Privacy and Data Protection

The Kingdom of Saudi Arabia has put in place strong personal data protection laws and policies to safeguard Users' privacy and sensitive data. How the Unified National Platform (GOV.SA) will collect, use, store and publish the users' data, is summarized in the sections below.

Privacy and data protection 

The Unified National Platform (GOV.SA) is aware of the importance of your privacy and personal data; therefore, we commit to keeping all critical information and data of all Users safe, secure, and confidential.

The privacy policy and procedures of the GOV.SA is governed by the Personal data protection law (Royal Decree No. (M/19) dated 1443/2/9 AH), the Main Principles of Personal Information Protection and the Main Principles and General Rules for Sharing Data issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Data Management Office (NDMO).


The Personal Data Protection Law and its executive regulations set the legal basis for the protection of your rights regarding the processing of personal data by all entities in the Kingdom, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing.


The fundamental principles of our data protection policy include:        

  • Accountability by the head of the entity (or his designee) for the Data Controller's privacy policies and procedures.
  • Transparency through Privacy Notice indicating the purposes for which personal data is collected.
  • Choice and Consent obtained through implicit or explicit approval regarding the collection, use and disclosure of personal data before collection.
  • Limiting Data Collection to minimum data that enables fulfilment of purposes.
  • Use, Retention and Destruction strictly for the purpose, retained as long as necessary to achieve intended purposes or as required by laws and regulations and destroyed safely, preventing leakage, loss, theft, misuse or unauthorized access.
  • Access to data by which any Data Subject can review, update and correct their personal data.
  • Data Disclosure Limitation approved by Data Subject restricts third parties to the purposes provided in Privacy Notice. 
  • Data security by protecting personal data from leakage, damage, loss, theft, misuse, modification, or unauthorized access; according to the controls issued by the National Cybersecurity Authority and other relevant authorities.
  • Data quality after verification of its accuracy, completeness and timeliness.
  • Monitoring and Compliance with Data Controller's privacy policies and procedures, and any privacy-related inquiries, complaints, and disputes.


The National Data Management and Personal Data Protection Standards cover 15 Data Management and Personal Data Protection domains. The Standards apply to all government data regardless of form or type, including paper records, emails, data stored in electronic form, voice recordings, videos, maps, photos, scripts, handwritten documents, or other recorded data.
The application of the provisions of the Personal Data Protection Law and its executive regulations is without prejudice to the competencies and tasks of the National Cyber Security Authority as a competent security authority for cybersecurity and its affairs in the Kingdom.

Agreement on the privacy and data protection

As a User of the GOV.SA and its application, you accept the privacy and data protection policies and regulations of the Kingdom of Saudi Arabia; that control the Platform and its application. This agreement becomes effective immediately upon first using or accessing the Platform.
If you disagree with this policy, you should not use any of the GOV.SA services.

Users Data Collection

The purpose of collecting personal data is directly related to the purposes of the GOV.SA and shall not conflict with any prescribed provision. The methods and means of collecting personal information be appropriate to the owner's circumstances, direct, clear and secure, and free from deception, misinformation or extortion. If it turns out that the personal data collected is no longer necessary to achieve the purpose of its collection, GOV.SA will stop hoarding it and destroy the previously collected data immediately. Read more

The GOV.SA will ensure fulfilment of the following criteria before collecting your personal data:

  1. The justification for collecting your personal data.
  2. The purpose of collecting your personal data, whether all or part of its collection, is mandatory or optional, with further information about processing the data which is not contrary to the purpose of its collection or otherwise provided by the Law.
  3. The identity and reference address of the collector of personal data where appropriate, unless it is for security purposes.
  4. The entity or entities to which the personal data will be disclosed, described, and whether the personal data will be transferred, disclosed or processed outside the Kingdom.
  5. Possible effects and risks of non-compliance with the personal data collection procedure.
  6. Your privacy and data protection rights as stipulated in the Law.
  7. Other elements as determined by the regulations depending on the nature of the activity exercised by this entity.

In case personal data is collected from the non-owners, the following conditions will be met: 

  1. If the owner of personal data agrees to do so, by the provisions of the Law.
  2. If personal data is publicly available or collected from a publicly available source.
  3. If the entity is a public entity, and the collection of personal data is not directly owned or processed for a purpose other than the one for which it was collected, is required for security purposes or to implement another system or to meet judicial requirements in accordance with the provisions specified by the regulations.
  4. If compliance with this prohibition may harm the owner of personal data or affect his vital interests, by the provisions specified by the regulations.
  5. If the collection or processing of personal data is necessary to protect the health or public safety or the life or health of a particular individual or individuals. 
  6. If the personal data will not be recorded or stored in a format that makes it possible to identify and identify its owner directly or indirectly. 

What data we collect 
When you visit GOV.SA, our servers automatically gather your IP address and collect information about the user's browser and search engine, geolocation, and the URL's date and time. 
GOV.SA retrieves your personal data available on the Government Service Bus (GSB). The personal data, whatever its source or form, would expressly identify the individual or make it possible to identify it directly or indirectly, and includes name, personal identification number, addresses, contact numbers, license numbers, records and personal property, bank account and credit card numbers, fixed or moving images of the individual, and other data of a personal nature. 

It includes any process performed on personal data by any means, whether manual or automated, including collection, recording, preservation, indexing, arrangement, coordination, storage, modification, updating, integration, retrieval, use, disclosure, transmission, publication, data sharing or interconnection, blocking, scanning, and destruction.

Cookies are files saved on your phone, tablet or computer when visiting GOV.SA.

Why we need your data 

Using the IP address helps us solve any technical problems arising on our servers, including statistics about the utilization of the Platform (such as the number of visitors, the language of the computer used, etc.). Identifying users' geolocation will benefit from the availability of specific services on its platform and application.
We use cookies to collect and store information about how you use the GOV.SA and government digital services. The cookies enhance your use of the platform and better understand your need.

How we process and store personal data
Your personal data will not be processed without taking sufficient steps to verify its accuracy, completeness, novelty and relevance to the purpose for which the provisions of the regulations collected it.
GOV.SA applies the highest security standards to protect the data and information. The sensitive data and any data that should be kept confidential under legal requirements are encrypted and subject to additional controls and procedures. Sensitive data includes an individual’s ethnic or tribal origin, religious, intellectual or political belief, or indicates membership in civil associations or institutions, as well as criminal and security data, biometric data that identifies genetic data, insurance data, health data, location data, credit data and data indicating that the individual’s parents are anonymous or one of them.
Our technical staff is only permitted to handle this information to provide such services of GOV.SA platform that is consistent with your needs. We never let any party other than the technical team of the GOV.SA platform to know your IP address.
Your information may be made available to government officials in the exceptional circumstances that this need should arise; however, it will never be made available to the public without your prior consent. Further, this information will not be circulated, exchanged, or sold to any third party without your prior consent.

Your personal data will be disclosed only in the following circumstances:

  1. If you agree to disclose it in accordance with the provisions of the Law.
  2. If your personal data has been collected from a publicly available source.
  3. If the entity requesting the disclosure is a public entity, for security purposes, to implement another system, or to meet judicial requirements per the provisions specified by the regulations.
  4. If disclosure is necessary to protect the public health or safety, the life of a particular individual or individuals, or their health. 
  5. If the disclosure will be limited to its subsequent processing in a manner that does not lead to the identification of the owner of the personal data or any other individual specifically. 

GOV.SA shall not disclose your personal data whenever the disclosure is characterized by any of the following:

  1. It represents a threat to security, harms the reputation of the Kingdom, or conflicts with its interests
  2. It affects the Kingdom’s relations with other countries
  3. It prevents the disclosure of a crime or infringes on the rights of an accused to a fair trial, or affects the integrity of existing criminal proceedings.
  4. It endangers the safety of an individual or individuals
  5. It entails a violation of the privacy of an individual other than the owner of personal data as determined by the regulations
  6. It is contrary to an incomplete or incapable interest
  7. It violates established professional obligations
  8. It involves a breach of an obligation, proceeding or court ruling
  9. It discloses a confidential source of information that the public interest should not disclose.

GOV.SA will destroy your personal data as soon as the purpose of collecting it has expired. However, it may retain such data after the purpose of collecting it has expired if everything that leads to the specific knowledge of the owner has been removed in accordance with the controls specified by the regulations.

GOV.SA will destroy your personal data as soon as the purpose of collecting it has expired. However, it may retain such data after the purpose of collecting it has expired if everything that leads to the specific knowledge of the owner has been removed in accordance with the controls specified by the regulations.

This platform shall retain personal data even after the purpose of collecting it has expired in the following cases only:
•    If there is a systemic justification that must be retained for a specified period, in which case it shall be destroyed after the end of this period or the expiry of the purpose of its collection, whichever is longer.
•    If the personal data is closely related to a case before a judicial body and its retention is required for this purpose, in which case it is destroyed after the completion of the judicial proceedings of the case.

Terms of Use

GOV.SA is available to all Users. By accessing this Platform, you, the Users, are considered to have entered into a complete agreement to all terms of use, including all applicable laws and regulations of the Kingdom of Saudi Arabia.
As a registered User, you have the full right to:

  • Access to the information
  • Obtain the information
  • Correct or modify the information
  • Withdraw the agreement and delete the information by sending an email request or contacting us here

You, as a User, who is the owner of personal data, have the right to know, including informing of the formal or practical justification considered for collecting your personal data, and for this purpose, and not to process its data later in a manner contrary to the purpose of its collection or otherwise. You have the right to request the destruction of your personal data available with us without prejudice to the provisions of the law.

User Restrictions: By accessing this Platform, you agree to avoid:

  • Providing or uploading files that contain unlicensed software, material, data or any other information or files that might/or contain viruses
  • Using this Platform to send any commercial or unsolicited email or misuse the Platform in any other way
  • Disseminating, announcing, distributing or circulating materials and information that are defamatory or violate the rules of the Kingdom, and any other unacceptable material or actionable information
  • Using this Platform to participate in any illegal or illegitimate activities in the Kingdom of Saudi Arabia
  • Using the Platform to announce any product or service that may result in the violation of laws or rules in the Kingdom
  • Using any tool, Program or action that interrupts or may interrupt the operation of the Platform
  • Doing any action that places an unreasonable load or requires huge storage on the Platform’s infrastructure.

Termination of Use: We have the authority as per our absolute evaluation to limit, suspend or terminate a User's right to log in or use the Platform with no prior notification and for any reason, including violating the terms of use or any action that we may consider as illegal or as causing harm to others. You will not be authorised to log in to the Platform during such termination.

Except in the circumstances provided for in the Law, personal data may not be processed, or the purpose of its processing changed only with the owner's consent. The regulations set out the conditions for consent, the circumstances in which consent must be in writing, and the terms and conditions relating to obtaining consent from a legitimate guardian if the owner of personal data is incomplete or incapacitated. However, the consent may not be a condition for providing a service or benefit unless the service or benefit is related to processing the approved personal data.


Standards for Comments and eParticipation: All comments in eParticipation channels or on social networks are thoroughly reviewed to ensure that Users have observed the standards and regulations relating to making comments. This platform administration has the power to exclude any comments deemed inappropriate, and Users are enjoined to:
    Observe general ethics and avoid any inappropriate phrases or use of impolite words
    Keep comments relevant and focused on the issue under discussion
    Avoid fanaticism and personal criticism that does not enrich the debate
    Be entirely sure of their accuracy when referring to Qura'anic texts or religious views and permit only specialists to discuss such topics.
    Avoid posting personal information, such as contact details, within the comments.
Any further modifications to the terms of use shall be applied immediately upon announcement unless otherwise stated.


Leakage of data: GOV.SA shall notify the competent authority as soon as it becomes aware of a leak, damage to personal data, or illegal access. Further, if any preceding would cause serious harm to your data or herself, the entity will notify you immediately.

Communication: Except for awareness materials sent by public entities, the GOV.SA may not use personal means of communication, including your postal and electronic addresses, to send advertising or awareness materials, except by the following:

  1. The consent of the target recipient to send these materials to them shall be taken.
  2. The sender of the materials shall provide a clear mechanism, as determined by the regulations, that enables the target recipient to express their desire to stop sending them to him when he wishes to do so.
  3. Except for sensitive data, personal data may be processed for marketing purposes if collected directly from the owner and agreed to do so by the provisions of the law. 

Further, your personal data may be collected or processed for scientific, research or statistical purposes without your consent, in the following cases only:

  1. If the personal data does not include evidence of your identity
  2. If your identity is destroyed during its processing process and before it is disclosed to any other party and that data is not sensitive.
  3. If the collection or processing of personal data for these purposes is required by another system or in implementation of a previous agreement to which you are a party.

Official documents identifying the owner of personal data may not be photocopied or copied, except when this is in implementation of the provisions of the regulations or when a competent public authority requests that such documents be photographed or copied as determined by the rules.

Except in cases of extreme necessity to preserve your life or to prevent, examine or treat a pathological infection, GOV.SA may not transfer your personal data outside the Kingdom or disclose it to a destination outside the Kingdom unless this is in implementation of an obligation under an agreement to which the Kingdom is a party, or to serve the interests of the Kingdom, or for other purposes as determined by the regulations, after the following conditions are met:

  1. The transfer or disclosure shall not prejudice national security or the vital interests of the Kingdom.
  2. Provide adequate safeguards to preserve and confidential the personal data to be transferred or disclosed so that the standards for the protection of personal data shall not be less than those contained in the Law and Regulations.
  3. The transfer or disclosure is limited to the minimum amount of personal data needed.
  4. The approval of the competent authority to transfer or disclosure as determined by the regulations.
  5. Except for the requirement set forth here, the competent authority may exempt GOV.SA, on a case-by-case basis, from being bound by one of the conditions; when the competent authority individually or jointly with other parties assesses that personal data will have an acceptable level of protection outside the Kingdom, and such data is not sensitive data.

This platform shall keep records for a period specified by the regulations, where records include a minimum of the following data:

  1. The contact details of the entity 
  2. The purpose of processing personal data
  3. The categories of personal data subjects.
  4. The party to whom personal data has been (or will be) disclosed.
  5. Whether personal data has been (or will be) transferred outside the Kingdom or disclosed to a party outside the Kingdom.
  6. The expected period to retain personal data.

Offences and Penalty: Without prejudice to any more severe penalty provided for in another system, the penalty for committing the following offences shall be by its failure if :

  1. Anyone who discloses sensitive data or publishes it in violation of the provisions of the Law shall be punished by imprisonment for a period not exceeding (two years) and a fine not exceeding (three million) riyals, or one of these two penalties if this is with the intention of harming the data owner or to achieve personal benefit.
  2. Anyone who violates the provisions of transfer or disclosure of personal data outside the Kingdom shall be punished by imprisonment for a term not exceeding (one year) and a fine not exceeding (one million) riyals or one of these two penalties.

While there is no special provision of the Law, and without prejudice to any more severe penalty stipulated in another system, every person of a special natural or legal nature - covered by the provisions of the law - who violates any of the provisions of the law or regulations shall be punished by warning or a fine not exceeding (five million) riyals. The penalty of the fine may be doubled in case of repeated violation even if it exceeds its maximum limit if it does not exceed double this limit.

The Public Prosecution shall be competent in investigating and prosecuting before the competent court for these violations. The competent court shall hear cases arising from the application of this Article and the imposition of the prescribed penalties.

A committee (or more) whose members shall not be less than (three), one of whom shall be called a Chairman, including a legitimate or statutory adviser, shall be responsible for the consideration of violations and the imposition of the warning penalty or fine provided here, according to the type of violation committed, its gravity and the extent of its impact, provided that the decision of The head of the competent authority shall, by his decision, issue the rules of work of the committee, in which the remuneration of its members shall be determined. Anyone against a committee decision has the right to appeal to a competent court.

Without prejudice to these provisions of the law, the GOV.SA shall hold any of its employees accountable - disciplinarily - in case they violate any of the provisions of the Law and Regulations, in accordance with the provisions and procedures of accountability and discipline prescribed by law.

Without prejudice to the penalty imposed in the law, whoever has suffered harm due to committing any of the violations stipulated in the Law or Regulations, has the right to claim before the competent court for compensation for material or moral damage commensurate with the extent of the damage.

Further, anyone who has initiated a work of processing personal data is obliged to preserve the secrets related to the data even after the end of their job or contractual relationship.

Disclaimer

This privacy and data protection policy applies to GOV.SA only. You should carefully read their privacy and data protection policy when transferring to another website through this platform. 
The provisions and procedures in the law shall not prejudice any provision granting a right to the owner of personal data or deciding to protect it better, provided for by another regime or international agreement to which the Kingdom is a party.


No Responsibility: The Platform has been prepared to comply with current regulations in Saudi Arabia. Under this resolution, Digital Government Authority cannot guarantee:

  • The accuracy and reliability of the information
  • Responsiveness to external attack or hacking
  • Sustainability or effectiveness
  • Propriety of Platform Content
  • Neither the Platform nor the server will contain viruses or other malicious elements.
  • Neither Digital Government Authority nor any other government agency may be held legally responsible for direct or indirect loss or damage that may result from using the Platform.

Use at Your Own Risk: The Platform contains links to other websites that are not subordinate to the Digital Government Authority supervisors and so are not responsible for the content of those sites. Any dangers arising from browsing sites through the links provided on the Platform are the User's responsibility.
The Platform contains links to other websites or portals that may attempt to protect information and privacy using tools different from those used by the Platform; consequently, we are not responsible for the content or the means of privacy protection used. We advise Users to review the privacy policies of these websites.
Some of the Authority’s websites use Cookies; these files give Users full access to websites. If desired, Cookies can be used to remember passwords and simplify accessing the website. Cookies files are stored on the computer's hard disk if they have been accepted and coded.


Limits of Liability: Users hereby acknowledge their awareness that online communications can be spied upon or hacked by third parties. As confirmed, Users are aware that the Platform will not alter information made available by official government agencies and that, in addition, all online applications and administrative procedures can also be made directly and executed in person.
The platform takes no responsibility for any loss or damage Users may suffer from using and visiting the Platform, including as the result of any information, statement or view announced on it.
Further, the Platform is not responsible for any problems that may arise in accessing the Internet and any damages to machines or software, nor can it be held accountable for any misconduct or malicious comment made by other users logged in to it.


Protection from Viruses: Users shall avail themselves of the appropriate Antivirus Programs when attempting to download any content from the Platform. We are not responsible for any loss or damage to data or the User computer that may arise during the use of this Platform or any of its content.


Assignment of Claims: GOV.SA and all its services, sources of information and other materials are for personal use without acknowledgement or warranty. The Platform is not responsible for errors or excesses that may arise due to the use of its content or links, whether known or unknown.
Any communication or information sent by Platform Users is not the possession of the sender nor guaranteed concerning privacy. In addition, any interactive use by Platform Users does not secure any rights, licenses, or privileges.


Compensations: Users hereby acknowledge never to act against the Digital Government Authority or its administrators, including all agencies, employees or authorised agents responsible for managing or updating the GOV.SA Platform of Unified Government Services. This clause is considered a legal exemption of obligations or responsibilities regarding claims resulting from user violation of terms, conditions of use, or other relevant regulations inside and outside Saudi Arabia.

Copyright Notice

This Platform is under the supervision of the Digital Government Authority, a government agency that aims to regulate digital government work in government agencies.
All content available on the GOV.SA is protected by the national rules and regulations related to publications, brand names, and intellectual property rights. All intellectual property rights relating to the Platform's content are protected and considered the property of the Digital Government Authority.
Except where otherwise stated, Users are not authorised to sell, license, lease, modify, copy, reproduce or download, publicise, transport, distribute or edit any materials explicitly derived from the content of this Platform without the prior written approval of the GOV.SA Platform Management.
It is prohibited to change or modify any of the Platform’s content. In addition, all pictures and media included within the Platform are protected by publication copyright, and it is not permitted to copy or use such content without the prior written approval of the GOV.SA Platform Management.


Jurisdiction: Users hereby agree to comply exclusively with the Kingdom of Saudi Arabia's jurisdiction about any issue or dispute arising due to the use of this Platform.

The Privacy and data protection policy Updates

GOV.SA has the right to update and change its privacy and data protection policy as needed. We’ll update this policy when our data and information handling practices change. 

Contact Us

If you have any questions about our privacy and data protection policy, need help, or complain, please let us know through:

  • Phone: 199099
  • SMS: 1990099
  • E-mail: info@1990099.gov.sa
  • Contact Form: Here
  • Working hours: 24/7 
  • Response time: 24 hours 

For further information, see:

Personal Data Protection Regulations

Other relevant legislation and regulations

Children and Incompetents’ Privacy Protection Policy

The Children and Incompetents’ Privacy Protection Policy sets the legal basis for preserving the children and protecting their rights in relation to collecting and processing their personal data by any means. The Policy is in accordance with the provision of the Data Protection Regulation and the UN Convention on the Rights of the Child and its optional protocols. The objectives are to protect children from the:

  • Negative effects of inappropriate content and advertisements spread on the Internet.
  • Helping the competent authorities protect children from potential risks - violence, abuse, abuse, threat, harm or exploitation, resulting from the collection and processing of their personal data through websites and digital applications.
  • Finding a balance between negative effects, potential risks and the need to collect and process personal data children.

The policy provisions apply to all entities (public, private, and non-profit entities) in the Kingdom that collect and process personal data of children, whether manual or electronic. The provisions also apply to all entities outside the Kingdom that collect personal data of children residing in the Kingdom online.

General rules for transfer of personal data outside the Kingdom

The General rules for transfer of personal data outside the Kingdom set the rules and the standards for the transfer of personal data outside the geographical borders of the Kingdom to ensure the preservation of national sovereignty over this data, as well as maintaining the privacy of personal data owners and protecting their rights by defining the obligations of the controllers and processors regarding transfers of personal data outside the Kingdom. The provisions of this document apply to all entities (public, private, and non-profit entities) in the Kingdom which transfer personal data to other parties outside the geographical borders of the Kingdom for the purpose of processing.