The KPI Institute Privacy Statement
Welcome! This Privacy Statement explains how The KPI Institute collects your personal and technical information, why we use it, and the measures we take to protect it. You’ll learn what types of data we gather and for which purposes, the legal bases that allow us to process your information, and the security safeguards we have in place. We also explain your rights—how you can access, correct, delete, or restrict our use of your data—and provide clear instructions for exercising them. If you have any questions or need assistance, our Data Protection Officer is ready to help at [email protected]. For full details and legal definitions, please continue to the sections that follow.
- DEFINITIONS AND INTERPRETATION
For the purposes of this Statement:
- “Controller” means The KPI Institute Pty. Ltd. (ACN 109 262 366), or, where applicable, any entity within the KPI Institute Group determining the purposes and means of processing Personal Data.
- “Processor” means any third party, including intra-Group entities, engaged by a Controller to process Personal Data on its behalf pursuant to a Data Processing Agreement (DPA).
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
- “Processing” means any operation on Personal Data, whether automated or manual, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure or destruction.
- “Data Subject” means the individual to whom Personal Data pertains.
- “KPI Institute Group” or “Group” means The KPI Institute Pty. Ltd. and its affiliated legal entities listed in Section 3.
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
- “PDPA” means the Personal Data Protection Act 2010 (Malaysia).
- “Privacy Act” means the Privacy Act 1988 (Cth) (Australia).
- “PDPL” means the Personal Data Protection Law (Crown Prince Court Order No. 4 of 2021) (Saudi Arabia).
- “GCC Data Laws” means data protection statutes, regulations, and guidelines applicable to Gulf Cooperation Council Member States (including PDPL).
- SCOPE AND APPLICATION
2.1 This Privacy Statement establishes the comprehensive framework under which the KPI Institute Group, in its capacity as Controller, Processor, or Joint Controller, undertakes the Processing of Personal Data. It applies to all business activities and operations conducted by the Group, whether directly or via affiliated entities, including but not limited to:
- Consultancy services and training programmes;
- Research, analytics, and benchmarking initiatives;
- Events, conferences, workshops, and webinars;
- Digital platforms, websites, and mobile applications;
- Marketing and promotional campaigns (online and offline);
- Customer relationship management and support services;
- Procurement, vendor management, and supply chain engagements;
- Recruitment, employment, and contractor onboarding processes.
2.2 This Statement governs Personal Data collected from or relating to all categories of Data Subjects, including clients, prospects, suppliers, vendors, contractors, employees, job applicants, website and application users, and any other individuals whose Personal Data is Processed by the Group in the course of its operations.
2.3 The territorial scope of this Statement is global. Personal Data may be Processed in any jurisdiction in which the Group operates, subject to applicable local data protection laws. In jurisdictions imposing additional requirements (e.g., GDPR, PDPA, Privacy Act, PDPL, CCPA/CPRA, PIPEDA (Canada) and UK Data Protection Act 2018), the Group shall implement any necessary supplemental notices, consent mechanisms, or Processing procedures to achieve full compliance. In the event of any conflict between this Statement and mandatory local law, the latter shall prevail to the extent required.
2.4 This Statement does not apply to data that has been irreversibly anonymised or aggregated so that individuals are no longer identifiable.
2.5 All Group personnel, affiliates, contractors, and third-party Processors engaged by the Group are required to comply with this Statement, any related policies, and the terms of applicable Data Processing Agreements (DPAs).
- CONTROLLERS WITHIN THE KPI INSTITUTE GROUP
3.1 Principal Controller
The KPI Institute Pty. Ltd. (ACN 109 262 366), Level 3, 406 Collins Street, Melbourne, VIC 3000, Australia, shall act as the principal Controller for all Group-wide Processing activities, determining the purposes and means of Personal Data processing.
3.2 Joint Controllers
Where two or more Group entities jointly define Processing objectives and methods (e.g., co-development of digital platforms or co-hosting of events), they shall be deemed Joint Controllers. In such cases, the respective Joint Controllers shall conclude a Joint Controller Agreement specifying:
- Allocation of responsibilities for compliance with Data Subject rights and GDPR Article 26 obligations.
- Mechanisms for Data Subject communications and exercise of rights.
- Indemnification and liability arrangements between the Joint Controllers.
3.3 Appointed Processors
The following intra-Group entities and selected third-party service providers shall operate as Processors under binding Data Processing Agreements (DPAs), processing Personal Data exclusively on documented instructions:
- Connected Performance Training Institute – 718620 (AE)
- Connected Performance Sdn. Bhd. – 1128752H (MY)
- The KPI Institute for Training – 1009067330 (KSA)
- Integerperform S.R.L. – J12/1644/2002 (RO)
- Skills Mandate S.R.L. – J12/4901/2017 (RO)
- Biomimicry S.R.L. – J12/4885/2017 (RO)
- TKI HUB S.R.L. – J32/1162/2017 (RO)
- Lereroworld S.R.L. – J32/420/2019 (RO)
- Acumen Integrat S.R.L. – J12/4194/2004 (RO)
- Fundația Worldskills România – RO36134470 (RO)
DPAs shall incorporate, at a minimum, the following provisions:
- Scope, nature, and purpose of processing.
- Types of Personal Data and categories of Data Subjects.
- Duration of Processing and retention obligations.
- Technical and organisational security measures.
- Sub-processor engagement rules and audit rights.
- Breach notification obligations.
3.4 Data Protection Officer
- Global DPO: Merut Stefan – Head of Legal and Compliance, Email: [email protected]
3.5 Data Subject Acknowledgement
By providing Personal Data to any Group entity, Data Subjects acknowledge and consent to:
- Inter-Group transfer and joint Processing of their Personal Data.
- Processing by both Controllers and Processors as specified in this Statement and related DPAs.
- PRINCIPLES GOVERNING PROCESSING
In all jurisdictions in which the Group operates, Personal Data shall be processed in accordance with the following binding principles, drawn from GDPR Article 5 and equivalent global standards:
4.1 Lawfulness, Fairness & Transparency
4.1.1 Processing shall be lawful only if and to the extent there exists at least one legal basis under applicable law (e.g., consent, contract performance, legitimate interests, legal obligations).
4.1.2 Data Subjects shall be provided with clear, intelligible and easily accessible information regarding Processing activities, consistent with GDPR Articles 12–14, PDPL transparency requirements, and equivalent obligations under local law.
4.2 Purpose Limitation
4.2.1 Personal Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
4.2.2 Any subsequent Processing for archiving in the public interest, scientific or historical research, or statistical purposes shall be subject to appropriate safeguards.
4.3 Data Minimisation
4.3.1 Personal Data processed shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4.3.2 Regular reviews shall be conducted to ensure Personal Data inventories remain aligned with operational needs and legal requirements.
4.4 Accuracy
4.4.1 The Group shall take all reasonable steps to ensure that Personal Data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
4.4.2 Mechanisms for Data Subject-initiated corrections and periodic data quality audits shall be in place.
4.5 Storage Limitation
4.5.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which they are collected and processed, or as required by applicable law.
4.5.2 Automated retention schedules and secure deletion protocols shall ensure compliance with retention obligations set forth in Section 10.
4.6 Integrity & Confidentiality
4.6.1 The Group shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
4.6.2 Measures include, but are not limited to, encryption, pseudonymisation where appropriate, access controls, and secure disposal procedures.
4.7 Accountability
4.7.1 The Group shall be responsible for, and be able to demonstrate, compliance with these principles (“accountability”).
4.7.2 Documentation, internal policies, training programmes, impact assessments (where required), and regular audits shall form part of the Group’s accountability regime.
- LEGAL BASES FOR PROCESSING
Personal Data shall be processed only where at least one of the following legal bases applies. Where multiple bases exist, the most specific basis shall prevail:
5.1 Contractual Necessity
5.1.1 Processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the Data Subject’s request prior to entering into a contract (e.g., provision of consultancy services, training programmes, or event registrations).
5.1.2 GDPR: Article 6(1)(b); PDPA: Section 6(1)(c); Privacy Act: Section 16A(1)(b); PDPL: Article 8(c).
5.2 Compliance with Legal Obligations
5.2.1 Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., tax, anti-money laundering, record-keeping, employment law obligations).
5.2.2 GDPR: Article 6(1)(c); PDPA: Section 6(1)(d); Privacy Act: Section 16A(1)(c); PDPL: Article 8(d).
5.3 Consent
5.3.1 The Data Subject has given freely given, specific, informed, and unambiguous consent to the Processing of Personal Data for one or more specified purposes (e.g., marketing communications, profiling, transfer to third parties).
5.3.2 Consent shall be evidenced by a clear affirmative act, and Data Subjects shall be informed of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
5.3.3 GDPR: Article 6(1)(a) & Article 7; PDPA: Section 9; Privacy Act: Sections 6(1)(a), 7(1); PDPL: Article 8(a).
5.4 Legitimate Interests
5.4.1 Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
5.4.2 Legitimate interests may include, but are not limited to, fraud prevention, network security, business development, and client relationship management.
5.4.3 A documented Legitimate Interests Assessment (LIA) shall be conducted to balance the interests of the Controller against the rights of Data Subjects.
5.4.4 GDPR: Article 6(1)(f); PDPA: Section 6(1)(b); Privacy Act: Section 16A(1)(d); PDPL: Article 8(f).
5.5 Vital Interests and Public Interest (where applicable)
5.5.1 In exceptional circumstances, processing may be necessary to protect the vital interests of the Data Subject or another person, or where processing is required for the performance of a task carried out in the public interest or in the exercise of official authority.
5.5.2 GDPR: Articles 6(1)(d) & (e); PDPL: Article 8(e).
- CATEGORIES OF PERSONAL DATA
6.1 The following categories of Personal Data may be collected, processed, and retained by the Group in connection with its training, consultancy, research, events and related operations:
| Category | Description & Examples | Purposes | Legal Basis |
|---|---|---|---|
| Identity & Contact Data | Full name, title, employer, business address, email address, telephone number | Participant registration, account administration | Contract, Consent |
| Professional & Academic Data | Job title, department, organisation, qualifications, professional certifications, educational background | Eligibility assessment, course placement, reporting | Legitimate Interest, Consent |
| Training Registration Data | Course selections, attendance records, registration dates, payment details | Course scheduling, attendance tracking, invoicing | Contract, Legal Obligation |
| Training Content & Evaluation Data | Assessment scores, test results, certification outcomes, feedback forms, trainer evaluations | Certification issuance, performance analysis, quality assurance | Contract, Legitimate Interest |
| Audio/Video Recording Data | Video recordings of live training sessions, webinar recordings, photographs, participant Q&A transcripts | Training delivery, on-demand access, compliance with contract terms | Legitimate Interest, Consent |
| Technical & Usage Data | IP address, device identifiers, browser type, access times, clickstream data | Platform security, system performance monitoring | Legitimate Interest |
| Communications Data | Email correspondence, chat logs, support tickets, survey responses | Customer support, marketing communications | Consent, Legitimate Interest |
| Marketing & Preference Data | Subscription status, marketing preferences, opt-in/opt-out records, profiling data | Direct marketing, personalised promotions | Consent, Legitimate Interest |
| Transactional & Financial Data | Billing information, transaction history, contract documents | Billing, financial reconciliation, audit compliance | Legal Obligation |
| Sensitive Data (where applicable) | Government ID numbers, nationality, professional membership IDs (e.g., ISO, PMI), special dietary requirements | Regulatory compliance, event accommodation | Consent, Legal Obligation |
6.2 Recording of Training Sessions
Where training sessions (live or virtual) are recorded, Data Subjects will be notified in advance and provided the opportunity to object. Recordings may capture audio, video, and screenshare content and will be processed for:
- On-demand access for registered participants;
- Post-event reviews and quality improvements;
- Internal training material development;
- Compliance with contractual or regulatory record-keeping obligations.
6.3 Special Category Data
In exceptional circumstances, where participants voluntarily provide Special Category Data (e.g., health or accessibility needs), such data will only be processed with explicit consent, documented safeguards, and strictly for the purposes communicated at the point of collection.
6.4 Data Source & Collection Methods
Personal Data may be obtained directly from Data Subjects (e.g., via registration forms, surveys, assessments), indirectly from technical systems (e.g., learning management platforms, webinar tools), or from third parties (e.g., employer HR systems, accreditation bodies). All collection methods shall adhere to the principles of transparency and purpose limitation.
- DATA PROCESSING AGREEMENTS & CROSS-MARKETING
7.1 Applicability and Structure of Data Processing Agreements (DPAs)
7.1.1 All Processors—whether intra-Group entities or external service providers—and Joint Controllers shall enter into a written Data Processing Agreement in compliance with GDPR Article 28, PDPA Section 11, Privacy Act APP 11, PDPL Article 21, and equivalent provisions under applicable law.
7.1.2 Each DPA shall, at a minimum, set forth:
- The subject matter, duration, nature, and purpose of the Processing;
- The types of Personal Data and categories of Data Subjects;
- The obligations and rights of Controllers and Processors;
- Detailed technical and organisational security measures;
- Terms governing the engagement of sub-processors, including prior written authorisation and flow-down obligations;
- Procedures for Data Subject requests, audit rights, and compliance reviews;
- Breach notification and remediation obligations, specifying timelines and communication protocols.
7.2 Cross-Marketing and Data Sharing under DPAs
7.2.1 Subject to the Data Subject’s valid consent (where required) and/or legitimate interest assessments, Group entities may share Personal Data for cross-marketing purposes, including:
- Joint promotional campaigns for training programmes, publications, and benchmarking services;
- Targeted communications tailored to professional profiles, industry sectors, or geographic regions;
- Co-sponsored events and webinars announced through combined mailing lists.
7.2.2 Prior to any inter-Group marketing initiative, Controllers shall ensure:
- Compliance with applicable marketing consent requirements under GDPR Article 21, PDPA Section 12, Privacy Act APP 7, and PDPL Article 10;
- Maintenance of up-to-date opt-in/opt-out records, with mechanisms to facilitate immediate withdrawal of consent or objection;
- Execution of updated DPAs or addenda reflecting the specific scope of cross-marketing Processing.
7.3 Third-Party Marketing Partners
7.3.1 Where the Group engages third-party marketing platforms or agencies, such engagement shall be governed by a DPA and a Marketing Services Agreement, ensuring:
- Restricted use of Personal Data solely for the contracted marketing campaign;
- Prohibition of onward transfers without prior Controller approval;
- Assurance of data accuracy and deletion upon campaign completion.
7.3.2 Third parties shall provide evidence of compliance with recognised privacy and security standards (e.g., ISO/IEC 27701, PCI DSS) or equivalent representations and warranties, and shall permit audits by the Controller or its designated auditor.
7.4 Data Subject Rights in Cross-Marketing
7.4.1 Data Subjects retain the right to object to Processing for direct marketing at any time, free of charge and without detriment to other Processing activities.
7.4.2 Controllers shall honor objections within one month of receipt, ceasing all marketing communications and confirming cessation to the Data Subject.
7.5 Record-Keeping and Accountability
7.5.1 Controllers shall maintain comprehensive records of all DPAs, cross-marketing assessments, and consent registers, as required by GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
7.5.2 Such records shall be retained for a minimum of five years and be available for inspection by supervisory authorities or internal auditors.
7.5.3 The Group maintains and operates a centralized Customer Relationship Management (CRM) system, which serves as a core data repository for storing Personal Data, including but not limited to contact details, marketing preferences, consent status, course participation history, and correspondence logs. This CRM system is configured to reflect Data Subject rights and support obligations under applicable data protection laws. Periodic audits are conducted to ensure integrity, accuracy, and compliance with consent-based marketing requirements.
- INTERNATIONAL DATA TRANSFERS & SAFEGUARDS
8.1 Overview of Cross-Border Transfers
8.1.1 Personal Data may be transferred outside the Data Subject’s jurisdiction to enable global service delivery, centralized processing, and collaboration across the KPI Institute Group and authorised third-party service providers.
8.2 GDPR Chapter V Compliance
8.2.1 For transfers from the European Economic Area, the Group shall implement one or more of the following safeguards in accordance with GDPR Articles 44–50:
- Adequacy Decisions: Transfers to countries or territories that are the subject of a European Commission adequacy decision. Australia is not currently covered by such a decision, so transfers from the EEA to the principal Controller in Melbourne rely on one of the other mechanisms listed below.
- Standard Contractual Clauses (SCCs): Adoption of the European Commission’s SCCs, supplemented by any required technical, organisational, or contractual measures.
- Binding Corporate Rules (BCRs): Group-wide internal rules approved by EU supervisory authorities, providing consistent safeguards across all intra-Group transfers.
- Derogations: Specific case-by-case derogations (e.g., explicit consent, performance of contract, public interest) if no other mechanism applies.
8.3 PDPA & Privacy Act Transfers
8.3.1 Transfers from Malaysia shall comply with PDPA Sections 129–130, requiring either contractual safeguards or supervisory authority approval.
8.3.2 Transfers from Australia shall adhere to Privacy Act APP 8 (cross-border disclosure of personal information), ensuring that overseas recipients are subject to comparable protections or that an APP 8 exception (e.g., express informed consent) applies.
8.4 PDPL Local Transfer Restrictions
8.4.1 Under Saudi Arabia’s PDPL, outbound transfers of Personal Data are permissible only where one of the following is satisfied:
- Transfer to countries with an explicit adequacy decision by the Saudi Data & AI Authority.
- Implementation of contractual clauses approved by the Authority in accordance with PDPL Articles 36–38.
- Explicit, informed consent obtained from the Data Subject for the specific transfer.
8.4.2 In all cases, transfers shall be documented, and Data Subjects shall be informed of any intended cross-border disclosures as part of the local privacy notice.
8.5 Technical & Organisational Safeguards
8.5.1 Regardless of the legal mechanism relied upon, the Group shall implement robust safeguards to protect transferred Personal Data, including:
- Encryption of data in transit and at rest.
- Access controls restricting access to authorised personnel only.
- Data localisation measures where required by local law.
- Regular audits and assessments of third-party processors and their security posture.
8.6 Data Transfer Impact Assessments (DTIAs)
8.6.1 For transfers involving high-risk processing (e.g., sensitive data, high-volume transfers), the Group shall conduct a documented Data Transfer Impact Assessment to evaluate:
- The nature and sensitivity of the data.
- The legal and regulatory environment of the destination country.
- The adequacy of proposed safeguards and residual risks.
8.6.2 DTIAs shall be reviewed periodically and prior to onboarding any new foreign receiving entity.
8.7 Record-Keeping and Accountability
8.7.1 The Group shall maintain records of all cross-border transfer mechanisms, SCCs, BCR approvals, derogation-based consent forms, and DTIAs, in accordance with GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
8.7.2 Such records shall be retained for a minimum of five years and be made available to supervisory authorities upon request.
- SAUDI ARABIA PDPL LOCALISATION
9.1 Local Compliance Obligations
9.1.1 In respect of operations in the Kingdom of Saudi Arabia (KSA), the Group complies with all PDPL requirements, including those set forth in Crown Prince Court Order No. 4 of 2021, and any implementing regulations issued by the Saudi Data & AI Authority (SDAIA).
9.2 Data Residency and Transfer Limitations
9.2.1 Personal Data collected in KSA is hosted by default in an AWS Middle East Region, in accordance with the Cloud Computing Regulatory Framework (CCRF) and PDPL Articles 36–38. Note that AWS’s Middle East Regions are located in Bahrain (me-south-1) and the United Arab Emirates (me-central-1); unless a Region located inside the Kingdom is used, hosting in an AWS Middle East Region constitutes storage outside Saudi territory and must itself satisfy the transfer conditions in 9.2.2.
9.2.2 Any transfer of Personal Data outside the Kingdom shall only occur pursuant to:
- SDAIA-approved contractual clauses reflecting PDPL transfer requirements; or
- Explicit, informed consent obtained from the Data Subject for the specific transfer.
9.2.3 All transfers are documented and transparent to Data Subjects through localized Privacy Notices.
9.3 Cloud Computing Regulatory Framework (CCRF) Adherence
9.3.1 The Group’s AWS-hosted services operate under the Cloud Computing Regulatory Framework (CCRF) applicable in the Kingdom, ensuring compliance with technical standards for cloud service providers, including security, data segregation, and audit requirements.
9.3.2 KPI Institute devices and applications leveraging AWS infrastructure are configured to enforce encryption at rest and in transit, access controls, and logging mechanisms as prescribed by the CCRF.
9.4 Reliance on AWS Compliance Representations
9.4.1 The Group utilises Amazon Web Services (AWS) cloud and data center facilities pursuant to the AWS Customer Agreement and AWS Data Processing Addendum.
9.4.2 While AWS holds certifications and attestations (e.g., ISO 27001, ISO 27018, SOC 1/2/3, and certifications recognized by SDAIA), and represents compliance with PDPL-equivalent standards, KPI Institute relies on AWS’s warranties and published compliance documentation.
9.4.3 KPI Institute does not assume responsibility for AWS’s security or compliance lapses beyond the scope of AWS’s contractual commitments and indemnities.
9.5 Breach Notification and Reporting
9.5.1 In the event of a Personal Data breach affecting KSA-based Data Subjects, the Group shall notify the SDAIA within 72 hours of becoming aware of the incident, in accordance with PDPL Article 20.
9.5.2 Data Subjects shall be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms, with sufficient details to enable mitigation measures.
- DATA RETENTION & STORAGE
10.1 General Retention Principles
10.1.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, to satisfy contractual, legal, or regulatory obligations, or to establish, exercise, or defend legal claims.
10.1.2 Retention schedules and secure deletion protocols shall be implemented to ensure automatic archiving, anonymisation, or deletion of Personal Data upon expiry of the retention period.
10.1.3 Extensions to retention periods shall require documented justification, approval by the Data Protection Officer, and, where applicable, notification to Data Subjects.
10.2 Global Retention & Storage Matrix
| Data Category | Retention Period | Rationale | Storage Locations (Primary) |
|---|---|---|---|
| Identity & Contact Data | 5 years post-relationship | Statute of limitations, audit | AU, AE, MY, RO |
| Transactional & Financial Data | 7 years from transaction date | Tax and financial regulations | AU, RO |
| Technical & Usage Data | 2 years rolling | Service optimisation, security | AU (Cloud) |
| Marketing & Preference Data | Until withdrawal + 1 year | Proof of consent | AU, AE, MY |
| Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | AU (Cloud), RO |
| Sensitive Data | As required by local law | Regulatory mandates | AU, RO, KSA |
10.3 Saudi Arabia (PDPL) Specific Retention & Storage
10.3.1 In compliance with PDPL and SDAIA requirements, Personal Data originating from or processed within the Kingdom of Saudi Arabia shall be subject to the following storage and retention controls:
| Data Category | Retention Period | Rationale | Storage Locations (KSA) |
|---|---|---|---|
| Identity & Contact Data | 5 years post-relationship | PDPL statutory limits, audit | AWS Middle East |
| Transactional & Financial Data | 7 years from transaction date | Tax, audit, and regulatory compliance | AWS Middle East |
| Technical & Usage Data | 2 years rolling | Security, monitoring | AWS Middle East |
| Marketing & Preference Data | Until withdrawal + 1 year | Consent proof, marketing compliance | AWS Middle East |
| Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | AWS Middle East |
| Sensitive Data | As required by PDPL | Explicit consent, PDPL mandates | AWS Middle East |
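The two retention matrices above (10.2 and 10.3) share the same periods, and 10.1.2 requires an automated schedule to act on them. The Python below is an added worked example, not The KPI Institute's code, of evaluating records against that matrix. It shows the point the table leaves implicit: each period counts from a different trigger event (end of relationship, transaction date, last activity for the rolling window, consent withdrawal, event date), "as required by local law" has no automatic expiry and must go to manual review, and a DPO-approved extension under 10.1.3 is only accepted with a documented justification. The category keys, the trigger model, 365-day years and all sample records are constructed assumptions.

```python
"""Retention-schedule evaluator for the Section 10 retention matrices.

Constructed example; not The KPI Institute's code. Periods follow the
matrix; category keys, trigger events, 365-day years and the sample
records are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Trigger(Enum):
    """Event from which a category's retention period is counted (assumed)."""
    RELATIONSHIP_END = "end of relationship"
    TRANSACTION_DATE = "transaction date"
    LAST_ACTIVITY = "last activity"            # "2 years rolling"
    CONSENT_WITHDRAWAL = "consent withdrawal"  # "until withdrawal + 1 year"
    EVENT_DATE = "event/session date"
    LOCAL_LAW = "as required by local law"     # no automatic period


YEAR = timedelta(days=365)  # assumption: fixed 365-day years

# category -> (trigger, retention period); None = no automatic expiry
SCHEDULE: dict[str, tuple[Trigger, Optional[timedelta]]] = {
    "identity_contact": (Trigger.RELATIONSHIP_END, 5 * YEAR),
    "transactional_financial": (Trigger.TRANSACTION_DATE, 7 * YEAR),
    "technical_usage": (Trigger.LAST_ACTIVITY, 2 * YEAR),
    "marketing_preference": (Trigger.CONSENT_WITHDRAWAL, 1 * YEAR),
    "recordings_photographs": (Trigger.EVENT_DATE, 2 * YEAR),
    "sensitive": (Trigger.LOCAL_LAW, None),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]            # None = trigger has not occurred yet
    extension_until: Optional[date] = None  # DPO-approved extension (10.1.3)
    extension_reason: str = ""

    def __post_init__(self) -> None:
        if self.category not in SCHEDULE:
            raise ValueError(f"{self.record_id}: unknown category {self.category!r}")
        if self.extension_until is not None and not self.extension_reason:
            raise ValueError(f"{self.record_id}: extension requires a documented justification")


def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the record falls due for disposal, or None if none applies yet."""
    _, period = SCHEDULE[rec.category]
    if period is None or rec.trigger_date is None:
        return None
    due = rec.trigger_date + period
    if rec.extension_until is not None and rec.extension_until > due:
        due = rec.extension_until
    return due


def decide(rec: Record, today: date) -> str:
    """'dispose', 'retain', or 'review' (manual decision for local-law categories)."""
    if SCHEDULE[rec.category][1] is None:
        return "review"
    due = expiry_date(rec)
    return "retain" if due is None or today < due else "dispose"


def disposal_plan(records: list[Record], today: date) -> dict[str, str]:
    return {r.record_id: decide(r, today) for r in records}


def disposal_log(records: list[Record], today: date) -> list[str]:
    """Audit lines for each record disposed of; 10.4.2 requires disposal to be logged."""
    lines = []
    for r in records:
        if decide(r, today) == "dispose":
            trigger = SCHEDULE[r.category][0].value
            lines.append(
                f"{today.isoformat()} DISPOSE {r.record_id} category={r.category} "
                f"trigger={trigger!r} on {r.trigger_date.isoformat()} "
                f"expired={expiry_date(r).isoformat()}"
            )
    return lines


AS_OF = date(2025, 6, 1)  # constructed evaluation date

# Constructed sample records covering each trigger type and its edge cases.
SAMPLE_RECORDS = [
    Record("C-1001", "identity_contact", date(2019, 3, 15)),          # ended 2019 -> dispose
    Record("C-1002", "identity_contact", None),                       # relationship ongoing
    Record("T-2001", "transactional_financial", date(2018, 1, 10)),   # 7 years passed
    Record("T-2002", "transactional_financial", date(2019, 1, 10),
           extension_until=date(2026, 12, 31), extension_reason="litigation hold"),
    Record("U-3001", "technical_usage", date(2023, 9, 1)),            # inside rolling window
    Record("U-3002", "technical_usage", date(2023, 5, 1)),            # rolled out of window
    Record("M-4001", "marketing_preference", None),                   # consent still active
    Record("M-4002", "marketing_preference", date(2024, 4, 1)),       # withdrawn + 1 year
    Record("R-5001", "recordings_photographs", date(2023, 6, 1)),     # expired one day ago
    Record("S-6001", "sensitive", date(2015, 1, 1)),                  # needs DPO/legal review
]

if __name__ == "__main__":
    for rid, action in disposal_plan(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rid}: {action}")
    print("\n".join(disposal_log(SAMPLE_RECORDS, AS_OF)))
```

Records whose trigger has not fired (an ongoing relationship, consent not yet withdrawn) are retained without an expiry date rather than silently dropped, and records in the "as required by local law" category never auto-expire; both are the cases an automated deletion job most often gets wrong.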
10.4 Secure Disposal & Anonymisation
10.4.1 Upon expiry of retention periods, Personal Data shall be securely disposed of through methods including, but not limited to, irreversible anonymisation, secure deletion, or physical destruction of storage media.
10.4.2 Disposal and anonymisation activities shall be logged, retained for audit purposes, and verified periodically by the Data Protection Officer.
- DATA SUBJECT RIGHTS & PROCEDURES
11.1 Overview of Rights
Under applicable data protection laws (GDPR, PDPA, Privacy Act, PDPL), Data Subjects are entitled to the following rights with respect to their Personal Data:
- Right of Access: To obtain confirmation of processing and access to a copy of their Personal Data.
- Right to Rectification: To request correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): To request deletion of Personal Data where no lawful basis for retention exists.
- Right to Restriction of Processing: To limit the manner in which Personal Data is processed.
- Right to Data Portability: To receive Personal Data in a structured, commonly used, machine-readable format and transmit it to another Controller.
- Right to Object: To object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: To withdraw previously given consent without affecting the lawfulness of prior processing.
- Right to Complaint: To lodge a complaint with a supervisory authority.
11.2 Procedures for Exercising Rights
11.2.1 Requests shall be submitted in writing to the Data Protection Officer (contact details in Section 3.4) or via the Group’s designated online contact forms.
11.2.2 Upon receipt, the Group will acknowledge the request within five (5) business days and, where feasible, provide a substantive response within one (1) month of receipt.
11.2.3 Extensions of up to two (2) additional months may apply for complex requests, with notification to the Data Subject and justification for the delay.
11.2.4 No fee shall be charged for requests, except in cases of manifestly unfounded or excessive requests, in which case a reasonable fee may be levied or the request may be refused.
11.3 Verification and Security
To protect privacy and security, the Group may require Data Subjects to verify their identity before processing a request, using two-factor authentication, government-issued ID, or other appropriate measures.
11.4 Exceptions and Limitations
11.4.1 The rights outlined in Section 11.1 may be subject to exceptions or limitations under applicable law (e.g., freedom of expression, public interest, legal obligations, litigation).
11.4.2 Where an exception applies, the Group will inform the Data Subject of the reason for refusal and the possibility of lodging a complaint with a supervisory authority.
11.5 Special Procedures for PDPL
11.5.1 For Saudi Arabia, Data Subjects may also submit rights requests directly to the Saudi Data & AI Authority (SDAIA) if dissatisfied with the Group’s response.
11.5.2 The Group shall maintain localized request forms in Arabic and English and ensure compliance with PDPL-mandated timelines for responses.
- SECURITY MEASURES
To safeguard Personal Data throughout its lifecycle, the Group implements a comprehensive security framework comprising the following measures:
12.1 Organisational and Administrative Controls
12.1.1 Adoption and enforcement of robust privacy and security policies, standards, and procedures aligned with ISO/IEC 27001, NIST Cybersecurity Framework, and PDPL requirements.
12.1.2 Regular privacy and security training programmes for all personnel, including mandatory onboarding and annual refresher courses.
12.1.3 Role-based access controls (RBAC) and segregation of duties to limit access to Personal Data to authorised individuals only.
12.1.4 Background screening and confidentiality agreements for employees, contractors, and third-party vendors with access to sensitive Personal Data.
12.2 Technical and Physical Safeguards
12.2.1 Encryption of Personal Data at rest using AES-256 or equivalent, and in transit via TLS 1.2+ or equivalent protocols.
12.2.2 Network segmentation, firewalls, intrusion detection and prevention systems (IDPS), and secure configuration baselines to protect against unauthorised access.
12.2.3 Implementation of multi-factor authentication (MFA) for all administrative and remote access.
12.2.4 Logging, monitoring, and anomaly detection systems with retention of security logs for a minimum of 12 months.
12.2.5 Secure disposal of physical media in accordance with NIST SP 800-88 guidelines and secure wiping of electronic devices.
12.3 Vendor and Third-Party Security
12.3.1 Rigorous due diligence and risk assessment of third-party vendors, service providers, and cloud partners, including AWS, to verify security posture and compliance with required standards.
12.3.2 Inclusion of comprehensive security and privacy obligations in all DPAs and vendor contracts, with right-to-audit clauses and breach notification requirements.
12.3.3 Periodic review of vendor security assessments, SOC 2 reports, ISO 27001 certifications, and penetration test results.
12.4 Security Assessments and Audits
12.4.1 Regular vulnerability scanning, penetration testing, and security code reviews conducted by certified professionals.
12.4.2 Internal and external audits, including annual third-party assessments, to validate compliance with security policies and legal requirements.
12.4.3 Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for high-risk Processing activities, recorded in the Group’s risk register.
12.5 Incident Response and Breach Management
12.5.1 A formalised Incident Response Plan (IRP) establishing roles, responsibilities, and procedures for identification, containment, eradication, recovery, and post-incident review.
12.5.2 Notification procedures to inform supervisory authorities (e.g., SDAIA, ICO, OAIC) within statutory timelines (72 hours for PDPL, GDPR, etc.) and affected Data Subjects when required.
12.5.3 Maintenance of an incident register, root cause analysis, and corrective action tracking to prevent recurrence.
12.6 Business Continuity and Disaster Recovery
12.6.1 Implementation of resilient backup and disaster recovery solutions, with regular restoration testing to ensure data integrity and availability.
12.6.2 Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems and Personal Data stores.
12.6.3 Annual reviews and tabletop exercises to validate business continuity and disaster recovery plans.
- CHANGES TO THIS STATEMENT
13.1 Periodic Review and Governance
13.1.1 This Privacy Statement shall be reviewed at least annually or more frequently as required by changes in applicable law, technological developments, or business practices.
13.1.2 All revisions shall undergo legal and compliance review and be approved by the Global Data Protection Officer and the executive leadership team.
13.2 Automated Decision-Making and Profiling
The KPI Institute does not carry out any decision-making based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them, as described in Article 22 of the General Data Protection Regulation (GDPR).
If this ever changes, we will update this Privacy Statement and ensure that such processing is subject to suitable safeguards, including the right to:
- obtain human intervention,
- express your point of view,
- and contest the decision.
13.3 Material Amendments and Data Subject Notifications
13.3.1 Material changes—such as new processing purposes, additional international transfers, or expanded Data Subject rights—shall be communicated to Data Subjects in advance of implementation via:
- Email notifications to all affected individuals;
- Prominent notices on the Group’s websites and digital platforms;
- Localized communications where required by jurisdiction (e.g., Arabic notices for KSA).
13.3.2 Minor operational or editorial updates that do not affect Data Subject rights or compliance obligations may be implemented without individual notice but will be reflected in the version history.
13.4 Version Control and Historical Archive
13.4.1 Each publication of the Privacy Statement shall be assigned a version number and effective date.
13.4.2 An archive of prior versions, together with a summary of changes, shall be maintained on the Group’s intranet and made available to Data Subjects upon request.
13.5 Severability
13.5.1 If any provision of this Statement is held invalid or unenforceable under applicable law, such provision shall be severed, and the remaining provisions shall continue in full force and effect.
13.6 Contact for Clarifications
13.6.1 Questions about this Privacy Statement, including requests for clarification on changes, should be directed to the Data Protection Officer as specified in Section 3.4.
Effective Date: April 30, 2025