banner

Privacy Policy

EFG Hermes KSA Privacy Policy

(the "Company," "we," "our," or "us") process personal data we collect about you in accordance with the Saudi Personal Data Protection Law (PDPL) and its implementing regulations (collectively, the "PDPL"). The PDPL establishes protections for your personal data and grants you certain rights. This Privacy Policy applies when you use our websites, and interact with us (collectively, the "Services"). EFG Hermes KSA ("the Company") is a leading financial services company providing investment services, asset management, securities brokerage, and investment banking to individual investors, corporate clients, and financial institutions within and outside Saudi Arabia. We are committed to protecting your Personal Data in accordance with the Personal Data Protection Law issued by Royal Decree No. M/19 dated 09/02/1443H and its Implementing Regulations.

Contact Information and Update Record

Contact Information

Details
DepartmentData Protection
Address PO Box 300189, Third Floor, Sky Towers Northern Tower, Riyadh, KSA
Phone009660112938048
Emaildata.protection@efg-hermes.com
Websitewww.efghermesksa.com
SDAIA License No.3250001427

Data Protection Officer

Contact InformationDetails 
Name/Title 

Mohamed Al Qassim - Data Protection Officer

Email

data.protection@efg-hermes.com

 

Update Record

Date Version & Changes 
May 2024 

Version 1.0 - Initial Privacy Policy

March 2026

Version 2.0 - Comprehensive update to align with SDAIA Privacy Policy Guidelines (Version 1.0 - August 2024). Updated response timeframes per Article 12 of the Implementing Regulations. Enhanced data lifecycle details and cross-border transfer safeguards.

Personal Data to Be Collected

Data Category Details 

Account Data

Full name • National ID/Residency number • Date of birth • Nationality • Mailing address • Phone number • Email address • Employment information

Financial Data 

Bank account information (IBAN) • Income and wealth information • Transaction records • Investment portfolio

Transaction Data 

Order and trade details • Transaction date and time • Transaction value and type

Technical Data 

IP Address • Browser type and OS • Cookies • Login and usage logs

Compliance Data  

Identity documents (ID/passport copy) • KYC information • AML information • Suitability assessment

Communication Data 

Phone call records • Email correspondence • Text messages • Customer service chat logs

Note that some data is mandatory (identity, basic financial) while other data is optional (marketing preferences).

Collecting Personal Data Methods and Purposes

A. Collection Methods

 

MethodDetails 

Direct Collection 

Account opening forms • Service request forms • Trading platforms • Mobile applications • Company website • Phone calls • Personal interviews

Indirect Collection 

Cookies and tracking technologies • Web analytics tools • Publicly available information • Credit
information providers • Regulatory authorities • EFG group companies

 

B. Processing Purposes

  • Providing Financial Services: Opening/managing accounts, executing orders, brokerage services, investment advisory
  • Regulatory Compliance: KYC implementation, AML compliance, suitability assessment, regulatory reporting, judicial compliance
  • Customer Relations: Account communications, inquiry responses, technical support, periodic reports
  • Risk & Security: Fraud prevention, system security, risk management
  • Improvement: Service enhancement, new product development, platform analytics
  • Marketing (with explicit consent): Product information, event invitations, newsletters

Legal Basis for Collection and Processing of Personal Data

Legal Basis Description 

Explicit Consent 

Obtained for account opening and marketing. Withdrawable anytime by contacting the DPO.

Contractual Obligation 

Necessary to execute the financial services contract (account opening, order execution).

Legal Obligation

Required for: Capital Market Law • AML Law • Personal Data Protection Law • CMA rules • Other regulatory requirements.

Legitimate Interest 

To prevent fraud, protect security, manage risks, improve services, and protect legal rights.

Public Interest

When necessary for public interest (cooperating with regulatory/security authorities).

Note that multiple bases may apply.

Legal Basis for Collection and Processing of Personal Data

  • Collection: Collect minimum necessary data • Use secure methods • Obtain consent when required • Ensure clear and direct methods
  • Storage: Store in secure systems • Implement strict security • Define access permissions • Maintain integrity and confidentiality
  • Use: Use only for specified purposes • Ensure data accuracy • Limit access to authorized employees • No incompatible processing
  • Sharing: Share only with specified entities (Section Seven) • Ensure recipient compliance • Enter data protection agreements Monitor compliance
  • Destruction: Secure destruction after retention period • Use irrecoverable deletion methods • Document the process

Personal Data Sharing

Entity Type 

Entities 

Purpose & Frequency

Regulatory

CMA • SAMA • Ministry of Commerce • Zakat Authority • Criminal Evidence Directorate • Financial Investigation Unit

Regulatory compliance, AML, reporting Frequency: Periodic/continuous

Service Providers

Tadawul • Edaa • Banks • IT providers • Credit info providers • Auditors • Legal advisors

Transaction execution, settlements, technical services, audit Frequency: As needed

Marketing Service Providers 

Digital marketing services providers (Egypt) 

Purpose: Social media, digital marketing, online advertising, PR Frequency: As needed

EFG Group 

EFG Hermes (Egypt, UAE, Bahrain) 

Integrated services, operational support, HR records (for EFG employees), providing financial
services to clients across EFG Group, analytical reports Frequency: Continuous Safeguards: Binding agreements

International

Cloud providers • Market data providers • Trading platforms

Data hosting, transaction processing, market
data. Frequency: Continuous Safeguards: Data processing agreements

Cross-border Safeguards: Adequate protection in receiving countries • Binding agreements • Encryption • Your consent when necessary • SDAIA compliance. We NEVER sell your data for marketing.

Storage, Retention & Destruction

📍 A. Storage Location:

  • Servers in KSA
  • Cloud servers with approved providers with appropriate protection
  • Data centers with international security standards

 

⏱️ B. Retention Periods:

 

Data Type Retention Period 

Identity & KYC documents 

10 years from the relationship's end

Transaction records 

10 years from the transaction date

Compliance & AML records 

10 years from the relationship end

Communications

10 years from the communication date

Technical data & logs 

10 years from the relationship end

Marketing data 

Until consent withdrawal or 10 years from last interaction

Note: Data may be retained longer if legally required or to protect our legal rights.

 

🗑️ C. Destruction & Security:

 

  • Destruction Methods: Secure electronic deletion • Data overwriting • Physical destruction • Anonymization • Documented process
  • Technical Security: Encryption (SSL/TLS, AES-256) • Firewalls • Intrusion detection • Multi-factor authentication • 24/7 monitoring
  • Administrative Security: Security policies • Employee training • Confidentiality agreements • Periodic risk assessments
  • Organizational Security: Need-to-know access • Separation of duties • Audit logs • Incident reporting procedures

 

✋ Your Rights

 

Right

Description & Exercise Method

Right to Be Informed 

Know how data is collected, legal basis, processing, storage, destruction, and disclosure entities. Access your information through the means added in this Policy or contact us.

Right of Access 

Request access via: Online platforms • Customer service • Written request to DPO Response: 30 days (extendable to 60 with notice if extra effort required)

Right to Copy 

Request data copy in clear, readable format Method: Email data.protection@efg- hermes.com or account portal Response: 30 days (extendable to 60)

Right to Correction 

Request correction of inaccurate/incomplete data Method: Online account or customer service Response: 30 days with notification

Right to Destruction 

Request destruction when: Data no longer necessary • Consent withdrawn • Unlawful processing • Legal requirement Note: May not be possible if legally obligated Response: 30 days

Right to Withdraw Consent 

Withdraw consent anytime unless another legal basis exists Method: Contact DPO at data.protection@efg-hermes.com or 009660112938048 Does not affect prior lawful processing

Right to Complain 

File complaint with SDAIA if dissatisfied

Important: No fees required • Identity verification may be requested • All response times per article 12 of Implementing Regulations

 

📝 Complaint Filing Mechanism

 

Level

Contact Information

Company Level 

Department: Data Protection Email: data.protection@efg-hermes.com
Phone: 009660112938048
Address: PO Box 300189, Sky Towers, Riyadh, KSA
Website: www.efghermesksa.com
Processing: 30 days with status updates

SDAIA (if unsatisfied) 

Authority: Saudi Data & AI Authority
Website: https://sdaia.gov.sa/ar/default.aspx
Platform: https://dgp.sdaia.gov.sa/wps/portal/pdp/home
Address: Northern Ring Road, Al Nakheel Dist, Riyadh, KSA

 

🌐 Policy Access and Updates

 

📱 Access Methods

  • Servers We are committed to making this Privacy Policy accessible to all Data Subjects in clear, non-misleading, and easy-to-read language. You can access this Policy through:

Company website: www.efghermesksa.com/privacy-policy
Email l upon request: Data.protection

 

🌍 Language Availability

  • This Privacy Policy is available in both Arabic (العربية) and English. In case of any conflict between the Arabic and English versions, the Arabic version shall prevail.

 

🔔 Update Notifications

We will notify you of any material changes to this Privacy Policy through the following channels:

  • Prominent notice on our website homepage
  • Email notification to your registered email address
  • Text message (SMS) to your registered phone number

You will have [30 days] to review changes before they take effect unless immediate implementation is required by law.

 

🔄 Periodic Review:

We conduct periodic reviews of this Privacy Policy to ensure:

  • Compliance with the latest regulatory requirements and SDAIA guidelines
  • Alignment with industry best practices
  • Accuracy and completeness of information provided
  • Clarity and readability for all user categories

Any amendments or updates are recorded in the Update Record table in Section Two above.

Cookie Policy EFG Hermes KSA

🍪 What Are Cookies and Similar Technologies?

Cookies are small pieces of information sent by a web server to your web browser, allowing the server to uniquely identify your browser on each page. We also use other tracking technologies similar to cookies, including pixel tags, Google tags, and tracking links — all collectively referred to as "Cookies" in this Policy.

Types of Cookies We Use

Cookies

Description

Legal Basis

🔒 Strictly Necessary 

Enable navigation and access to secure areas. Services cannot be provided without these cookies.

Legitimate interest / Contractual obligation

📊 Analytical / Performance 

Collect anonymous information on how you use our site (e.g., Google Analytics) to improve performance.

Explicit consent

⚙️ Functional 

Remember your choices (language, username, display settings) to provide a personalized experience.

Explicit consent

🎯 Targeting / Advertising 

Enable navigation and access to secure areas. Services cannot be provided without these cookies.

Explicit consent

📱 Social Media 

Allow sharing of content via social platforms (Facebook, Instagram, X). Subject to those platforms' privacy policies.

Explicit consent

Other Tracking Technologies

Tracking Technology 

Description

Pixel Tags Invisible images embedded in pages that generate a notification upon visit. Work alongside cookies to measure usage activity.
Google Tags Measurement tools for tracking conversions and advertising campaign performance across Google platforms.
Tracking Links Custom URLs that measure the source of traffic and the effectiveness of marketing campaigns.
Note: If you disable cookies, pixel tags will only record your visit anonymously.

 

Your Cookie Rights

Right

How to Exercise

✅ Accept All Cookies 

Select "Yes, I agree" when the consent notice appears.

🚫 Reject Optional Cookies 

Select "No, I do not agree" or adjust settings via the Consent Management Tool on the website.

⚙️ Customise Preferences 

Accept or reject specific categories (except Strictly Necessary) through the Consent Management Tool.

🌐 Browser Settings 

Disable cookies from your browser settings. Note that some website features may not function fully.

✏️ Withdraw Consent 

Withdraw consent at any time via the Consent Management Tool or by contacting the Data Protection Officer.

For more information about cookies, please visit:

🌐 Policy Access and Updates

This Cookie Policy is available in both Arabic (العربية) and English. In case of any conflict between the two versions, the Arabic version shall prevail.
We will notify you of any material changes to this Policy via a prominent notice on our website or by email to your registered address.

 

EFG Hermes KSA is regulated by the Capital Market Authority.
© 2024 EFG-Hermes Holding S.A.E.
All rights reserved.

This Website uses cookies

We use cookies to collect information about how you use our website. And we use the information derived from such cookies to ensure the functionality of our website and to enhance our services.