Consumer Data Protection Policy
We, at Foodics, are committed to conducting our business in accordance with all applicable data protection laws and regulations in alignment with quality standards of ethical conduct.
This policy sets forth the expected behaviors of Foodics employees and Third Parties concerning the collection, use, retention, transfer, disclosure, destruction, and breach of any Consumer Data belonging to a Foodics Contact (i.e. the Data Subject).
This policy applies to all Processing of Consumer Data in an electronic form in a way that allows ready access to information about Foodics consumers. It has been designed to establish a worldwide baseline standard for the processing and protection of Consumer Data by all Foodics employees.
An individual who works part-time or full-time for Foodics under a contract of employment, whether oral or written, expressed or implied, and recognizes that rights and duties include temporary employees and independent contractors.
An external organization with which Foodics conducts business and is also authorized to, under the direct authority of Foodics, process Consumer Data of Foodics data subjects, employees, suppliers, service providers, contractors, etc.
Any information, including opinions and intentions, which relates to a business using Foodics’s products and services.
The data controller is the business, i.e. Foodics, which determines the purposes for which and how data is processed.
The identified or identifiable consumer to which the data refers.
It is any operation or set of operations performed on Consumer Data or sets of Consumer Data, whether or not by automated means, which include the collection, recording, organization, structuring, storage, adaptation or processing alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction of data.
The process of safeguarding Consumer Data from unauthorized or unlawful disclosure, access, alteration, processing, transfer, or destruction.
Any freely given, specified, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the Processing of Consumer Data.
Any form of automated processing of Consumer Data.
Consumer Data Breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, consumer data transmitted, stored or otherwise processed.
The process of converting information or data into code to prevent unauthorized access.
3.1 POLICY DISSEMINATION & ENFORCEMENT
- The Compliance Department, in coordination with each head of department, ensures that all Foodics employees who are responsible for the processing of consumer data are aware of and comply with the contents of this policy.
- Foodics ensures that all Third Parties engaged to Process Consumer Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this policy.
- Assurance of such compliance must be obtained from all Third Parties before granting them access to consumer data controlled by Foodics.
3.2 DATA PROTECTION BY DESIGN
To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before being resumed.
- Foodics must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Compliance Department, for all new and/or revised systems or processes it is responsible for.
- The subsequent findings of the DPIA must then be submitted to the Compliance Department for revision and approval. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Compliance Department to assess the impact of any new technology uses on the security of consumer data.
3.3 COMPLIANCE MONITORING
To confirm that an adequate level of compliance is being achieved by Foodics concerning these principles, the Compliance Department carries out an annual Data Protection Compliance Audit. As a minimum, it assesses:
- Compliance with Policy with respect to the protection of Consumer Data, including:
- Assigning Responsibilities
- Raising Awareness
- Training Employees
- The effectiveness of Data Protection related to operational practices, including:
- Data Subject Rights
- Consumer Data Transfers
- Consumer Data Incident Management
- Consumer Data Complaints Handling
- The level of understanding of Data Protection and Privacy policies;
- The accuracy of Data Protection and Privacy policies;
- The accuracy of Consumer Data being stored;
- The conformity to Data Processor activities;
- The adequacy of procedures for redressing poor compliance and Consumer Data Breaches;
- The Compliance Department, with IT team support and the Legal Department’s advice and consultation, and in cooperation with key business stakeholders of Foodics, will:
- Devise a plan with a schedule for resolving any identified deficiencies within a defined and reasonable time frame.
- Report any major deficiencies identified to the Foodics senior management which in turn will monitor those deficiencies.
Foodics has adopted the following principles to govern its collection, use, retention, transfer, disclosure, and destruction of Consumer Data:
Principle 1: Lawfulness, Fairness, and Transparency
Consumer Data shall be processed lawfully, fairly, and transparently with respect to the Data Subject; where:
- Foodics must inform the Data Subject which processing will occur (transparency);
- The Processing must match the description given to the Data Subject (fairness);
- It must be compatible with one of the purposes specified in the applicable Data Protection Regulation (lawfulness).
Principle 2: Purpose Limitation
Consumer Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes:
- Foodics must specify exactly what the Consumer Data collected will be used for.
- Foodics must limit the Processing of that Consumer Data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimization
- Consumer Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Foodics must not store any data beyond what is strictly required.
Principle 4: Accuracy
- Consumer Data shall be accurate and kept up-to-date.
- Foodics must have in place processes for identifying and addressing out-of-date, incorrect, and redundant consumer data.
Principle 5: Storage Limitation
Consumer data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary according to the purposes for which the Consumer Data is processed.
- Foodics must, wherever possible, store Consumer Data in a way that limits or prevents identification of the Data Subject.
Principle 6: Integrity & Confidentiality
Consumer Data shall be processed in a mode that ensures appropriate security of the Data, including:
- Protection against unauthorized or unlawful Processing.
- Protection against accidental loss, destruction, or damage.
Foodics ought to use appropriate technical and organizational measures to ensure that the integrity and confidentiality of Consumer Data is maintained at all times.
Principle 7: Accountability
The Compliance Department shall be responsible for, and be able to demonstrate compliance towards the guiding principles. This means that Foodics should demonstrate that the six Data Protection Principles outlined above are met for all Consumer Data for which it is responsible.
- Foodics is bound under the laws and regulations of SAMA to observe secrecy and confidentiality with regards to all information that is collected and stored.
- Foodics is permitted, in terms of the laws in SAMA, to disclose confidential information under certain circumstances, including where it is required to do so in terms of law or where ordered to do so by a court order (amongst others).
- Foodics, as a Data Controller, is responsible for ensuring compliance with Consumer Data Protection requirements outlined in this policy.
- Non-compliance may expose Foodics to complaints, regulatory action, fines, and/or reputational damage.
- To any of our professional advisers, including but not limited to financial, legal, management, and other advisers as might be engaged from time to time.
- To any of our group entities or affiliated entities.
- To any consultants, including market research entities, advertising agencies, etc.
- To any actual or potential assignee or transferee of Foodics rights against its consumer.
- To any person who may otherwise enter into contractual relations with Foodics in relation to the business relationship with the consumer.
- To any person to whom Foodics has outsourced any activities or services of the Foodics Product, including any material and/or non-material activities and/or services of Foodics diligence exercise
- Information can be disclosed when the information is required to be disclosed or is requested in the course of due diligence exercise.
- Information can be disclosed when the information is required in the normal course of business with institutions or other persons who are normally bound by similar obligations of secrecy.
6.1 LAWFULNESS OF PROCESSING
Foodics will only process data with the consent of consumers, and will undoubtedly perform contracts and comply with all the laws and regulations of our consumers’ location.
6.2 Processing Consumer Data
- Foodics stores and processes consumer data, including personal data in terms of the Data Protection Act, to the extent that this is necessary for the appropriate conduct of our business relations and conforms to the applicable statutory provisions.
- Foodics only records information which serves to fulfill its duties and does this solely within the scope of the service provided to consumers.
- In providing its services, Foodics collects, processes, and stores data relating to consumers that involves acquiring bank partners and other professionals.
6.3 Third Party Access to Consumer Information
- Foodics constantly strives to ensure that consumer information is kept safe and secure at all times.
- All staff and all third parties with permitted access observe and comply with these policies.
- We aim to keep consumer information up-to-date and in this regard, we may use third parties to process the information on our behalf.
- We will only disclose limited data to third parties if this is required for:
- Fulfilling any specific request that a consumer may make to Foodics.
- Foodics does not process or provide third parties with information regarding consumers’ financial transactions/accounts held with us unless we are required or permitted to do so by law, by court order, with your consent, or as otherwise set out in this policy.
- Whenever third parties process consumer information on Foodics request:
- Foodics binds them to keep such information in strict confidentiality.
- During the processing of information, consumer information shall at all times be kept protected by strict codes of secrecy and security to which Foodics, its staff, and third parties are subject, noting that the information will only be used in accordance with our instructions.
- Personal data about transaction settlement (SARIE) may be required to be disclosed to our acquiring bank partner in order to comply with SAMA financial settlement processing regulations.
6.4 Direct Marketing
- Foodics may use consumer contact details and process personal data to inform consumers of relevant opportunities, developments, events, promotions, and products that may be of interest to them.
- Foodics may carry out direct marketing in order to inform consumers, by mail, telephone, email, or other digital channels, about products and services provided by Foodics, its subsidiaries, affiliates, associates, agents, and carefully selected third parties. It may also utilize these means for research purposes.
- Foodics provides a provision to its consumers who do not wish to be contacted for marketing purposes, where consumers should inform accordingly by ticking the appropriate box in the personal/corporate profile form or relevant application form, or should otherwise inform Foodics by sending a written request to this effect (by sending it to firstname.lastname@example.org or by calling the helpline number).
- Foodics may require contract third party companies to carry out bulk mailing or marketing campaigns on Foodics’s behalf, in which case we would be required to provide them with consumer contact details excluding personal financial information.
- Such third party companies are required to comply with all provisions of law including data protection when using information included in Foodics’s communication means.
6.5 Consumer Rights
Consumers have rights under the data protection law concerning personal data.
6.5.1 Access to Personal Data
- This enables you to receive a copy of the personal data we hold during the merchant onboarding process.
- If consumers require this, you can write to email@example.com for the amendment, correction, or modification to existing data.
- This enables consumers to have any incomplete or inaccurate data Foodics holds about consumers corrected, though we may need to verify the accuracy of the new data the consumer provides us with. If you require this, then please reach out to us through firstname.lastname@example.org.
6.5.2 Request Restriction of Processing Consumer Personal Data:
- This enables consumers to request the suspension of the processing of personal data in the following scenarios:
- If consumers want to establish the data’s accuracy;
- Where use of the data is unlawful but consumers do not want us to erase it;
- Where consumers need to hold the data even to establish, exercise, or defend legal claims; or
- When consumers have objected to the use of their data but we need to verify whether we have overriding legitimate grounds to use it.
Please note that:
Any request pertaining to the restriction of the processing of consumer data means that Foodics may not be able to perform the contract it is trying to enter into with consumers, including the Foodics Services. In this case, Foodics may have to cancel consumers’ use of the Foodics Services but will notify consumers if this is the case at the time.
6.6 Internet Communications
In order to maintain the security of its systems, protect its staff, record transactions, and, in certain circumstances, prevent and detect crime or unauthorized activities, Foodics reserves the right to monitor all Internet communications including web and email traffic into and out of its domains.
6.7 PROFILING & AUTOMATED DECISION-MAKING
- Foodics will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorized by law and/or where consent is obtained from the Data Subject.
- Where Foodics utilizes Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects. In such cases, Data Subjects will be given the opportunity to:
- Express their point of view;
- Obtain an explanation for the automated decision;
- Review the logic used by the automated system;
- Supplement the automated system with additional data;
- Have a human review the automated decision;
- Contest the automated decision;
- Object to the automated decision-making being carried out.
- Foodics must also ensure that all Profiling and automated decision-making relating to a Data Subject is based on accurate data.
6.8 In-House Business Intelligence Tools
Foodics has built an in-house business intelligence strategy to:
- Control all employees’ authorization to confidential/sensitive information to prevent any unauthorized access.
- To have full data security and confidentiality and not share consumer data with any third party or organization.
- Ensure that before gaining access to the tool, employees will sign a non-disclosure agreement that all consumer data will be kept confidential and will not be revealed to unauthorized members/third-party organizations, and they will also agree not to share anything if they interact and use Foodics BI tool.
- Secure that only the senior management and C-level directors, heads of department, and the assigned concerned department employees have access to the tool.
- Guarantee that all authorized users will have a set of credentials for accessing the tool according to their needed requirements to protect consumer data.
When any of Foodics’s members need to have access to review necessary data:
- Submit a request to Helpdesk, include all the needed information, and provide the purpose for requesting access to data.
- The Helpdesk team, led by the CTO, will review and then approve the request.
- Approval will be sent to the member with a valid date of use according to the stated requirements.
- The employee will sign a non-disclosure agreement and then have access to the tool.
- The time frame given for the authorization is limited.
7.1 DATA SUBJECT CONSENT
- Foodics will obtain Data only by lawful and fair means and where appropriate with the knowledge and Consent of the consumer concerned. When a need exists to request and receive the Consent of a consumer before the collection, use, or disclosure of his/her Data, Foodics is committed to seeking such Consent.
- The Compliance Department has established a system for obtaining and documenting Data Subject Consent for the collection, processing, and/or transfer of consumer data. The system includes provisions for:
- Determining what disclosures should be made to obtain valid Consent
- Ensuring the request for Consent is presented in a manner which is distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
- Ensuring the Consent is freely given; i.e. is not based on a contract that is conditional to the Processing of Personal Data that is unnecessary for the conclusion of that contract.
- Documenting the date, method, and content of the disclosures made, as well as the validity, scope, and volition of the Consent given.
- Providing a simple method for a Data Subject to withdraw his/her Consent at any time.
7.2 DATA SUBJECT NOTIFICATION
- Foodics will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of Data.
- When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following applies:
- The Data Subject has already been informed of the process.
- A legal exemption applies to the requirements for disclosure and/or Consent.
- The disclosures may be given orally, electronically, or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Compliance Department. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.
7.3 EXTERNAL PRIVACY NOTICES
- All must be approved by the senior management supported by the Compliance Department prior to publication on any Foodics external website.
7.4 DATA QUALITY
- Foodics will adopt all necessary measures to ensure that the data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.
- The measures adopted by Foodics to ensure data quality include:
- Correcting Consumer Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading, or outdated, even if the Data Subject does not request rectification.
- Retaining Consumer Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period.
- Removing Consumer Data if in violation of any of the Data Protection principles or if the Consumer Data is no longer required.
- Restricting, rather than deleting Consumer Data, insofar as:
- A law prohibits erasure;
- Erasure would impair the legitimate interests of the Data Subject.
- The Data Subjects dispute that their Consumer Data is correct and it cannot be ascertained whether their information is correct or incorrect.
- Consumers who suspect that their data has been subjected to theft or exposure must immediately notify the Data Controller and describe the incident.
- Notification of the incident can be directed in the first instance to the Compliance Department.
- The Data Controller and Compliance Department will investigate all reported incidents to confirm whether or not the Consumer Data Breach has occurred.
- If the Consumer Data Breach is confirmed, the Data Controller with support from the Compliance Department will follow the relevant authorized procedure based on the criticality and quantity of Consumer Data involved.
- For severe Consumer Data Breaches, Foodics’s Legal and Compliance Departments coordinate, manage, and respond to the Consumer Data Breach.
Your responsibility as a Foodics consumer for data protection is as follows:
- Be Honest with the information you provide:
Always provide full and accurate information to Foodics employees when processing your requested inquiries.
- Submit your documents using your official email address:
When submitting any documents for processing your inquiries:
- Email them using the official email address you have provided the team with.
- Never disclose any confidential documents using communication channels like WhatsApp or any social media platform.
- If you receive any financial disclosures or legal documents from unofficial communication channels from our team, forward them to email@example.com in order to protect your confidential/sensitive documents and avoid any related occurrences.
- Contact us when you encounter any ambiguous information/guidance:
You have the right to ask questions for clarification if you receive any unclear guidelines for processing your inquiries. Our team will provide you with support in a professional manner.
- Request products and services that meet your needs:
- When requesting a product or service, make sure it suits your needs.
- You must disclose all financial obligations to ensure that the decision is made based on your ability to meet any additional obligations after contracting for services.
- Use the product or service in alignment with our terms and conditions:
Use our products and services in accordance with the terms and conditions provided.
- Only disclose your account information and confidential documents to authorized employees responsible for processing your data:
Don’t reveal your sensitive/confidential information to unauthorized personnel who do not contribute to your inquiry process. All information transactions should be conducted through the official email address you provided on the date you started using our services.
- Always update your details in the dashboard:
To remain informed of the latest updates of your POS system, always update your personal details, especially your email address and mobile number.
- Power of Attorney:
When assigning your representative as a business owner, know what information you’re providing others access to and whom you’re giving power to over your transactions. By submitting a form with your signature, the business owner that you have assigned as a representative on your behalf from the Customer Happiness Department will possess such authorizations.
- Review before you submit or sign any processing documents:
Review all of your documents before you sign and submit them to any of our employees. Your signature indicates your approval of and agreement to the document’s content.
- Keep copies of your documents:
- Keep all documents that you sign and approve of in a safe and secure manner to prevent any unauthorized personnel from exposing your confidential information.
- Sharing financial or legal documents for the purpose of transactions between Foodics and yourself as a consumer to any external individuals/organizations is prohibited per our laws and regulations.
This policy shall be available to all Foodics Consumers and Employees as deemed appropriate by the Data Controller.
10.1 EFFECTIVE DATE
This policy is effective as of September 2020.
The Data Controller with the advice of the Compliance and Legal Department is responsible for the maintenance and accuracy of this policy. Notice of significant revisions shall be provided to Foodics Employees through the People Operations Department. Changes to this policy will come into force when published.
- This policy is revised by the Compliance Department and approved by our CEO, and when any amendments are performed, consumers will be informed in advance.