Policies
Who are we?
Lerero is a leading SaaS learning solution that enhances learning experiences through a series of powerful and unique features. Lerero is incubated and part of The KPI Institute, with the company headquarters in Life.lab Building, 198 Harbour Esplanade, Suite 606, Melbourne Docklands, VIC 3008, Australia.
By using the Services and the Website, you accept and consent to the use of your information as described in this Policy. From time to time, we may revise this policy to reflect changes in applicable laws, regulations, practices, or features of our Services or Website. Any policy changes will be updated and posted under the various Policy links on the homepage of the Website. Your continued use of the Services and Website following any such changes constitutes your acceptance of the newly-updated Policy. Please be sure to check this page before proceeding to use our Services or Website.
The KPI Institute Privacy Statement
Welcome! This Privacy Statement explains how The KPI Institute collects your personal and technical information, why we use it, and the measures we take to protect it. You’ll learn what types of data we gather and for which purposes, the legal bases that allow us to process your information, and the security safeguards we have in place. We also explain your rights—how you can access, correct, delete, or restrict our use of your data—and provide clear instructions for exercising them. If you have any questions or need assistance, our Data Protection Officer is ready to help at dataoffice@kpiinstitute.org. For full details and legal definitions, please continue to the sections that follow.
- DEFINITIONS AND INTERPRETATION
For the purposes of this Statement:
- “Controller” means The KPI Institute Pty. Ltd. (ACN 109 262 366), or, where applicable, any entity within the KPI Institute Group determining the purposes and means of processing Personal Data.
- “Processor” means any third party, including intra‑Group entities, engaged by a Controller to process Personal Data on its behalf pursuant to a Data Processing Agreement (DPA).
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
- “Processing” means any operation on Personal Data, whether automated or manual, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure or destruction.
- “Data Subject” means the individual to whom Personal Data pertains.
- “KPI Institute Group” or “Group” means The KPI Institute Pty. Ltd. and its affiliated legal entities listed in Section 3.
- “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
- “PDPA” means the Personal Data Protection Act 2010 (Malaysia).
- “Privacy Act” means the Privacy Act 1988 (Cth) (Australia).
- “PDPL” means the Personal Data Protection Law (Crown Prince Court Order No. 4 of 2021) (Saudi Arabia).
- “GCC Data Laws” means data protection statutes, regulations, and guidelines applicable to Gulf Cooperation Council Member States (including PDPL).
- SCOPE AND APPLICATION
2.1 This Privacy Statement establishes the comprehensive framework under which the KPI Institute Group, in its capacity as Controller, Processor, or Joint Controller, undertakes the Processing of Personal Data. It applies to all business activities and operations conducted by the Group, whether directly or via affiliated entities, including but not limited to:
- Consultancy services and training programmes;
- Research, analytics, and benchmarking initiatives;
- Events, conferences, workshops, and webinars;
- Digital platforms, websites, and mobile applications;
- Marketing and promotional campaigns (online and offline);
- Customer relationship management and support services;
- Procurement, vendor management, and supply chain engagements;
- Recruitment, employment, and contractor onboarding processes.
2.2 This Statement governs Personal Data collected from or relating to all categories of Data Subjects, including clients, prospects, suppliers, vendors, contractors, employees, job applicants, website and application users, and any other individuals whose Personal Data is Processed by the Group in the course of its operations.
2.3 The territorial scope of this Statement is global. Personal Data may be Processed in any jurisdiction in which the Group operates, subject to applicable local data protection laws. In jurisdictions imposing additional requirements (e.g., GDPR, PDPA, Privacy Act, PDPL, CCPA/CPRA, PIPEDA (Canada) and UK Data Protection Act 2018), the Group shall implement any necessary supplemental notices, consent mechanisms, or Processing procedures to achieve full compliance. In the event of any conflict between this Statement and mandatory local law, the latter shall prevail to the extent required.
2.4 This Statement does not apply to data that has been irreversibly anonymised or aggregated so that individuals are no longer identifiable.
2.5 All Group personnel, affiliates, contractors, and third party Processors engaged by the Group are required to comply with this Statement, any related policies, and the terms of applicable Data Processing Agreements (DPAs).
- CONTROLLERS WITHIN THE KPI INSTITUTE GROUP
3.1 Principal Controller
The KPI Institute Pty. Ltd. (ACN 109 262 366), Level 3, 406 Collins Street, Melbourne, VIC 3000, Australia, shall act as the principal Controller for all Group-wide Processing activities, determining the purposes and means of Personal Data processing.
3.2 Joint Controllers
Where two or more Group entities jointly define Processing objectives and methods (e.g., co‑development of digital platforms or co‑hosting of events), they shall be deemed Joint Controllers. In such cases, the respective Joint Controllers shall conclude a Joint Controller Agreement specifying:
- Allocation of responsibilities for compliance with Data Subject rights and GDPR Article 26 obligations.
- Mechanisms for Data Subject communications and exercise of rights.
- Indemnification and liability arrangements between the Joint Controllers.
3.3 Appointed Processors
The following intra‑Group entities and selected third‑party service providers shall operate as Processors under binding Data Processing Agreements (DPAs), processing Personal Data exclusively on documented instructions:
- Connected Performance Training Institute – 718620 (AE)
- Connected Performance Sdn. Bhd. – 1128752‑H (MY)
- The KPI Institute for Training – 1009067330 (KSA)
- Integerperform S.R.L. – J12/1644/2002 (RO)
- Skills Mandate S.R.L. – J12/4901/2017 (RO)
- Biomimicry S.R.L. – J12/4885/2017 (RO)
- TKI HUB S.R.L. – J32/1162/2017 (RO)
- Lereroworld S.R.L. – J32/420/2019 (RO)
- Acumen Integrat S.R.L. – J12/4194/2004 (RO)
- Fundația Worldskills România – RO36134470 (RO)
DPAs shall incorporate, at a minimum, the following provisions:
- Scope, nature, and purpose of processing.
- Types of Personal Data and categories of Data Subjects.
- Duration of Processing and retention obligations.
- Technical and organisational security measures.
- Sub‑processor engagement rules and audit rights.
- Breach notification obligations.
3.4 Data Protection Officer
- Global DPO: Merut Stefan – Head of Legal and Compliance, Email: dataoffice@kpiinstitute.org
3.5 Data Subject Acknowledgement
By providing Personal Data to any Group entity, Data Subjects acknowledge and consent to:
- Inter‑Group transfer and joint Processing of their Personal Data.
- Processing by both Controllers and Processors as specified in this Statement and related DPAs.
- PRINCIPLES GOVERNING PROCESSING
In all jurisdictions in which the Group operates, Personal Data shall be processed in accordance with the following binding principles, drawn from GDPR Article 5 and equivalent global standards:
4.1 Lawfulness, Fairness & Transparency
4.1.1 Processing shall be lawful only if and to the extent there exists at least one legal basis under applicable law (e.g., consent, contract performance, legitimate interests, legal obligations).
4.1.2 Data Subjects shall be provided with clear, intelligible and easily accessible information regarding Processing activities, consistent with GDPR Articles 12–14, PDPL transparency requirements, and equivalent obligations under local law.
4.2 Purpose Limitation
4.2.1 Personal Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
4.2.2 Any subsequent Processing for archiving in the public interest, scientific or historical research, or statistical purposes shall be subject to appropriate safeguards.
4.3 Data Minimisation
4.3.1 Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4.3.2 Regular reviews shall be conducted to ensure Personal Data inventories remain aligned with operational needs and legal requirements.
4.4 Accuracy
4.4.1 The Group shall take all reasonable steps to ensure that Personal Data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
4.4.2 Mechanisms for Data Subject-initiated corrections and periodic data quality audits shall be in place.
4.5 Storage Limitation
4.5.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which they are collected and processed, or as required by applicable law.
4.5.2 Automated retention schedules and secure deletion protocols shall ensure compliance with retention obligations set forth in Section 10.
4.6 Integrity & Confidentiality
4.6.1 The Group shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
4.6.2 Measures include, but are not limited to, encryption, pseudonymisation where appropriate, access controls, and secure disposal procedures.
4.7 Accountability
4.7.1 The Group shall be responsible for, and be able to demonstrate, compliance with these principles (“accountability”).
4.7.2 Documentation, internal policies, training programmes, impact assessments (where required), and regular audits shall form part of the Group’s accountability regime.
- LEGAL BASES FOR PROCESSING
Personal Data shall be processed only where at least one of the following legal bases applies. Where multiple bases exist, the most specific basis shall prevail:
5.1 Contractual Necessity
5.1.1 Processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the Data Subject’s request prior to entering into a contract (e.g., provision of consultancy services, training programmes, or event registrations).
5.1.2 GDPR: Article 6(1)(b); PDPA: Section 6(1)(c); Privacy Act: Section 16A(1)(b); PDPL: Article 8(c).
5.2 Compliance with Legal Obligations
5.2.1 Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., tax, anti‑money laundering, record‑keeping, employment law obligations).
5.2.2 GDPR: Article 6(1)(c); PDPA: Section 6(1)(d); Privacy Act: Section 16A(1)(c); PDPL: Article 8(d).
5.3 Consent
5.3.1 The Data Subject has given freely‑given, specific, informed, and unambiguous consent to the Processing of Personal Data for one or more specified purposes (e.g., marketing communications, profiling, transfer to third parties).
5.3.2 Consent shall be evidenced by a clear affirmative act, and Data Subjects shall be informed of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
5.3.3 GDPR: Article 6(1)(a) & Article 7; PDPA: Section 9; Privacy Act: Sections 6(1)(a), 7(1); PDPL: Article 8(a).
5.4 Legitimate Interests
5.4.1 Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
5.4.2 Legitimate interests may include, but are not limited to, fraud prevention, network security, business development, and client relationship management.
5.4.3 A documented Legitimate Interests Assessment (LIA) shall be conducted to balance the interests of the Controller against the rights of Data Subjects.
5.4.4 GDPR: Article 6(1)(f); PDPA: Section 6(1)(b); Privacy Act: Section 16A(1)(d); PDPL: Article 8(f).
5.5 Vital Interests and Public Interest (where applicable)
5.5.1 In exceptional circumstances, processing may be necessary to protect the vital interests of the Data Subject or another person, or where processing is required for the performance of a task carried out in the public interest or in the exercise of official authority.
5.5.2 GDPR: Articles 6(1)(d) & (e); PDPL: Article 8(e).
- CATEGORIES OF PERSONAL DATA
6.1 The following categories of Personal Data may be collected, processed, and retained by the Group in connection with its training, consultancy, research, events and related operations:
| Category | Description & Examples | Purposes | Legal Basis |
|---|---|---|---|
| Identity & Contact Data | Full name, title, employer, business address, email address, telephone number | Participant registration, account administration | Contract, Consent |
| Professional & Academic Data | Job title, department, organisation, qualifications, professional certifications, educational background | Eligibility assessment, course‑placement, reporting | Legitimate Interest, Consent |
| Training Registration Data | Course selections, attendance records, registration dates, payment details | Course scheduling, attendance tracking, invoicing | Contract, Legal Obligation |
| Training Content & Evaluation Data | Assessment scores, test results, certification outcomes, feedback forms, trainer evaluations | Certification issuance, performance analysis, quality assurance | Contract, Legitimate Interest |
| Audio/Video Recording Data | Video recordings of live training sessions, webinar recordings, photographs, participant Q&A transcripts | Training delivery, on‑demand access, compliance with contract terms | Legitimate Interest, Consent |
| Technical & Usage Data | IP address, device identifiers, browser type, access times, clickstream data | Platform security, system performance monitoring | Legitimate Interest |
| Communications Data | Email correspondence, chat logs, support tickets, survey responses | Customer support, marketing communications | Consent, Legitimate Interest |
| Marketing & Preference Data | Subscription status, marketing preferences, opt-in/opt-out records, profiling data | Direct marketing, personalised promotions | Consent, Legitimate Interest |
| Transactional & Financial Data | Billing information, transaction history, contract documents | Billing, financial reconciliation, audit compliance | Legal Obligation |
| Sensitive Data (where applicable) | Government ID numbers, nationality, professional membership IDs (e.g., ISO, PMI), special dietary requirements | Regulatory compliance, event accommodation | Consent, Legal Obligation |
6.2 Recording of Training Sessions
Where training sessions (live or virtual) are recorded, Data Subjects will be notified in advance and provided the opportunity to object. Recordings may capture audio, video, and screen‑share content and will be processed for:
- On-demand access for registered participants;
- Post-event reviews and quality improvements;
- Internal training material development;
- Compliance with contractual or regulatory record‑keeping obligations.
6.3 Special Category Data
In exceptional circumstances, where participants voluntarily provide Special Category Data (e.g., health or accessibility needs), such data will only be processed with explicit consent, documented safeguards, and strictly for the purposes communicated at the point of collection.
6.4 Data Source & Collection Methods
Personal Data may be obtained directly from Data Subjects (e.g., via registration forms, surveys, assessments), indirectly from technical systems (e.g., learning management platforms, webinar tools), or from third parties (e.g., employer HR systems, accreditation bodies). All collection methods shall adhere to the principles of transparency and purpose limitation.
- DATA PROCESSING AGREEMENTS & CROSS‑MARKETING
7.1 Applicability and Structure of Data Processing Agreements (DPAs)
7.1.1 All Processors—whether intra‑Group entities or external service providers—and Joint Controllers shall enter into a written Data Processing Agreement in compliance with GDPR Article 28, PDPA Section 11, Privacy Act APP 11, PDPL Article 21, and equivalent provisions under applicable law.
7.1.2 Each DPA shall, at a minimum, set forth:
- The subject matter, duration, nature, and purpose of the Processing;
- The types of Personal Data and categories of Data Subjects;
- The obligations and rights of Controllers and Processors;
- Detailed technical and organisational security measures;
- Terms governing the engagement of sub‑processors, including prior written authorisation and flow‑down obligations;
- Procedures for Data Subject requests, audit rights, and compliance reviews;
- Breach notification and remediation obligations, specifying timelines and communication protocols.
7.2 Cross‑Marketing and Data Sharing under DPAs
7.2.1 Subject to the Data Subject’s valid consent (where required) and/or legitimate interest assessments, Group entities may share Personal Data for cross‑marketing purposes, including:
- Joint promotional campaigns for training programmes, publications, and benchmarking services;
- Targeted communications tailored to professional profiles, industry sectors, or geographic regions;
- Co‑sponsored events and webinars announced through combined mailing lists.
7.2.2 Prior to any inter‑Group marketing initiative, Controllers shall ensure:
- Compliance with applicable marketing consent requirements under GDPR Article 21, PDPA Section 12, Privacy Act APP 7, and PDPL Article 10;
- Maintenance of up‑to‑date opt‑in/opt‑out records, with mechanisms to facilitate immediate withdrawal of consent or objection;
- Execution of updated DPAs or addenda reflecting the specific scope of cross‑marketing Processing.
7.3 Third‑Party Marketing Partners
7.3.1 Where the Group engages third‑party marketing platforms or agencies, such engagement shall be governed by a DPA and a Marketing Services Agreement, ensuring:
- Restricted use of Personal Data solely for the contracted marketing campaign;
- Prohibition of onward transfers without prior Controller approval;
- Assurance of data accuracy and deletion upon campaign completion.
7.3.2 Third parties shall provide evidence of compliance with international privacy and security standards (e.g., ISO/IEC 27701 or PCI DSS certification, or equivalent contractual representations and warranties) and permit audits by the Controller or its designated auditor.
7.4 Data Subject Rights in Cross‑Marketing
7.4.1 Data Subjects retain the right to object to Processing for direct marketing at any time, free of charge and without detriment to other Processing activities.
7.4.2 Controllers shall honour objections within one month of receipt, ceasing all marketing communications and confirming cessation to the Data Subject.
7.5 Record‑Keeping and Accountability
7.5.1 Controllers shall maintain comprehensive records of all DPAs, cross‑marketing assessments, and consent registers, as required by GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
7.5.2 Such records shall be retained for a minimum of five years and be available for inspection by supervisory authorities or internal auditors.
7.5.3 The Group maintains and operates a centralised Customer Relationship Management (CRM) system, which serves as a core data repository for storing Personal Data, including but not limited to contact details, marketing preferences, consent status, course participation history, and correspondence logs. This CRM system is configured to reflect Data Subject rights and support obligations under applicable data protection laws. Periodic audits are conducted to ensure integrity, accuracy, and compliance with consent-based marketing requirements.
- INTERNATIONAL DATA TRANSFERS & SAFEGUARDS
8.1 Overview of Cross‑Border Transfers
8.1.1 Personal Data may be transferred outside the Data Subject’s jurisdiction to enable global service delivery, centralised processing, and collaboration across the KPI Institute Group and authorised third‑party service providers.
8.2 GDPR Chapter V Compliance
8.2.1 For transfers from the European Economic Area, the Group shall implement one or more of the following safeguards in accordance with GDPR Articles 44–50:
- Adequacy Decisions: Transfers to countries or territories deemed adequate by the European Commission (e.g., Australia).
- Standard Contractual Clauses (SCCs): Adoption of the European Commission’s SCCs, supplemented by any required technical, organisational, or contractual measures.
- Binding Corporate Rules (BCRs): Group‑wide internal rules approved by EU supervisory authorities, providing consistent safeguards across all intra‑Group transfers.
- Derogations: Specific case‑by‑case derogations (e.g., explicit consent, performance of contract, public interest) if no other mechanism applies.
8.3 PDPA & Privacy Act Transfers
8.3.1 Transfers from Malaysia shall comply with PDPA Sections 129–130, requiring either contractual safeguards or supervisory authority approval.
8.3.2 Transfers from Australia shall adhere to Australian Privacy Principle 8 (cross‑border disclosure of personal information) in Schedule 1 of the Privacy Act, ensuring that overseas recipients provide comparable protections or that an exception (e.g., informed consent, performance of contract) applies.
8.4 PDPL Local Transfer Restrictions
8.4.1 Under Saudi Arabia’s PDPL, outbound transfers of Personal Data are permissible only where one of the following is satisfied:
- Transfer to countries with an explicit adequacy decision by the Saudi Data & AI Authority.
- Implementation of contractual clauses approved by the Authority in accordance with PDPL Articles 36–38.
- Explicit, informed consent obtained from the Data Subject for the specific transfer.
8.4.2 In all cases, transfers shall be documented, and Data Subjects shall be informed of any intended cross‑border disclosures as part of the local privacy notice.
8.5 Technical & Organisational Safeguards
8.5.1 Regardless of the legal transfer mechanism relied upon, the Group implements the safeguards described in Section 12 to protect transferred Personal Data, including:
- Encryption of data in transit and at rest.
- Access controls restricting access to authorised personnel only.
- Data localisation measures where required by local law.
- Regular audits and assessments of third‑party processors and their security posture.
8.6 Data Transfer Impact Assessments (DTIAs)
8.6.1 For transfers involving high‑risk processing (e.g., sensitive data, volume transfers), the Group shall conduct a documented Data Transfer Impact Assessment to evaluate:
- The nature and sensitivity of the data.
- The legal and regulatory environment of the destination country.
- The adequacy of proposed safeguards and residual risks.
8.6.2 DTIAs shall be reviewed periodically and prior to onboarding any new foreign receiving entity.
8.7 Record‑Keeping and Accountability
8.7.1 The Group shall maintain records of all cross‑border transfer mechanisms, SCCs, BCR approvals, consent forms relied upon for derogations, and DTIAs, in accordance with GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
8.7.2 Such records shall be retained for a minimum of five years and be made available to supervisory authorities upon request.
- SAUDI ARABIA PDPL LOCALISATION
9.1 Local Compliance Obligations
9.1.1 In respect of operations in the Kingdom of Saudi Arabia (KSA), the Group complies with all PDPL requirements, including those set forth in Crown Prince Court Order No. 4 of 2021, and any implementing regulations issued by the Saudi Data & AI Authority (SDAIA).
9.2 Data Residency and Transfer Limitations
9.2.1 Personal Data collected in KSA is maintained within Saudi territory by default, utilising AWS Middle East Region data centers, in accordance with SDAIA’s Cloud Computing Regulatory Framework (CCRF) and PDPL Articles 36–38.
9.2.2 Any transfer of Personal Data outside the Kingdom shall only occur pursuant to:
- SDAIA-approved contractual clauses reflecting PDPL transfer requirements; or
- Explicit, informed consent obtained from the Data Subject for the specific transfer.
9.2.3 All transfers are documented and made transparent to Data Subjects through localised Privacy Notices.
9.3 Cloud Computing Regulatory Framework (CCRF) Adherence
9.3.1 The Group’s AWS-hosted services operate under the SDAIA’s CCRF, ensuring compliance with technical standards for cloud service providers, including security, data segregation, and audit requirements.
9.3.2 KPI Institute devices and applications leveraging AWS infrastructure are configured to enforce encryption at rest and in transit, access controls, and logging mechanisms as prescribed by the CCRF.
9.4 Reliance on AWS Compliance Representations
9.4.1 The Group utilises Amazon Web Services (AWS) cloud and data center facilities pursuant to the AWS Customer Agreement and AWS Data Processing Addendum.
9.4.2 AWS holds certifications and attestations (e.g., ISO 27001, ISO 27018, SOC 1/2/3, and certifications recognised by SDAIA) and represents compliance with PDPL-equivalent standards; KPI Institute relies on AWS’s contractual warranties and published compliance documentation for the infrastructure layer, and remains responsible for the configuration of its own services running on that infrastructure.
9.4.3 KPI Institute does not assume responsibility for AWS’s security or compliance lapses beyond the scope of AWS’s contractual commitments and indemnities.
9.5 Breach Notification and Reporting
9.5.1 In the event of a Personal Data breach affecting KSA-based Data Subjects, the Group shall notify the SDAIA within 72 hours of becoming aware of the incident, in accordance with PDPL Article 20.
9.5.2 Data Subjects shall be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms, with sufficient details to enable mitigation measures.
- DATA RETENTION & STORAGE
10.1 General Retention Principles
10.1.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, to satisfy contractual, legal, or regulatory obligations, or to establish, exercise, or defend legal claims.
10.1.2 Retention schedules and secure deletion protocols shall be implemented to ensure automatic archiving, anonymisation, or deletion of Personal Data upon expiry of the retention period.
10.1.3 Extensions to retention periods shall require documented justification, approval by the Data Protection Officer, and, where applicable, notification to Data Subjects.
10.2 Global Retention & Storage Matrix
| Data Category | Retention Period | Rationale | Storage Locations (Primary) |
|---|---|---|---|
| Identity & Contact Data | 5 years post‑relationship | Statute of limitations, audit | AU, AE, MY, RO |
| Transactional & Financial Data | 7 years from transaction date | Tax and financial regulations | AU, RO |
| Technical & Usage Data | 2 years rolling | Service optimisation, security | AU (Cloud) |
| Marketing & Preference Data | Until withdrawal + 1 year | Proof of consent | AU, AE, MY |
| Audio/Video Recordings & Photographs | 2 years after event/session | On‑demand access, quality review | AU (Cloud), RO |
| Sensitive Data | As required by local law | Regulatory mandates | AU, RO, KSA |
10.3 Saudi Arabia (PDPL) Specific Retention & Storage
10.3.1 In compliance with PDPL and SDAIA requirements, Personal Data originating from or processed within the Kingdom of Saudi Arabia shall be subject to the following storage and retention controls:
| Data Category | Retention Period | Rationale | Storage Locations (KSA) |
|---|---|---|---|
| Identity & Contact Data | 5 years post‑relationship | PDPL statutory limits, audit | AWS Middle East |
| Transactional & Financial Data | 7 years from transaction date | Tax, audit, and regulatory compliance | AWS Middle East |
| Technical & Usage Data | 2 years rolling | Security, monitoring | AWS Middle East |
| Marketing & Preference Data | Until withdrawal + 1 year | Consent proof, marketing compliance | AWS Middle East |
| Audio/Video Recordings & Photographs | 2 years after event/session | On‑demand access, quality review | AWS Middle East |
| Sensitive Data | As required by PDPL | Explicit consent, PDPL mandates | AWS Middle East |
10.4 Secure Disposal & Anonymisation
10.4.1 Upon expiry of retention periods, Personal Data shall be securely disposed of through methods including, but not limited to, irreversible anonymisation, secure deletion, or physical destruction of storage media.
10.4.2 Disposal and anonymisation activities shall be logged, retained for audit purposes, and verified periodically by the Data Protection Officer.
- DATA SUBJECT RIGHTS & PROCEDURES
11.1 Overview of Rights
Under applicable data protection laws (GDPR, PDPA, Privacy Act, PDPL), Data Subjects are entitled to the following rights with respect to their Personal Data:
- Right of Access: To obtain confirmation of processing and access to a copy of their Personal Data.
- Right to Rectification: To request correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): To request deletion of Personal Data where no lawful basis for retention exists.
- Right to Restriction of Processing: To limit the manner in which Personal Data is processed.
- Right to Data Portability: To receive Personal Data in a structured, commonly used, machine-readable format and transmit it to another Controller.
- Right to Object: To object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: To withdraw previously given consent without affecting the lawfulness of prior processing.
- Right to Complaint: To lodge a complaint with a supervisory authority.
11.2 Procedures for Exercising Rights
11.2.1 Requests shall be submitted in writing to the Data Protection Officer (contact details in Section 3.4) or via the Group’s designated online contact forms.
11.2.2 Upon receipt, the Group will acknowledge the request within five (5) business days and, where feasible, provide a substantive response within one (1) month of receipt.
11.2.3 Extensions of up to two (2) additional months may apply for complex requests, with notification to the Data Subject and justification for the delay.
11.2.4 No fee shall be charged for requests, except in cases of manifestly unfounded or excessive requests, in which case a reasonable fee may be levied or the request may be refused.
11.3 Verification and Security
To protect privacy and security, the Group may require Data Subjects to verify their identity before processing a request, using two-factor authentication, government-issued ID, or other appropriate measures.
11.4 Exceptions and Limitations
11.4.1 The rights outlined in Section 11.1 may be subject to exceptions or limitations under applicable law (e.g., freedom of expression, public interest, legal obligations, litigation).
11.4.2 Where an exception applies, the Group will inform the Data Subject of the reason for refusal and the possibility of lodging a complaint with a supervisory authority.
11.5 Special Procedures for PDPL
11.5.1 For Saudi Arabia, Data Subjects who are dissatisfied with the Group’s response to a rights request may also lodge a complaint directly with the Saudi Data & AI Authority (SDAIA).
11.5.2 The Group shall maintain localised request forms in Arabic and English and ensure compliance with PDPL-mandated timelines for responses.
- SECURITY MEASURES
To safeguard Personal Data throughout its lifecycle, the Group implements a comprehensive security framework comprising the following measures:
12.1 Organisational and Administrative Controls
12.1.1 Adoption and enforcement of robust privacy and security policies, standards, and procedures aligned with ISO/IEC 27001, NIST Cybersecurity Framework, and PDPL requirements.
12.1.2 Regular privacy and security training programmes for all personnel, including mandatory onboarding and annual refresher courses.
12.1.3 Role-based access controls (RBAC) and segregation of duties to limit access to Personal Data to authorised individuals only.
12.1.4 Background screening and confidentiality agreements for employees, contractors, and third-party vendors with access to sensitive Personal Data.
12.2 Technical and Physical Safeguards
12.2.1 Encryption of Personal Data at rest using AES-256 or equivalent, and in transit via TLS 1.2+ or equivalent protocols.
12.2.2 Network segmentation, firewalls, intrusion detection and prevention systems (IDPS), and secure configuration baselines to protect against unauthorised access.
12.2.3 Implementation of multi-factor authentication (MFA) for all administrative and remote access.
12.2.4 Logging, monitoring, and anomaly detection systems with retention of security logs for a minimum of 12 months.
12.2.5 Secure disposal of physical media in accordance with NIST SP 800‑88 guidelines and secure wiping of electronic devices.
12.3 Vendor and Third-Party Security
12.3.1 Rigorous due diligence and risk assessment of third-party vendors, service providers, and cloud partners, including AWS, to verify security posture and compliance with required standards.
12.3.2 Inclusion of comprehensive security and privacy obligations in all DPAs and vendor contracts, with right-to-audit clauses and breach notification requirements.
12.3.3 Periodic review of vendor security assessments, SOC 2 reports, ISO 27001 certifications, and penetration test results.
12.4 Security Assessments and Audits
12.4.1 Regular vulnerability scanning, penetration testing, and security code reviews conducted by certified professionals.
12.4.2 Internal and external audits, including annual third-party assessments, to validate compliance with security policies and legal requirements.
12.4.3 Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for high-risk Processing activities, recorded in the Group’s risk register.
12.5 Incident Response and Breach Management
12.5.1 A formalised Incident Response Plan (IRP) establishing roles, responsibilities, and procedures for identification, containment, eradication, recovery, and post-incident review.
12.5.2 Notification procedures to inform supervisory authorities (e.g., SDAIA, ICO, OAIC) within statutory timelines (72 hours for PDPL, GDPR, etc.) and affected Data Subjects when required.
12.5.3 Maintenance of an incident register, root cause analysis, and corrective action tracking to prevent recurrence.
12.6 Business Continuity and Disaster Recovery
12.6.1 Implementation of resilient backup and disaster recovery solutions, with regular restoration testing to ensure data integrity and availability.
12.6.2 Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems and Personal Data stores.
12.6.3 Annual reviews and tabletop exercises to validate business continuity and disaster recovery plans.
- CHANGES TO THIS STATEMENT
13.1 Periodic Review and Governance
13.1.1 This Privacy Statement shall be reviewed at least annually or more frequently as required by changes in applicable law, technological developments, or business practices.
13.1.2 All revisions shall undergo legal and compliance review and be approved by the Global Data Protection Officer and the executive leadership team.
13.2 Automated Decision-Making and Profiling
The KPI Institute does not carry out any decision-making based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them, as described in Article 22 of the General Data Protection Regulation (GDPR).
If this ever changes, we will update this Privacy Statement and ensure that such processing is subject to suitable safeguards, including the right to:
- obtain human intervention,
- express your point of view,
- and contest the decision.
13.3 Material Amendments and Data Subject Notifications
13.3.1 Material changes—such as new processing purposes, additional international transfers, or expanded Data Subject rights—shall be communicated to Data Subjects in advance of implementation via:
- Email notifications to all affected individuals;
- Prominent notices on the Group’s websites and digital platforms;
- Localized communications where required by jurisdiction (e.g., Arabic notices for KSA).
13.3.2 Minor operational or editorial updates that do not affect Data Subject rights or compliance obligations may be implemented without individual notice but will be reflected in the version history.
13.4 Version Control and Historical Archive
13.4.1 Each publication of the Privacy Statement shall be assigned a version number and effective date.
13.4.2 An archive of prior versions, together with a summary of changes, shall be maintained on the Group’s intranet and made available to Data Subjects upon request.
13.5 Severability
13.5.1 If any provision of this Statement is held invalid or unenforceable under applicable law, such provision shall be severed, and the remaining provisions shall continue in full force and effect.
13.6 Contact for Clarifications
13.6.1 Questions about this Privacy Statement, including requests for clarification on changes, should be directed to the Data Protection Officer as specified in Section 3.4.
Effective Date: April 30, 2025
Integrity Policy for the E-Learning and Training Environment
- Concept of Integrity
Our institution is committed to fostering a culture of honesty, fairness, and trust in all learning and training activities. Academic and professional integrity means that all participants—learners, instructors, and administrators—adhere to ethical principles, produce their own work, and demonstrate respect for the rights of others. Integrity is the foundation of credibility in our qualifications, certificates, and the learning experience as a whole.
- Forms of Integrity Violations
Any action that compromises fairness, authenticity, or the credibility of the learning process is considered a violation of integrity. Examples include, but are not limited to:
- Cheating – Using unauthorized materials, aids, or assistance in assessments or assignments.
- Impersonation – Having another person complete training, assessments, or participate in activities on one’s behalf.
- Exploitation of Cooperation – Misusing group work or collaboration to submit work that is not one’s own or to gain unfair advantage.
- Forgery – Altering, falsifying, or creating fake documents, certificates, results, or official communications.
- Plagiarism – Copying another person’s work, ideas, or materials without proper acknowledgment.
- Unauthorized Access or Distribution – Accessing or sharing learning platform content, assessments, or confidential materials without permission.
- Procedures and Penalties for Violations
When an integrity violation is suspected or reported, the following procedures will be applied:
3.1 Investigation
- The institution will conduct a confidential review of the incident, which may include examining submitted work, system logs, communication records, and witness statements.
- The participant concerned will be notified in writing and given the opportunity to respond to the allegations.
3.2 Decision and Penalty
If a violation is confirmed, one or more of the following penalties may apply depending on the severity and recurrence of the offense:
- Warning – Formal written warning recorded in the participant’s file.
- Nullification of Work – Cancellation of the specific assessment, assignment, or project in which the violation occurred.
- Suspension – Temporary suspension from the course, program, or platform.
- Dismissal – Permanent removal from the course, program, or platform, with forfeiture of any fees paid.
- Revocation of Certificates – Withdrawal of any certificate, badge, or qualification obtained through dishonest means.
- Commitment
By enrolling in our courses or training programs, all participants agree to uphold this Integrity Policy and accept the consequences of any violations. Our collective commitment to integrity ensures that the value of our learning environment is preserved for everyone.
Online Attendance Policy
Standard 1.1.9
Having an attendance policy that ensures that online attendance is counted as equivalent to regular attendance
Attendance Policy
- Purpose
This policy ensures that electronic attendance is treated the same as regular in-person attendance. It sets clear rules for minimum attendance and outlines steps to address any non-compliance. The policy also provides a framework for monitoring trainees consistently in both live (synchronous) and self-paced (asynchronous) training formats, helping maintain high training standards.
- Scope
This policy applies to all trainees enrolled in training programs offered in various formats. These include live virtual sessions conducted synchronously, face-to-face programs delivered on-site and in person, and asynchronous training programs, which are fully self-paced and conducted online.
- Policy Statements
- Equivalence of Attendance
Attendance in live virtual sessions is regarded as equivalent to attendance in face-to-face classes.
- Minimum Attendance Requirements for Professional Training Courses
For live virtual courses, trainees are required to attend a minimum of 3 out of the 5 scheduled training days, which is equivalent to 12 hours, ensuring at least 60% attendance. For face-to-face courses, trainees must attend a minimum of 2 out of the 3 scheduled training days, amounting to 16 hours, with a minimum attendance of 66%. It is important to note that the total hours for face-to-face training differ due to the inclusion of additional activities, such as lunch and coffee breaks, which are integral to the in-person format.
- Asynchronous Training Attendance
For asynchronous training attendance, participants are required to achieve 100% completion as recorded in the Lerero LMS. This full completion is considered equivalent to 100% attendance. Participants who do not reach 100% completion will not be eligible to receive the diploma.
- Attendance Monitoring
Attendance for live virtual courses will be monitored through the Learning Management System (LMS) and virtual meeting logs. For face-to-face courses, attendance will be recorded using physical sign-in sheets. In asynchronous training, attendance will be determined based on the completion of all activities within the respective course.
- Actions for Non-Compliance
Failure to meet the minimum attendance requirements will result in disqualification from the certification process, rendering participants ineligible to receive the certificate.
Beneficiary Communication Policy
Standard 1.1.10
Clarity of communication policy for beneficiaries in the e-learning/training environment
- Purpose
This policy outlines the communication standards and guidelines for all participants involved in The KPI Institute’s training programs. It aims to ensure respectful and effective communication between trainers/teachers and learners/trainees, as well as among learners/trainees themselves.
- Scope
This policy applies to all beneficiaries of our training services, including trainers and participants, across all platforms used for online learning and communication.
- Communication Tools and Channels
To support learning and collaboration, the following communication tools and channels are made available:
- Email – For direct communication with instructors or support staff.
- Discussion Forums – For group discussions related to course topics.
- Messaging Systems (platform-specific) – For real-time communication between participants and trainers.
All communication through these tools should be used strictly for educational and training purposes.
- Communication Etiquette
To maintain a professional and inclusive learning environment, all participants are expected to adhere to the following guidelines:
- Respect – Communicate with courtesy and professionalism at all times.
- Non-abusive behavior – Avoid language or behavior that is offensive, aggressive, or inappropriate.
- Neutrality – Do not engage in political or religious discussions within the training environment.
- Constructive feedback – Offer opinions respectfully and with the intent to support learning.
Any form of harassment, discrimination, or disruptive behavior will not be tolerated.
- Violations and Disciplinary Actions
In case of a violation of this communication policy, The KPI Institute reserves the right to take one or more of the following actions:
- Issue a formal warning to the individual involved.
- Temporarily restrict access to communication tools or training content.
- Permanently remove the individual from the course or platform in serious or repeated cases.
- Escalate the matter to higher management or HR, where applicable.
Each case will be reviewed individually, and actions will be taken based on the severity and frequency of the violation.
The KPI Institute
Document on the Prevention of Identity Theft and Fraud in the E-Learning Environment
- Purpose of the Document
This document describes the mechanisms implemented by The KPI Institute to prevent identity theft and fraud in e-learning and professional training programs, in particular those with a duration of more than one month. The measures are intended to verify the work submitted by learners and to ensure the authenticity of their participation.
- Preventing fraud in student assessment
To prevent fraud related to student or intern work:
- Randomized and personalized tests – Tests are randomly generated from an extensive question base, so that each student receives a unique version.
- Plagiarism and originality – All written work is checked and assessed by an evaluator to ensure that it is original and that it meets all the requirements of the certification process.
- Proctoring Control
Full Screen Mode Enforcement
When full screen mode is enforced, the exam interface occupies the entire display, preventing the test taker from minimizing, switching tabs, or navigating to other applications or websites during the assessment. This ensures the candidate remains fully engaged with the test environment, reducing the possibility of external resource usage.
Right-Click Functionality Restriction
Right-click actions are disabled throughout the exam session. This prevents test takers from opening the browser context menu and, through it, developer tools or other shortcut features that could aid in retrieving unauthorized information.
Copy-and-Paste Blocking
All copy (Ctrl/Cmd + C) and paste (Ctrl/Cmd + V) operations are blocked during the exam attempt. This measure eliminates the ability to transfer text or data between the test and external documents, search engines, or communication platforms, ensuring all responses are original and unaided.
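The three browser controls above, as an added example of how they are typically wired up in the exam page. This is illustrative code, not Lerero's own implementation; the element ids and the reporting endpoint in the comments are assumptions. One caveat a practitioner should keep in mind: everything here runs in the candidate's own browser, so it deters rather than prevents. Leaving full screen cannot be blocked (the Escape key always works), and a determined candidate can disable JavaScript, use a second device, or edit the page. What makes these controls useful is that every violation is reported to the server for review, which is why each handler records an event rather than silently swallowing it.

```javascript
// Added example (not Lerero's code): browser-side handlers for full screen
// exit detection, right-click restriction, and copy/paste blocking.
// Element ids and the reporting endpoint are assumptions.

function createExamLockdown(doc, { onViolation } = {}) {
  const violations = [];

  function report(kind, detail = null) {
    const v = { kind, detail, at: Date.now() };
    violations.push(v);
    if (onViolation) onViolation(v); // e.g. send to the server for review
    return v;
  }

  const handlers = {
    // Right-click: suppress the context menu (and thus "Inspect", "Copy", ...).
    contextmenu(e) { e.preventDefault(); report('contextmenu'); },
    // Clipboard events cover both menu- and shortcut-triggered operations.
    copy(e) { e.preventDefault(); report('clipboard', 'copy'); },
    cut(e) { e.preventDefault(); report('clipboard', 'cut'); },
    paste(e) { e.preventDefault(); report('clipboard', 'paste'); },
    // Belt and braces: also catch Ctrl/Cmd+C, +V, +X at the keyboard level.
    keydown(e) {
      const key = String(e.key || '').toLowerCase();
      if ((e.ctrlKey || e.metaKey) && ['c', 'v', 'x'].includes(key)) {
        e.preventDefault();
        report('clipboard-shortcut', key);
      }
    },
    // Leaving full screen cannot be blocked (Esc always works), only detected.
    fullscreenchange() {
      if (!doc.fullscreenElement) report('fullscreen-exit');
    },
    // The tab losing visibility means another tab or application has focus.
    visibilitychange() {
      if (doc.visibilityState === 'hidden') report('tab-hidden');
    },
  };

  function attach() {
    for (const [type, fn] of Object.entries(handlers)) doc.addEventListener(type, fn);
  }
  function detach() {
    for (const [type, fn] of Object.entries(handlers)) doc.removeEventListener(type, fn);
  }
  // requestFullscreen() only succeeds inside a user gesture, e.g. the
  // "Start exam" click, so call this from that click handler.
  async function enterFullscreen(el) {
    if (typeof el.requestFullscreen === 'function') await el.requestFullscreen();
  }

  return { handlers, attach, detach, enterFullscreen, violations };
}

// Browser wiring (assumed ids and endpoint):
//   const lock = createExamLockdown(document, {
//     onViolation: (v) => navigator.sendBeacon('/exam/violations', JSON.stringify(v)),
//   });
//   document.getElementById('start-exam').addEventListener('click', async () => {
//     await lock.enterFullscreen(document.documentElement);
//     lock.attach();
//   });
```

The handlers are exposed separately from `attach()` so they can be exercised without a real DOM; in production only the server-side record of `violations` should be trusted, since the in-page array lives in the candidate's browser.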
Identity Verification via OTP
An additional security layer is implemented through a One-Time Password (OTP) system. Before starting the exam, test takers must verify their identity by entering an OTP sent to their registered email or mobile device. This step strengthens proctoring measures, confirming the authenticity of the participant and reducing the risk of impersonation.
- Consequences of non-compliance with the policy
Any attempt at fraud or use of another person's identity is considered serious misconduct and may lead to:
- Invalidation of the assessment or of the entire course;
- Suspension or expulsion from the program.
- Responsibilities
- The student – Is responsible for complying with the rules of academic ethics and using his/her own account.
- The technical team – Ensures the security of the platform and the implementation of authentication measures.
- Program coordinators – Monitor compliance with the described policies.
- Policy review
This document is reviewed annually or whenever necessary, depending on technological developments and identified risks.
Date of last review:
Responsible for implementation: