KAR OG Alan Sasan DMCC

KAR OG Dima DMCC – Privacy Policy

Last Updated: [Jan 2026]

This Privacy Policy explains how KAR OG Dima DMCC, its subsidiaries and affiliates (“Company”, “we”, “us”, or “our”) collect, use, disclose, store, and protect personal data in connection with our business operations in the oil and gas sector, including activities conducted in Iraq and internationally.

We are committed to processing personal data lawfully, fairly, and transparently, and in accordance with:

  • Applicable Iraqi laws and regulations (including labour, commercial, telecommunications, cybersecurity, and sector-specific obligations); and
  • The EU General Data Protection Regulation (GDPR) where applicable to individuals located in the European Economic Area (“EEA”).

 

  1. Data Controller and Contact Information

For the purposes of applicable data protection laws, the data controller is:

[KAR OG Dima DMCC]
Registered Address: [Baghdad, Iraq]
Email: [addaimah@kar-k.com]
Telephone: [+964 773 453 1550]

Where required under GDPR, we have appointed an EU Representative:
KAR OG Dima DMCC, Baghdad, Iraq, +964 773 453 1550

 

  2. Scope of This Policy

This Privacy Policy applies to personal data relating to:

  • Employees, secondees, and contractors
  • Job applicants and former employees
  • Customers, joint venture partners, suppliers, and service providers
  • Visitors to our offices, sites, and facilities
  • Users of our websites, systems, and digital platforms

It applies regardless of whether personal data is collected directly from you or from third parties acting lawfully.

 

  3. Categories of Personal Data We Process

Depending on the nature of your relationship with us, we may process the following categories of personal data:

3.1 Identification and Contact Information

  • Full name
  • Nationality
  • Passport or identification details (where required by law or security regulations)
  • Business and/or personal contact details
  • Emergency contact details (for employees or site personnel)

3.2 Employment and HR Information

  • CVs, qualifications, work history
  • Employment contracts and payroll data
  • Performance, training, disciplinary, and attendance records
  • Health and safety records (where legally required)

3.3 Business and Contractual Information

  • Company affiliation and role
  • Contract performance and correspondence
  • Financial and invoicing information
  • Vendor due diligence and compliance data

3.4 Technical and Digital Information

  • IP addresses and device identifiers
  • System access logs
  • Website usage data and cookies

3.5 Security and Site Access Data

  • CCTV footage
  • Access badge and entry/exit records
  • Incident and investigation records

 

  4. Purposes of Processing

We process personal data for legitimate business and legal purposes, including:

  • Performing and managing contracts and commercial relationships
  • Operating oil and gas projects safely and efficiently
  • Human resources administration and workforce management
  • Compliance with legal, regulatory, and contractual obligations
  • Health, safety, security, and environmental protection
  • IT systems management and cybersecurity
  • Investigations, audits, and dispute resolution
  • Business continuity and risk management

Personal data will not be processed in a manner incompatible with these purposes.

 

  5. Legal Bases for Processing (GDPR)

Where GDPR applies, our processing is based on one or more of the following legal grounds:

  • Performance of a contract (Article 6(1)(b))
  • Compliance with a legal obligation (Article 6(1)(c))
  • Legitimate interests pursued by the Company (Article 6(1)(f)), including business operations, security, and risk management
  • Consent, where required (Article 6(1)(a))

Where Iraqi law applies, processing is carried out in accordance with applicable statutory, contractual, and regulatory requirements.

 

  6. Disclosure and Sharing of Personal Data

We may disclose personal data to:

  • Affiliates and group companies for legitimate operational purposes
  • Third-party service providers (e.g., IT, payroll, security, professional advisers) acting under contractual obligations
  • Joint venture partners, where necessary for project operations
  • Government authorities or regulators, where required by law or licence conditions

All third parties are required to implement appropriate confidentiality and security measures.

 

  7. International Transfers

Given the international nature of oil and gas operations, personal data may be transferred outside Iraq or the EEA.

Where data is transferred from the EEA:

  • We rely on Standard Contractual Clauses, or
  • Other lawful transfer mechanisms recognised under GDPR.

Where data is transferred under Iraqi law, we take reasonable steps to ensure adequate protection consistent with industry standards.

 

  8. Data Retention

Personal data is retained only for as long as necessary to:

  • Fulfil the purposes for which it was collected
  • Comply with legal, regulatory, or contractual obligations
  • Resolve disputes or enforce agreements

Retention periods may vary depending on the category of data and applicable law.

 

  9. Data Subject Rights

9.1 Rights under GDPR (EEA Individuals)

Where GDPR applies, you may have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Request erasure or restriction of processing
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Request data portability
  • Lodge a complaint with a supervisory authority

9.2 Rights under Iraqi Law

Where Iraqi law applies, individuals may request access, correction, or deletion of personal data, subject to applicable legal and regulatory limitations.

Requests may be submitted to: addaimah@kar-k.com

 

  10. Security Measures

We implement appropriate technical and organisational safeguards to protect personal data, including:

  • Access controls and authentication
  • Network and system security measures
  • Confidentiality obligations
  • Physical security at facilities and sites

Despite these measures, no system is completely secure.

 

  11. Cookies and Tracking Technologies

Our websites may use cookies and similar technologies to improve functionality and performance. For further information, please refer to our Cookie Policy.

 

  12. Children’s Personal Data

Our services are not directed to children, and we do not knowingly collect personal data from minors.

 

  13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Updated versions will be made available on our website or otherwise communicated where required by law.

 

  14. Contact and Complaints

If you have questions, concerns, or complaints regarding this Privacy Policy or our data processing practices, please contact:

[KAR OG Dima DMCC]
Email: addaimah@kar-k.com
Address: [Baghdad, Iraq]