Tamara - Candidate Privacy Notice

Last updated: December 12, 2025

Who is responsible for your Personal Data

Tamara Finance Company, having its registered seat at King Abdullah bin Abdulaziz Road, King Salman Dist, Building No. 2907, Riyadh, Saudi Arabia, is the data controller and the party responsible for your Personal Data (referred to in this Notice as "Tamara" or the pronouns “we”, “our” or "us"). As such, Tamara processes your personal data in compliance with the KSA Personal Data Protection Law (PDPL) and its Implementing Regulations. You can contact Tamara at privacy@tamara.co

We have an appointed Data Protection Officer (DPO), who is responsible for following up on inquiries related to this privacy notice and ensuring compliance with the PDPL. The DPO also serves as the primary contact point for data subjects and the competent supervisory authority regarding data protection matters.

Categories of Personal Data

For each category of Candidate Data and Sensitive Candidate Data listed below, Tamara processes this data only for specific, legitimate purposes as described in this Notice. Our processing is underpinned by a clear legal basis as required by the KSA Personal Data Protection Law (PDPL).

We process the following Candidate Data about you:

  • Identification & Contact Data: your name, title, home address, phone number, personal email address, nationality, date of birth, and similar data provided in your application.
  • Application & Assessment Data: CV/resumé, cover letters, application form responses, interview notes, results of assessments or tests.
  • Background & Reference Data (where lawful and relevant to the role): referees’ contact details, reference responses, education and employment verification, criminal-record checks for regulated roles.
  • Communication Data: correspondence with Tamara during the recruitment process (emails, scheduling, recruitment portal logs limited to the process).

We may also process the following Sensitive Candidate Data, but only where permitted or required by law:

  • Health or disability information to enable reasonable adjustments during recruitment.
  • Biometric identification data if used for identity verification or access to Tamara systems.
  • Criminal conviction data for regulated roles, where legally required.
  • Religious data only if needed to meet statutory obligations.

Methods of Collecting and Sources of Personal Data

The source from which your Personal Data originates is typically from you as the candidate, and from third parties lawfully engaged in the recruitment process.

We may collect your Personal Data in the ways listed below:

  • Directly from you, such as through application forms, CV/resumé submissions, interviews, and assessments.
  • Generated during the recruitment process, such as assessment results or interview notes created by Tamara.
  • From third parties, such as referees, background-check providers, or public authorities, but only to the extent permitted by applicable law and relevant to the role you applied for.

Processing Purposes and Legal Bases

We process your Personal Data to the extent permitted or required under applicable law for the following purposes:

  • Recruitment and Selection Purposes: Evaluating your skills, experience, and suitability for the role; scheduling and conducting interviews or assessments; communicating with you about the recruitment process.

Legal basis: pre-contractual steps necessary to enter into an employment contract; Tamara’s legitimate interests in staffing and recruitment.

  • Background and Reference Check Purposes: Where lawful and relevant to the role, conducting background checks and contacting referees to verify your information.

Legal basis: legal obligation for certain regulated roles; Tamara’s legitimate interests; where required by PDPL, explicit consent for specific sensitive data.

  • Regulatory and Compliance Purposes: Responding to lawful requests from regulators or authorities and complying with applicable laws and regulations.

Legal basis: legal obligation.

  • Future Opportunities (Talent Pool) Purposes: If you consent, retaining your application data to consider you for other positions at Tamara. 

Legal basis: explicit consent (you may withdraw at any time).

Sensitive Candidate Data – Purposes and Legal Basis

We may process certain types of sensitive personal data, but only where permitted or required under the KSA Personal Data Protection Law (PDPL) and relevant regulations.

The following categories may be processed in the recruitment context:

  • Health or Disability Information: to provide reasonable adjustments during assessments, interviews, or other stages of the recruitment process.
  • Biometric Identification Data: if used for identity verification or access to Tamara’s recruitment systems.
  • Criminal Conviction Data: for roles where required by applicable laws or regulatory obligations.
  • Religious Data: only where legally necessary to meet statutory obligations.

Legal basis:

  • Legal obligation (e.g., roles subject to regulatory checks).
  • Explicit consent where PDPL requires it (e.g., retaining sensitive data beyond recruitment).
  • Legitimate interests in ensuring a fair, safe, and compliant recruitment process, balanced against your rights and freedoms.

Cross-Border Data Transfers

Tamara operates regionally and internationally, and as part of the recruitment process your Personal Data may be transferred to destinations outside the Kingdom of Saudi Arabia. This may include other Tamara group companies or third-party service providers (such as background-check or recruitment system providers) engaged to support the hiring process.

Whenever Candidate Data is transferred outside of the Kingdom, Tamara applies the requirements of the KSA Personal Data Protection Law (PDPL) and its Implementing Regulations. This includes ensuring that appropriate safeguards are in place, such as:

  • Transfers to jurisdictions deemed to provide an adequate level of protection,
  • The use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or
  • Other legally recognized transfer mechanisms.

Tamara would only transfer the minimum amount of Candidate Data necessary for the recruitment process, and apply appropriate organizational and technical measures to protect your Personal Data during any transfer.

Retention Periods and Deletion

We keep your Personal Data only as long as necessary to fulfill the purposes set out in this Notice and in accordance with PDPL Regulation. 

  • Non-hired candidates: Recruitment records (e.g., CVs, interview notes, application data) are retained for 12 months following the end of the recruitment process, after which they are securely deleted or anonymized, unless we are required by law to keep them longer, or you consent to us retaining them for future opportunities.
  • Hired candidates: If you join Tamara, your data becomes part of your personnel file and is processed under the Employee Privacy Notice, with retention periods that apply to employees (e.g., personnel files retained for 5 years after the end of employment).

In some cases, data may be retained longer where required for litigation, regulatory obligations, or public interest purposes, in line with the PDPL and our Data Retention Policy. Once the retention period expires and no lawful basis remains, your Personal Data will be securely destroyed or anonymized so that it can no longer identify you.

Your Rights under PDPL

As a candidate, you have the following rights in relation to your Personal Data, under the KSA Personal Data Protection Law (PDPL) and its Implementing Regulations:

  • To be informed of the legal basis and purposes of processing your Personal Data.
  • To access your Personal Data and obtain a copy.
  • To request rectification of inaccurate or incomplete data.
  • To request erasure of your Personal Data where there is no lawful basis to continue processing.
  • To object to certain types of processing or withdraw your consent where processing is based on consent.
  • To request restriction of processing in certain circumstances.
  • To request portability of your Personal Data to another controller, where technically feasible.
  • To lodge a complaint with the competent authority.

To exercise your rights, please contact privacy@tamara.co. We will respond in line with PDPL requirements and within the statutory timelines.

Data Transfers, Recipients and Legal Justification

We share Candidate Data, where necessary and lawful, with the following categories of recipients:

  • Tamara Group Companies: Other Tamara entities may access Candidate Data to support recruitment, HR, and compliance processes, always subject to the same safeguards and PDPL requirements.
  • Regulators, Authorities, and External Advisors: Where required by law, we may disclose Candidate Data to regulatory bodies, courts, or professional advisors (e.g., auditors, legal counsel) in connection with regulatory obligations or legal proceedings.
  • Third-Party Service Providers: We engage service providers to support the recruitment process, such as background-check providers, applicant tracking system (ATS) vendors, and recruitment software/platforms. These providers process Candidate Data solely under Tamara’s instructions and are bound by confidentiality and security obligations.

All transfers are made only where there is a lawful basis under PDPL, and only the minimum necessary data is shared.

Information Security

Tamara applies organizational, administrative, and technical measures to protect Candidate Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Access to Candidate Data is restricted to individuals who have a legitimate business need-to-know in the recruitment process, and all such individuals are bound by confidentiality obligations.

Tamara maintains procedures to identify, investigate, and respond to actual or suspected data incidents. Where required under the PDPL, we will notify the competent authority and affected individuals without undue delay.

Automated Decision-Making

Tamara does not take decisions about candidates that are based solely on automated processing and that produce legal or similarly significant effects.

If this changes in the future, Tamara will provide you with specific information about the logic involved, the significance and potential consequences of such processing, and your related rights under the PDPL.

How to Contact Us

If you have any questions about this Notice or wish to exercise your rights under the PDPL, you may contact us at:

  • Email: privacy@tamara.co
  • Data Protection Officer (DPO): appointed by Tamara to oversee compliance with this Notice and the PDPL, and to act as the primary contact point for candidates and relevant authorities.