.

1.5.1.8 Ensures that personal data is no longer processed when consent for its processing has been withdrawn.

You can set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted.

Use cookies that remember my settings on the site

Do not use cookies that remember my settings on the site

1.5.2   Consent Management

Unified Talk Finance shall:

1.5.2.1 Maintain effective knowledge of Saudi PDPL to understand when the specific consent of data subjects is required for the processing of their personal data, and to consistently apply the requirements of this Consent Management Procedure to such activities undertaken by (or on behalf of) Unified Talk Finance at all times.

1.5.2.2 Operate an established and effective means of obtaining and managing the specific consent of data subjects (e.g., the use of contractual terms that are signed, the use of manual consent forms, digital receipts created by a customer-facing online consent portal, etc.).

1.5.2.3 Maintain supporting privacy notices, privacy impact assessments, and other related material necessary to clearly communicate to a data subject information on which they can base their decision on whether to provide consent for the processing of their personal data.

1.5.2.4 Obtain the consent of data subjects only in respect of one or more specific data processing activities and ensure that given consent is recorded and not applied to other activities for which the data subject’s approval has not been provided.

1.5.2.5 Obtain and record the explicit consent required from data subjects for data processing activities that involve their sensitive personal data.

1.5.2.6 Our organization does not process data of subjects under 16; therefore, no assessments or special considerations for obtaining parental consent are required.

1.5.2.7 Retain records to support the granting of consent by data subjects.

1.5.2.8 Undertake Privacy Impact Assessments of all high-risk data processing activities to ensure that consent-related controls are implemented and effective. Any of these assessments would be undertaken by the Data Protection Officer.

1.5.2.9 If required, obtain consent of legal guardian of a data subject that fully or partially lacks legal capacity. Unified Talk Finance shall take appropriate measures to verify validity of guardianship over the data subject.

1.5.2.10 When obtaining consent of legal guardian of a Data Subject that fully or partially lacks legal capacity, Unified Talk Finance shall comply with the following provisions:

•   It shall not cause any harm to the interests of the Data Subject.

• It shall enable the Data Subject to exercise their rights as provided in the Law and this Regulation when they reach legal capacity

1.5.2.11 Controller shall obtain the Consent from the targeted recipient before sending advertising or awareness material in case of the absence of a prior interactionbetween the Controller and the targeted recipient.

1.5.2.12 Conditions for obtaining the targeted recipient’s consent for advertising or awareness materials shall be as follows:

• Consent shall be given freely, and no misleading methods shall be used to obtain it.

• Targeted recipient shall be enabled to specify the options related to advertising or awareness material subject to consent.

• Consent of a targeted recipient consent shall be documented in a manner that can be verified in the future

1.5.3   Withdrawal of Consent

Unified Talk Finance shall:

1.5.3.1 Communicate to data subjects their right to amend or withdraw their consent at any time, the process for doing so, including any reference to statutory or legal obligations that may still apply even after the data subject has withdrawn their consent.

1.5.3.2 Act promptly to identify all personal data for which consent for processing has been withdrawn and unless another valid reason for its processing is communicated to the data subject, ensure that this is no longer processed for the purpose for which consent had been withdrawn.

1.5.3.3 Explain to data subjects that the withdrawal of consent does not affect the processing of personal data that had already taken place before the withdrawal.

1.5.3.4 Retain records to support the withdrawal of consent by data subjects.

1.5.3.5 Our organization does not process the personal data of individuals aged below 16; therefore, no parental or legal guardian consent is required for such data processing.

1.5.4   Alternative Legal Bases for Data Processing

Unified Talk Finance may process personal data based on one of several legal bases for its processing. The specific provision of data subject consent is just one such basis, but in the absence of consent, other reasons may be used for the processing of personal data. These may include one or more of the following:

1.5.4.1 Serving the actual interests of the Data Subject, but communicating with the Data Subject is difficult or impossible.

1.5.4.2 Implementation of another law or an agreement/ contract to which the Data Subject is a party.

1.5.4.3 Processing by a public entity for security purposes or to satisfy judicial requirements.

1.5.4.4 Exercising the legitimate interests of the Data Controller, unless this conflicts with the fundamental rights and interests of the Data Subject, and provided that no sensitive personal data is processed.

1.6 Responsibilities of DPO

The Data Protection Officer is responsible for:

Ensuring that Unified Talk Finance remains fully compliant with PDPL.

Providing staff advice and training required to receive, process, manage, store, and withdraw data subject consent.

Maintaining detailed records of data subject consent and consent withdrawal.

Coordinating the authorization of data processing where consent has been provided.

Coordinating the cessation of data processing where consent has been withdrawn.

Our organization does not process any children’s data; therefore, no consent validation is required in relation to children

The Data Protection Officer is responsible for ensuring this procedure remains current and up to date.