
Global Performance Audit Unit Privacy Policy

This Privacy Policy explains how GPAU Consultancy L.L.C. (“GPAU”, “GPA Unit”, “we”, “us”, “our”) collects, uses, discloses, and protects Personal Data in connection with its consultancy, training, events, research, digital platforms, and related services.

1. DEFINITIONS AND INTERPRETATION

For the purposes of this Policy:

  • “Controller” means GPAU Consultancy L.L.C., with registered address at 101-331, Building – Mashreq-101, Al Suq Al Kabeer, Bur Dubai, Dubai, United Arab Emirates, registered with the Dubai Department of Economic Development under License No. 1574452.
  • “Processor” means any third party engaged by a Controller to process Personal Data on its behalf pursuant to a Data Processing Agreement (DPA).
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
  • “Processing” means any operation on Personal Data, whether automated or manual, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure or destruction.
  • “Data Subject” means the individual to whom Personal Data pertains.
  • “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • “UAE PDPL” means Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (United Arab Emirates).
  • “PDPA” means the Personal Data Protection Act 2010 (Malaysia).
  • “Privacy Act” means the Privacy Act 1988 (Cth) (Australia).
  • “PDPL (KSA)” means the Personal Data Protection Law issued by Royal Decree No. M/19 of 2021 (Kingdom of Saudi Arabia), as amended.
  • “GCC Data Laws” means data protection statutes, regulations, and guidelines applicable to Gulf Cooperation Council Member States (including PDPL).

2. SCOPE AND APPLICATION

2.1 This Privacy Policy establishes the comprehensive framework under which GPAU, in its capacity as Controller, Processor, or joint Controller, undertakes the Processing of Personal Data. It applies to all business activities and operations conducted by GPAU, whether directly or via affiliated entities, including but not limited to:

  • Consultancy services and training programmes;
  • Research, analytics, and benchmarking initiatives;
  • Events, conferences, workshops, and webinars;
  • Digital platforms, websites, and mobile applications;
  • Marketing and promotional campaigns (online and offline);
  • Customer relationship management and support services;
  • Procurement, vendor management, and supply chain engagements;
  • Recruitment, employment, and contractor onboarding processes.

2.2 This Policy governs Personal Data collected from or relating to all categories of Data Subjects, including clients, prospects, suppliers, vendors, contractors, employees, job applicants, website and application users, and any other individuals whose Personal Data is Processed by GPAU in the course of its operations.

2.3 The territorial scope of this Policy is global. Where Personal Data is processed in or from the United Arab Emirates, GPAU Consultancy L.L.C. complies with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and any implementing regulations. Personal Data may be Processed in any jurisdiction in which GPAU operates, subject to applicable local data protection laws. In jurisdictions imposing additional requirements (e.g., GDPR, PDPA, Privacy Act, PDPL (KSA), PDPL (UAE), CCPA/CPRA, PIPEDA (Canada) and UK Data Protection Act 2018), GPAU shall implement any necessary supplemental notices, consent mechanisms, or Processing procedures to achieve full compliance. In the event of any conflict between this Policy and mandatory local law, the latter shall prevail to the extent required.

2.4 This Policy does not apply to data that has been irreversibly anonymised or aggregated so that individuals are no longer identifiable.

2.5 GPAU personnel, affiliates, contractors, and third-party Processors engaged by GPAU are required to comply with this Policy, any related policies, and the terms of applicable Data Processing Agreements (DPAs).

3. CONTROLLER INFORMATION

3.1 Data Controller
GPAU Consultancy L.L.C. acts as the sole Data Controller for all Personal Data processed in connection with its business activities, including consultancy services, training programmes, events, research, publications, and digital platforms.

In this capacity, GPAU determines the purposes and means of processing Personal Data collected through its websites, digital services, professional engagements, and related operations.

In limited circumstances, such as co-branded events, collaborative research projects, or joint initiatives with external partners, GPAU may act as a joint controller together with one or more partner organisations. Where joint controllership applies, GPAU will give Data Subjects clear notice of the arrangement and of the respective roles and responsibilities of each Controller at, or prior to, the point of collection.

3.2 Registered Details
GPAU Consultancy L.L.C.
Registered address: 101-331, Building – Mashreq-101, Al Suq Al Kabeer, Bur Dubai, Dubai, United Arab Emirates
Licensed by the Dubai Department of Economic Development under License No. 1574452

3.3 Data Protection Contact
For any questions about this Privacy Policy or about how we process Personal Data, Data Subjects may contact: Adrian Brudan, Manager at [email protected].

3.4 Data Subject Acknowledgement
By providing Personal Data to GPAU, Data Subjects acknowledge that their information will be processed by GPAU Consultancy L.L.C. as the sole Controller, in accordance with this Privacy Policy and applicable data protection laws.

4. PERSONAL DATA COLLECTED THROUGH WEBSITE INTERACTIONS

GPAU collects Personal Data when individuals interact with its websites, digital platforms, and online services. The categories of Personal Data collected depend on the nature of the interaction and may include:

4.1 Contact forms: name, email address, organisation, role, country, message content, and any additional information voluntarily provided, processed to respond to enquiries and manage professional communications.

4.2 Event registrations (including conferences, webinars, and executive sessions): name, email address, organisation, role, country, participation details, and (where applicable) optional dietary or accessibility requirements, processed to manage participation and related communications.

4.3 Research surveys and assessments: professional profile information, organisational context, and survey responses, which may include opinions or descriptions of organisational practices, processed for research, analysis, reporting, and improvement initiatives.

4.4 Newsletter subscriptions and publications: email address, subscription preferences, and consent records, processed to deliver publications, insights, and updates.

4.5 Gated content downloads (e.g., reports, whitepapers, recordings, podcasts, on-demand webinars, The Ladder magazine): identity and professional data, together with records of accessed content and topic interests, processed to provide access and manage follow-up communications in accordance with stated preferences and applicable legal bases.

4.6 Account creation and knowledge platform access (where applicable): login credentials, access history, and usage logs, processed to manage secure access and platform functionality.

4.7 Mandatory fields are clearly identified at the point of collection. Where Personal Data is required to provide a service or resource, GPAU will indicate the consequences of not providing such data at the time of collection.

5. Transparency at the Point of Collection

When Personal Data is collected through online forms, registrations, surveys, or gated content on GPAU’s digital platforms, GPAU provides clear and concise information at the point of collection, including:

  • the purpose(s) for which Personal Data is collected;
  • the applicable legal basis for Processing;
  • whether provision of data is mandatory or optional; and
  • how Data Subjects can manage marketing preferences or withdraw consent (where applicable).

This information is presented in a clear and accessible manner to enable informed decisions prior to submission.

6. PRINCIPLES GOVERNING PROCESSING

In all jurisdictions in which GPAU operates, Personal Data shall be processed in accordance with the following binding principles, drawn from GDPR Article 5 and equivalent global standards:

6.1 Lawfulness, Fairness & Transparency
6.1.1 Processing shall be lawful only if and to the extent there exists at least one legal basis under applicable law (e.g., consent, contract performance, legitimate interests, legal obligations).
6.1.2 Data Subjects shall be provided with clear, intelligible and easily accessible information regarding Processing activities, consistent with GDPR Articles 12–14, PDPL transparency requirements, and equivalent obligations under local law.

6.2 Purpose Limitation
6.2.1 Personal Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
6.2.2 Any subsequent Processing for archiving in the public interest, scientific or historical research, or statistical purposes shall be subject to appropriate safeguards.

6.3 Data Minimisation
6.3.1 Personal Data processed shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
6.3.2 Regular reviews shall be conducted to ensure Personal Data inventories remain aligned with operational needs and legal requirements.

6.4 Accuracy
6.4.1 GPAU shall take all reasonable steps to ensure that Personal Data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
6.4.2 Mechanisms for Data Subject-initiated corrections and periodic data quality audits shall be in place.

6.5 Storage Limitation
6.5.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which they are collected and processed, or as required by applicable law.
6.5.2 Automated retention schedules and secure deletion protocols shall ensure compliance with retention obligations set forth in Section 15.

6.6 Integrity & Confidentiality
6.6.1 GPAU shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
6.6.2 Measures include, but are not limited to, encryption, pseudonymisation where appropriate, access controls, and secure disposal procedures.

6.7 Accountability
6.7.1 GPAU shall be responsible for, and be able to demonstrate, compliance with these principles ("accountability").
6.7.2 Documentation, internal policies, training programmes, impact assessments (where required), and regular audits shall form part of GPAU’s accountability regime.

7. LEGAL BASES FOR PROCESSING

Personal Data shall be processed only where at least one of the following legal bases applies. Where multiple bases exist, the most specific basis shall prevail:

7.1 Contractual Necessity
7.1.1 Processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the Data Subject’s request prior to entering into a contract (e.g., provision of consultancy services, training programmes, or event registrations).
7.1.2 GDPR: Article 6(1)(b); PDPA: Section 6(1)(c); Privacy Act: Section 16A(1)(b); PDPL: Article 8(c).

7.2 Compliance with Legal Obligations
7.2.1 Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., tax, anti-money laundering, record-keeping, employment law obligations).
7.2.2 GDPR: Article 6(1)(c); PDPA: Section 6(1)(d); Privacy Act: Section 16A(1)(c); PDPL (KSA): Article 8(d), PDPL (UAE): Articles 4–6 (as applicable).

7.3 Consent
7.3.1 The Data Subject has freely given specific, informed, and unambiguous consent to the Processing of Personal Data for one or more specified purposes (e.g., marketing communications, profiling, transfer to third parties).
7.3.2 Consent shall be evidenced by a clear affirmative act, and Data Subjects shall be informed of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
7.3.3 GDPR: Article 6(1)(a) & Article 7; PDPA: Section 9; Privacy Act: Sections 6(1)(a), 7(1); PDPL: Article 8(a).

7.4 Legitimate Interests
7.4.1 Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
7.4.2 Legitimate interests may include, but are not limited to, fraud prevention, network security, business development, and client relationship management.
7.4.3 A documented Legitimate Interests Assessment (LIA) shall be conducted to balance the interests of the Controller against the rights of Data Subjects.
7.4.4 GDPR: Article 6(1)(f); PDPA: Section 6(1)(b); Privacy Act: Section 16A(1)(d); PDPL: Article 8(f).

7.5 Vital Interests and Public Interest (where applicable)
7.5.1 In exceptional circumstances, processing may be necessary to protect the vital interests of the Data Subject or another person, or where processing is required for the performance of a task carried out in the public interest or in the exercise of official authority.
7.5.2 GDPR: Articles 6(1)(d) & (e); PDPL: Article 8(e).

8. Marketing Communications

GPAU processes Personal Data for marketing and outreach purposes in a controlled and lawful manner, in accordance with applicable data protection laws.

Marketing communications may be sent in the following circumstances:

8.1 Subscription-based communications (Consent): where a Data Subject explicitly subscribes to receive newsletters, publications, or updates, GPAU relies on consent and maintains consent records. Consent may be withdrawn at any time.

8.2 Service-related communications (Non-marketing): where a Data Subject registers for an event, webinar, research initiative, training programme, or accesses gated content, GPAU may send communications necessary to deliver the requested service (e.g., confirmations, access details, logistical updates). Such communications are not direct marketing.

8.3 Professional relationship communications (B2B context – Legitimate Interests where permitted): where GPAU has an existing professional or contractual relationship with a Data Subject, GPAU may send limited communications relevant to the Data Subject’s professional role and interests, where permitted by applicable law and based on legitimate interests. Data Subjects may object at any time.

8.4 Data Subjects may opt out of marketing communications at any time by using the unsubscribe mechanism included in each marketing message or by contacting GPAU directly. Withdrawal of marketing consent does not affect the delivery of service-related communications or communications required to comply with legal or contractual obligations.

9. Gated Content, Follow-Up Communications and Automation

Where Data Subjects access gated content on GPAU’s digital platforms (including research reports, publications, webinars, or recorded sessions), GPAU may process Personal Data in order to:

  • provide access to the requested content and deliver related service communications;
  • send limited follow-up communications related to the topic accessed, in accordance with the Data Subject’s stated preferences and applicable legal bases; and
  • record interactions within GPAU’s CRM systems to manage preferences, measure engagement, and improve relevance of communications.

GPAU may apply basic segmentation or classification (such as sector, professional interests, or engagement with content) to tailor communications. GPAU does not carry out automated decision-making, including profiling, that produces legal effects concerning individuals or similarly significantly affects them.

Data Subjects may opt out of follow-up marketing communications at any time using the unsubscribe mechanism provided or by contacting GPAU directly. Service-related communications necessary to deliver requested content or manage participation may continue where required.

10. Cookies, Analytics and Similar Technologies

GPAU uses cookies and similar technologies on its websites and digital platforms to support website functionality, security, measurement of usage, and improvement of user experience.

Cookies may be categorised as:

  • Strictly necessary cookies (required for operation and security);
  • Functional cookies (supporting enhanced functionality and preferences);
  • Analytics cookies (supporting measurement and performance analytics); and
  • Marketing cookies (supporting communication relevance where applicable).

Where required by applicable law, GPAU obtains user consent prior to placing non-essential cookies (including analytics and marketing cookies). Consent preferences are managed through a cookie consent banner and may be updated at any time via the cookie settings mechanism available on the relevant website.

GPAU may use analytics and marketing technologies provided by third parties (including web analytics and CRM-related tracking tools) to support performance measurement and engagement analysis. Such tools are configured and governed in accordance with applicable data protection laws and GPAU’s internal controls.

11. CATEGORIES OF PERSONAL DATA

11.1 The following categories of Personal Data may be collected, processed, and retained by GPAU in connection with its training, consultancy, research, events and related operations:

Category | Description & Examples | Purposes | Legal Basis
Identity & Contact Data | Full name, title, employer, business address, email address, telephone number | Participant registration, account administration | Contract, Consent
Professional & Academic Data | Job title, department, organisation, qualifications, professional certifications, educational background | Eligibility assessment, course placement, reporting | Legitimate Interest, Consent
Training Registration Data | Course selections, attendance records, registration dates, payment details | Course scheduling, attendance tracking, invoicing | Contract, Legal Obligation
Training Content & Evaluation Data | Assessment scores, test results, certification outcomes, feedback forms, trainer evaluations | Certification issuance, performance analysis, quality assurance | Contract, Legitimate Interest
Audio/Video Recording Data | Video recordings of live training sessions, webinar recordings, photographs, participant Q&A transcripts | Training delivery, on-demand access, compliance with contract terms | Legitimate Interest, Consent
Technical & Usage Data | IP address, device identifiers, browser type, access times, clickstream data | Platform security, system performance monitoring | Legitimate Interest
Communications Data | Email correspondence, chat logs, support tickets, survey responses | Customer support, marketing communications | Consent, Legitimate Interest
Marketing & Preference Data | Subscription status, marketing preferences, opt-in/opt-out records, profiling data | Direct marketing, personalised promotions | Consent, Legitimate Interest
Transactional & Financial Data | Billing information, transaction history, contract documents | Billing, financial reconciliation, audit compliance | Legal Obligation
Sensitive Data (where applicable) | Government ID numbers, nationality, professional membership IDs (e.g., ISO, PMI), special dietary requirements | Regulatory compliance, event accommodation | Consent, Legal Obligation

11.2 Recording of Training Sessions
Where training sessions (live or virtual) are recorded, Data Subjects will be notified in advance and provided the opportunity to object. Recordings may capture audio, video, and screen-share content and will be processed for:

  • On-demand access for registered participants;
  • Post-event reviews and quality improvements;
  • Internal training material development;
  • Compliance with contractual or regulatory record-keeping obligations.

11.3 Special Category Data
In exceptional circumstances, where participants voluntarily provide Special Category Data (e.g., health or accessibility needs), such data will only be processed with explicit consent, documented safeguards, and strictly for the purposes communicated at the point of collection.

11.4 Data Source & Collection Methods
Personal Data may be obtained directly from Data Subjects (e.g., via registration forms, surveys, assessments), indirectly from technical systems (e.g., learning management platforms, webinar tools), or from third parties (e.g., employer HR systems, accreditation bodies). All collection methods shall adhere to the principles of transparency and purpose limitation.

12. DATA SHARING, MARKETING & CRM GOVERNANCE

12.1 Use of CRM Systems
GPAU Consultancy L.L.C. maintains and operates a Customer Relationship Management (CRM) system for the purpose of managing client relationships, marketing preferences, course participation, contractual documentation, and communications history. The CRM is configured to:

• Record and manage consent and objection preferences;
• Support Data Subject rights (access, erasure, objection);
• Enforce data minimisation and retention controls.

12.2 Data Sharing with Service Providers
GPAU may share Personal Data with carefully selected third-party service providers acting as Processors, including:

• IT and cloud service providers;
• Email and marketing automation platforms;
• Event management and webinar platforms;
• Payment processors and accounting providers.

All such sharing is governed by written Data Processing Agreements and limited strictly to what is necessary for the contracted services.

12.3 Marketing Communications
GPAU may process Personal Data for direct marketing purposes only where:

• The Data Subject has given valid consent; or
• GPAU has a legitimate interest and the Data Subject has not objected.

Marketing communications may include newsletters, event invitations, publications, and service updates. Data Subjects may opt out at any time using the unsubscribe link in each communication or by contacting GPAU directly.

12.4 Collaboration & Co-Branded Initiatives
Where GPAU conducts co-branded events, publications, or projects with external partners, Personal Data will only be shared:

• With prior notice to the Data Subject;
• For clearly defined purposes;
• Under contractual safeguards and confidentiality obligations.

12.5 Prohibition on Sale of Personal Data
GPAU does not sell Personal Data to third parties.

12.6 Recordkeeping & Accountability
GPAU maintains records of:

• All Data Processing Agreements;
• Marketing consent logs;
• Objection and opt-out requests;
• Data sharing assessments.

These records form part of GPAU’s accountability framework under applicable data protection laws.

13. INTERNATIONAL DATA TRANSFERS & SAFEGUARDS

13.1 Overview of Cross-Border Transfers
13.1.1 Personal Data may be transferred outside the Data Subject’s jurisdiction to enable global service delivery, centralised processing, and collaboration across GPAU and authorised third-party service providers.

13.2 GDPR Chapter V Compliance
13.2.1 For transfers from the European Economic Area, GPAU shall implement one or more of the following safeguards in accordance with GDPR Articles 44–50:

  • Adequacy Decisions: Transfers to countries or territories deemed adequate by the European Commission (e.g., Australia).
  • Standard Contractual Clauses (SCCs): Adoption of the European Commission’s SCCs, supplemented by any required technical, organisational, or contractual measures.
  • Binding Corporate Rules (BCRs): Where applicable, internal governance rules providing consistent safeguards across international data transfers.
  • Derogations: Specific case-by-case derogations (e.g., explicit consent, performance of contract, public interest) if no other mechanism applies.

13.3 PDPA & Privacy Act Transfers
13.3.1 Transfers from Malaysia shall comply with PDPA Sections 129–130, requiring either contractual safeguards or supervisory authority approval.
13.3.2 Transfers from Australia shall adhere to Privacy Act Part IIIC (APP 8), ensuring that overseas recipients provide comparable protections or that exceptions (e.g., consent, performance of contract) apply.

13.4 PDPL Local Transfer Restrictions
13.4.1 Under Saudi Arabia’s PDPL, outbound transfers of Personal Data are permissible only where one of the following is satisfied:

  • Transfer to countries with an explicit adequacy decision by the Saudi Data & AI Authority.
  • Implementation of contractual clauses approved by the Authority in accordance with PDPL Articles 36–38.
  • Explicit, informed consent obtained from the Data Subject for the specific transfer.

13.4.2 In all cases, transfers shall be documented, and Data Subjects shall be informed of any intended cross-border disclosures as part of the local privacy notice.

13.5 Technical & Organisational Safeguards
13.5.1 Regardless of legal mechanism, GPAU may seek to implement robust safeguards to protect transferred Personal Data, including:

  • Encryption of data in transit and at rest.
  • Access controls restricting access to authorised personnel only.
  • Data localisation measures where required by local law.
  • Regular audits and assessments of third-party processors and their security posture.

13.6 Data Transfer Impact Assessments (DTIAs)
13.6.1 For transfers involving high-risk processing (e.g., sensitive data, volume transfers), GPAU shall conduct a documented Data Transfer Impact Assessment to evaluate:

  • The nature and sensitivity of the data.
  • The legal and regulatory environment of the destination country.
  • The adequacy of proposed safeguards and residual risks.

13.6.2 DTIAs shall be reviewed periodically and prior to onboarding any new foreign receiving entity.

13.7 Record-Keeping and Accountability
13.7.1 GPAU shall maintain records of all cross-border transfer mechanisms, SCCs, BCR approvals, derogation consent forms, and DTIAs, in accordance with GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
13.7.2 Such records shall be retained for a minimum of five years and be made available to supervisory authorities upon request.

14. KINGDOM OF SAUDI ARABIA (PDPL) COMPLIANCE & DATA GOVERNANCE

14.1 Commitment to PDPL Compliance
Where GPAU Consultancy L.L.C. processes Personal Data relating to individuals in the Kingdom of Saudi Arabia, it is committed to full compliance with the Saudi Arabian Personal Data Protection Law (PDPL) and all implementing regulations issued by the Saudi Data & AI Authority (SDAIA).

14.2 Data Localisation & Transfer Controls
GPAU undertakes to implement data residency, access control, and cross-border transfer mechanisms consistent with PDPL Articles 36–38, including:

• Use of cloud or hosting providers that operate data centres within the Kingdom of Saudi Arabia where required;
• Contractual safeguards approved or recognised by SDAIA;
• Explicit, informed consent from Data Subjects where legally required.

14.3 Cloud & Infrastructure Standards
GPAU requires that any cloud service providers, IT platforms, or data hosting partners used for KSA-related Personal Data processing:

• Maintain information security certifications or equivalent standards aligned with ISO/IEC 27001, ISO/IEC 27701, SOC 2, or comparable frameworks;
• Implement encryption of Personal Data at rest and in transit;
• Enforce strict access controls, logging, and monitoring.

GPAU is in the process of aligning its internal information security programme with internationally recognised standards, including ISO/IEC 27001 and NIST Cybersecurity Framework principles.

14.4 Vendor Reliance & Contractual Controls
Where GPAU relies on third-party cloud or IT providers, such reliance is governed by:

• Data Processing Agreements;
• Security and confidentiality obligations;
• Audit rights and breach notification clauses.

14.5 Breach Notification (KSA)
In the event of a Personal Data breach affecting KSA-based Data Subjects, GPAU shall notify SDAIA and affected individuals in accordance with PDPL requirements.

15. DATA RETENTION & STORAGE

15.1 General Retention Principles
15.1.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, to satisfy contractual, legal, or regulatory obligations, or to establish, exercise, or defend legal claims.
15.1.2 Retention schedules and secure deletion protocols shall be implemented to ensure automatic archiving, anonymisation, or deletion of Personal Data upon expiry of the retention period.
15.1.3 Extensions to retention periods shall require documented justification, approval by the Data Protection Officer, and, where applicable, notification to Data Subjects.

15.2 Global Retention & Storage Matrix

Data Category | Retention Period | Rationale | Storage Locations (Primary)
Identity & Contact Data | 5 years post-relationship | Statute of limitations, audit | UAE, RO
Transactional & Financial Data | 7 years from transaction date | Tax and financial regulations | UAE, RO
Technical & Usage Data | 2 years rolling | Service optimisation, security | UAE (Cloud)
Marketing & Preference Data | Until withdrawal + 1 year | Proof of consent | UAE, RO
Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | UAE (Cloud), RO
Sensitive Data | As required by local law | Regulatory mandates | UAE, RO, KSA

15.3 Saudi Arabia (PDPL) Specific Retention & Storage
15.3.1 In compliance with PDPL and SDAIA requirements, Personal Data originating from or processed within the Kingdom of Saudi Arabia shall be subject to the following storage and retention controls:

Data Category | Retention Period | Rationale | Storage Locations (KSA)
Identity & Contact Data | 5 years post-relationship | PDPL statutory limits, audit | AWS Middle East
Transactional & Financial Data | 7 years from transaction date | Tax, audit, and regulatory compliance | AWS Middle East
Technical & Usage Data | 2 years rolling | Security, monitoring | AWS Middle East
Marketing & Preference Data | Until withdrawal + 1 year | Consent proof, marketing compliance | AWS Middle East
Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | AWS Middle East
Sensitive Data | As required by PDPL | Explicit consent, PDPL mandates | AWS Middle East

15.4 Secure Disposal & Anonymisation
15.4.1 Upon expiry of retention periods, Personal Data shall be securely disposed of through methods including, but not limited to, irreversible anonymisation, secure deletion, or physical destruction of storage media.
15.4.2 Disposal and anonymisation activities shall be logged, retained for audit purposes, and verified periodically by the Data Protection Officer.

16. DATA SUBJECT RIGHTS & PROCEDURES

16.1 Overview of Rights
Under applicable data protection laws (GDPR, PDPA, Privacy Act, PDPL (KSA), PDPL (UAE)), Data Subjects are entitled to the following rights with respect to their Personal Data:

  • Right of Access: To obtain confirmation of processing and access to a copy of their Personal Data.
  • Right to Rectification: To request correction of inaccurate or incomplete data.
  • Right to Erasure (Right to be Forgotten): To request deletion of Personal Data where no lawful basis for retention exists.
  • Right to Restriction of Processing: To limit the manner in which Personal Data is processed.
  • Right to Data Portability: To receive Personal Data in a structured, commonly used, machine-readable format and transmit it to another Controller.
  • Right to Object: To object to processing based on legitimate interests, including profiling and direct marketing.
  • Right to Withdraw Consent: To withdraw previously given consent without affecting the lawfulness of prior processing.
  • Right to Complaint: To lodge a complaint with a supervisory authority.

16.2 Procedures for Exercising Rights
16.2.1 Requests shall be submitted in writing to the Data Protection Officer (contact details in Section 3.4) or via GPAU’s designated online contact forms.
16.2.2 Upon receipt, GPAU will acknowledge the request within five (5) business days and, where feasible, provide a substantive response within one (1) month of receipt.
16.2.3 Extensions of up to two (2) additional months may apply for complex requests, with notification to the Data Subject and justification for the delay.
16.2.4 No fee shall be charged for requests, except in cases of manifestly unfounded or excessive requests, in which case a reasonable fee may be levied or the request may be refused.

16.3 Verification and Security
To protect privacy and security, GPAU may require Data Subjects to verify their identity before processing a request, using two-factor authentication, government-issued ID, or other appropriate measures.

16.4 Exceptions and Limitations
16.4.1 The rights outlined in Section 16.1 may be subject to exceptions or limitations under applicable law (e.g., freedom of expression, public interest, legal obligations, litigation).
16.4.2 Where an exception applies, GPAU will inform the Data Subject of the reason for refusal and the possibility of lodging a complaint with a supervisory authority.

16.5 Special Procedures for PDPL
16.5.1 For Saudi Arabia, Data Subjects may also submit rights requests directly to the Saudi Data & AI Authority (SDAIA) if dissatisfied with GPAU’s response.
16.5.2 GPAU shall maintain localized request forms in Arabic and English and ensure compliance with PDPL-mandated timelines for responses.

17. SECURITY MEASURES

GPAU Consultancy L.L.C. maintains and continuously develops a comprehensive information security and data protection framework designed to align with internationally recognised standards, including ISO/IEC 27001, ISO/IEC 27701, and the NIST Cybersecurity Framework. These measures are implemented proportionately based on risk, business scale, and regulatory requirements.

17.1 Organisational and Administrative Controls
17.1.1 Adoption and enforcement of robust privacy and security policies, standards, and procedures aligned with ISO/IEC 27001, NIST Cybersecurity Framework, and PDPL requirements.
17.1.2 Regular privacy and security training programmes for all personnel, including mandatory onboarding and annual refresher courses.
17.1.3 Role-based access controls (RBAC) and segregation of duties to limit access to Personal Data to authorised individuals only.
17.1.4 Background screening and confidentiality agreements for employees, contractors, and third-party vendors with access to sensitive Personal Data.

17.2 Technical and Physical Safeguards
17.2.1 Encryption of Personal Data at rest using AES-256 or equivalent, and in transit via TLS 1.2+ or equivalent protocols.
17.2.2 Network segmentation, firewalls, intrusion detection and prevention systems (IDPS), and secure configuration baselines to protect against unauthorised access.
17.2.3 Implementation of multi-factor authentication (MFA) for all administrative and remote access.
17.2.4 Logging, monitoring, and anomaly detection systems with retention of security logs for a minimum of 12 months.
17.2.5 Secure disposal of physical media in accordance with NIST SP 800-88 guidelines and secure wiping of electronic devices.

17.3 Vendor and Third-Party Security
17.3.1 Rigorous due diligence and risk assessment of third-party vendors, service providers, and cloud partners (where applicable) to verify security posture and compliance with required standards.
17.3.2 Inclusion of comprehensive security and privacy obligations in all DPAs and vendor contracts, with right-to-audit clauses and breach notification requirements.
17.3.3 Periodic review of vendor security assessments, SOC 2 reports, ISO 27001 certifications, and penetration test results.

17.4 Security Assessments and Audits
17.4.1 Regular vulnerability scanning, penetration testing, and security code reviews conducted by certified professionals.
17.4.2 Internal and external audits, including annual third-party assessments, to validate compliance with security policies and legal requirements.
17.4.3 Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for high-risk Processing activities, recorded in GPAU’s risk register.

17.5 Incident Response and Breach Management
17.5.1 A formalised Incident Response Plan (IRP) establishing roles, responsibilities, and procedures for identification, containment, eradication, recovery, and post-incident review.
17.5.2 Notification procedures to inform supervisory authorities (e.g., SDAIA, ICO, OAIC) within statutory timelines (72 hours for PDPL, GDPR, etc.) and affected Data Subjects when required.
17.5.3 Maintenance of an incident register, root cause analysis, and corrective action tracking to prevent recurrence.

17.6 Business Continuity and Disaster Recovery
17.6.1 Implementation of resilient backup and disaster recovery solutions, with regular restoration testing to ensure data integrity and availability.
17.6.2 Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems and Personal Data stores.
17.6.3 Annual reviews and tabletop exercises to validate business continuity and disaster recovery plans.

18. CHANGES TO THIS POLICY

18.1 Periodic Review and Governance
18.1.1 This Privacy Policy shall be reviewed at least annually or more frequently as required by changes in applicable law, technological developments, or business practices.
18.1.2 All revisions shall undergo legal and compliance review and be approved by the Data Protection Officer and GPAU’s executive leadership.

18.2 Automated Decision-Making and Profiling

GPAU does not carry out any decision-making based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them, as described in Article 22 of the General Data Protection Regulation (GDPR).

If this ever changes, we will update this Privacy Policy and ensure that such processing is subject to suitable safeguards, including the right to:

  • obtain human intervention,
  • express your point of view,
  • and contest the decision.

18.3 Material Amendments and Data Subject Notifications
18.3.1 Material changes—such as new processing purposes, additional international transfers, or expanded Data Subject rights—shall be communicated to Data Subjects in advance of implementation via:

  • Email notifications to all affected individuals;
  • Prominent notices on GPAU’s websites and digital platforms;
  • Localized communications where required by jurisdiction (e.g., Arabic notices for KSA).

18.3.2 Minor operational or editorial updates that do not affect Data Subject rights or compliance obligations may be implemented without individual notice but will be reflected in the version history.

18.4 Version Control and Historical Archive
18.4.1 Each publication of the Privacy Policy shall be assigned a version number and effective date.
18.4.2 An archive of prior versions, together with a summary of changes, shall be maintained on GPAU’s intranet and made available to Data Subjects upon request.

18.5 Severability
18.5.1 If any provision of this Policy is held invalid or unenforceable under applicable law, such provision shall be severed, and the remaining provisions shall continue in full force and effect.

18.6 Contact for Clarifications
18.6.1 Questions about this Privacy Policy, including requests for clarification on changes, should be directed to the Data Protection Officer as specified in Section 3.4.

Effective Date: January 28, 2026
