GIB

PRIVACY POLICY

Please click here for the Meem Privacy Policy


-    First Publication date: 27 December 2022
-    Last updated on: 9th December 2025


Dear Customer,


Gulf International Bank - Saudi Arabia (“GIB”, “GIB KSA”, “Bank”, “we”, “us”, or “our”) seeks to protect the privacy of your information. This privacy notice (“Privacy Notice” and/or “Notice”), together with Our Terms and Conditions of Use and any other documents referred to therein, explains the basis on which any Personal Data (as defined below) that we collect from you or third parties, or that you provide to us, will be processed by us.

 
Please read the following provisions carefully to understand our views and practices regarding your Personal Data (as defined below) and how we will handle it.

1. OVERVIEW AND PURPOSE


Gulf International Bank - Saudi Arabia, a Saudi Closed Joint Stock Company registered in the Kingdom of Saudi Arabia with Unified Number 7001399042 and Commercial Registration Number 2052001920, licensed by the Saudi Central Bank (“SAMA”) to operate as a bank in the Kingdom of Saudi Arabia with banking license number 2007, whose principal address is at PO Box 93, Al Khobar 31952, National Address Number 5515, Kingdom of Saudi Arabia, is committed to safeguarding your Personal Data. We maintain physical, electronic, and procedural safeguards that comply with applicable laws and regulations to protect your information from unauthorised access and use, accidental or unlawful alteration and destruction, and other unlawful or unauthorised forms of processing. We engage in continuous training of our employees in the secure management of Personal Data. 


At GIB, we take data privacy very seriously and provide our customers with all necessary data security measures to protect their Personal Data from unauthorised access. We require any third parties acting on our behalf to comply with appropriate compliance standards to protect your information.  Accordingly, this Privacy Notice reflects the requirements set out in the Saudi Personal Data Protection Law (“KSA PDPL” or the “Law”).


The purpose of this Notice is to help you understand the nature of the Personal Data we collect, use, store, share, or process during and after your interactions with us to offer you more personalised products and services, as well as the legal bases on which we do so within the Kingdom of Saudi Arabia. Furthermore, this Notice explains the various measures we have in place to protect the security of your Personal Data and to minimise the risk of its unauthorised use, disclosure, or destruction.

2. DEFINITIONS 


PERSONAL DATA:
Means any data – regardless of its source or form – that identifies an individual specifically, or makes it possible to identify him or her directly or indirectly, including name, personal identification number, address, contact numbers, license numbers, records, personal property, location data, bank account and credit card numbers, fixed or moving images of the individual, and other data of a personal nature.


SENSITIVE DATA:
Means any Personal Data that reveals racial or ethnic origin, or religious, intellectual, or political belief, data relating to security, criminal convictions and offenses, biometric or genetic data for the purpose of identifying the person, health data, and data that indicates that one or both of the individual’s parents are unknown. 


3. THE INFORMATION WE COLLECT


We limit the collection and use of personal information to the minimum necessary to deliver our services to our customers. This includes providing advice on our products, services and other opportunities, as well as administering our business operations. 


In addition, the type of data collected may vary depending on your capacity – whether you are acting in a personal capacity, or on behalf of another individual, or as a representative of an entity.


What Personal Data Do We Collect?
We collect, use, store, and transfer different elements of Personal Data through various channels, including, but not limited to, cases where it is mandatory for us to collect your data:


1.    Identifying Information:
•    Full name
•    National ID or residency number
•    Date of birth
•    Gender
•    Nationality 
•    Assessment of whether you are a Politically Exposed Person (“PEP”)
•    Employer name / occupation
•    Education level 
•    Disability status and type (if applicable) 

 

2.    Contact Information:

•    Mobile phone number
•    Email address
•    Mailing address
•    National address


3.     Basic Financial Information (when applicable):
•    Bank account number
•    Your credit behaviour, as reported by credit bureaus
•    Credit or debit card number (if voluntarily submitted through specific forms)
•    Details of paid compensation 


4.    Technical Usage Data:
•    Internet Protocol (IP) address
•    Device type and operating system
•    Browser type
•    Browsing activity on the Bank’s website
•    Cookies and similar tracking technologies


5.    Digital Banking Information:
•    Access to online banking or mobile applications
•    User preferences and interaction data on the Bank’s digital platforms


6.    Original Documents (where applicable to each product or service):
•    Copy of ID, Family Card, or passport (for validation purposes if you are a representative of the customer, or for employment purposes)
•    Power of Attorney
•    Death certificates
•    Medical reports (for risk assessment purposes if you are a customer, or for medical insurance purposes if you are a staff member, or to confirm your fitness to work with us upon onboarding)
•    Court rulings issued by the Ministry of Justice (where applicable)
•    Commercial Papers governed by the Commercial Papers Law
•    Proof of income letter
•    Proof of residency letter
•    Salary certificate
•    Salary assignment letter
•    Bank statement letter
•    Tax exemption certificate
•    Title deeds
•    Permit letter for construction
•    Real estate site map 
•    Personal guarantee letters


7.    Additional Information if You apply for a Job with Us 
In addition to the above, if you are applying for a job opportunity with us, we will collect the following information: 


•    Name, Date of Birth, Address, Email ID, Contact Number, CV, passport and / or visa & residence permit, education & qualifications


8.    Information You Voluntarily Provide (non-compulsory):
•    Responses submitted through online forms (e.g., Contact Us, complaints)
•    Uploaded attachments (such as IDs or supporting documents)
•    Your consent to receive marketing material via your contact information


4. HOW DO WE COLLECT INFORMATION?


We collect your Personal Data both directly (through online forms, drop-down lists, option lists, banking forms, etc.) and indirectly (through cookies, automated data collection, website analytics, etc)
We collect your Personal Data when:
•    You provide us with information directly.
•    You open an account or perform transactions, such as making deposits or withdrawals from your account, and in relation to your payment history and transactions records.
•    You apply for a job opportunity at GIB.
•    You act as a third-party representative with us.
•    You apply for a loan or use your credit or debit card.
•    You seek advice about your investments.
•    You seek information from our customer service providers, including providing information related to complaints and disputes.
•    We obtain information about your credit history from credit bureaus.
•    You provide account information, such as personal details (e.g., name, gender, date and place of birth), contact information (e.g., address, email address, mobile number), and employment information.
•    You provide identity information (e.g., photo ID, passport details, national ID card, and nationality).
•    You use your login credentials for online banking or mobile banking apps. We also collect information about your computer or mobile device, including collecting your IP address, operating system and browser type. This information is used for system administration and our own commercial purposes.
•    We conduct necessary investigations, including due diligence checks, anti-money laundering, counter-fraud, and counter-terrorism checks, and obtain information to support our regulatory obligations (e.g., transaction details and detection of any suspicious or unusual activities).
•    We may record conversations you have with us – including phone calls, face-to-face meetings, letters, emails, and other forms of contact – for the purposes of verifying your instructions to us and improving our product and service delivery.
•    We may collect information about your computer or mobile device, including (where available) your IP address, operating system, and browser type. This information is used for system administration purposes. 
When processing your Personal Data collected from other sources, we will provide you with the required information as per Article 4(1) of the KSA PDPL Implementation Regulations, in addition to the categories of personal data being processed and the source from which it was obtained, within a period not exceeding 30 days. We will also ensure that the processing is lawful, necessary, and proportionate to the specified purpose, and it does not affect your rights and interests. 


5. HOW WE USE YOUR INFORMATION


•    We will only use your information where you have provided your consent, or where we are required to do so by law. If you refuse to provide us with your consent (where applicable) to use and/or share your Personal Data, we may not be able to offer you the products or services for which consent is required, due to regulatory restrictions, 
•    We use the information we collect to provide customers with high-quality products and services, manage our business, and deliver an enhanced and personalised customer experience.
•    We make appropriate use of your data to manage transactions, respond to your requests, and provide products and services that are more relevant to you.
•    We use your information to deliver our products and services, carry out your instructions, and support the provision of online banking, mobile banking, and other digital services.
•    We process this information to detect and prevent financial crimes, including fraud, terrorist financing, and money laundering. This is necessary to ensure security and maintain business continuity.
•    Automated decision-making for payment facilitation and/or fraud minimisation systems.
•    We use your information to meet our compliance obligations, fulfil legal and regulatory requirements, and share it with regulators when absolutely necessary.
•    Where we have your consent, we may use Personal Data such as your email address, mobile number, or mailing address to send you marketing communications that may interest you, including special offers, updates, and advertising via our websites or directly. 
•    We may send you general announcements or important updates relating to your account. 


6. WHO WE SHARE YOUR INFORMATION WITH?


At GIB, in our efforts to provide you with high-quality products and services, we may need to outsource certain parts of our service delivery. This will always be done in accordance with relevant laws and regulations. We may share your Personal Data with internal parties (e.g., GIB entities and/or affiliates) and external parties (e.g., regulatory authorities, service providers, third parties, etc.) to the extent necessary to fulfil the purposes described in this Notice.
We may also share your information where we have a legal or public duty to do so; when we need it to complete regulatory reporting; and when we have requested and received your consent to share it. In certain cases, where permitted by law, this may involve transferring your Personal Data outside the Kingdom of Saudi Arabia (KSA). Any such transfer will be carried out in compliance with applicable data protection laws. Where we transfer your personal information outside the region, we will ensure that appropriate safeguards are in place to maintain the same level of data protection required under the law.


Under the existing relationship between you and us, we may disclose or share your Personal Data with trusted third parties, on an occasional basis (one-time) or periodically and recurrently, depending on the nature of the service provided or relevant legal and regulatory requirements. This includes, but is not limited to, implementing regular operations such as billing cycles, completing transactions, submitting applications for new banking products or services, conducting periodic reviews for KYC and AML/CTF compliance, and handling complaints, disputes, or enquiries. For security and safety reasons, we may use CCTV cameras and surveillance systems on our premises. Recorded footage may be used to monitor and investigate security incidents, prevent fraud, and ensure the safety of our customers, employees, and assets.
If you have a joint account with one or more other individuals, please note that we may disclose account information and transaction details to all joint account holders. Each joint account holder is responsible for ensuring they have the necessary authority and consent to provide and access Personal Data related to the joint account.


7. LEGAL BASIS


We will collect and use your Personal Data in accordance with the Personal Data Protection Law and its implementing regulations (collectively referred to as the PDPL) and any other rules or regulations issued thereunder from time to time, or by competent authorities, including SAMA, the Saudi Data and AI Authority (SDAIA), and any other competent authority in accordance with the PDPL.


Depending on the reason behind processing your Personal Data, the legal basis for processing your Personal Data should be one of the following:


•    The conclusion and implementation of an agreement: To take the necessary steps to enter into or implement a contract or agreement with you regarding the services or products you request, or to fulfil our obligations under such contract or agreement.
•    Compliance with legal and regulatory requirements: To comply with any legal obligations or requirements imposed by competent regulatory authorities, including conducting necessary checks to ensure compliance with legal and regulatory requirements and disclosing information to competent regulatory and supervisory authorities.
•    Consent: In specific cases where your consent has been obtained (when required by law) or where the consent of the data owner is required by law, including the requirement to obtain explicit consent for specific types of data under the PDPL.
•    Actual interest: In some cases, if it is necessary to perform an action that would achieve an actual interest of the data owner (whether material or moral) and contacting the data owner was impossible or difficult.
•    Legitimate interest: If data processing is necessary to achieve the legitimate interest of the Bank without prejudice to any of your rights or interests, and to the extent that the Personal Data is necessary for the purpose for which the data is being processed. This does not include sensitive data.
Examples of legitimate interest include (but are not limited to) the following, provided they do not conflict with any of your rights under the PDPL:
o    Improving our products, services, and your experience across our channels, promoting new financial and investment products and services that may be of interest to you, and understanding your needs as a customer and your eligibility for products and services.
o    Receiving and processing complaints, requests, or reports submitted by you or third parties to us.
o    Taking the necessary steps to improve our products, services, and use of technology, and conducting market research.
o    Cooperating in carrying out any request or enquiry submitted by actual or potential public authorities or judicial bodies, and providing evidence and support in relation to litigation proceedings.
o    Enabling us to provide you with products and services.
o    Protecting you from fraud by conducting identity and credit checks and conflicts of interest procedures.
o    In order to protect the security of our information and network, we may process your Personal Data to monitor and identify security risks, prevent unauthorised access to our systems, and ensure the integrity and confidentiality of your information and our services. Implementing precautionary measures includes encryption, firewalls, and intrusion detection systems (IDS), as well as conducting security audits to identify and mitigate vulnerabilities.


8. COOKIES


We use 'cookies' to monitor how users interact with our website www.gib.com. A cookie is a piece of data stored on your computer's hard drive that records information about your visit to a website. Cookies help us understand how our customers use our website, enabling us to develop and improve it. A separate ‘Cookie Notice’ will be provided to you (along with the ‘Cookie Banner’ if any non-essential cookies are used) by GIB.


9. APPLICABILITY


This Privacy Notice applies to Personal Data and Sensitive Data, or information collected by us or our affiliates, whether directly from the customer or through our online portals, mobile applications, and electronic communications. It also covers any information collected by our servers via the customer’s browser.


10. SECURITY PRACTICES & PROCEDURES


The security of Personal Data is a top priority for us and is safeguarded through physical, electronic, and procedural measures that comply with applicable laws and regulations. We take reasonable steps and measures to protect customer’s Personal Data from misuse, loss, unauthorised access, alteration, or disclosure. We maintain our security systems to ensure that the customers’ Personal Data is appropriately protected and follows standard encryption norms for the transmission of information. We also ensure that our employees and affiliates uphold strict confidentiality obligations with regard to any Personal Data in our possession.


11. RETENTION OF PERSONAL DATA


At GIB, we retain your Personal Data only for as long as required by regulatory authorities and for the purposes outlined in this Privacy Notice. We will retain and use your information only to the extent necessary to comply with our legal obligations (for example, where we are required to retain data under applicable laws), to resolve disputes, and to enforce our legal agreements and policies, in accordance with the Electronic Banking Services instructions and other applicable rules and regulations within the relevant jurisdiction. 


We are committed to protecting Personal Data by applying the highest standards of security and compliance, in accordance with (including but not limited to) the Personal Data Protection Law (PDPL), the regulations of the National Data Management Office (NDMO), and any other applicable legislation. The following outlines our practices concerning data storage, geographic location, and the secure disposal of data:

 

1. Data Storage:
•    Personal Data is stored in secure environments that utilise advanced technologies to prevent unauthorised access, modification, or loss.
•    Data is stored in our data centres located within the Kingdom of Saudi Arabia, or with a cloud service provider (CSP) inside or outside the Kingdom of Saudi Arabia, or at any approved locations that comply with applicable data protection regulations while ensuring data sovereignty is maintained.
•    In cases where cross-border data transfers are necessary, they are carried out in accordance with legal requirements governing international data transfers, while ensuring that appropriate safeguards are in place to protect the data.


2. Data Disposal:
•    We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations.
•    Once the purpose is fulfilled or the retention period expires, Personal Data is securely disposed of using approved technical methods that ensure it cannot be recovered or accessed again. Where information is subject to specific legal retention requirements, it will be archived accordingly. These methods include:
o    Secure deletion from electronic systems.
o    Physical destruction of storage media such as hard drives or portable devices.
o    Documented disposal processes to ensure transparency and accountability.


12.COLLECTION OF DATA FROM MINORS


If you are a resident of the Kingdom of Saudi Arabia and under the age of 18, or if you reside elsewhere and have not yet reached the age of majority in your jurisdiction, we are not permitted to contract with you directly. Where required by local legislation, by agreeing to this Privacy Notice, your guardian acknowledges and consents to its terms on your behalf. If we seek your consent to process your Personal Data for a specific purpose under this Privacy Notice, such consent must be granted by your guardian on your behalf.


13. PRIVACY NOTICE CHANGES


The effective date of this Notice is indicated above. Any updates or changes to the Notice will be posted on this website with the new revised date, which will reflect the effective date of those changes. Your continued use of this website constitutes your acceptance of any such changes to this Notice. Therefore, we recommend you review this Notice periodically to stay informed of the most current version.


14. DATA SUBJECT RIGHTS QUERIES


You may have certain rights relating to your Personal Data, depending on the country from which you access our KSA website. In some cases, and in accordance with applicable legislation such as the Kingdom of Saudi Arabia’s Personal Data Protection Law (KSA PDPL), these rights may include the right to be informed. This right allows you to receive information from us about the Personal Data we collect and how we use it. The purpose of this Privacy Notice is to fulfil that right.


YOUR RIGHTS – LEGAL RIGHTS AVAILABLE TO HELP MANAGE YOUR PRIVACY


Right to Know / Information
You have the right to know about our contact details, the exact purpose for which your data is collected, the methods used for data collection, and whether the collected data will be shared or sold.
Right to Request Access or Copy
You have the right to access your Personal Data held by us and to obtain a copy of it in a clear and readable format, consistent with the content of the records, at no cost.
Right to Request Correction
You have the right to request correction of any Personal Data we hold about you if it is incomplete, inaccurate, or obsolete. 
Right to Request Destruction
You have the right to request the destruction of your Personal Data collected about you. This may apply if you withdraw your consent for data collection or if the data no longer serves the purpose for which it was collected. 
Right to withdraw Consent from Processing
You have the right to withdraw your consent at any time, which you previously gave in relation to processing of your Personal Data, to the extent permitted by applicable laws and regulations, as we are required to retain certain data for a period of time. 
Right to Limit/Restriction of Processing
You have the right to limit or refuse the processing of your Personal Data by GIB in certain circumstances and for a limited period of time. Although this right is not explicitly provided under the KSA PDPL, the regulatory authority has released a set of FAQs clarifying its application.
We are required to ensure that you are appropriately informed about these rights and have established dedicated channels for you to exercise them. We must fulfil these requests within 30 days and keep a record of all data subject requests received.
These rights are neither absolute nor applicable in all circumstances. You are entitled to any other additional rights granted by applicable laws and regulations.


Additionally, if you suffer damage as a result of our violation of the requirements of the PDPL or its Implementing Regulations, you may apply exclusively to the competent court in the Kingdom of Saudi Arabia for proportionate compensation for material or moral damage.
If you wish to exercise these rights, please contact the Data Privacy / Protection Team (Data Management Office) through the following email: or or call 8001166336 locally or +966920026336 internationally.


15. DISCLAIMER


This Privacy Notice is not intended to, nor does it, create any contractual rights whatsoever or any other legal rights, nor does it impose any obligations on us in respect of any other party or on behalf of any party. When you log in to third-party websites, you are not subject to or governed by this Privacy Notice. We are not responsible for the content of those websites, and we do not represent third parties. Therefore, we recommend you review the privacy and security policies of any third-party websites you access.
We also emphasise the importance of protecting your login credentials and notifying us immediately of any unauthorised access or use of your accounts with us.


CONTACT US


If you have any questions, concerns, or complaints regarding our compliance with this Privacy Notice and the KSA PDPL, or if you wish to exercise your rights, please contact us. We will investigate and attempt to resolve complaints and disputes, making every reasonable effort to honour your wish to exercise your rights as quickly as possible, and in any event within the timescales prescribed by applicable data protection laws or regulations.


For any questions or comments regarding the processing of your Personal Data, our privacy practices, or if you would like us to update information or preferences you have provided to us, please contact the Data Privacy / Protection Team (Data Management Office) through email: or


If you are not satisfied with how we have addressed your Personal Data complaint, you may contact the Saudi Central Bank (SAMA).
 

Gulf International Bank - Saudi Arabia, a Saudi Closed Joint Stock company with a capital of SAR (7,500,000,000), Commercial Registration No. (2052001920), Unified Number (7001399042), P.O. Box 93, Al Khobar 31952, Kingdom of Saudi Arabia, Telephone +966 13 866 4000, National Address: 5515 Cooperative Council Road - Al Khuzama Area, Unit No. 54, Al Khobar 34721-8208, Website: www.gib.com, Licensed with number: (2007) and it is under the supervision and control of The Saudi Central Bank.