Welcome to the BAE Systems Saudi Arabia Data Privacy Notice (the "Privacy Notice"). This Privacy Notice has been prepared by BAE Systems Saudi Arabia and its affiliated companies (referred to as the "Company," "we," "our," or "us") in compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law issued under Royal Decree No. M/19 dated 9/2/1443 H (corresponding to 16 September 2021), as amended, along with its Implementing Regulations, effective from 14 September 2023 (“PDPL”).
The purpose of this Privacy Notice is to inform you about the types of personal data we collect, the legal basis for collecting it, why we collect it, and the methods we use for its processing, storage, and destruction. It also outlines your rights regarding your personal data and how we safeguard your privacy in compliance with the Kingdom of Saudi Arabia (KSA) privacy laws. We take your privacy rights and our legal obligations seriously, ensuring that your information is handled securely and responsibly. The Company processes your personal data when you interact with us - whether through our website (the "Website"), during employment, service provision, customer engagement, or other interactions with the Company.
Of course, not all of the sections in the Privacy Notice will be relevant to everyone. The Privacy Notice is intended to provide details of all the processing activities that we undertake and therefore the mere listing of an activity in this Privacy Notice does not mean that we are processing your personal data in this manner and for these purposes. If you have any questions about how the information presented relates to you, please do contact us using the relevant contact details appearing in the Contact Information section.
What personal data is collected?
The following definitions are not exhaustive and are intended to illustrate the types of personal data that we process with reference to the broad categories described below.
| Category | Description |
|---|---|
| Business information | Your business contact details (e.g., address, telephone number, e-mail), your job title, your employer, and any other relevant information |
| Contact information | Home address, email address, and telephone number(s) |
| Data related to your employment with the Company | Work contact details (e.g., address, telephone number, e-mail), work location, default hours, default language, time zone, and currency for location, worker ID, performance review information, biography, reporting line, employee/contingent worker type, hire/contract dates, cost centre, job title/description, working hours, termination/contract end date, reason for termination, last day of work, exit interviews, references, status, position title, job change date, benefit coverage start date |
| Employment claims, complaints, and disclosures data | Termination arrangements and payments, subject matter of employment-based litigation and complaints, employee involvement in incident reporting and disclosures |
| Financial data | Credit card information, bank account details, and other relevant payment information |
| Health data | Where applicable, to support your overall health and well-being and where required in relation to employment related activities. |
| HR processes data | Allegations, investigations, proceeding records, outcomes, colleague and line management feedback, appraisals, talent programmes, performance management processes, flexible working processes, restructuring and redundancy plans, consultation records, selection and redeployment data, health and safety audits, risk assessments, incident reports, data related to training and development needs |
| Identity information | Your title, forename, surname, preferred name, photographic images and/or video images, and any additional names |
| Immigration information | Gender, nationality, second nationality, civil/marital status, date of birth, age, national ID number, immigration data, languages spoken, and next-of-kin/dependent contact information |
| Leave information | Absence records (including dates and categories of leave/time-off), holiday dates, and information related to family leave |
| Monitoring data | Closed-circuit television footage, body-worn camera footage, system and building login and access records, keystroke, download and print records, call recordings, data caught by IT security programmes and filters |
| Share information | Number of shares held, date joined the register, date left the share register, dividends paid/not cashed, bank mandate details, share transactions, nationality, and AGM/proxy voting |
| Staff-related data | Your title, forename, middle name(s), surname, birth name, preferred name, any additional names, gender, nationality, second nationality, marital status, date of birth, age, home contact details, national ID number, immigration and work eligibility data, languages spoken, next-of-kin/dependent contact information, passport details, driving licence, and car registration details |
| Recruitment data | Qualifications, references, CV and application, interview, and assessment data |
| Regulatory data | Records of your registration with any applicable regulatory authority, your regulated status, and any regulatory references |
| Remuneration and benefits data | Your remuneration information (including salary/hourly plan/contract pay information, as applicable, allowance, bonus, merit plans), bank account details, grade, tax information, third-party benefit recipient information |
| Vetting data | Vetting and verification information, including results of any background or other checks |
| Website information | Data you provide by filling in forms on the Website, including data provided at registration; personal information requested when reporting a problem with the website; correspondence with us; and details of your visits, including traffic data, location data, weblogs, and other communication data |
How do we collect your personal data and for what purpose?
In most cases, we receive the personal data directly from you. You either provide this to us at the start of our relationship or at another time during your interactions with us. This includes personal data that you input into a form or through any self-service function, as well as information that you provide to the HR team, your Company contact, or to any member of our workforce.
Additionally, if you have a contractual relationship with us, we or the company identified in that contract (whether issued by us or a third party) will be the data controller of your personal data. (A data controller is the entity responsible for determining the purposes and methods for processing your personal data.) Where processing of personal data is carried out by another BAE Systems group company for its own purposes, that other group company may also be a data controller of your personal data. In some instances, third parties may also act as independent data controllers if they determine the purposes and means of processing your personal data separately from us.
Internal sources
We may create personal data about you during your relationship with us. In addition to the personal data that you provide to us, we may generate some further personal information internally. This will usually be generated by HR, line management, or your Company contact, as appropriate.
In some circumstances, data may be collected indirectly from monitoring devices or other means (for example, building and location access control and monitoring systems, CCTV, telephone logs and recordings, and email and Internet access logs), if and to the extent permitted by applicable laws. In these cases, the data may be collected by us or a third-party provider of the relevant service on our behalf.
External sources
In some cases, we receive personal data about you from third-party sources.
If you are a representative of a supplier or customer, we may receive your personal data directly from that company or from your colleagues. We may also use third parties to carry out anti-money laundering, anti-bribery, and corruption checks, and Know Your Client checks.
If you are an employee, we may obtain references from a previous employer, medical reports from external professionals, data from tax authorities, benefit providers, or from a third party we engage to carry out a background check (where permitted by applicable law).
How do you use my personal data?
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If the way that personal data will be managed differs from the details provided in this Privacy Notice or is incompatible with the original purpose the data was collected for, additional information regarding this processing will be provided to you.
If necessary, we will collect consent from you and advise you of the impact of not providing any such consent. You should be aware that it is not a condition or requirement of your relationship with us that you agree to any request for consent from us.
Please note that we may process your personal data without your knowledge or consent, in compliance with the information set out in this Privacy Notice, where this is required or permitted by applicable law.
How do we disclose your personal data?
Within the Company, your personal data can be accessed by or may be disclosed internally on a need-to-know basis - see internal recipients section below.
Your personal data may also be accessed by third parties, including suppliers, advisers, national authorities, and government bodies - see external recipients in the section below. We have sought to identify these parties in this Privacy Notice.
In addition, there are circumstances where we may need to disclose your personal data to third parties, to help manage our business and deliver our services. We may disclose your personal data to third parties if:
- We sell or buy any business, in which case we may disclose your personal data to the prospective seller or buyer of such business;
- BAE Systems Saudi Arabia or substantially all of its assets are acquired by a third party, in which case personal data held by it about you will be transferred to that third party;
- We are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal data with our regulators and law enforcement agencies in KSA and around the world, or with our legal advisers;
- It is necessary to protect the rights, property, or safety of BAE Systems Saudi Arabia or any member of the BAE Systems group of companies, our customers, suppliers, or others, in which case we may disclose your personal data to our legal advisers and other professional service firms; and
- They provide services to us connected with your relationship with us.
Where these third parties (or any others) act as a data processor (for example, a benefits provider), they carry out their tasks on our behalf and upon our instructions for the reasons that we have set out in this Privacy Notice. In this case, your personal data will only be disclosed to these parties to the extent necessary to provide the required services.
Internal recipients:
Internal recipients of your personal data may include:
- Local and global departments, including line management and team members;
- Local and executive management responsible for managing or making decisions in connection with your relationship with the Company or when involved in a process concerning your relationship with the Company (including, without limitation, staff from Compliance, Legal, Audit, and Security);
- System administrators; and
- Staff in teams such as the Finance and IT departments, where necessary for the performance of specific tasks or system maintenance.
Personal data may also be shared inside of the Company between certain interconnecting IT systems.
In addition, where relevant, certain basic personal data (which may include your name, location, job title, contact data, and any published skills and experience) may also be accessible to the Company's employees for the purposes set out in this Privacy Notice.
External recipients:
External recipients of your personal data may include:
- Service providers,
- Tax authorities,
- Regulatory authorities,
- Insurers,
- Bankers,
- IT administrators,
- Lawyers,
- Auditors,
- Investors,
- Law enforcement and/or other emergency services,
- Consultants and other professional advisors,
- Payroll providers,
- Administrators of our benefits programs, and
- Our Customers
Personal data contained in our IT systems may be accessible by providers of those systems, their associated companies, and sub-contractors (such as those involved with hosting, supporting, and maintaining the framework of our HR information systems).
We expect these third parties to process any data shared with them in line with the contractual relationship we have and applicable laws, including data confidentiality and security.
Additionally, we may share personal data with national authorities to comply with a legal obligation to which we are subject. This is, for example, the case in the framework of imminent or pending legal proceedings or a statutory audit.
What are the legal grounds for collecting and processing personal data?
In accordance with the PDPL, we rely on one or more of the following legal grounds for processing your personal data:
- Your explicit consent: We can process your personal data where you have given clear consent for us to process such data for a specific purpose.
- Fulfilling a contractual obligation: We can process your personal data where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract. This means that we can carry out the actions needed to conclude or execute our contract with you.
- Compliance with statutory or regulatory obligations: We can process your personal data where this processing is necessary for compliance with a legal or regulatory obligation to which we are subject. Therefore, we can carry out any actions we need to take in order to comply with applicable laws.
- Protection of vital interests: We can process your personal data where the processing is necessary to protect your vital interests, such as during emergencies or incidents that require immediate action.
- Achieving public interest: We can process your personal data where the processing is necessary for us to perform a task in the public interest or official functions, and the task or function has a clear basis in law.
- Legitimate interests or objectives: We can process your personal data where the processing is necessary for our legitimate interests, provided those interests are not overridden by your interests or rights. Where we rely on this ground, we will tell you what our legitimate interests are and explain these in this Privacy Notice. We will ensure that the processing does not negatively infringe on your rights and interests.
Examples of how we apply the lawful bases for processing personal data:
- Explicit consent: We may request your consent to process your personal data in specific instances, such as for participation in optional employee benefits programs or using your image for promotional purposes. Consent can be withdrawn at any time without affecting prior processing.
- Contractual obligation: This applies to processing necessary to fulfil the terms of your employment contract, such as using your personal data for payroll processing, providing you with benefits like healthcare or pensions, and ensuring compliance with performance management processes.
- Compliance with legal obligations: We may be required to process your personal data in order to comply with applicable laws, such as providing employee data for regulatory audits, or retaining records for statutory reporting purposes.
- Vital interests: If there is an emergency situation, such as a medical crisis, we may process your health-related data to ensure your safety or to provide necessary assistance.
- Public interest: In certain cases, we may process your personal data to comply with health and safety laws, to support national security or defence activities, or to adhere to other regulations that serve the wider public interest.
- Legitimate interests: We may process your personal data for purposes such as monitoring and improving the security of our IT systems, conducting employee performance evaluations, or analysing company-wide trends to improve workforce management. In these cases, we ensure that our legitimate interests do not infringe upon your privacy rights.
For more detailed information on how these legal grounds apply to the processing of your personal data, or if you wish to discuss specific examples, please contact us using the details provided in the Contact Information section.
How do we store your personal data?
The Company is committed to protecting the security of the personal data you share with us or we otherwise process about you. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
We will retain your personal data for as long as is reasonably necessary for the purposes explained in this Privacy Notice.
In some circumstances we may retain your personal data for longer periods of time than is needed for those purposes described in this Privacy Notice. For instance: where we are required to do so in accordance with legal, regulatory, tax or accounting requirements; to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
We maintain policies governing the creation, retention and disposal of records in our care. These policies set out our requirements for the management of records, including guidance on keeping personal data as current as possible, securely deleting records and irrelevant or excessive data, and storing information anonymously or in a manner which no longer identifies you.
What are my rights?
Under the PDPL, you have the following rights, which primarily depend on the purpose of personal data collection and processing:
Right to be informed: You are entitled to know how and why we collect, process, store, and destroy your personal data, including the legal basis for processing. You can access all details through this Privacy Notice or by contacting us. In certain cases, we may limit the information we provide to comply with legal obligations or to protect the rights of others.
Right of access to your personal data: You are entitled to request access to your personal data held by the Company. Where feasible, we offer automated means for you to access your data, such as via the Website. Access may be restricted if providing it would violate the rights and freedoms of others or is otherwise restricted by law.
Right to request access to your personal data: You are entitled to request access to your personal data held by the Company in a readable and clear format. In certain cases, we may not be able to meet your request due to technical limitations or legal restrictions, but we will ensure the reasons are clearly communicated to you.
Right to request correction of your personal data: You are entitled to request the correction of your personal data if you believe it is inaccurate, incorrect, or incomplete. You can do this by contacting us through your usual BAE Systems Saudi Arabia contact or by using the details provided in the Contact Information section. The Company aims to ensure that all personal data is accurate, but it is your responsibility to notify us of any changes as soon as possible to keep your data up-to-date. We may request supporting documentation to verify the accuracy of your correction request.
Right to request destruction of your personal data: You have a right to request that we erase inaccurate personal data. We may seek to verify the accuracy of the personal data before rectifying it. You can also request that we erase your personal data in limited circumstances where:
- It is no longer needed for the purposes for which it was collected; or
- You have withdrawn your consent (where the data processing was based on consent); or
- It has been processed unlawfully; or
- It is necessary to comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase personal data if the processing of your personal data is necessary:
- For compliance with a legal obligation; or
- For the establishment, exercise, or defence of legal claims.
Right to withdraw consent for processing your personal data: Where you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by (i) in some cases, deleting the relevant data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our policy) or (ii) contacting us. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
How do I exercise my rights?
If you wish to exercise your rights, you should contact your usual BAE Systems Saudi Arabia contact or manager, or contact us using the Contact Information provided below.
We may ask you for proof of identity when making a request to exercise any of these rights. We do this to ensure we only disclose information or change account details where we know we are dealing with the right individual.
In relation to exercising your rights you will not be required to pay a fee unless otherwise stipulated by the PDPL. Where a fee is necessary, we will inform you before proceeding with your request.
We aim to respond to all valid requests within 30 days. However, it may take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than 30 days. To speed up our response, we may ask you to provide more detail about what you want to receive or are concerned about.
We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way, in line with the provisions of the PDPL. We may also refuse to act on your request if it is repetitive, manifestly unfounded, or requires disproportionate efforts. In such cases, we will notify you of the reason for our refusal.
What if I don’t provide you with my personal data?
In some cases, you will be free to withhold personal data from us; however, if you do withhold specific data, we may not be able to continue our relationship with you if we believe we require the relevant data to support the effective and efficient administration and management of that relationship.
For example, for employees, we require your identity data, contact, and payroll information to pay you. If this is not provided, we may be unable to manage our contractual relationship.
In addition, for representatives of suppliers or customers, if we do not have your identity and contact information, we will not be able to communicate with you regarding the relevant commercial transaction between the Company and that supplier or customer.
What if I am not satisfied with the way my request has been handled?
If you have any concerns, or if we do not comply with the PDPL, you can file complaints or objections regarding the processing of your personal data by contacting the Legal team at:
Contact Information:
FAO Legal Department
Address:
Al Shaheen, PO BOX 1732, Riyadh 11441, Saudi Arabia
Phone Number:
+966 (0) 11 445 9100
E-mail: ksadataprivacy@baesystems.com
If you are not satisfied with how we process your complaint, or if we fail to respond within 30 days, you can file a complaint with the Competent Authority - the Saudi Data & AI Authority (SDAIA) - through the following channels:
SDAIA Website: sdaia.gov.sa
National Data Governance Platform (DGP): dgp.sdaia.gov.sa
Links to Other Websites
Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's website. Please note that any personal data you provide on those websites is subject to their own privacy notices and terms and conditions. We recommend that you review the privacy policies and terms of use of every website you visit.
We are not responsible for the content, privacy practices, or terms and conditions of any third-party sites. Your use of such external websites is at your own risk.
Changes to This Privacy Notice
We may update this Privacy Notice from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Individuals are notified of changes through appropriate means, such as website notices or direct communication.
Continued use of our Website or engagement with us after any updates will constitute your acceptance of the revised terms.
This Privacy Notice has also been provided in Arabic. However, in the event of any dispute regarding the interpretation of this Privacy Notice, the English version shall take precedence over any other language version.
Last Updated: 24 September 2024