top of page

Privacy Policy

Thank you for visiting our website. At Al Thuraya Holdings (and across our Group) we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you visit our website(s) or engage in our services. This policy was last updated: December 2023.

Al Thuraya Holdings (referred to as ‘ATH’, ‘we’ or ‘Data Controller’) comprises a group of companies providing a variety of services and products. All companies within Al Thuraya Holdings (ATH) are committed to protecting and respecting your privacy; this privacy policy outlines what personal data may be processed within the Group, why it is held, how it is protected and what your rights are. 

Accordingly, Al Thuraya Holdings aspires to comply fully with the European Union’s General Data Protection Regulations (GDPR) 2016/679 of 27 April and the Organic Law 3/2018 of 5 December (LOPDGDD). 

Changes to the Privacy Notice


Al Thuraya Holdings reserves the right to amend this privacy policy which can change at any time. You are advised to visit this website section periodically in order to keep up to date with any amendments. Companies under the ATH brand work adhere to this notice. Any changes made to this notice become effective immediately once updated on this page. 


Questions or queries


If you have any questions, concerns or complaints about this Privacy notice or ATH & Group of Companies; privacy practices please email us at We’re registered and located at Calle Alfonso XII, 30, Madrid Spain 28001.



Your personal data


ATH and companies may process personal data belonging to anyone who has expressed an interest in or made contact with the Group, or one of its companies; these may include (but are not restricted to) the following interested parties (often referred to as ‘you’) – employees, contractors, consultants, directors, beneficiary owners, recruitment candidates, clients, and suppliers. 

The data which Al Thuraya Holdings (ATH), (or its related companies) process depends upon the nature of the relationship with the interested party concerned. Our data retention policy determines that we only keep data necessary for engagement or to provide services, or as long as is required. Please see “Why we process this data” below. Personal data may include (but is not restricted to) the following:

  1. Personal and Contact Details:  Title, Name, Address, Telephone and Electronic contact details (examples are: Email address, Skype, Facebook, WhatsApp, Twitter, Linked-in);

  2. Date of Birth and Gender;

  3. Passport details plus Nationality and citizenship;

  4. Next of Kin (NOK) details;

  5. Financial information (such as bank, tax and insurance details);

  6. Medical data including psychometric test results;

  7. Criminal record checks (for example, CRB);

  8. CV with employment, experience, education and qualifications records – with appropriate verifications, including details of references and referees plus information provided by them;

  9. Data on marketing engagements and surveys;

  10. Records of communications with interested parties;


Why we process this data  

The purpose for processing personal data is to facilitate, manage and, whenever possible, enhance the services provided by Al Thuraya Holdings (ATH) to our interested parties. Whilst the reasons vary they are dependent upon the nature of your relationship with us, but include (not restricted to) the following:

  1. To enable us to fulfil contractual requirements;

  2. To ensure that recruitment process is efficient and provides appropriately qualified staff in terms of aptitude and attitude;

  3. To ensure that you are properly insured, paid correctly, and that your NOK can be informed in the event of an incident;

  4. To meet requirements of public interest and management standards;

  5. Compliance with legal and regulatory obligations;

  6. To manage marketing information effectively;

  7. To facilitate swift responses to the above;


Legal basis


Under GDPR the lawful reasons for processing data are the following:

  1. Consent;

  2. Contractual;

  3. To meet public interests;

  4. Legitimate interests;

The data, which Al Thuraya Holdings (ATH) and its component companies process is deemed to be the minimum necessary and is justified by one or more of the aforementioned legal criteria.


How we source data


There are three main ways in which Al Thuraya Holdings (ATH) source personal data, all are legal, transparent and fair:

  1. Information You Give Us. Information which you give us when completing registration forms and the recruitment process or requested through our due diligence procedure.

  2. Information We Collect. Al Thuraya Holdings (ATH) collects information about you from our websites, email and telephone contacts plus our due diligence procedures.

  3. Third Parties.   We may collect information from third parties – in particular, we may use third party organizations to conduct background checks and verifications.  Additionally, we may use the web and social media sources, all of which are publicly available and strictly open source.


How we store data


The vast majority of personal data that is processed by Al Thuraya Holdings (ATH) is stored electronically, predominantly in cloud-based systems, which are protected through encryption (both when static and in transit).  Access is carefully managed and restricted appropriately. Any data that is held on servers or on hard drives is subject to restricted access and most of it is encrypted. Any hard copies of processed data are held in secure cabinets with restricted access.  It must be noted that information received over the internet or from personal emails may not always be secure; Al Thuraya Holdings (ATH) is not liable for corrupted information received from such sources.

As a consequence, the Data Controller guarantees that it has implemented appropriate technical and organizational policies to apply the security measures established by the GDPR and the LOPDGDD in order to protect the rights and freedoms of the Users.


How we protect the data we collect


To safeguard your Personal Data from unauthorized access, destruction, alteration, or disclosure, we have established and consistently uphold reasonable security measures, methodologies, and technologies tailored to the specific characteristics of the information. This encompasses limiting access to Personal Data only to personnel with a genuine need to be aware of it, educating our staff on the significance of preserving the privacy and security of Personal Data, and enforcing internal policies and procedures that govern the acquisition, utilization, retention, and disclosure of Personal Data.



How long do we store data


ATH will only store data for the minimum time necessary, which will vary but can be defined as follows:

  1. For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations.

  2. For as long as we provide goods and/or services to you and then for as long as someone could bring a claim against us.

  3. Retention periods in line with legal and regulatory requirements and guidance.


Sharing data


ATH reserves the right to release Personal Data in order to comply with applicable law and when we believe that disclosure is necessary to comply with a relevant judicial proceeding, court order, or legal process. We may also release data to enforce or apply the terms and conditions applicable to our products or services, protect our Group or others against fraudulent activities, or otherwise protect the rights, property or safety of ATH, affiliates, clients, or others. More specifically, we may share your personal information with:

  1. Other Entities with Al Thuraya Holdings (ATH). Where the Al Thuraya Holdings (ATH) entity lies outside the EEA, we would only transfer data where appropriate safeguards were in place or restrict the information being given.

  2. Selected third parties with whom we work – for example, clients or potential clients, insurers, solicitors, travel agents and sub-contractors.

  3. Any Al Thuraya Holdings (ATH) entity or third party that you consent to giving your information to for marketing purposes (such consent will be sought prior to our sharing this data).

  4. Legal Requirement.   Any other third parties where necessary to enable us to enforce our legal rights, or to protect the rights, property or safety of our employees or where such disclosure may be permitted or required by law.


Your rights


All interested parties have the following rights under GDPR and AL Thuraya Holdings (ATH) fully respects them:

  • Right of access: Any person has the right to obtain from the Data Controller confirmation of whether or not personal data concerning him/her are being processed and, if so, the right of access to personal data.

  • Right of correction: This is the right to obtain rectification of personal data held by us concerning him/her.

  • Right of deletion: This is the right to obtain the deletion of your personal data.

  • Right to limitation of processing: This is the right to have your data cease to be subject to the corresponding processing operations when any of the following conditions are met:

    • When you have exercised the rights of rectification or opposition and the Data Controller is in the process of determining whether the request proceeds.

    • If the data processing is unlawful, which implies the deletion of the data, but you do not want your data to be deleted by the Data Controller.

    • When the data is no longer necessary for the processing, which implies the deletion of the data, but you want the Data Controller to limit the processing of the data and to keep them in order to formulate, exercise or defend claims.


  • Right to portability: This is the right to obtain from the Data Controller, in the event of automated processing of your data, a copy of the data in a structured, commonly used and machine-readable format or to have such copy transmitted directly to the Data Controller indicated by you. Please note that this right does not apply to:

    • The data of third parties that you have provided to the Data Controller.

    • The data concerning you, but which have been provided to the Data Controller by third parties.


  • Right of opposition: This is the right to object to your personal data being processed. As far as the processing carried out by the Data Controller is concerned, you may object to the sending of commercial communications both own and third parties.


Applicability of this privacy notice internationally


This Privacy notice is accordance with and subject to EU and Spanish law. If you would like more information about your rights, we suggest that you visit the website of the Spanish Data Protection Agency (AEPD) and the EU General Data Protection Regulation (GDPR) website. If you access one of our Groups’ sites from a location outside of the EU then you agree that your use of the site is subject to the terms of this Notice and recognize these countries may not be considered to offer an equivalent level of data protection as your home country, or may be deemed to have insufficient data privacy laws in relation.

These rights can be exercised by sending an email to clearly indicating which right you wish to exercise and providing a copy of your identity card to prove your identity. 

In addition, we inform you about the possibility of filing a complaint with the competent Control Authority, in this case, the Spanish Data Protection Agency, in particular if you have not obtained satisfaction in the exercise of your rights.

You can contact the Spanish Data Protection Agency by telephone on 901 100 099 and 912 663 517 or by visiting them at their address C/ Jorge Juan, 6. 28001 Madrid.

Please note that there may be occasions where you object to, or ask us to restrict, or stop, processing of your personal information, or erase it, but we shall be unable to comply with such requests for legal reasons.

bottom of page