Conformance with the Personal Data Protection Law
This is the formal Personal Data Protection Law conformity statement of the Veltrixair Industries BU. It maps PDPL articles to BU processing activities, documents the layered notices we provide at point of collection, sets out our breach response framework, and articulates our programme governance posture. It is structured for review by legal and compliance teams; the consumer-facing companion is the Privacy Notice. Read together, the two documents constitute the BU's published transparency posture under PDPL Article 14.
The Industries BU operates in conformance with the Saudi PDPL
The Veltrixair Industries Business Unit operates in conformance with the Saudi Personal Data Protection Law issued under Royal Decree No. M/19, its Implementing Regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), and supplementary regulatory guidance issued by SDAIA from time to time. This document is the formal compliance statement of the BU, issued under the authority of the VP — Data Protection function.
Personal data within the BU is processed only on a documented lawful basis under PDPL Article 5, retained no longer than the period documented in Section 09 below, transferred outside the Kingdom only under PDPL Article 29, and subject to the data subject rights set out in PDPL Article 4. Where this statement and the consumer-facing Privacy Notice differ in scope or detail, the Privacy Notice prevails for the substantive transparency obligation owed to data subjects; this document is the structural compliance reference.
The statement is reviewed annually and on every material change to processing activities. The version reference at the top of this document is incremented on each revision. The change log is maintained internally and made available on legitimate request.
Four articles: the structural anchors
Four PDPL articles do most of the structural work in this document — Article 4 establishes data subject rights, Article 5 specifies lawful bases, Article 6 governs sensitive data, and Article 14 sets the transparency obligation. Each is unpacked in the sections that follow.
Data Subject Rights
Eight rights granted to individuals — access, correction, erasure, restriction, objection, portability, withdrawal of consent, and the right to be informed. 30-day response window.
Lawful Basis
Permitted bases for processing personal data — consent, contractual necessity, legal obligation, legitimate interests, vital interests, and prescribed purposes.
Sensitive Data
Special category data — health, biometric, ethnic origin, religious belief, political opinion, criminal record. Explicit consent required for processing.
Transparency Obligation
Requirement to inform data subjects at point of collection of identity, purpose, basis, recipients, retention, rights, complaint route. Layered notices below.
Data controller & DPO function
The Data Controller for personal data processed in connection with the Industries BU is Veltrixair, headquartered in Riyadh, Kingdom of Saudi Arabia. The Controller determines the purposes and means of processing for all activities described in this notice and in the companion Privacy Notice.
Veltrixair has designated the VP — Data Protection & InfoSec Advisory function (held by Tarique Ahmad in his concurrent capacity as Chairman & CFO) as the body discharging the duties of a Data Protection Officer. The function reports directly to the Chairman, outside the commercial chain — preserving independence in the handling of data subject rights, breach assessments, and refusal decisions.
The DPO function is contactable at privacy@veltrixair.com for data subject rights requests, regulator correspondence, and any matter falling within Articles 4 and 14. Substantive correspondence is reviewed by the function personally; routine administrative correspondence may be delegated.
Regulatory framework stack
The BU operates under a stack of intersecting Saudi regulatory instruments. PDPL is the primary instrument; the others either implement it, cross-reference it, or impose adjacent obligations on the same operational data flows.
- PDPL — Personal Data Protection Law · Royal Decree No. M/19. The primary instrument.
- PDPL Implementing Regulations · issued by SDAIA. Operational specifics on consent, retention, breach notification, cross-border transfers.
- SDAIA Guidance Notes · supplementary regulatory guidance issued from time to time on specific PDPL matters.
- ZATCA Fatoora Phase 2 · e-invoicing regulations, governing the financial data category.
- Saudi Labour Law · workforce records, end-of-service gratuity, and employment data retention obligations.
- HCIS site access protocols · access logs and permit-to-work records on petrochemical complex sites.
- NCA Essential Cybersecurity Controls (ECC) · adopted as the supplementary security control framework over personal data.
- ISO/IEC 27001 · adopted as a best-practice baseline for the information security management system supporting personal data processing.
Where instruments intersect — for example, where PDPL retention principles meet ZATCA's mandatory record-retention period — the BU resolves the intersection by applying the longer mandatory retention plus PDPL's purpose-limitation principle to access controls. Records are kept for the regulatory minimum but are accessible only for the original processing purpose.
Lawful basis map
PDPL Article 5 sets out the lawful bases on which personal data may be processed. The map below assigns each processing activity within the BU to its lawful basis. No activity is conducted without an identified, documented basis.
Sensitive data handling
PDPL Article 6 imposes elevated requirements on the processing of sensitive personal data — categories including health information, biometric data, racial or ethnic origin, religious belief, political opinion, trade union membership, and criminal record. Processing of sensitive data is permitted only with the data subject's explicit consent or under another lawful basis specifically prescribed by the Implementing Regulations.
The Industries BU does not routinely process sensitive personal data. The BU's standard data flows — quote enquiries, engagement records, site visit imagery, financial records, workforce administration — do not require sensitive data. Where exceptions arise, they are handled under the framework below.
- HSE incident health information · Where a workplace incident or near-miss requires processing of health-related information, the data is collected on the explicit basis of vital interests under PDPL Article 5, retained under elevated controls (encrypted, role-restricted access), and is the subject of a documented incident-specific processing record.
- CCHI medical insurance administration · Workforce health insurance administration is handled by the CCHI-licensed insurer as a separate Controller under their own Article 6 basis. Veltrixair acts only as a transmission point for enrolment data.
- Biometric site access · Where a client site (Aramco, SABIC, HCIS-regulated complex) operates biometric access, the client is the Controller for that processing. Veltrixair's role is limited to facilitating its workforce's enrolment under the client's framework.
The other categories of sensitive data identified in Article 6 — ethnic origin, religious belief, political opinion, trade union membership, criminal record — are not processed by the Industries BU under any circumstance.
Transparency obligation
PDPL Article 14 imposes a transparency obligation on Controllers — at the point of collection, data subjects must be informed of the Controller's identity, the purposes of processing, the lawful basis, the categories of recipients, the retention period, the rights available to them, and the route to lodge a complaint.
Veltrixair fulfils Article 14 through a layered approach. The structured legal view sits in this document. The readable, consumer-facing view sits in the Privacy Notice. The just-in-time view appears at every collection point — short-form notices alongside each form, alongside email confirmations on submission, and alongside verbal notice at site visits where imagery is captured.
The three layers operate together: this document and the Privacy Notice are persistent (linked from every page footer); layered notices are contextual (presented at collection); confirmations are transactional (sent on submission). Each layer cross-references the others, and each provides enough information to discharge Article 14 standalone.
Layered notice — point of collection
The cards below reproduce, in compact form, the just-in-time notice provided to a data subject at the point of submitting each major form. Each card constitutes a standalone Article 14 notice — the data subject can act on it without reading the full Privacy Notice, though the link to the full notice is always provided.
- Request a quote
- Request a site visit
- Career application
- Newsletter subscription
Where personal data is captured on site (photographs of asset condition, occasional video of operational faults), notice is given verbally at the start of the site visit by the lead engineer, and confirmed in writing in the engagement record. Workforce or third parties incidentally captured are redacted before any external use of the imagery.
Data subject rights workflow
PDPL Article 4 grants data subjects eight rights over the processing of their personal data. The Privacy Notice describes the rights in consumer-facing form. This section documents the internal workflow the BU follows when a request is received — the operational discipline that makes the rights real rather than aspirational.
- T+5 working days · Acknowledgement. Receipt of the request is acknowledged with a reference number routed to the requesting data subject. Initial routing to the DPO function is automatic.
- T+12 days · Identity verification. Where the request relates to specific personal data, the requester's identity is verified through proportionate means (existing relationship reference, ID document, secondary contact channel).
- T+30 days · Substantive response. Per Article 4, substantive response is delivered within thirty days of verified receipt. Complex requests may invoke a documented extension under the Implementing Regulations, with notification to the requester.
- Refusal grounds. Where a request is refused — for example, retention obligations under Saudi Labour Law preventing erasure — the refusal is documented with reference to the lawful basis. The DPO function reviews refusals before issue.
- External escalation. Every response includes the route to escalate to SDAIA as the Competent Authority, where the requester is dissatisfied with the BU's response.
Requests are received at privacy@veltrixair.com. Standard requests are processed without charge; manifestly unfounded or excessive requests may attract a reasonable fee per the Implementing Regulations.
Cross-border transfers
PDPL Article 29 and the Implementing Regulations govern transfers of personal data outside the Kingdom. The BU's preferred posture is data residency in-Kingdom: KSA-region cloud infrastructure for cloud workloads, in-Kingdom servers for on-premise systems, and in-Kingdom processing for the workflows that handle personal data.
Where transfer outside the Kingdom is required — for example, OEM technical support routing through a vendor's European service desk, or cloud workload spillover where KSA-region capacity is unavailable — the transfer is governed by a documented Transfer Impact Assessment maintained by the DPO function.
- Lawful basis. Each transfer is mapped to a permitted basis under Article 29 — adequacy where SDAIA-recognised, contractual necessity for engagement-critical transfers, or explicit consent for non-essential transfers.
- Recipient assessment. Recipient jurisdiction's data protection regime is assessed. Where adequacy is not established, additional contractual safeguards are imposed via DPA.
- Technical safeguards. Transit encryption (TLS), at-rest encryption (AES-256), role-based access controls, and centralised audit logging. Personal data in transit is never sent unencrypted.
- India operations (bilateral). Veltrixair operations in India support the Industries BU's back-office functions. India-bound transfers are governed by both PDPL Article 29 and India's Digital Personal Data Protection Act 2023, with the bilateral DPA framework documented and reviewed annually.
Onward transfers from a recipient outside the Kingdom — that is, a transfer from the Kingdom to country A and onward to country B — require additional approval under the BU's transfer governance and are not permitted by default.
Retention schedule
PDPL Article 18 establishes the retention principle — personal data is retained no longer than is necessary for the purpose for which it was collected. The BU's published retention schedule sits in Section 06 of the Privacy Notice and is set out there in full. This section documents the operational discipline behind the schedule.
- Quarterly retention review. The DPO function reviews the retention schedule quarterly. Records past their retention period are flagged for the responsible function (HR for workforce, Finance for ZATCA, BU Operations for engagement records) for action.
- Documented destruction. Records reaching end-of-retention are destroyed via documented destruction workflows. Destruction certificates are retained for audit trail purposes; the certificates themselves are not personal data.
- Anonymisation alternative. Where data has continued analytical value but no continuing personal-data purpose, irreversible anonymisation is preferred over deletion. Anonymised aggregates are retained outside the personal-data control regime.
- Statutory minimums prevail. Where Saudi statutory law mandates a minimum retention period (Saudi Labour Law for workforce, ZATCA for invoicing, SASO for inspection certificates), the statutory minimum prevails over the BU's operational preference for shorter retention.
Breach response framework
The PDPL Implementing Regulations require notification to SDAIA within 72 hours of becoming aware of a personal data breach that is likely to cause harm to data subjects. The BU's internal breach response protocol exists to detect breaches early, contain them quickly, assess them rigorously, and notify on time.
Detection & internal notification
Detection by any source — internal monitoring, employee report, vendor notification, regulator inquiry. CISO and DPO function notified within one hour.
Initial classification
Preliminary assessment of severity, scope, and the lawful processing affected. Triage decision: contained incident vs reportable breach.
Containment actions
Containment measures applied — credential rotation, system isolation, access revocation, log preservation. Preliminary incident report logged.
Severity assessment finalised
Severity assessment finalised; affected data subjects identified and counted; notification threshold under the Implementing Regulations evaluated; communications plan drafted.
SDAIA notification
Where the breach meets the notification threshold, SDAIA is notified within the 72-hour window per the Implementing Regulations. Notification is comprehensive — nature, scope, mitigation, contact.
Affected data subject notification
Where individual notification is required, affected data subjects are notified directly with a description of the breach, the data affected, the remedial actions taken, and their rights.
Post-incident review
Within 14 days of full resolution, the DPO function leads a documented post-incident review — root cause, control gaps, remediation actions, lessons learned, and updates to this notice if material.
Programme governance
A privacy programme that exists only on paper is not in conformance with PDPL. The BU's programme is structured around six operational governance disciplines — each with documented cadence, ownership, and outputs.
Privacy Impact Assessments
Annual review of existing processing activities. PIA on every new processing activity before go-live. Outputs are version-controlled documents in the BU's governance library.
Internal audit cadence
Quarterly internal audit of the BU's PDPL conformity, conducted by the Privacy Advisory practice acting as second-line. Findings are tracked to closure.
Workforce training
Mandatory PDPL training on hire; annual refresh thereafter. Completion is tracked at individual level. Engineers handling site imagery receive additional contextual training.
Vendor DPAs
Every processor handling personal data on the BU's behalf is bound by a Data Processing Agreement. DPAs are reviewed annually; new vendors are onboarded only with DPA in place.
DPO independence
The DPO function reports directly to the Chairman, outside the commercial chain. Refusals of data subject rights requests are reviewed by the function before issue. Independence preserved structurally.
Continuous improvement
Material findings from audits or incidents trigger review of this notice and the Privacy Notice. Material updates are communicated; minor corrections are tracked in the change log.
Document control & updates
This document is version-controlled. Material changes — to processing activities, to the regulatory framework, to the lawful basis map, to the breach response framework — trigger a new version. The version reference at the top of this document is incremented; a change log is maintained internally and made available on legitimate request.
Document control register
Where Arabic and English versions of the document differ, the English version prevails as the authoritative text in line with the BU's operating language for governance documents. Translation discrepancies should be reported to the DPO function for correction.