Press Release
Privacy Notice
The Saudi Real Estate Refinance Company (SRC) (hereby referred as “SRC”, "we”, “our” or “us”) are committed to protecting and respecting your privacy.
This Privacy Notice applies to all employees, borrowers, business partners, third parties, and others (hereinafter referred to as "you" or the "user") who access or use our websites, business partner and employee portals and social media pages.
This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Your personal data is processed only within the scope of the legal provisions of the Kingdom of Saudi Arabia’s Personal Data Protection Law (“PDPL”). Personal data means data which relates to an individual who can be identified directly or indirectly from that data. The definition includes a wide range of personal identifiers that constitute Personal Data, including e.g., your name, your address, your photo, etc. In this privacy notice we provide you with information about the processing of your personal data and your rights as a data subject in the context of the steps taken by SRC to process your request. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Safeguarding your personal data is our main concern. We maintain physical, electronic and procedural safeguards that comply with applicable laws and regulations to secure your personal data from unauthorized access and use, accidental or unlawful alteration and destruction, and other unlawful or unauthorized forms of processing. We engage in the continuous training of our employees in the proper management of personal data. SRC has a code of conduct that has been approved by the SRC board. The code includes a section on confidentiality of information, which requires every SRC employee to keep business and internal information obtained in the course of their work confidential.
For the purposes of this notice, the Controller for personal data processing in accordance with the data protection legislation is:
Saudi Real Estate Refinance Company with the below address:
Riyadh Front Complex,
Building N7 King Khalid Airport Road Riyadh,
Saudi Arabia.
The Information We Collect
We will only collect your mandatory information in line with relevant regulations and laws.
We collect different kinds of information about you as shown below. In some cases, the information may not be personal by itself but where it is associated with other information from which you can be identified, we treat such information as personal information:
• Identity information may include your first name, last name, title and gender, job title and the organization you represent (if any).
• Contact information includes your billing address, email address and telephone numbers.
• Financial information includes your bank account and loan details.
• Transaction information includes details about payments to and from you to the originator of your loan.
• Recruitment information includes date of birth; gender; country of residence; nationality; details of your eligibility to work (including documents that we may collect to verify this); skills, qualifications, work history; photographs of you; any personal data which appears in your curriculum vitae or job application.
We may collect some sensitive personal data as well about you, for example to process employee or legal claims, including but not limited to:
• Medical reports, death certificates, medical claims history, details of physical and psychological health or medical conditions.
• In addition, we may obtain information about your criminal record or civil litigation history in the process of preventing, detecting and investigating fraud.
How Do We Collect Information?
We may collect information from a range of sources, and it may relate to any of our business operations we currently provide or may have provided in the past.
We collect personal data directly from you:
• When you are visiting the SRC office building.
• When you apply for employment within SRC.
• When you raise a data subject request.
We may collect your personal data from different external sources, including:
• When we seek information about your credit history from credit bureaus.
• Via our business partners.
• Third parties, whom we may use to provide for background checks and other purposes.
• publicly available sources for job application
We collect personal data indirectly from you:
• Through referral sources for the purpose of employment, and it will require SRC to inform the Data Subject within the stipulated timeframe identified in the regulations.
How We Use Your Information?
• We will only use your information when you have provided your consent or when we are required by the law to do so.
• We use your information in our business operations and to that extent, to ensure that all risk management procedures have been followed prior to purchasing portfolios from originators.
• We may send certain communications such as follow ups on requests or complaints.
• We may share your personal data with governmental systems, which provides a unified record system, to comply with legal or regulatory requirements.
• We may need to record conversations you have with us including phone calls, face-to-face meetings, letters, emails, and any other kinds of communication These recordings may be used to ensure quality of facility management and interactions SRC may have with the public.
• We may need to use your personal and sensitive data for reasons of public interest, such as investigating fraudulent or defaulting loans and anti-money laundering checks.
• We may need the approval to utilize the data in a manner that differs from the original purpose for which it was collected.
Information protection, storage and disposal
• Protection against data breaches and malicious actors/hackers
• Implementing relevant controls, standards, and rules as issued by the National Cybersecurity Authority to include best practices and cybersecurity standards
• Any requirements mandated by the Saudi National bank (SAMA) for protection of personal data will be implemented by SRC accordingly
• Your Personal Data will be stored for as long as necessary to fulfil the purpose for which it was collected unless required to be kept longer for compliance with another law, legal purpose e.g. fulfil judicial/court order, or by a regulatory authority’s rules and regulations to which SRC must comply.
• When stored SRC takes all reasonable steps to protect your Personal Data against misuse, loss, unauthorized access, modification or disclosure.
• Destruction of your Personal Data is done using secure methods such as shredding or degaussing or the Personal Data is anonymized thus preventing re-identification of individuals and their data.
Who We Share Your Information With?
At SRC, we, in efforts to provide you with excellent products and services, may need to outsource certain internal processes, this will be done in line with relevant regulations and law. We may need to disclose your personal data outside SRC if we believe such action is necessary to:
• Provide improved services and experience to our business partners.
• Comply with the law or legal process.
• Comply with our internal risk management processes.
• Protect and defend the rights or property of SRC (including the enforcement of our agreements).
We may share your personal information with determined third parties, including:
• Companies who may be acting as controllers or processors that provide system administration services and internal reporting activities.
• Governmental or semi-governmental entities.
• Companies outside who act as brokers on behalf of SRC.
• Brokers and insurance companies in relation to providing insurance coverage for our employees.
• Competent Authorities and Supervisory/ Regulatory bodies.
Security Practices & Procedures
The security of personal data is a priority and is protected by maintaining physical, electronic, and procedural safeguards that meet applicable laws. We shall take reasonable steps and measures to protect the security of the borrower’s & business partner’s personal data from misuse and loss, un-authorized access, modification, or disclosure. We maintain our security systems to ensure that the personal data of the borrower & business partner’s is appropriately protected and follows standard encryption norms for the transmission of information. We ensure that our employees and service providers respect the confidentiality of any personal data held by us.
Retention Of Personal Data
At SRC, we retain your personal data only for as long as mandated by the regulators for the purposes set out in this privacy notice. We will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies which is subject to instruction from regulators, such as SAMA and SDAIA and other applicable rules & regulations within the Kingdom of Saudi Arabia
Your Rights - Legal Rights Available to Help Manage Your Privacy
Right To Know/Information
You have the right to know about our contact details, the exact reason the data is being collected, the methods being used for data collection, and whether this collected data will be shared or sold.
Right To Request Access or Copy
You have the right to access your personal data from us and obtain a copy of it in a clear and readable format, in conformity with the content of the records, at no cost.
Right To Request Correction
You have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.
Right To Request Destruction
You have the right to request the destruction of data collected on them. The reasons can range from the user rescinding their consent for data collection to the data no longer serving the purpose for which it was collected.
Right To Limit/Restriction of Processing
You have the right to limit or refuse the processing of your personal data by SRC for special cases and for a limited period of time. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that provides details of this right. We are required to ensure that you are appropriately informed about these rights and establish dedicated channels for you to exercise these rights. We must fulfill these requests within 30 days and record all data subject requests received.
Contact Us
If you have any questions, concerns, or complaints regarding our compliance with this privacy notice and the data protection law, or if you wish to exercise your rights, please contact us. We will investigate and will attempt to resolve complaints and disputes and make every reasonable effort to honor your wish to exercise your rights as quickly as possible, in any event, within the timescales provided by applicable data protection laws. If you have any questions or comments regarding the processing of your personal data our privacy practices or if you would like us to update information or preferences you provided to us, please contact the Data Privacy Team (Data Management Office) through the following email: DMO@srco.com.sa
Update to this Privacy Notice
The effective date of this notice is 10 September 2024. Any updates or changes to the notice will be posted on this website with the new revision date, which is the effective date of changes. Your continued use of this website constitutes your acceptance of any changes to this notice.