Terms and Conditions

Introduction

Middle Region Development Company W.L.L (hereinafter referred to as “we”, “our”, “us”, or the “Company”) respects your right to data privacy. In this Data Protection and Privacy Policy (hereinafter referred to as the “Policy”), “you” or “your” refers to the data subject (including shoppers, tenants, visitors, employees, and website visitors) whose personal data is processed by the Company.

1. Applicable Law

Any capitalized terms not defined herein shall have the meanings ascribed to them under Law No. 30 of 2018 on the Issuance of the Personal Data Protection Law as updated, amended, or replaced from time to time (hereinafter referred to as the “PDPL” or the “Law”).

2. Purpose of This Policy

This Policy explains:

How we collect, share, and use your personal data;
How you can exercise your data privacy rights under the PDPL;
How our data processing may vary depending on your interaction with us (whether as a visitor, shopper, event participant, tenant, supplier, or website/mobile application user).

Collection of Personal Data

1. Categories of Personal Data Collected

Depending on your activities on or in connection with our websites, mall facilities, events, promotions, and services, we may collect, process, store, and use the following categories of personal data:

Category	Description
Identity	First name, last name, date of birth, gender, national ID, passport copy, photographs (including CCTV footage).
Contact	Email address, phone number, physical address.
Transactional	Details about purchases, bookings, participation in events, and other transactions with us or our mall services.
Technical	IP address, browser type, cookies (refer to our Cookie Policy).
Profile	Interests, preferences, feedback, survey responses, and marketing preferences.
Usage	Information on how you use our website, facilities, services, and your interactions with our marketing emails, SMS, or mobile applications.
Marketing and Communications	Preferences regarding receiving marketing from us and your communication preferences.

2. How We Collect Personal Data

We may collect your personal data in the following scenarios:

When you visit our mall, use parking facilities, connect to mall Wi-Fi, or attend events.
When you interact with us via our website, mobile applications, or social media pages.
When you sign up for newsletters, participate in surveys, promotions, or competitions.
When you communicate with us by phone, email, or social media.
When you apply for leasing spaces or employment opportunities with us.
When you provide feedback regarding your mall experience.

3. Information Collected Through Automated Means

We may automatically collect certain information when you use our digital platforms, including:

Log Information: IP address, access dates and times, hardware and software information, device identifiers, crash data, and the pages viewed before or after using our platforms.
Cookies: We use cookies and similar technologies for functionality, preferences, and to improve user experience. Please refer to our Cookie Policy in Schedule 1 for further details.

4. Information Collected from Third Parties or Public Sources

We may receive your personal data from third parties or publicly available sources, including:

Analytics providers (e.g., Google, Facebook);
Government registers;
Advertising platforms;
Social media platforms when you interact with us through Facebook, Instagram, Twitter, LinkedIn, or similar.

We will only collect such data where we have assurances that it has been processed fairly, lawfully, and with appropriate security.

How and Why We Use Your Personal Data

1. Lawful Bases for Processing

Under the PDPL, we rely on the following lawful bases for processing your personal data:

Consent: Where you have given us explicit consent for a specific purpose.
Contractual Obligation: Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
Legal Requirement: Where we need to comply with applicable laws, court orders, or regulatory obligations.
Protection of Vital Interests: Where processing is necessary to protect your life or health.
Legitimate Interests: Where processing is necessary for our legitimate business interests, provided these do not override your rights and freedoms under the PDPL.

2. Purposes of Processing

We process your personal data for the following purposes, aligned with the lawful bases under the PDPL:

Purpose/Activity	Type of Data	Lawful Basis for Processing
Notifying you about changes to our terms or policies; responding to queries, reviews, or social media posts; conducting surveys; providing relevant recommendations on mall services, promotions, or events.	Identity, Contact, Technical, Profile, Usage, Marketing and Communications, Aggregated	Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests
Administering and protecting our business, websites, and systems (including troubleshooting, data analysis, testing, maintenance, support, and hosting).	Identity, Contact, Technical, Usage	Consent, Contractual Obligation, Legal Requirement, Vital Interests, Legitimate Interests
Compliance purposes, including anti-money laundering (AML), know your customer (KYC), fraud prevention, risk management, and onboarding tenants or vendors.	Identity, Contact, Transactional	Legal Requirement, Contractual Obligation, Legitimate Interests
Delivering relevant content and advertisements and measuring the effectiveness of such advertisements.	Identity, Contact, Technical, Usage, Profile, Marketing and Communications	Consent, Legitimate Interests
Using data analytics to improve our websites, services, marketing, and customer experiences.	Technical, Usage	Consent, Legitimate Interests
Ensuring the security and safety of mall premises, customers, tenants, and visitors, including through CCTV monitoring.	Identity (including CCTV images), Contact	Legitimate Interests, Legal Requirement
Processing financial transactions related to leasing, vendor payments, or promotional activities.	Identity, Contact, Transactional	Contractual Obligation, Legal Requirement, Legitimate Interests

3. Marketing and Communications

We may use your personal data to:

Provide you with information about offers, events, promotions, and services that may be of interest to you.
Send marketing communications if you have requested information, participated in mall events or promotions, or provided your details for such purposes and have not withdrawn your consent.

You may opt-out of receiving marketing communications at any time by contacting us using the details provided in Clause 10.

4. Third-Party Marketing

We will obtain your explicit consent before sharing your personal data with third parties for their marketing purposes. You may withdraw your consent at any time.

5. Automated Decision-Making

Automated decision-making involves using your personal data to make decisions without human involvement. We may use automated decision-making only if:

It is necessary for a contract with you;
It aligns with our legitimate interests without overriding your fundamental rights;
It is necessary to protect your vital interests.

We do not currently make decisions about you solely based on automated processing that significantly affects you. If this changes, we will notify you in writing.

Who We Share Your Personal Data With

1. Categories of Recipients

We may share your personal data with the following categories of recipients, strictly for the purposes outlined in this Policy:

Third-Party Service Providers:
Including but not limited to:
- Security services and CCTV monitoring providers,
- IT support and system maintenance providers,
- Payment processors,
- Event management vendors,
- Marketing and communications agencies.
Entities Within Our Group:
For operational, administrative, or promotional purposes, in accordance with applicable data protection laws.
Regulatory Authorities, Courts, and Law Enforcement Agencies:
Where disclosure is required by applicable law, regulation, court order, or for the establishment, exercise, or defence of legal claims.
Joint Promotional Partners:
Where necessary for co-hosted events, campaigns, or promotions, ensuring data is anonymized or pseudonymized wherever possible.

2. Safeguards with Third Parties

We require all third-party recipients to:

Maintain the confidentiality and security of your personal data;
Use your personal data only for the specified purposes and in accordance with our instructions;
Comply with applicable data protection laws, including the PDPL.

We conduct due diligence on our third-party service providers and enter into appropriate agreements to ensure your personal data is protected consistently with this Policy.

3. Biometric Data

We may offer optional authentication features on our digital platforms using your device’s biometric data (e.g., fingerprint, facial recognition) to enhance user experience and security. Key points:

Biometric data is handled by your device and is not collected or stored by us unless explicitly required under applicable law.
Where biometric data is required for purposes such as identity verification or regulatory (e.g., KYC) compliance, we will obtain your explicit consent before processing such data.

How Long We Keep Your Personal Data

1. Retention Principle

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

To satisfy any legal, regulatory, accounting, or reporting requirements; and
To protect our legitimate interests or defend against potential legal claims.

2. Factors Determining Retention Period

When determining the appropriate retention period for your personal data, we consider:

The nature and sensitivity of the personal data;
The potential risk of harm from unauthorized use or disclosure;
The purposes for which we process your personal data and whether those purposes can be achieved through other means; and
Applicable legal, regulatory, and operational requirements.

3. Disposal or Anonymization

Once your personal data is no longer required for the purposes for which it was collected:

It will be securely deleted; or
It will be anonymized so that it can no longer be associated with you, unless retention is required to comply with applicable laws or to protect our legitimate interests.

How We Protect Your Personal Data

1. Security Measures

We implement and maintain strict security standards and procedures to protect your personal data from:

Unauthorized access,
Accidental loss,
Unlawful processing,
Alteration, disclosure, or destruction.

2. Measures We Use

Our security measures include, but are not limited to:

Encryption of sensitive data both in transit and at rest;
Access controls and authentication procedures to limit access to authorized personnel and service providers;
Firewalls and endpoint protection to prevent unauthorized system access;
Secure data storage and transmission practices;
Ongoing monitoring to detect and address vulnerabilities and potential security threats.

3. Employee and Third-Party Access

Access to your personal data is limited to:

Employees, contractors, and agents who have a business need to know such data to fulfill the purposes set out in this Policy; and
Third-party service providers processing data on our instructions and in accordance with this Policy.

All employees and contractors are subject to confidentiality obligations, and any breach of these obligations may result in disciplinary action, including termination of employment or contract.

4. Data Breach Procedures

We have established procedures to:

Identify, assess, and respond to any suspected personal data breach;
Notify you and the relevant authorities where we are legally required to do so under the PDPL or other applicable laws.

Knowing Your Data Protection Rights and Duties

1. Duty to Keep Us Informed

To ensure your personal data is accurate and up to date, please notify us promptly of any changes to your personal data using the contact details provided in Clause 10.

2. Your Rights Under the PDPL

Under the PDPL, you have the following rights, subject to applicable conditions and legal exceptions:

Right to Access
Request access to your personal data and information on how it is processed.
Right to Object
Object to the processing of your personal data based on reasons related to your particular situation.
Right to Object to Harmful Processing
Object to processing that may cause unjustified harm or distress.
Right to be Informed
Be informed about how your personal data is collected, used, stored, and disclosed.
Right to Notification
Request notification regarding processing activities, including the purpose, data categories, recipients, and data sources, unless restricted by intellectual property or trade secrets.
Right to Object to Direct Marketing
Object to the use of your personal data for direct marketing purposes.
Right to Object to Automated Decision-Making
Request not to be subject to decisions based solely on automated processing that significantly affects you.
Right to Rectification, Blocking, and Erasure
Request the correction or deletion of inaccurate or unlawfully processed personal data and request blocking of data in certain circumstances.
Right to Withdraw Consent
Withdraw your consent where we rely on it as the lawful basis for processing your personal data. This will not affect the lawfulness of processing conducted prior to your withdrawal.
Right to Lodge a Complaint
Lodge a complaint with the Bahrain Personal Data Protection Authority if you believe your data is being processed unlawfully or in violation of the PDPL.

3. Exercising Your Rights

To exercise any of your rights under the PDPL:

Contact us using the details provided in Clause 10.
We may need to request specific information from you to verify your identity and confirm your right to access the requested data or exercise your rights. This security measure ensures that personal data is not disclosed to unauthorized persons.

4. Response Time

Middle Region Development Company W.L.L will respond to all legitimate requests to exercise your data protection rights within the legally required timeframe under the PDPL. If we require additional time due to the complexity or number of requests, we will notify you accordingly.

Transfer of Personal Data Outside Bahrain

We may transfer your personal data outside the Kingdom of Bahrain in the following circumstances:

To perform our contractual obligations to you (e.g., enabling digital services, customer relationship management, or payment processing);
For internal administrative, operational, or promotional purposes within our group entities;
When engaging third-party service providers located outside Bahrain to deliver specific services to you.

1. Adequate Level of Protection

Transfers will primarily be made to countries that:

Are recognized by the relevant authorities in Bahrain as providing an adequate level of protection for personal data; or
Are subject to appropriate safeguards ensuring that your personal data is treated securely and in accordance with this Policy and applicable data protection laws.

2. Safeguards for Transfers

Where we transfer personal data to countries that do not offer an adequate level of protection, we will implement appropriate safeguards, which may include:

Standard contractual clauses approved by the Bahrain Personal Data Protection Authority;
Binding corporate rules (where applicable);
Other lawful transfer mechanisms under the PDPL.

We will inform you when such transfers occur and, where required by law, will obtain your explicit consent prior to transferring your personal data to jurisdictions without adequate protection.

3. Your Rights Regarding Transfers

You may request further information about the international transfers of your personal data and the safeguards implemented by contacting us using the details provided in Clause 10.

Contact Details

1. Contacting Us

If you have any questions about this Privacy Policy, the processing of your personal data, or wish to exercise your rights under the PDPL, please contact us using the following details:

Entity: Enma Mall
Email: marketing.enma@savills.me
Phone: +973 7781 5010
Postal Address: Building 493 16 Um Al Nassan، Avenue, Block 925

2. Exercising Your Rights

When contacting us to exercise your rights:

Please clearly state which right(s) you wish to exercise.
We may need to request specific information from you to confirm your identity and to ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to prevent the disclosure of personal data to any person who has no right to receive it.
We will respond to all legitimate requests within the timeframe required under the PDPL and will inform you if additional time is needed due to the complexity or volume of your request.

3. Complaints

If you believe that your personal data has been processed unlawfully or in a manner contrary to the PDPL:

We encourage you to contact us in the first instance so we can address your concerns promptly.
You also have the right to lodge a complaint with the Bahrain Personal Data Protection Authority if you are not satisfied with our response.

Policy Updates

1. Right to Update

Middle Region Development Company W.L.L reserves the right to amend or update this Privacy Policy at any time to:

Reflect changes in our data processing practices;
Comply with legal, regulatory, or operational requirements; or
Address feedback from data subjects or regulatory authorities.

2. Notification of Changes

When we update this Policy:

We will post the updated version on our Website with a revised “Last Updated” date.
Where changes are material or legally require notification, we will take appropriate steps to inform you, which may include:
- Email notifications;
- Website banners; or
- Requesting your renewed consent if the changes affect how we process your personal data based on your consent.

3. Continued Use

Your continued use of our services, facilities, Website, or applications after any changes to this Privacy Policy will constitute your acceptance of the updated terms, unless otherwise required by law.

We encourage you to review this Privacy Policy periodically to remain informed about how we protect your personal data.