Privacy Statement

Effective Date: January 2023

Alshaya Group (hereafter referred to as “we" or “our” or "us" or “Alshaya” or “organization”) are firmly committed to protecting your privacy.

This Privacy Notice has been created to demonstrate our company’s commitment to keep personal data private and secure. This Privacy Notice explains who we are, how we collect, share, and use personal data about you, and how you can exercise your data privacy rights or communicate to us for redressal of your data privacy-related queries or concerns.

This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below.

IMPORTANT INFORMATION AND WHO WE ARE PURPOSE OF THIS PRIVACY NOTICE

This Privacy Notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from), including any data you provide through this website when you sign up to our newsletter, take part in a survey, download any Alshaya publication, take part in a competition, or use any of our mobile applications. However, if you are submitting information through our recruitment solution linked to this website, please see our separate Job Applicant Privacy Notice here.

It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

This website is not intended for children, and we do not knowingly collect data relating to children.

DATA CONTROLLER

M.H. Alshaya Co. W.L.L. a Kuwaiti Company that acts as parent company of other legal entities under Alshaya (hereinafter “Alshaya Group”). This Privacy Notice is issued on behalf of the Alshaya Group so when we mention “Alshaya”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the Alshaya Group responsible for processing your data.
In this Privacy Notice “You” or “Your” refers to data subject (customers, employees, website visitors or contingent workers) whose personal data is processed by us.
M.H. Alshaya Co. W.L.L. is the data controller and responsible for this website. Alshaya's Data Protection Officer is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the Data Protection Officer using the details set out below.

CONTACT DETAILS

Our full details are:
Full name of legal entity: M.H. Alshaya Co. W.L.L. (trading as Alshaya).
Postal address: Burj Alshaya, Al Soor Street, Al Mirgab, PO Box 181, Safat 13002, State of Kuwait.
Phone: +965 2224 2000.
Data Protection Officer: Vicente Pomares Arias.
Email address: dpo@alshaya.com

THIRD-PARTY LINKS

This website include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices/statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

THE PERSONAL DATA WE COLLECT ABOUT YOU

Personal Data, or personal information, means any information about an individual from which that person can be identified (defined under JOB Applicant Notice). It does not include data where the identity has been removed (anonymous data). We collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth. Contact Data includes address, email address, telephone number and company details (including your company (or employer’s) name, position or title, company size, type of business/vertical and/or turnover).

Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website

Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

Usage Data includes information about how you use our website, products and services.

Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data is derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

We do not collect any Special Categories of Personal Data about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about you. We do collect information about your health, biometric data, criminal convictions and offences.

We use different methods to collect data from and about you including through:

DIRECT INTERACTIONS

You normally give us your identity, contact, resume by filling in forms or by corresponding with us by phone, and email or otherwise. This includes sharing of personal data for the following purpose:

a) Records of your interactions with us such as emails and other correspondence and your instructions to us.
b) Providing your feedback.
c) By filling in forms.
d) By sharing your personal data such as resume for recruitment purpose.
e) By interacting with us on social media platforms such as Facebook, Twitter, and LinkedIn etc.

AUTOMATED TECHNOLOGIES OR INTERACTIONS

Log Files. Log information is data about your use of the Service, such as IP (Internet Protocol) address, browser type, referring/exit pages, operating system, date/time stamps, and related data, which is stored in log files.

Cookies. A cookie is a small data file transferred to your computer (or other device) when it is used to access our service. Cookies are used for many purposes, including to enable certain features of our service and remember your preferences, your equipment, browsing actions and patterns, to better understand how you interact with our service, to provide you advertising on and off the service, and to monitor usage by visitors and online traffic routing. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the online services you visit.

For more information about cookies and how we use them, please read our Cookie Notice

We receive personal data about you from various third parties as set out below:

HOW WE USE YOUR PERSONAL DATA

We will only use your personal data in the following circumstances:

Consent

When you give us your consent, for example, to access your contacts on your phone or allow us to have access to your location. You have the right to withdraw your consent at any time. To withdraw your consent just go to the Privacy Settings in our mobile application or Android or iOS Mobile app settings or contact us at dpo@alshaya.com

Performance of a Contract

When we need to execute a contract with you to which you are a party or to take steps at your request before entering such a contract by accepting applicable terms and conditions or specific related terms relating to other services offered by us.

Where we need to collect Personal Data under the terms of a contract we have with you, and you fail to provide that data when requested, we will not be able to perform our services under the contract we have or are trying to enter into with you (for example, to provide you with any of our services). In this case, we will have to cancel a service you have with us but we will notify you if this is the case at the time.

When we need to collect Personal Data by law. If you fail to provide that data when requested, we will not be able to perform our services under the contract with you (for example, to provide you with any of our products or services). In this case, we will have to cancel a product or service you have with us and we will notify you at that time.

Legitimate Interest means the broader stake that Alshaya has in the processing or the benefit that we derive from the processing of your Personal Data.

Where we rely on legitimate interests, we make sure that we consider and balance any potential impact on you and your rights before we process your Personal Data for our legitimate interests.

Additionally, we also process certain special categories of data such as criminal convictions and biometric data where we are lawfully permitted to do so and only for limited purposes such as fraud or loss prevention and for security purposes in our stores and premises. Apart from this, we do not collect any of the following Special Categories of Personal Data about you that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, or genetic data.

We rely on consent as a legal basis for processing your personal data in relation to sending third party direct marketing communications for the purpose of targeting advertising campaigns via email and or SMS. You have the right to withdraw consent to marketing at any time by contacting us in our Contact Details section.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we can process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground, we are relying on to process your personal data where more than one ground has been set out in the table above.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes). If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the Data Protection Officer using the contact details provided in this Privacy Notice.

Aura is the Alshaya loyalty program ("Program") accessible via the Aura mobile application and / or Aura card and website.

This Program is purposed to promote and increase our retail business lines sales; support continuing engagement by incentivizing customers to increase the frequency of their visits across Alshaya’s retail brands portfolio and ultimately, expand the customer database that will be the basis for personalized marketing activities. Any resident or national of a country in which Alshaya operates the Program can join it free of charge by downloading the Aura application and completing enrolment or via www.aura-mena.com. The below information we collect is provided when you use our application, such as when you create an account, join this loyalty program; or submit online forms through our websites or mobile applications.

i. User’s First and last Name;
ii. Phone number;
iii. E-mail;
iv. Currency;
v. Country;
vi. User’s language preference
vii. Title
viii. Password

The above personal data is strictly needed for our App functionality which in case of not being accepted by agreeing with these terms, Alshaya shall not be able to provide you the application. Use of Aura entails information collection in accordance with the above provisions and includes ways for you (the “User”) to control Application functionality, such as location services, setting push notification and in-app message preferences based in your revocable consent. As described further below, certain optional information based on your choice is also shared with through the Application, including:

i. your Date of Birth;
ii. Gender;
iii. Nationality.
iv. Advanced analytics information such as location data, diagnostic and usage data, and user interactions and v. location-based information, such as through GPS, Bluetooth-enabled iBeacons, or other location-based technology to enhance the user experience so that you can order ahead, receive directions, and see what is available at nearby stores.

We are committed to providing you with choices regarding certain Personal Data uses, particularly around marketing and advertising. We will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to receive 3rd party marketing communications at any time by Contacting us.

We will use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you want or need, or what can be of interest to you. This is how we decide which products, services and offers are relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased goods or services through any of the sites operated by Alshaya or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data processed by us because of a product/service purchase, product/service experience or other transactions until you decided to opt-out.

We will share your personal data with the parties set out below for the purposes set out in the table above.

This disclosure to companies in the Alshaya Group who are based inside the Middle East, North Africa and Turkey (“MENAT”) are required for us

a) to provide you access to our services and products offered to you,
b) to comply with our legal obligations,
c) to enforce our user agreement,
d) to facilitate our marketing and advertising activities, or
e) to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to our services.

We and our affiliates will share some or all your personal data with another business entity should we plan to merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business. Should such a transaction occur, that other business entity (or the new combined entity) will be required to follow this Privacy Notice with respect to your personal data. Additionally, we ensure your personal data is protected by requiring all our group companies to follow the same rules when processing your personal data.

Disclosures to other companies based in the MENAT, outside the MENAT, the European Economic Area (“EEA”) and outside the EEA.
a) Service providers acting as processors who provide IT, system administration services, marketing services and/or communication services.
b) Professional advisers including lawyers, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services.
c) Revenue, regulators and other authorities who require reporting of processing activities in certain circumstances.
d) We will disclose personal and sensitive personal data to government agencies or other authorized law enforcement agencies.
e) If required to do so by law or in good faith that such disclosure is reasonably necessary to respond to subpoenas, court orders, or other legal process.

This “Categories of Data Providers” table provides information on the type of third-party recipient (i.e. by reference to the activities it carries out), the industry and the location of the recipients.
In order to prevent any misuse of your personal data by franchisors and third-party vendors, we sign Data Processing Agreement ensuring that they do not use your personal data other than the purposes for which it was shared. Some of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are implemented.
For more information about specific transfer mechanisms, including information on existing third-party vendors, partners and safeguards implemented by Alshaya, please be referred to our “Contact Details” section.

We share your personal data within Alshaya Group. This will involve transferring your data outside the jurisdiction where we obtained your personal data.

We ensure your personal data is protected by requiring all our group companies to follow the same rules when processing your personal data. These rules are called “binding corporate rules”. Some of our external third parties are based outside the country where we obtained your personal data so their processing of your personal data will involve a transfer of data outside that country. Whenever we transfer your personal data out of that territory, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

Where we use certain service providers, we may use specific contracts approved by the Supervisory Authorities which give personal data the same protection it has in your country of origin.

Please Contact us if you want further information on the specific mechanism used by us when transferring your personal data out of your country.

AUTOMATED DECISION- MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

SECURITY

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We have taken precautions to ensure the security of your data. The Personal Data you have entered on HTML pages (contact forms) and that is stored by us, shall be transmitted to Alshaya in encrypted form (TLS - Transport Layer Security) via the public data network, and stored and processed at Alshaya under the following standards.

• Server to server: TLSv1.2, HTTPS, SODBC, JDBC over TLS, LDAP over TLS, WS-Security, XML Encryption, JSSE.
• Desktop to application: TLSv1.2, SSHv2.
• File Transfer: SFTP, FTPS, SSHv2, IPsec, SCP.
• Email: S/MIME, PGP, Iron Port, TLSv1.2.

In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties strictly needed under the provisions made within a service agreement signed with them. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality and a duty to comply with data protection procedures.

We have put in place procedures to deal with any suspected or actual Personal Data breach. We will notify you and any applicable authority of a Personal Data breach where we are legally required to do so.

DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our Retention Schedule.

YOUR RIGHTS

Under certain circumstances, You have the right to:

Request Access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request Correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we need to verify the accuracy of the new data you provide to us.

Request Erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we are not always able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to Processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we will demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request Restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the Transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw Consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent as a result of the acceptance of the terms of the services, we have offered to you, we will not be able to provide those services to you. We will advise you if this is the case at the time you withdraw your consent.

Without prejudice to any other administrative or judicial remedy, you have the Right to Lodge a Complaint if you contend that there has been a breach of your rights in the state of your habitual residence, place of work, or place of an alleged infringement of the data protection regulation with the correspondent supervisory authority described here Prior to that, we would appreciate the opportunity to first address your concerns and would welcome you directing an inquiry first to us at our email address seen in “Contact Us” section.

These rights can be exercised by writing to us at dpo@alshaya.com

WHAT WE MIGHT NEED FROM YOU TO RESPOND

We will need to request specific information from you – if needed - to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We will also contact you to ask you for further information in relation to your request to speed up our response.

TIMELIMIT TO RESPOND

We try to respond to all legitimate data subject requests basis the timelines specified here in the applicable data privacy regulations. Occasionally, it can take us longer if your request is particularly complex or you have made several requests. In this case, we shall notify you and keep you updated. The country specific timelines for responding to data subject request is as under.

We do not intend for our websites, Alshaya applications or online services to be used by anyone under the age of 13 however, we cannot prevent certain users, including children, from fraudulently representing their age in order to gain access to the Site or an App. If you are a parent or guardian and believe we have collected information about your child, please contact us immediately as described in the “Contact Us" section of this Privacy Notice.

Applicable Laws – It refers to the applicable relevant country laws and any other instruments having the force of law as they are issued and enforced from time to time.

Children – Any natural person who has not attained certain specified age (of majority) as per applicable laws and regulations.

Contingent workers – Any non-permanent workers including agents, consultants, independent contractors, sub-contractors, temporary workers, professional advisors, interns, and those affiliated with third parties.

Data Controller or Controlling Entity – Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.

Data Processing Agreement – It is a legally binding document entered into between controller and processor/ third party vendors in writing or in electronic form.

Data Processor or Processing Entity – Any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Data Protection Authority or Competent Authority – means an independent public authority which is established by applicable law.

Data Protection Officer – refers to an individual appointed by Alshaya for managing organizational data protection and overseeing compliance with applicable data privacy regulation.

Data Subject or Personal Data Owner or Natural Person – An identified or identifiable living individual natural person.

Personal Data – Any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject.

Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Special Category of Personal Data or Sensitive Personal Data – Data that reveals your racial or ethnic origin, religious, political, or philosophical beliefs or trade union membership, genetic data, biometric data for the purposes of unique identification or data concerning your health / sex life.

We will update the Privacy Notice from time to time in response to emerging legal, technical, contractual, regulatory, or business developments. When we update our Privacy Notice, we shall take appropriate measures to inform you, consistent with the significance of the changes we make.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the beginning of this Privacy Notice.

By using our websites/apps where this Privacy Notice is visible, you signify your acknowledgement and acceptance of this statement, and you are encouraged to contact us at dpo@alshaya.com if you have any questions about it.