Data Privacy Policy

The Policy


Opexor is dedicated to safeguarding the Personal Data we handle and collaborates closely with our clients and Third-Party Suppliers to address the dynamic and evolving data protection regulatory landscapes across our global operations, including the GCC countries, India, Canada, and the USA.

This Data Privacy Policy details our privacy principles, standards, and practices, outlining how we protect all Personal Data as part of our operations, whether we Process Personal Data for our own purposes or for the needs of our clients.

Capitalized terms are defined in Appendix 1 hereto.

Principles

As a global IT and business consulting services organization, Opexor is committed to maintaining levels of protection of Personal Data aligned to best practices, the Applicable Data Protection Legislation relevant to each jurisdiction, and Opexor’s contractual obligations.


Opexor collects and/or uses Personal Data for its own needs.


Opexor may also handle Personal Data on behalf of and upon instructions of a client, including implementing the technical and organizational measures required to prevent accidental or unlawful destruction, loss, alteration, disclosure or access to the Personal Data. Any commitment regarding these responsibilities and measures must be expressly reflected in any agreements entered between Opexor and our clients.


Opexor’s value proposition includes robust data protection and proactive data risk exposure prevention. Opexor guides and assists its clients on how to manage and protect their Personal Data to meet compliance requirements. Upon a client’s instructions, Opexor will implement effective security measures to safeguard the Personal Data and avert data breaches.

Scope and Compliance

This Data Privacy Policy forms an integral part of the Opexor Management Foundation and is binding on all Opexor Legal Entities and employees (“Opexor Professionals”) regardless of their location, as well as Third-Party Suppliers engaged by Opexor. To the extent permitted by law and relevant jurisdiction, any violation of this Data Privacy Policy may result in administrative and/or disciplinary action by Opexor (including monetary penalties, suspension, or termination).

Opexor Professionals acknowledge these requirements and annually confirm acceptance of this Data Privacy Policy as part of their commitment to the Code of Ethics. In addition to this Data Privacy Policy, Opexor Professionals must also comply with other applicable confidentiality and privacy obligations, including those set out in Applicable Data Protection Legislation, their employment agreements, Opexor’s Management Foundation and/or client instructions.

Any Third-Party Supplier that Processes Personal Data on Opexor’s behalf is required to implement appropriate technical and organizational measures to ensure compliance with the principles and requirements of this Data Privacy Policy and the specific data protection requirements of the relevant jurisdictions (e.g., GDPR, CCPA, PIPEDA, DPDP, Saudi Arabia's PDPL, UAE's Federal Decree-Law No. 45/2021). When Opexor Processes Personal Data on behalf of a client, any contractual commitments or other obligations of Opexor towards its client need to be passed down to all engaged Third-Party Suppliers. Any commitment or obligation must be expressly reflected in agreements entered between Opexor and Third-Party Suppliers.

Which Personal Data categories does Opexor Process as part of its operations?


Subject to Applicable Data Protection Legislation in each operating region, Opexor and any Third-Party Supplier may Process the following non-exhaustive list of Personal Data categories: 

  • Demographics & Personal Information (e.g., age, gender, physical traits, date of birth, home address, marital status, family details, cultural preferences, interests, memberships)
  • Technical & Usage Data (e.g., IP address, device identifiers, browser fingerprint, logs, website activity, tracking data)
  • Economic & Financial Data (e.g., bank account number, financial health, shares, tax status, salary, financial transactions, payment card details)
  • Sensitive Personal Data / Special Categories of Personal Data (e.g., social security number/national identification numbers, biometrics, health information, religious beliefs, ethnic origin, trade union membership, sexual orientation, genetic data)
  • Identity & Contact Information (e.g., name, email address, telephone number, physical address, photo, nationality, government-issued ID and passport numbers)
  • Professional Life & Business Information (e.g., employer, department, job title, employment history, performance reviews, interview notes, educational degrees and certifications, billing details, delivery address)


These categories of Personal Data relate to the following non-exhaustive list of individuals:

  • Employment candidates, contractors, trainees, and students,
  • Opexor Professionals and former employees, and their relatives,
  • Clients’ employees and former employees, and their relatives,
  • Clients’ patients, customers, citizens, or beneficiaries,
  • Prospective clients’ employees and customers,
  • Visitors of Opexor websites and digital platforms,
  • Shareholders,
  • Third-Party Suppliers’ employees and freelancers.

How does Opexor protect Personal Data Processed for its own needs?

Opexor is responsible for protecting any Personal Data handled as part of its operations.

As a result, Opexor Professionals comply with the following core principles:

  1. Transparency, Fairness and Lawfulness: Personal Data is Processed lawfully, fairly, and in a transparent manner in relation to the individual, in accordance with the requirements of this Data Privacy Policy and relevant Applicable Data Protection Legislation. Opexor provides detailed data Processing information to relevant individuals, in an easily understandable and accessible format, through privacy information notices.
  2. Purpose Limitation: Any Processing of Personal Data is preceded by the identification of the specific purpose for such Processing, which must be explicit, legitimate, and clearly communicated to the individual, and in line with what would reasonably be expected by an individual in the context of the relationship with Opexor.
  3. Data Minimization: Personal Data is only collected and used to the extent required to accomplish the explicitly stated purpose for which it is Processed. Personal Data must be adequate, relevant, and limited to what is strictly necessary in relation to such purpose.
  4. Accuracy: Collected Personal Data must remain accurate and up to date. Reasonable steps must be taken to ensure that any inaccurate Personal Data is erased or rectified without undue delay, including through self-service options for individuals where feasible. Adequate means must be provided to individuals to inform Opexor of any change to their Personal Data.
  5. Storage Limitation: Personal Data must not be kept for longer than strictly necessary to achieve the purpose for which it is collected, or as required by Applicable Data Protection Legislation. Consequently, Opexor must determine the required data retention period in accordance with the Opexor Records Retention Schedule and Applicable Data Protection Legislation.
  6. Integrity and Confidentiality: Appropriate technical and organizational measures, as prescribed in Opexor’s Enterprise Security Management Framework (ESMF) and aligned with industry best practices, must be implemented to guard against unlawful access to and/or Processing of Personal Data, including unauthorized alteration, disclosure, or destruction.


On which legal basis does Opexor Process Personal Data for its own needs?

Most commonly, Opexor may Process Personal Data in the following circumstances, recognizing varying legal bases across jurisdictions:

  • When Opexor needs to comply with a legal obligation (e.g., regulatory requirements, anti-money laundering laws, tax laws).
  • When it is necessary for the performance of a contract with an individual or to take steps at the individual's request prior to entering into a contract (e.g., employment contracts, service agreements).
  • When Opexor has a legitimate interest in doing so as part of its operations, provided such interests are not overridden by the fundamental rights and freedoms of the individual (e.g., for internal administrative purposes, security, fraud prevention, service improvement, direct marketing where permitted by law).
  • On some occasions, it may be necessary for Opexor to Process Personal Data to protect the vital interests of individuals (e.g., in medical emergencies), or Opexor may Process Personal Data with the prior, freely given, specific, informed, and unambiguous consent of the individuals.


Sensitive Personal Data / Special Categories of Personal Data Processed for Opexor’s own needs

Opexor will not Process Sensitive Personal Data / Special Categories of Personal Data unless one of the following conditions is met and permissible under Applicable Data Protection Legislation:

  • The individual has given their prior, explicit consent,
  • The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Opexor or of the individual in the field of employment, social security, and social protection law,
  • If the individual is not able to give their consent (e.g., for medical reasons), the Processing is necessary to protect the vital interests of the individual or another person,
  • The Processing is required in the context of preventive medicine, medical diagnosis, or the provision of health or social care or treatment by a health professional under Local Legislation,
  • The individual has already manifestly placed the relevant Sensitive Personal Data / Special Categories of Personal Data in the public domain,
  • The Processing is essential for the purpose of establishing, exercising, or defending legal claims, unless the individual has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed, or
  • The Processing is explicitly permitted or required by Local Legislation (e.g., for public interest reasons, substantial public interest).


How does Opexor protect clients’ Personal Data?

When Opexor Processes clients’ Personal Data, Opexor ensures that Personal Data is Processed solely for the client’s expressed purposes, and according to the client’s written instructions, including in respect of duration, set out in the terms and conditions agreed between Opexor and the client.


The client remains solely responsible for ensuring that there is a valid legal basis for the Processing performed by Opexor and that the instructions given to Opexor in respect of the Processing comply with Applicable Data Protection Legislation, including the retention period to be applied. Nonetheless, Opexor will promptly inform the client if, in its opinion, any such instructions contravene Applicable Data Protection Legislation.


Unless otherwise instructed by the client, Opexor will apply (as a minimum) Opexor’s security baseline as prescribed in Opexor’s Enterprise Security Policy (ESP). Any deviation from this baseline requires relevant risk reviews and the approval of Opexor’s Privacy and Security teams in accordance with Opexor’s Management Foundation.


Opexor will, subject to financial, technical, and organizational conditions agreed in writing, provide reasonable assistance to the client to support it in undertaking its obligations under Applicable Data Protection Legislation, including assisting with data subject requests and security breach notifications.


Privacy by Design and Privacy by Default

To ensure that the principles defined in this Data Privacy Policy are effectively considered when Opexor Processes Personal Data, Opexor will identify and address data protection constraints at the beginning of any new internal project or client opportunity. This ensures that the principles contained herein are reflected in the design of the project and appropriately implemented from the outset. Opexor has therefore implemented Data Privacy and Security review processes, as well as a Privacy by Design Code of Practice and several frameworks (e.g., Responsible Use of Data, Responsible Use of Artificial Intelligence, and Responsible Use of Cloud Technology) applicable to all Opexor internal projects and client opportunities involving the Processing of Personal Data. These frameworks assist each relevant Opexor Professional in analyzing and addressing data privacy risks.


As per Applicable Data Protection Legislation, Opexor will carry out a data privacy impact assessment (DPIA) or similar risk assessment for all Opexor internal projects where the Personal Data Processing activity is likely to result in a high risk to the rights and freedoms of individuals and determine any corrective measures to be implemented to ensure risks are mitigated.


The Opexor Privacy organization reviews and approves the Privacy aspects of proposals and/or services developed for clients, as well as of any Opexor Intellectual Property or new internal project, as defined in the Opexor Management Foundation. The Opexor Professional responsible for the solution, service and/or project retains evidence of compliance with Opexor Privacy organization approval requirements.


What are the rights of individuals and how can they be exercised?

The rights individuals have over their Personal Data vary significantly from one country to another. Opexor is committed to acting in strict accordance with the Applicable Data Protection Legislation relevant to each jurisdiction in which we operate.


Depending on the specific jurisdiction (e.g., GDPR in EU/EEA, CCPA/CPRA in California, PIPEDA/provincial laws in Canada, DPDP in India, various sector-specific laws in the USA, Saudi Arabia's Personal Data Protection Law (PDPL), and the UAE's Federal Decree-Law No. 45/2021 on Personal Data Protection), Applicable Data Protection Legislation may provide individuals with a range of rights, including but not limited to the following:


  • Right of Access: Individuals have the right to obtain confirmation as to whether or not Personal Data concerning them is being Processed, and, where that is the case, access to the Personal Data and information regarding its Processing.
  • Right to Rectification: Individuals can request the correction of inaccurate or incomplete Personal Data concerning them without undue delay.
  • Right to Erasure (Right to be Forgotten): Individuals may have the right to request the deletion of their Personal Data under certain circumstances, for instance, when the data is no longer necessary for the purposes for which it was collected, or when consent is withdrawn.
  • Right to Withdraw Consent or Object to Processing: Where Processing is based on consent, individuals have the right to withdraw their consent at any time. They may also object to the Processing of their Personal Data on legitimate grounds, unless such Processing is imposed by law, necessary for the performance of a contract, or for a compelling legitimate purpose that overrides their interests.
  • Right to Restriction of Processing: Individuals may request the restriction of the Processing of their Personal Data where the accuracy of the Personal Data is contested, the Processing is unlawful, or Opexor no longer needs the Personal Data for the purposes of the Processing but it is required by the individual for the establishment, exercise, or defense of legal claims.
  • Right to Data Portability: Where technically feasible and legally permissible, individuals may have the right to receive their Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another data controller without hindrance.
  • Rights Related to Automated Decision Making and Profiling: Individuals have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless explicit consent is given or it is authorized by law and appropriate safeguards are in place.
  • Right to Lodge a Complaint: Individuals typically have the right to lodge a complaint with a competent data protection authority.
  • Right to Appoint a Representative: Where legally recognized, individuals may have the right to appoint an individual to exercise their rights upon their death or incapacity.


Individuals who wish to exercise these rights and/or obtain information on the Processing of their Personal Data may send a request as set out in the “Question and Recourse” section below. Opexor will handle such requests in accordance with the specific requirements and timelines mandated by the Applicable Data Protection Legislation.


When Opexor Processes Personal Data for its own needs: Opexor communicates any rectification or deletion of Personal Data or restriction of Processing carried out in accordance with Applicable Data Protection Legislation to each recipient to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. Opexor ensures that it handles requests without undue delay and within the timeframes prescribed by Applicable Data Protection Legislation, in accordance with Opexor’s individual rights request process.


When Opexor Processes clients’ Personal Data: If Opexor receives a complaint or request from individuals wishing to exercise their rights, Opexor will promptly communicate all relevant information to the client and will expressly indicate to the individual that it is the client’s responsibility to handle such complaint or request as the data controller. Opexor is only responsible for handling complaints or requests in accordance with the client’s instructions and the terms of the agreement.


How does Opexor manage Personal Data breaches?

Opexor has a mature, standards-based security incident response and management process designed to handle all phases of a security incident, including incidents with privacy impacts. Opexor Professionals' responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.


Incident records are maintained and reported to Opexor’s senior management as required. All incidents are managed through Opexor’s Security Operations Centre (SOC), where highly trained, full-time incident response professionals coordinate response efforts. Opexor’s Privacy team is immediately engaged in the incident management process whenever Personal Data is suspected or known to be involved.


If Opexor reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed has occurred, Opexor will provide security incident notification and status updates to the relevant Data Protection Authority, affected individuals, and/or clients (as the case may be), in accordance with the specific requirements and timelines of Applicable Data Protection Legislation, as well as Opexor’s Management Foundation.


Similarly, in the event a Personal Data breach is identified by a Third-Party Supplier engaged by Opexor, the Third-Party Supplier must inform Opexor as agreed upon in the relevant agreement and in accordance with Applicable Data Protection Legislation.


Communication and Training

Opexor continually promotes a strong data protection culture within its organization. Opexor deploys an annual data privacy learning program, regularly updated to reflect technological and legislative changes. Such training is mandatory for all Opexor Professionals, subcontractors, and freelancers. All Opexor leaders must ensure that the Opexor Professionals reporting to them take the training.


Role-specific learning courses adapted to several functions within the organization and security trainings are also available on Opexor’s learning platform.


Additional information to Opexor Professionals may also be provided through several channels, including targeted Privacy briefings, webinars, individual meetings, newsletters, ‘Know How’ sessions, security awareness campaigns, and global annual Data Privacy Day communications.


These activities raise Opexor Professionals’ awareness of the core principles contained in this Data Privacy Policy and of associated best practices, helping to protect Opexor and its stakeholders against unauthorized access to and improper handling of Personal Data.


Audit

Opexor integrates into its business-wide internal audit program a review of its compliance with this Data Privacy Policy. The internal audit program defines:

  • A schedule under which audits will be carried out,
  • The expected scope of the audit, and
  • The team responsible for the audit.


The business-wide internal audit program includes verification at delivery, functional, and corporate levels. The audit programs may be revised on a regular basis; regardless of such revisions, Opexor will perform internal audits on a regular basis through qualified audit teams. Such programs will be initiated by the relevant Opexor audit departments for each level.

The results of the audit will be communicated to the Opexor Privacy organization and resulting actions will be defined and prioritized, enabling the Opexor Privacy organization to determine a schedule for the implementation of corrective and preventive measures.


Competent data protection authorities, as well as clients, may request access to the audit results (in the latter case, subject to contractual obligations, as defined in the Contract Management Framework). Such communication is subject to a confidentiality agreement, and audit results do not include any confidential information of other Opexor clients or of Opexor internal business areas. Release of such results is subject to the approval of the Opexor Privacy organization and Legal Services.


As part of Opexor’s commitment towards ISO27701:2019 certification (if applicable and maintained), external auditors independent from Opexor act as an additional line of compliance. They provide oversight and assurance of our ISO27701:2019 implementation across our certified Opexor sites and conduct needed audits. The results of such audits are treated as per all audit results, with any recommended corrective and preventive measures being prioritized across all areas of the business.



Opexor Privacy Organization

Opexor has designated a Chief Privacy Officer (“CPO”) and a network of Privacy Business Partners who may also be appointed as Data Protection Officers (DPOs) or equivalent roles, in accordance with Applicable Data Protection Legislation, and records management specialists. The Opexor Privacy organization is further defined on the Privacy page of Opexor’s corporate intranet.


Record of Processing Activities

Opexor maintains a record of Processing activities carried out as part of its operations (the “Data Processing Inventory”). Opexor will ensure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. Opexor will make its record(s) of Processing available to the supervisory authority upon request, as required by law.


Updates of the Data Privacy Policy

This Data Privacy Policy may be amended from time to time, as necessary, to reflect changes in our operations, regulatory requirements, or best practices. Opexor will issue relevant communications relating to such changes in due time. The current version of this policy will always be available on the Opexor website/intranet.


Questions, Requests and Recourses

Questions and requests: In case of questions related to the interpretation or operation of this Policy, or requests related to your Personal Data Processed by Opexor, please:

  • send an email to [email protected], or
  • contact Opexor’s Chief Privacy Officer at:
    • Att. Opexor CPO, Shams Business Center, Sharjah Media City, Sharjah, UAE, or
  • complete the online form.


Opexor seeks to maintain strong relationships with data protection authorities and cooperate with them in any relevant matter, including any audit requests. Opexor will also carefully consider recommendations issued by competent data protection authorities in relation to Personal Data Processing carried out by Opexor as part of its operations.


If you have any questions or requests related to your Personal Data that are not addressed by Opexor in accordance with Applicable Data Protection Legislation, or if you require assistance from any competent data protection authority, you may submit a complaint or reach out to the relevant authority. Below are useful resources (note: this list is illustrative and may need to be tailored to the specific operational presence in each region):


  • GCC Countries (Illustrative):
    • Saudi Arabia: Saudi Data & Artificial Intelligence Authority (SDAIA)
    • UAE: UAE Data Office (established under Federal Decree-Law No. 45/2021)
    • Qatar: National Cyber Security Agency (NCSA) or relevant ministries
    • Bahrain: Personal Data Protection Authority (PDPA)
    • Oman: Ministry of Transport, Communications and Information Technology (MTCIT)
    • Kuwait: Communication and Information Technology Regulatory Authority (CITRA)
  • Canada: Office of the Privacy Commissioner of Canada (OPC) or relevant provincial privacy commissioners (e.g., OIPC Alberta, B.C. OIPC, Quebec CAI)
  • India: Data Protection Board of India (DPBI) once fully operational under the Digital Personal Data Protection Act, 2023.
  • USA: Federal Trade Commission (FTC), State Attorneys General offices (e.g., California AG for CCPA/CPRA), or relevant sector-specific regulators (e.g., HHS for HIPAA).


Policy owner: Opexor’s Chief Information Officer (CIO)