1. Responsibility
2. Collection of Personal Information
3. Purposes
4. Client Relationship Management
5. Cookies
6. Sharing your Personal Information
7. Cross-Border Transfer of Your Information
8. How long we keep your Personal Information
9. Your Rights
10. Information Security
11. Changes to this Privacy Notice
12. Contact Details
13. Privacy Notice – Kingdom of Saudi Arabia

Responsibility

This Privacy Notice is provided by Al Tamimi & Company Limited (DIFC Commercial Licence No. CL0155 of Level 7, Central Park Towers, Dubai International Financial Centre, Dubai, United Arab Emirates)for and on behalf of itself and the various entities operating as part of the Al Tamimi law firm across the Middle East, as further specified here (collectively, “Al Tamimi & Company”, “we”, “us”, “our”). This Privacy Notice has been prepared with reference to applicable data protection laws including DIFC Data Protection Law considerations, and may be augmented by jurisdictional specific addendums from time to time.
We are committed to safeguarding the privacy of the personal information that we process in the course of our business, including the personal information we receive from you (“you” or “your”). This Privacy Notice describes how and why we collect, store and use personal information, and provides information about the rights of the individuals to whom such personal information relates.
For the purposes of applicable data protection law, Al Tamimi & Company is typically the “data controller” of any personal information provided to us. Specifically, your data will be controlled by the Al Tamimi Entity that you have instructed, or that is providing services to or communicating with you. Very occasionally, we will act on specific retainers as a “processor” (meaning that we process personal data only in accordance with the directions of a data controller, or as otherwise permitted by applicable law).
Please read the following information carefully to understand our views and practices regarding how we handle personal information. If you have any queries about our approach to data protection that are not already addressed in this Privacy Notice, please contact our Chief Risk & Compliance Officer, as per the contact details set out at the end of this Privacy Notice.
This Privacy Notice applies to all entities that control and process personal data within Al Tamimi & Company as specified here

Collection of Personal Information

We may collect personal information from you in the course of our business, when you contact us or request information from us, when you instruct us to provide legal services, when you use our website or mobile app (or other platforms), or as a result of your relationship with any of our personnel or clients.

The personal information that we process includes:

• Basic details, such as your name, role/title, employer/s, your relationship to a person, marital status, and your contact information (such as your email address, physical address, contact numbers, details of your public social media profiles);
• Identification information to enable us to check and verify your identity (e.g. your passport details or national identity number; utility provider details; tenancy contracts), and information collected from publicly available resources to verify the same;
• Demographic Information such as gender; date of birth / age; nationality; salutation; title; and language preferences.
• Information relating to the matter on which you are seeking our legal services;
• Bank account, payment card details, or other financial information, if relevant to our engagement with you;
• Technical information (including your location, IP address, browser details, traffic data, location data), such as information from your visits to our website or mobile app (page interaction information, length of visits, etc.), or in relation to marketing emails, and digital communications we send to you;
• Information relating to your visits to our offices or our meetings and events, including appointment details (e.g. time, location, participants), CCTV images and other photographic or video images;
• Personal information provided to us by or on behalf of our clients, or generated by us in the course or providing services to them, which may include special categories of personal data;
• Professional and Educational Information related to your job such as your former or current employer and job title;
• Health Information may include access or dietary requirements;
• Preferences, such as your stated interests, how often you would like to receive our newsletters, or other communications; and
• Any other information relating to you which you may provide to us.

We may collect your personal information:

• As part of our business development, new business intake and client on-boarding or client maintenance activities, and when you seek legal services from us;
• When you apply for a role or work experience opportunity or open day with us;
• When you seek employment from us, as part of our new employee on-boarding and maintenance of the employment relationship, or when you engage with our alumni group;
• When you provide (or offer to provide) services to us, either yourself or on behalf of your employer;
• When we are acting on a matter where you or your employer are a party to the same;
• When you interact with our website or mobile app, or use any of our online services;
• When you interact with us in respect of any of our marketing communications, digital communications or events or visit our offices;

We collect most of this information directly from you, or through your use of our website. However, we may also collect data about you from a third party source, such as our clients, recruitment agencies, your employer, other law firm firms or professional advisers, other parties to matters in which we are involved, platform operators for technology used in our business (e.g. webinar platforms), other organisations that you have dealings with, regulators or other government authorities, credit reporting agencies, information service providers, or from publicly available records (including electronic data sources to conduct checks to enable us to comply with applicable law).

The information you provide may be confidential, and we will maintain such confidentiality and protect your information in accordance with our professional obligations and applicable law. We have arrangements in place with personnel and service providers who may process your personal information, to ensure that confidentiality is maintained.

Purposes

Whether we receive your personal data directly from you or from a third party, we will only use your personal information if we have obtained your consent (where necessary), or if we have another a lawful basis upon which to do so (e.g. for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such contract; for compliance with a legal obligation on us; to protect your vital interests or those of another natural person; or for our own legitimate interests, or those of a third party, except where such interests are overridden by your own rights or interests).

The purposes for which we process your personal information are as follows:

• Providing legal services to you;
• Communicating with you in respect of legal developments, publications and the promotion of our legal practice;
• Managing our business relationship with you (or your organisation), whether in connection with the provision of our legal services, the procurement of your goods and services, or as your employer (or potential or former employer), including processing payments, accounting, auditing, billing and collection and related support services;
• Complying with our risk management and legal obligations to identify and verify the identity of our clients and their beneficial owners, including with respect to legal and regulatory considerations (e.g. anti-money laundering and sanctions checks, audits, enquiries by regulatory authorities);
• Managing and securing access to our premises and information technology systems, and monitoring the technology side of our operations;
• Processing and respond to requests, enquiries or complaints received from you;
• Keeping your contact details accurate and current using information provided by you, or information publicly available; and
• For any purpose related and/or ancillary to any of the above or any other purposes for which your personal data was provided to us.

Client Relationship Management

We operate a Client Relationship Management email mailing list program, which we use to inform clients and other contacts about our services, including our publications and events. Such marketing messages may contain tracking technologies in order to track subscriber activity relating to engagement, demographics and other data, and to build subscriber profiles. We use this as a means by which to undertake direct marketing.
If you would like to cease receiving marketing materials from us at any time, please let our CRM management team know directly. You can also change your preferences for receiving our marketing emails and legal updates from us at any time, and you can unsubscribe by following the instructions specified in our marketing emails or via the websites. Please update your details by contacting our CRM management team by email at crmhelpdesk@tamimi.com .

Cookies

Cookies are small files that are sent to a computer’s hard drive by a web server, enabling a website to remember who you are. Information from cookies may include information relating to your use of our websites, information about your computer (such as IP address and browser type), and demographic data. We use cookies to improve our website.
Specifically, we use Google Analytics, and other similar products to track unique visitors to our website and app (storing a unique visitor ID, the date and time of first visit, the time their current visit started and the total number of visits they have made); to register session details (so as to attribute visit information, including conversions and transactions to a traffic source); and to register that a website visit has ended and the browser closed. Most internet browsers have a mechanism notifying you when you receive a new cookie, and telling you how to reject new cookies or disable cookies altogether (if you wish to do so).

Sharing your Personal Information

We may disclose your personal information to a recipient (i) for the purposes of outsourcing one or more of the purposes-related functions described above; (ii) to confirm or update information provided by you; (iii) to inform you of events, information about our services, and other important information, or (iv) for other purposes disclosed at or before the time the information is collected. If we re-organise our business, we may need to transfer your personal information to other group entities or to third parties.

If you tell us you wish to attend an event, your name and organisation may appear on a list which we provide to other delegates at the event. We also take photographs and video of our events, and this may result in your image being captured and used in the course of reporting on the event (e.g. via social media or other means); we will draw this to your attention in materials relating to the specific events.

In relation to any other disclosures to third parties as necessary to provide the services as effectively as we can (for example but not limited to our professional advisors as such as lawyers and accountants, government or regulatory authorities, professional indemnity insurers, tax authorities, document processing and transaction services, corporate registries, counsel, arbitrators, mediators, clerks, witnesses, experts, third party postal and courier services), we will only do so where you have given your consent, where we are required to do so by law, or where it is necessary for the purpose of or in connection with legal proceedings or in order to exercise or defend legal rights. We do not sell, rent, distribute, or otherwise make, personal information commercially available to any third party.

In addition, we make use of third party technology services including, amongst other things, cloud security systems. The use of these services may require your personal information to be held in the cloud on infrastructure managed by the relevant service provider.

Cross-Border Transfer of Your Information

It may sometimes be necessary for us to share your personal information with other Al Tamimi & Company offices around the Middle East and Africa region (currently, in Bahrain, Egypt, Iraq, Jordan, Kuwait, Morocco, Oman, Qatar, Saudi Arabia and the United Arab Emirates) – or for such Al Tamimi & Company offices to share your information with Al Tamimi & Company in the DIFC.

Where necessary, we may also share your personal information with government, regulators and enforcement agencies, courts, tribunals in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so.

It may also be necessary for us to share your personal information with third parties and associated professional services firms around the world, who provide services to us or on our behalf (including data storage facilities or online storage located within or outside the United Arab Emirates, which may be operated by independent service contractors). This will entail a transfer of personal information from within the Dubai International Financial Centre to recipients outside the DIFC, and vice versa.

The level of personal information protection in the various jurisdictions in which we operate varies, and in some instances may not provide an adequate level of protection from an international perspective. To address this, we have procedures and safeguards in place to ensure the protection of personal information. These procedures include contractual obligations to ensure that all such entities safeguard your personal information and use it only for the purposes that we have specified and communicated to you. (For a further information, please contact our Chief Risk & Compliance Officer at privacy@tamimi.com.) When we transfer your information to other countries, we will use, share and safeguard that information as described in this Privacy Notice.

How long we keep your Personal Information

We will retain your personal information for the length of time needed to fulfil the purposes for which it was collected, unless we specifically agree a longer retention period with you, or a longer retention period is required to comply with our legal or regulatory accounting or reporting requirements, as permitted by applicable law or to assert or defend against legal claims.

Your Rights

Various rights may be available to you, depending on the circumstances and the applicable law. We summarise key rights likely to be available to most data subjects:

• Withdraw consent: When personal information is processed on the basis of consent, you may withdraw consent at any time, although such withdrawal will not affect the lawfulness of processing occurring prior to such withdrawal;/li>
• Access and rectification, etc.: You may request access to and rectification or erasure of personal information, or restriction of Processing concerning the Data Subject or to object to Processing as well as the right to data portability;
• Objecting and restricting: You may object, on legitimate grounds, to the processing of your personal information, or request that processing be restricted; and
• Complaints: If you believe that your data protection rights may have been breached, you may lodge a complaint with the relevant data protection authority (e.g. the Commissioner of Data Protection in the case of the DIFC),

The above rights may be subject to certain exceptions and limitations under applicable data protection laws. Our responses may vary depending on the nature and circumstances of the request.

Please note that in certain circumstances, the processing via an automated or semi-automated system may prevent fulfilment of individuals’ rights to erase or rectify their data. In such circumstances, we will assess such requests individually and provide a justification. If you would like to exercise any of the above rights, or any other rights available to you pursuant to applicable law, please contact our Chief Risk & Compliance Officer using the contact details set out below. In order to comply with your request. we will require proof of your identify.

Information Security

We have implemented reasonable administrative, technical and physical measures to protect your personal information against loss, misuse and alteration.

Changes to this Privacy Notice

We may from time to time make changes to this Privacy Notice. Where these are likely to be material, we will communicate these in advance. Otherwise, these will become effective once the amended Privacy Notice is posted on our website. Please check back regularly to keep informed of updates to this Privacy Notice.

How to Contact Us

Our Chief Risk & Compliance Officer oversees compliance with data protection within Al Tamimi & Company. If you have any questions about this Privacy Notice, or our processing of your personal data, please contact our Chief Risk & Compliance Officer using the contact details set out below:

Chief Risk & Compliance Officer

Al Tamimi & Company Limited

Level 7, Central Park Towers, Dubai International Financial Centre, Dubai, United Arab Emirates

Email: privacy@tamimi.com

Telephone: +971 4 364 1641

Privacy Notice – Kingdom of Saudi Arabia

Al Tamimi & Company consists of three offices in KSA as follows:

• Al Khobar Office – Al Tamimi & Company Advocates & Legal Consultants, Level 9, Abdulhadi Al Hugayet Tower, Prince Turki Street, Al Shamaliah Area;
• Jeddah Office – Al Tamimi & Company Advocates & Legal Consultants Jeddah, King’s Road Tower, Level 11 King Abdulaziz Road, Al Shate’a District; and
• Riyadh Office – Al Tamimi & Company Advocates & Legal Consultants, Level 8, Tadawul Tower, King Abdullah Financial District,

(collectively all three Saudi Al Tamimi & Company offices are referred to as “Al Tamimi & Company KSA”, “we”, “us”, “our”). We collect personal data directly from you and, from relevant third parties, that provide personal information to us. When processing we process your personal information this privacy addendum will apply.

This privacy addendum incorporates the content and disclosures made on the AL Tamimi & Company Privacy Notice (“Privacy Notice”) and relates to the processing of personal data relating to data subjects who are residents in the Kingdom of Saudi Arabia (the KSA).

Where Al Tamimi & Company KSA processes any personal information within the Kingdom of Saudi Arabia, the following will apply to ensure compliance with the provision of the KSA Personal Data Protection Law implemented by Royal Decree No. M/19 of 09/02/1443H and amended by Royal Decree No. M/147 of 05/09/1444H (PDPL), the Implementing Regulations of the PDPL (“Implementing Regulations”), along with the amendments to the Data Transfer Regulations (Data Transfer Regulations).

Purposes

We will not subsequently process your personal information in a manner that is inconsistent with the purpose for its collection (except where permitted as per the PDPL).

Your Rights in Connection with Personal Information

In addition to your rights set out in the Privacy Notice, you are entitled to exercise the following rights with respect to your personal information:

1. Right to obtain data in a readable and clear format;
2. Right to request destruction which is no longer needed; or
3. Right to file a complaint before the Competent Authority Saudi Data & AI Authority.

The above rights may be limited, and we may deny or restrict fulfilment of your request in some cases, such as when your access to data places another individual’s privacy rights at risk, or the continued processing of your data is necessary to comply with a legal obligation. If so, we will notify you of the reason(s) for this denial.)

Sensitive Personal Information

We may process sensitive personal information (as defined in the PDPL). When we process your sensitive information we will generally do so on the basis of your consent, however we may also process your sensitive information to fulfil our legal obligations or to protect your vital interests.

We only process sensitive personal information (as necessary) if and to the extent permitted and needed for achieving purposes set out in the Privacy Notice. If you have any questions about the provision of sensitive personal information to us, please contact us.

Cross Border Transfers of Personal Information

When transferring your personal data outside the Kingdom of Saudi Arabia, we do so in accordance with the PDPL and its Transfer Regulations.

We may transfer your personal information to other countries that have been recognised by the competent supervisory authority as having adequate levels of protection for personal information (i.e., pursuant to ‘adequacy decisions’). In the absence of adequacy decisions, we will only transfer your personal information to countries which do not have data protection laws or to countries where your privacy and other fundamental rights will not be protected as extensively where we have implemented appropriate safeguards to ensure that your personal information remains protected and secure.

Complaint

If you have any concerns, you can file a complaint to Our Chief Risk & Compliance Officer at privacy@tamimi.com.

If you are not satisfied with how we process your complaint, you can file a complaint to the Competent Authority Saudi Data & AI Authority (SDAIA).

SDAIA Address

Kingdom of Saudi Arabia

Riyadh

Website Saudi Data & AI Authority (sdaia.gov.sa)

National Data Governance Platform “DGP” (dgp.sdaia.gov.sa)

Last updated: October 2025