Tadkeek Privacy Notice
(ISO 27001-aligned • Saudi Arabia-compliant • Screening Services)
1 Scope and Purpose
This notice explains how Al Tadkeek Al Awal Company for Trading (“Tadkeek”, “we”, “us”) collects, uses, stores, shares and disposes of personal data when providing background-screening and verification services in the Kingdom of Saudi Arabia (KSA) and internationally.
2 Legal Framework
-
KSA Personal Data Protection Law (PDPL – Royal Decree M/19 of 09-02-1443H) and its Executive Regulations.
-
EU / UK GDPR for data processed on behalf of customers subject to those laws.
-
ISO / IEC 27001:2022 Annex A controls (A.5–A.8, A.12, A.18) – Tadkeek’s security programme is aligned with these controls and is currently progressing toward formal certification.
-
Sectoral rules issued by the Saudi Central Bank (SAMA) and Saudi Data & AI Authority (SDAIA).
3 Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity | Name, date of birth, national ID / Iqama, passport number | Candidate, client |
| Contact | Address, phone, e-mail | Candidate, client |
| Employment / Education | Job titles, dates, salaries, certificates, transcripts | Candidate, previous employer, institution |
| Public-records | Court judgements, sanctions, watch-lists | Government & open sources |
| Digital evidence | IP logs, audit trails | Generated automatically by our systems |
We do not collect or process special (sensitive) categories unless explicitly required and legally authorised (e.g. criminal-record checks with candidate consent).
4 Lawful Basis
| Purpose | Lawful basis under PDPL Art 6 & GDPR Art 6 |
|---|---|
| Pre-employment or continuing-service screening | Explicit consent from the data subject & legitimate interests of the client to hire trustworthy staff |
| Compliance with AML / sanctions regulations | Legal obligation |
| Fraud detection & document-forgery investigation | Legitimate interests of Tadkeek and its clients |
5 Use of Personal Data
-
Perform identity, education, employment, licence, address or reference verification.
-
Produce a secure report for the commissioning client (your prospective or current employer).
-
Respond to lawful requests from KSA authorities (e.g. Public Prosecution, Police) or foreign regulators under mutual legal-assistance treaties.
-
Maintain audit logs required by ISO 27001 control A.12.7.
6 Retention
| Data set | Retention period | Justification |
|---|---|---|
| Screening reports & evidence | 5 years from report issue | SAMA outsourcing & PDPL Art 18(1)(c) (record of processing) |
| System audit logs | 1 year | ISO 27001 A.12.7 & PDPL security obligation |
| Contact-centre recordings | 180 days | Quality & dispute resolution |
Once the retention period expires, data are secure-deleted (NIST SP 800-88) or anonymised.
7 International Transfers
Data may be transferred to verification partners outside KSA only when:
-
the destination country ensures adequate protection (PDPL Art 29) or
-
standard contractual clauses approved by SDAIA are in place and
-
the data subject has been informed and, where required, has consented.
All transfers use TLS 1.3 + AES-256 encryption at rest.
8 Data Subject Rights
Under PDPL (Arts 4–7) and GDPR (Arts 15–22) you may:
-
Request access to the personal data we hold about you.
-
Rectify inaccurate or incomplete data.
-
Withdraw consent at any time (this may prevent us completing the service).
-
Request deletion once statutory retention expires.
Submit requests to communication@tadkeek.com; we will respond within 30 days.
9 Disclosure to Third Parties
Tadkeek will not disclose your data except:
-
Verification sources you have authorised (e.g. universities, previous employers).
-
Official bodies when forged or fraudulent documents are detected.
-
Courts, regulators or law-enforcement agencies upon a lawful order, subpoena or warrant.
-
IT service providers under confidentiality & ISO 27001-aligned data-processing agreements.
We never sell or lease personal data for marketing.
10 Security Measures (ISO 27001 Annex A reference)
-
AES-256 encrypted storage (A.8.11).
-
MFA for all staff & privileged access (A.5.17).
-
Quarterly vulnerability scanning & patching (A.8.8).
-
Background screening of Tadkeek employees (A.6.1.2).
-
Annual ISO 27001 audit by an accredited certification body.
11 Changes to this Notice
We review this notice at least annually.
Last update 25 May 2025. Changes are published at tadkeek.com/privacy and take effect 14 days after posting.
12 Contact
Data Protection Officer
Al Tadkeek Al Awal Company for Trading
4273 Omar Ibn Al Khattab Branch,
8532 Al Farooq Dist., Riyadh 12863,
Kingdom of Saudi Arabia
✉ communication@tadkeek.com ☎ +966 54 218 2925
