PRIVACY AND DATA PROTECTION POLICY

We, Nashmi Qaed Al Otaibi Advocates and Legal Consultants Professional Company, a law firm registered in Riyadh, Saudi Arabia as detailed below, for and on behalf of all the NAX Law group entities operating in various jurisdictions (“we”, “us”, “our”), set out this Privacy and Data Protection Policy (“Policy”).

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, regarding the protection of natural persons with regard to the processing of personal data, and repealing Directive 95/46/CE (“GDPR”) and any other applicable law, we guarantee the protection and confidentiality of personal data of any type provided to us by our clients, in accordance with the law.

We are committed to safeguarding the privacy of the personal information that we process in the course of our business, including the personal information we receive from you (“you” or “your”). This Policy describes how and why we collect, store and use personal information, and provides information about the rights of the individuals to whom such personal information relates.

The data provided will be treated in the terms established in the GDPR and other applicable laws. The website has adopted the levels of protection that are legally required, and has installed all the technical measures at its disposal to avoid loss, misuse, alteration, unauthorised access by third parties, as set out below. However, users are aware that Internet security measures are not infallible.

  1. PERSON RESPONSIBLE FOR THE DATA TREATMENT

Name: Nashmi Qaed Al Otaibi Advocates and Legal Consultants Professional Company.

Registered office: Olaya District, Riyadh, Saudi Arabia.

Commercial Registration: 1009014787

Email: info@naxlaw.com

Registered as a law firm in Riyadh, Saudi Arabia.

  1. PERSONAL DATA WE MAY COLLECT

We may collect personal information from you in the course of our business, when you contact us or request information from us, when you instruct us to provide legal services, when you use our website (or other platforms), or as a result of your relationship with any of our staff or clients.

The personal information that we process includes:

  • Basic details, such as your name, role/title, employer/s, your relationship to a person, and your contact information (such as your email address, physical address, contact numbers);
  • Identification information to enable us to check and verify your identity (e.g. your birthdate; your passport details), and information collected from publicly available resources to verify the same;
  • Information relating to the matter on which you are seeking our legal services;
  • Bank account or other financial information, if relevant to our engagement with you;
  • Technical information (including your location, IP address, browser details, traffic data, location data), such as information from your visits to our website or mobile app (page interaction information, length of visits, etc.), or in relation to marketing emails we send to you;
  • Information relating to your visits to our offices or our meetings and events, including appointment details;
  • Personal information provided to us by or on behalf of our clients, or generated by us in the course or providing services to them, which may include special categories of personal data;
  • Any other information relating to you which you may provide to us.

We may collect your personal information:

  • As part of our new business and client on-boarding or client maintenance activities, and when you seek legal services from us;
  • When you seek employment from us, as part of our new employee on-boarding and maintenance of the employment relationship, or when you engage with our alumni group;
  • When you provide (or offer to provide) services to us, either yourself or on behalf of your employer;
  • When we are acting on a matter where you or your employer are a party to the same;
  • When you interact with our website or mobile app, or use any of our online services;
  • When you interact with us in respect of any of our marketing communications or events;

We collect most of this information directly from you, or through your use of our website. However, we may also collect data about you from a third party source, such as our clients, your employer, other parties to matters in which we are involved, platform operators for technology used in our business (e.g. webinar platforms), other organisations that you have dealings with, regulators or other government authorities, credit reporting agencies, information service providers, or from publicly available records.

  1. PURPOSE OF THE TREATMENT

All data provided by our clients and/or visitors on the website or its staff will be included in the record of personal data processing activities, created and maintained under our responsibility, for the purposes of providing legal services to you; communicating with you in respect of legal developments and updates; managing our business relationship with you; complying with our legal and tax obligations (e.g. tax audits, anti-money laundering and sanctions checks, enquiries by regulatory authorities); keeping your contact details accurate; and for any purpose related and/or ancillary to any of the above or any other purposes for which your personal data was provided to us.

  1. LEGITIMACY OF THE TREATMENT
  • We are legitimised to collect and treat your data based on either or all of the following reasons:
  1. Contractual relationship: It is the relationship that applies when you hire any of our services.
  2. Legitimate interest: To respond to the queries and claims you raise and to manage the collection of amounts owed.
  3. Your consent: If you are a user of our website, by checking the box that appears in the contact form, you authorise us to send you the necessary communications to respond to the query or request.
  1. DATA TRANSFERS

We do not transfer your personal data to anyone, except to those public or private entities to which we are obliged to provide your personal data in order to comply with any law.

In the event that, apart from the aforementioned assumptions, we must disclose your personal information to other entities, we will previously request your permission through clear options that will allow you to decide in this regard.

  1. INTERNATIONAL DATA TRANSFERS

We will not carry out international transfers of your personal data.

As an exception, we may transfer personal data from the European Economic Area (“EEA”) to other countries where we operate. When we do so, we use a variety of legal mechanisms, including contracts where required by applicable law, to help ensure your rights and protections.

In addition, to the extent a transfer of EEA customer data is required for us to perform services for our EEA customers, we have intracompany Standard Contractual Clauses (“SCCs”) in place to validate the transfer.

The SCCs are written commitments between parties that can be used as a ground for data transfers from the EEA to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and cannot be modified by the parties using them. We rely on SCCs for our data transfers where required and in instances in which they are not covered by an adequacy decision.

  1. CONSERVATION

We will only retain your personal data for as long as necessary to achieve the purposes for which it was collected. When determining the appropriate retention period, we consider the risks involved in the processing, as well as our contractual, legal and regulatory obligations, internal data retention policies and our legitimate business interests described in this Policy.

In this sense, the website will keep the personal data once its relationship with you has ended, duly blocked, during the prescription period of the actions that may arise from the relationship maintained with the interested party.

Once blocked, your data will be inaccessible to the website, and will not be processed except to make it available to government authorities and/or courts, for the attention of possible responsibilities arising from the data treatment, or in any data protection claims.

  1. DATA SECURITY

We use all reasonable efforts to maintain the confidentiality of personal information processed on our systems. We maintain strict levels of security to protect the personal data we process against accidental loss and unauthorised access, processing or disclosure, taking into account the state of technology, the nature and the risks to which the data is exposed.

However, we cannot be responsible for the use you make of the data that you use on our website. Our staff follows strict privacy standards and if we hire third parties to provide support services, we require them to abide by the same standards and allow us to audit them for compliance.

  1. KNOW YOUR RIGHTS

We inform you that you may exercise the following rights:

  1. Right of access to your personal data, to know which data is being processed and the processing operations carried out with it;
  2. Right to rectify any inaccurate personal data;
  3. Right to delete your personal data, when this is possible (for example, pursuant to a legal requirement);
  4. Right to limit the processing of your personal data when the accuracy, lawfulness or necessity of processing the data is doubtful; in which case we may retain the data for the exercise or defense of claims.
  5. Right to object to the processing of your personal data, when the legal basis that enables us to process the indicated data is our legitimate interest. The website will stop processing your data unless it has a legitimate interest or is necessary to defend any claims.
  6. Right to the portability of your data, when the legal basis that enables us to process it is the existence of a contractual relationship or your consent.
  7. Right to revoke the consent given to the website.
  1. PROTECTION OF RIGHTS

If you are based in Spain and understand that your rights have been neglected by us, you may file a claim with the Spanish Data Protection Agency, through any of the following means:

  • Electronically, through the following link: https://www.aepd.es
  • Through post at Spanish Data Protection Agency, calle Jorge Juan, 6, 28001, Madrid, or
  • Through phone at +34 900293183.

Filing a claim with the Spanish Data Protection Agency does not entail any cost and the assistance of a lawyer or attorney is not necessary.

Claims for data protection violations committed in countries other than Spain may be brought before the relevant competent authority.

  1. UPDATES

We reserve the right to amend this Policy at any time, to adapt it to legislative or jurisprudential developments that may affect it.

Scroll to Top