Introduction

Dal Alalem, a company incorporated under the laws of the Kingdom of Saudi Arabia (Commercial Registration No. 10101891558), with its registered address at 13316, Al Thumama Road, Riyadh, is committed to safeguarding personal and confidential information entrusted to it.

This Data & Privacy Policy outlines how Dal Alalem collects, processes, stores, and shares data in compliance with the Saudi Personal Data Protection Law (PDPL) and other applicable regulations.

Scope

This policy applies to:

  1. All data collected, processed, or stored by Dal Alalem in connection with its Advisory and Technology service lines.
  2. All Dal Alalem personnel, contractors, partners, and third-party processors.

Legal Basis & Compliance

Dal Alalem ensures compliance with:

  • Saudi Personal Data Protection Law (PDPL) – Royal Decree No. M/19 dated 09/02/1443H
  • Applicable AML regulations and laws requiring regulated data disclosures
  • Related directives by SDAIA, National Cybersecurity Authority (NCA), CITC, and GOSI

Under Article 10 of the PDPL, Dal Alalem lawfully processes Personally Identifiable Information (PII) for AML compliance under the following legal bases:

  • Legal Obligation: Processing is permitted when explicitly required by another applicable law or regulation. AML frameworks mandate the collection and use of PII for:
    • Customer Due Diligence (CDD)
    • Transaction Monitoring
    • Suspicious Activity Reporting (SAR)

Categories of Data Collected

Depending on the nature of the engagement, Dal Alalem may collect and process:

  • Client Data: Business registration details, financial records, regulatory filings, contact details
  • Sensitive Data: National IDs, Iqama numbers, biometric identifiers (if required)
  • Employee Data: HR files, payroll, contractual documentation, performance records
  • Operational Data: Logs, communication records, service-level documents
  • Financial Services Information: Account activity, risk assessments, CDD records

Purpose of Processing

Data is collected and processed to:

  • Fulfill contractual and regulatory obligations to Clients
  • Deliver Advisory and/or Technology services to Clients
  • Satisfy AML, KYC, and other legal requirements for Clients
  • Improve service quality and uphold cybersecurity standards
  • Conduct business development activities and contact prospective Clients
  • Manage internal operations and Client servicing requests

Data Classification

As per Dal Alalem’s Information Confidentiality Policy, data is categorized as:

  • Highly Confidential: Access restricted to designated roles (e.g., client data, contracts)
  • Internal Information: Accessible to authorized employees and senior management
  • Public Information: Freely available and not subject to privacy control

Data Protection Measures

To safeguard all data, Dal Alalem implements:

  • Role-based Access Control (RBAC): Enforcing least-privilege access
  • Encryption: All data encrypted at rest and in transit
  • Continuous Monitoring: System activity logging and threat detection
  • Data Minimization: Only essential data collected and retained
  • Retention & Disposal: Timely deletion and secure destruction based on legal retention schedules

Client Data Access Protocol

Access to client data by authorized Dal Alalem personnel is subject to strict controls and may occur only under the following conditions:

  • Written Approval & Consent: Explicit written authorization must be obtained from the client prior to any data access. This ensures full transparency and consent from the client for every instance of access.
  • Purpose Limitation: Data access must be strictly for one of the following purposes:
    • To fulfill or enhance advisory-related services that the client has contracted Dal Alalem to perform.
    • To troubleshoot or resolve technical issues pertaining to Dal Alalem’s Technology service offerings, such as software platforms or digital tools provided to the client.

All instances of data access are logged and subject to internal compliance audits, ensuring traceability and accountability. Unauthorized access is strictly prohibited and constitutes a breach of company policy and potentially applicable data protection laws.

Disclosure

Data will not be disclosed externally unless:

  • Required by regulatory, judicial, or governmental authorities (e.g., AML requests)
  • Permitted under a binding legal obligation
  • Explicitly consented to by the data subject
  • Part of a contractual engagement with a processor who is bound by confidentiality and security obligations

All disclosures must follow documented internal procedures and receive approval from the Compliance function.

Individual Rights

In line with the PDPL, individuals have the right to:

  • Access their personal data
  • Request correction, update, or deletion
  • Withdraw consent (where applicable)
  • Lodge complaints with the Saudi Data & AI Authority (SDAIA)

To exercise these rights, please contact: support@getdal.com

Violations & Enforcement

Any violation of this policy will result in:

  • Internal disciplinary action
  • Possible reporting to relevant authorities
  • Legal consequences as outlined in applicable regulations

Policy Governance, Review & Update

This policy will be reviewed annually and updated to reflect changes in regulatory guidance or internal operational needs.