Privacy policy

Kalsa, with offices registered in Riyadh, Saudi Arabia as Data Controller in charge of data processing (hereinafter the “Controller”) of the website (hereinafter the “Website”), inform visitors of the Website (hereinafter the “Data Subjects”) about the General Data Protection Regulation (GDPR), pursuant to Art. 13 of European Regulation No. 2016/679.
The Controller is aware of the importance of processing Data Subjects’ personal data, hence he indicates which and how data are processed. By browsing the Website or indicating the willingness to use the services provided by the same, Data Subjects declare that they have read and accepted this policy (hereinafter “Policy”), thus granting their consent to the processing of their personal data by the Controller.
For any information, queries or requests relating to this Policy, the Data Controller provides the Data Subjects with the following email address:

What are the Data Subjects’ rights in relation to the processing of personal data?

Data Subjects have the following rights:

  • The right to be informed if their data are being processed and, if so, to access their personal data
  • The right to rectify their personal data
  • The right to erasure (right to be forgotten) of their personal data
  • The right to restrict the processing of their personal data
  • The right to data portability to receive – or have transmitted to another data controller – their personal data in a structured, commonly used and machine-readable format
  • The right to object to the processing of their personal data
  • The right to withdraw the consent previously granted
  • The right to lodge a complaint with the competent authorities for breach of personal data processing.
How to exercise one’s rights

Data Subjects may exercise their rights by writing to the email address indicated above.
The Controller would like Data Subjects to exercise their rights without incurring any costs. However, to do so the Controller may require specific information to follow up on the Data Subjects’ enquiries in relation to their rights.
Enquiries are usually dealt with within 30 days from receiving them. However, if this deadline cannot be met (e.g. due to a high volume of requests or complexity of the response) it will be the Controller’s responsibility to inform the Data Subjects and keep them updated on the developments.

Which personal data are processed?

The personal data provided to the Controller by both the Data Subjects and third parties, are processed to fulfil the Data Subjects’ contact requests (hereinafter the “Services”) received through the Website.
a) Data provided directly by the Data Subjects

Personal data category
Types of data
Identification and contact data
Name, surname, email address, residence/domicile address, telephone number, tax code/VAT number
Technical data
IP Address
Payment details
IBAN and bank details
Behavioural data
Information regarding the Data Subjects’ behaviour and interests based on their online activity
Online presence data
Links to personal, public and social media pages, personal websites and other material concerning Data Subjects

b) Data collected from third parties

The Controller does not collect personal data from third parties other than the Data Subjects.

Aggregated data

Due to various purposes, the Controller may collect, use and share aggregated data, such as statistical or demographic data.
Aggregated data may come from personal data given by the Data Subjects, but they are not considered as personal data since, as specified by the GDPR, they allow neither the direct nor the indirect identification of the Data Subjects. However, if the Controller combine or connect aggregated data with the Data Subjects’ personal data so that they can directly or indirectly identify the latter, the Controller will process the combined data in accordance with the privacy notice.

Special data

The Controller does not process any Data Subjects’ special data (special data means data relating to ethnic or racial origin, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, genetic, biometric and health data), as well as data relating to criminal convictions and crimes.

Why are personal data processed?

The Controller processes personal data for the purposes indicated in the table below.
The GDPR requires that the Controller has a legal basis to carry out the processing of each personal data.
The Controller may process Data Subjects’ personal data after their consent, and use these as the legal basis for the processing. Consent may be withdrawn at any time. However, the processing carried out until consent is withdrawn shall not be affected.
The summary table below, highlights the purposes and their description:

Delivering, maintaining and updating the Services and the Website
Through the Website, Data Subjects may request to be contacted, to receive information, schedules or number of activities carried out by the Controller.
Providing support to Data Subjects
Resolving technical issues encountered by the Data Subjects while browsing, providing the latter with assistance or requested support, as well as improving the Services and the Website.
The Controller may send Data Subjects updates to inform them on the development of their business, as well as agreements with business partners and participation in events.
Making sure that the Data Controller’s activity complies with legal, regulatory and protection obligations
The Controller may process Data Subjects’ Personal Data in order to conform to legislative and regulatory obligations, as well as to comply with the provisions of the judicial and administrative authorities.
The Controller may also process the data to protect their rights and interests. These include judicial protection or due diligence in the evaluation of corporate structure changes.
What happens if Data Subjects do not provide the necessary personal data?

If data are essential to provide the Services, the Controller shall not be able to provide them and support Data Subjects with their requests. In this case, the Controller may request an integration to the personal data or delete the Data Subjects’ personal data, stopping Services from being provided.

To whom are personal data communicated and disseminated?

a) Communication
Data Subjects’ personal data might be communicated to third parties instead of the Joint Controllers, as better indicated in the table below:

Purpose of the communication
The Joint Controllers’ providers support them in the provision of Services with, but not limited to, development of the Website, hosting, maintenance, backup, virtual infrastructure.
Business Partners
The Joint Controllers may communicate the data to business partners who help them with the development of their Products and planning of fairs and other events in which they participate.
External consultants
In the event of legal obligations or obligations relating to a relationship established with the Data Subjects, the Joint Controllers might communicate personal data to external consultants. These include accountants and lawyers.
Judicial authorities and proceedings
The Joint Controllers might communicate the Data Subjects’ personal data to state and/or administrative and/or judicial authorities if this is mandatory under the law, regulations or provisions of the authorities or to defend their own rights and/or interests.


b) Dissemination
Data Subjects’ personal data will not be disseminated.

How long are personal data stored?

Cookies are kept for as long as necessary to achieve the above-mentioned purposes. For more details on the storage times of each cookies’ individual category (as indicated in the table above), the Data Subjects can contact the Controller by email at

Where do we keep personal data?

Controller keeps personal data in paper files stored at the headquarters, as well as on computer archives located within the European Union, but also outside it – if these are essential to the pursuit of the purposes indicated in letter a). In the latter case, the Controller ensures that companies established outside the European Union, process personal data with the utmost confidentiality in compliance with adequacy decisions adopted by the European Commission, any Privacy Shield or, if necessary, entering into agreements that guarantee an adequate level of protection.

What is the policy on the processing of minors’ data?

The Controller is aware that the processing of data relating to minors is a sensitive matter. It is noted that Services are not intended for minors under the age of 14, hence the Controller does not voluntarily process these data. In this sense, Data Subjects under the age of 14 should not request any Service.
The Controllers encourages parents or those responsible for minors under the age of 14 to check that they do not request Services and, in any case, to warn them not to disclose their personal data through the Website.
If the Controller becomes aware that some personal data belong to minors under the age of 14, they will make sure to delete them.

What happens if there are links to other websites?

The Controller informs Data Subjects that this Policy applies exclusively to the Website. However, the Data Subjects are recommended to verify the information present on other websites before disclosing their personal data.
The Controller takes no responsibility for personal data disclosed by Data Subjects on other websites.

How are personal data processed?

The Controller processes the Data Subjects’ personal data by adopting appropriate security measures aimed at preventing unauthorised access, disclosure, modification and destruction.
The processing of data is carried out through telematic procedures, electronic means and, alternatively, on paper by specially authorised internal personnel as well as external managers (if appointed), depending on the contractual agreements in place.
The processing can also be carried out through the use of automated means.

Policy Changes

Controller reserves the right to amend this Policy at any time. In case of changes, the Controller will upload the new policy on this page and the Data Subjects shall check the changes carried out on the Policy: Data Subjects will be able to review the Policy history by checking the date.
By continuing to use the Website following the changes to the Policy, the Data Subjects accept the new conditions and consent to the processing of data as modified.



Updated: 27 January 2021