Last Updated on: 07-03-2022
Al Salam Bank B.S.C (hereinafter referred to as "we" or “our” or "us" or “Al Salam” or the
"Bank") respects your right to data privacy. In this Data Protection and Privacy Policy
(hereinafter referred to as the “Policy”), “you” or “your” refers to the data subject (clients,
employees, website visitors or contingent workers) whose personal data is processed by Al Salam.
Any capitalized terms not defined herein shall have their meaning ascribed to them in Law No. 30
of 2018 on the Issuance of the Personal Data Protection Law as updated, amended or replaced from
time to time (hereinafter referred to as “PDPL” or the “Law”).
This Policy explains how we collect, share, and use personal data about you, and how you can
exercise your data privacy rights. The details on what personal data will be processed and which
method will be used depends significantly on the services you apply for and/or avail.
Collection of personal data
Depending on your activities on and/or in connection with Al Salam’s websites, mobile
application, products and/or services we may be required to collect, process, store, and/or use
your personal data. The following are the categories of personal data we may collect about
you and subsequently use, process, share and/or transmit:
| Category of Personal Data | Description |
|---|---|
| Identity | First name, last name, username, date of birth, gender, national ID, passport copy, driving license, photographs |
| Financial | Bank account number, credit card number, name on account or credit card, beneficiary details |
| Contact | Email address, telephone/contact number, billing address, shipping address |
| Transactional | Details about payments to and from you and other details of products and services you have purchased/availed from us. |
| Technical | Internet Protocol (IP) address, browser details, cookies. Please see our cookie policy below for further details. |
| Profile | Your interests, preferences, feedback and survey responses, profile image, and any details you set out in your resume (such as your profile, qualifications etc.). |
| Usage | Information about how you use our website, mobile application, products and services and information on what you view, click on, access by way of our emails, text messages, website and mobile application. |
Marketing and Communications data
We may ask you to leave a review or take a survey to provide you with a better quality of
services. We may also collect your personal data for the purpose of responding to your queries
and comments, social media posts and/or questions/queries. You may opt-out/unsubscribe from
receiving marketing and/or promotional communications from Al Salam at any time by informing us
in writing.
Please note that any personal data provided by way of social media posts or comments (e.g. Al
Salam Bank’s Facebook page) will be governed by the terms and conditions of the relevant social
media platform (e.g. Facebook, Twitter and LinkedIn) and therefore such personal data shall not
be under our control. As a result of this, these posts and the personal data contained therein
could be made public, therefore we cannot be held responsible for the sharing of this personal
data. Prior to posting any information on these platforms, we recommend that you review the
terms, conditions and policies of these platforms.
Aggregated Data (sometimes referred to as pseudonymised data)
We also collect, use and share aggregated data (sometimes referred to as pseudonymized data) such
as statistical or demographic data for any purpose. Aggregated data may be derived from your
personal data but is not considered personal data under the Law as this data does not directly
or indirectly reveal your identity. For example, we may aggregate your usage data to calculate
the percentage of users accessing a specific website feature. However, if we combine or connect
aggregated data with your personal data so that it can directly or indirectly identify you, we
will treat the combined data as personal data which will be used in accordance with this Policy.
We shall not be held liable for disclosure of any pseudonymized client information and/or
statistical information in accordance with this Policy or the terms of any other agreement with
you.
Sensitive Personal Data
We do not collect, store or use the following sensitive personal data as defined in the PDPL
without your explicit consent, or in accordance with the provisions of the PDPL, unless required
in order to allow Al Salam to comply with the laws that Al Salam is subject to and/or the
Central Bank of Bahrain’s rules, regulations and/or directives:
- information about your race or ethnicity, political or philosophical opinions, religious
beliefs or sexual orientation;
- information about your health, including any medical condition, health and sickness records,
medical records and health professional information;
- any criminal records or related information in relation to you; and
- biometric information about you, for example, fingerprints or retina scans.
When do we collect your personal data?
Personal Data Provided by you and direct interactions
Through direct interactions such as corresponding with us by phone, SMS, email, digital
means or otherwise, you may give us data in relation to your identity, contact, resume,
employment details or KYC related information. Below are a few examples of how we collect
your personal data:
- when you communicate with us via email and other methods of correspondence;
- when you wish to know more about our products and services;
- when you apply for our banking products and services;
- when you provide us with feedback on the products and services we offer to you;
- when you opt-in to receive marketing emails and promotional offers from us;
- when you wish to avail your data subject rights;
- when you want to perform transactions;
- when you interact with us on our website, mobile applications and social media; and/or
- when you wish to be employed at our bank.
Information we collect via automated means:
Log Information
This is data collected from your usage of our digital platforms such as your IP address, access
date and time, hardware and software information, device information, device event information,
unique identifiers, crash data, and the pages you have viewed or engaged with before or after
using our platform.
Cookies
We may use cookies or similar technologies on our website and mobile applications. Cookies are
text files that hold small amounts of information, which your computer or mobile device stores
when you visit a website or use a mobile application. We use cookies for various purposes such
as enabling smooth navigation between pages in an easy and efficient manner, remembering your
preferences and improving your overall online experience. Please visit our Cookie Policy
below for further details.
Information we collect through third party or publicly available sources
We may receive personal data about you from third parties only when we have adequate assurances
that such data is processed fairly, lawfully and with an adequate level of security. For
example, we may obtain personal data related to you and your interests from publicly available
sources such as government registers/databases or advertising platforms and analytics providers
such as Facebook, Google etc. or if you connect with us using any of the social media platforms
like Facebook, Instagram, Twitter, Linkedin etc.
How and why do we use your personal data?
The PDPL sets out a number of requirements for the legitimate processing of your personal data;
these are often known as lawful bases for processing. These lawful bases are:
- Consent: processing personal data where you have given us written,
explicit, and clear consent to processing for a specific purpose issued based on your free
will or based on the free will of your guardian, executor or custodian.
- Contractual obligation: processing of personal data in order to implement a
contract to which you are a party or, upon your request, to conclude a contract;
- Legal requirement: processing of personal data to implement an obligation
prescribed by the Law or implementation of a court order from a competent Court or the
Public Prosecution;
- Protection of your vital interests: processing of personal data to save
your life; and
- Legitimate interests: processing personal data where we have a legitimate
interest to do so in order to run our business. We may use this basis where it does not
conflict with your rights and freedoms under the PDPL. See section “Your rights in
connection with personal data” for more information on your rights.
| Purpose/Activity | Type of data | Lawful Basis |
|---|---|---|
| Notifying you about changes to our terms or Policy; Responding to your queries and comments, social media posts and questions; Asking you to leave a review or take a survey; To make suggestions and recommendations to you about goods or services that may be of interest to you | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications, Aggregated | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data); Compliance-related purposes such as AML, KYC, fraud prevention, risk management and client onboarding; Assessing Credit-worthiness; Legal-related purposes such as aiding in establishing, exercising and defending the Bank’s legal rights | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To use data analytics gathered from our website to improve our website, products/services, marketing, client relationships and experiences | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To power our security measures and services in order to protect you and our business | Identity, Financial, Contact, Transaction, Technical, Profile, Usage, Marketing and Communications | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
| To process financial transactions on your behalf | Identity, Financial, Contact, Transaction, Technical, Profile, Usage | Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests |
Promotional offers from us
In the event you have explicitly consented to receive marketing and/or promotional communications
from us in relation to offers with regards to our various products and services, we
may use your identity, contact, technical, profile and usage data to decide on offers that might
be relevant or of interest to you.
You will receive marketing communications from us if you have requested information from us or
purchased/availed goods or services from us or if you provided us with your details when you
entered in a competition or registered for an event/promotion and have not withdrawn your
consent to receiving such information.
Third-party marketing
We shall obtain your explicit consent to share your personal data for any marketing activities
carried out by our third party service providers. In such case, we shall provide you with an
option to withdraw your consent from receiving such marketing promotions from our third party
service providers.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal data to make a
decision without human intervention. We are allowed to use automated decision-making in
the following circumstances without receiving your express written consent:
- where it is necessary to perform the contract with you;
- proceeding with our legitimate interests unless such is contrary to your fundamental
interests;
- take action at your request with a view to concluding a contract; and
- to protect your vital interests.
You will not be subject to decisions that will have a significant impact on you based solely on
automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we
will notify you in writing if this position changes.
Who do we share your personal data with?
We may have to share your personal data with third parties, including third-party service
providers and other entities in the group.
We will share your personal information with third parties where required by law or regulation,
where it is necessary to administer the relationship with you (i.e. for fraud prevention
purposes, credit reporting, verification and risk management or to carry out our contractual
obligations to you) or where we have another legitimate interest in doing so. "Third parties"
includes third-party service providers (including contractors and designated agents) and other
entities within our group and such activities of third-party service providers may include, but
shall not be limited to: registry, custody, administration, advisory, compliance and IT
services.
We require third parties to respect the security of your data and to treat it in accordance with
the law. All our third-party service providers are required to take appropriate security
measures to protect your personal information in line with our policies. We do not allow
our third-party service providers to use your personal data for their own purposes. We
only permit them to process your personal data for specified purposes and in accordance with our
instructions.
We may share your personal information with other third parties, including with respect to joint
product promotional campaigns. In this situation we will, so far as possible, share
anonymised data with the other parties. We may also need to share your personal
information with a regulator or to otherwise comply with the law.
International Transfers
We may transfer the personal information we collect about you outside of the Kingdom of Bahrain
in order to perform our contract with you. We anticipate that the transfer will be made to
countries that have been deemed to provide an adequate level of protection for personal data and
are whitelisted by the Authority.
If your personal information is to be transferred to countries not on the list, we will put in
place appropriate measures to ensure that your personal information is treated by those third
parties in a way that is consistent with and which respects the PDPL.
How long will we keep your personal data?
Data provided by you is retained as long as the purpose for which the data was collected
continues; data is then destroyed or anonymised unless its retention is required to satisfy
legal, regulatory or accounting requirements or to protect the Bank’s interests. We retain
personal data where we have a legitimate interest, performance of the contract, vital interest
of data subject or of another natural person, performance of a task carried out in the public
interest or in the exercise of official authority vested or for the purposes of satisfying any
legal, accounting, or other regulatory reporting requirements or with your consent.
To determine the appropriate retention period for personal data, we consider the amount, nature
and sensitivity of the personal data, the potential risk of harm from unauthorized use or
disclosure of your personal data, the purposes for which we process your personal data and
whether we can achieve those purposes through other means, and the applicable legal
requirements.
How we protect your personal data
The Bank maintains strict security standards and procedures with a view to preventing
unauthorised access to your data and pledges its intention to meet fully internationally
recognised standards of personal data privacy protection and to comply with the requirements of
all applicable data protection/privacy laws. The Bank will ensure compliance by its staff with
the strictest standards of security and confidentiality. However, it is your responsibility to
maintain the secrecy of your user identification and login details.
We have taken reasonable technical and organizational measures to protect the security and
confidentiality of the client information and its transmission and to prevent your personal
information from being accidentally lost, used or accessed in an unauthorised way, altered or
disclosed. You are required to follow the Bank’s relevant terms and conditions in conjunction
with the Policy while using this website and/or the mobile application. Sensitive data
such as passwords are encrypted in transit. Furthermore, we use controls such as robust
user access control and data encryption to guard your data at rest. In addition to
encryption, we use network security solutions such as firewalls and endpoint protection such as
antimalware solutions to secure the infrastructure used to transmit or store data. The
measures used are designed to provide a level of security appropriate to the risk of processing
and storing your personal data. When communicating with you, we ensure that we use appropriate
security measures and mechanisms to protect your personal data.
We limit access to personal information to only authorised employees. Employees who violate this
Policy shall be subject to disciplinary process as per the bylaws of the Bank. They will only
process your personal information on our instructions and they are subject to a duty of
confidentiality. Any employee who withdraws from the employment of the Bank will have to
undertake to abide by this Policy and keep all client information secure and confidential.
Third parties will only process your personal information on our instructions and where they have
agreed to treat the information confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify
you and any applicable regulator of a suspected breach where we are legally required to do so.
Knowing your data protection rights and duties
Duty to keep us informed
All personal data held by us about you should be accurate and up-to-date at all times. Therefore,
it is important that you notify us in the event that there are any changes to your personal data
that we hold through any of the applicable channels.
Rights under the law
Below are a few of the rights afforded to you under the PDPL which you may exercise under
certain circumstances:
- Right to Request Access to Personal Data: You have the right to
request access to your personal data along with information relating to the processing of
your personal data to ensure our compliance with the PDPL.
- Right to Object to the Processing of Personal Data: You have the right to object to the
processing of your personal data by us on grounds relevant to your specific situation.
- Right to Object to Processing that Causes Harm: You have the right to object to the
processing of your personal data where such processing results in damage, whether material,
moral and unjustified, to you or to others or where there are reasonable grounds to believe
that such damage could result from such processing, unless we have legitimate grounds for
processing your personal data.
- Right to be Informed: You have the right to be informed about the collection, use, storage and
disclosure of your personal data by us. We provide these details in this privacy policy.
- Right to request to be notified: You have the right to request to be notified when your
personal data is being processed, the purpose of processing your personal data, recipients
of the personal data, the source from which personal data was collected and methods used to
make decisions affecting your personal and direct interests as long as such request does not
compromise our intellectual property rights or trade secrets.
- Right to Object to Processing for Direct Marketing Purposes: You have the right to object to or
opt out of the usage of your personal data for direct marketing. Within ten (10) days
of exercising this right, we will stop contacting you for direct marketing purposes and cease
or partially cease the processing of your personal data, unless we have legitimate reasons
for rejecting your request.
- Right to object to decisions made based on automated processing: You have the right to
object to purely automated processing we use to evaluate you on your performance at work,
financial position, credit-worthiness, behaviour or trustworthiness and request us to use
alternate methods of processing that are not solely automated.
- Right to request rectification, blocking and erasure: You have the right to rectify or erase
your personal data if we are processing personal data which is inaccurate, outdated,
incomplete or in non-compliance with the PDPL. You have the right to block any further
processing of your data, where we may have processed inaccurate or incorrect data of yours
or if the processing of such data might not be in compliance with the PDPL, until we
rectify, erase or provide legal justification to continue processing.
- Right to withdraw consent: You have the right to withdraw your consent from certain specific
processing activities where we rely on consent as our lawful basis of processing.
- Right to Submit Complaints to the Authority: You have the right to submit a complaint
directly to the Authority if you have reason to believe that our practices are not in
compliance with the PDPL or that your personal data is being processed unlawfully. Please
visit the Authority’s website to obtain information on specific rules and procedures for
lodging complaints.
Time limit to respond
We will respond to all legitimate requests within the legally required time as defined in PDPL.
If you wish to exercise any of the rights set out above, please contact us at
privacy@alsalambank.com
We may need to request specific information from you to help us confirm your identity and ensure
your right to access the information (or to exercise any of your other rights). This is another
appropriate security measure to ensure that personal information is not disclosed to any person
who has no right to receive it.
Cookie Policy
This Cookie Policy (the “Cookie Policy”) is a part of our Policy and explains the different types
of cookies being used on our website “https://www.alsalambank.com/” (the “website”) along with
their purpose. Terms mentioned herein carry the same meaning as explained in our Policy.
What are Cookies?
Strictly Necessary Cookies
These are cookies that are essential for the proper functioning of the services you have
requested. Without them the products or services you have requested will not
function. This category of cookies cannot be disabled. These cookies may:
- Record your preference regarding our use of cookies
- Manage your secure session to our web services or app and protect you against online fraud
- Deliver interactive services and manage the site layout
Without these cookies we are unable to provide some products or services that you might
request. By using our website, you understand that cookies are used and acknowledge that
by continuing to use the site, you consent to their placement in your browser and devices. You
can set your browser to block or alert you about these cookies. However, please be advised that
this category of cookies cannot be disabled without impacting the availability of some products
or services.
Performance Cookies
These cookies are used by third-party analytics providers and allow us to record certain
information about you, such as the pages you visit on our website; how many times you visit our
website; and links you might click on. These cookies store anonymous information and
assign a randomly generated number to recognize unique visitors.
Third Party Cookies
We use third-party analytics cookies in our websites. Cookies set by the third-party partners and
service providers are called third-party cookies.
Analytics cookies allow us to analyze how you access and use our website in order to make our
services more useful and relevant to you.
These collect information about your use of our website and enable us to improve the way they
work. For example, analytics cookies show us which are the most frequently visited pages on our
website. They help us record how you interact with our website, such as how you navigate around
pages and from page to page, identifying improvements we can make to the client journey. They
also help identify any difficulties you have accessing our services, so we can fix any problems.
Additionally, these cookies allow us to see overall patterns of usage at an aggregated level.
We use analytics cookies from Google and YouTube to help us achieve this purpose. When you visit
our website and access any pages using services from Google and YouTube, these websites set the
cookies in your browser or device.
Please note that certain third parties may also use cookies, over which we have no control.
How do we use cookies?
We use analytics services from Google in our website to obtain the following aggregated analytics
information in line with our Policy. As a result, Google sets analytics cookies as a part of
their services that we avail to obtain the following aggregated analytics information.
- To generate statistical data on how the users use the website.
- To throttle request rate.
- To know the visitor’s device and behavior, in order to know the user across multiple devices.
- To receive information based on users’ geographical GPS location.
Managing cookies:
Most modern browsers are set to accept cookies by default but you can change your settings to
notify you when a cookie is being set or updated. You also have the choice to opt-out by making
settings in your browser to block cookies altogether. Please note that some parts of our website
may become inaccessible or not function properly.
Please consult your browser’s documentation to understand how to block cookies and prevent
websites from setting them in your browser. You can also delete the cookies that are already on
your computer and you can set most browsers to prevent them from being placed.
Policy Updates
The Bank reserves the right to amend this Policy at any time for any reason, including in
response to emerging legal, technical, contractual, regulatory or business developments and will
place any such amendments on the Bank’s website.
When we update this Policy, we will take appropriate measures to inform you, consistent with the
significance of the changes we make. We will obtain your consent to any privacy policy changes
if and when this is required by applicable laws.
You can see when this Policy was last updated by checking the “last updated” date displayed at
the top of this Policy.
This Policy is not intended to, nor does it, create any contractual rights whatsoever or any
other legal rights, nor does it create any obligations on the Bank in respect of any other party
or on behalf of any party.
If you have any questions about this Policy, please contact us at
privacy@alsalambank.com