The university is committed to protecting the privacy of the data it collects, processes, and maintains through its various systems and platforms, as part of its national responsibilities in data management and ensuring its effective and secure use. This policy is established in accordance with the national regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) and the relevant laws related to personal data protection, with the aim of enhancing trust in the university’s digital transactions and ensuring compliance with the principles of privacy and data governance.
Purpose of the Document: The purpose of this document is to establish a clear framework for the protection of personal data within the university, in a manner that enhances trust in its services and ensures compliance with relevant national laws and regulations. It also aims to regulate the processing of personal data at all stages in accordance with best practices, and to ensure the responsible handling of beneficiaries’ information in a way that preserves their privacy and achieves compliance with regulatory requirements in the Kingdom of Saudi Arabia.
Policy Scope and Applicability: This policy applies to all processes related to the collection, processing, storage, and exchange of personal data within the university, whether conducted through electronic systems, administrative procedures, or any other channels. It covers all university affiliates and stakeholders, including students, faculty members, employees, and other beneficiaries, in addition to internal and external entities that handle personal data as part of services or projects associated with the university.
Policy Review Schedule: This policy shall be reviewed on a regular basis, at least once annually, in accordance with the directives of the General Supervisor of the policy and as requested by the University’s Data Management Office.
Compliance Monitoring: Compliance with the Data Privacy and Data Usage Policy is measured in accordance with the standards and performance indicators established by the University’s Data Management Office, in alignment with the requirements of the National Data Management Office. Compliance standards are reviewed periodically by the Director of the Data Management Office.
The university is committed to applying the national principles and standards of data privacy and data protection in accordance with the regulations of the Saudi Data and Artificial Intelligence Authority (SDAIA), as follows:
Lawfulness and Transparency: Data processing shall be carried out in a manner that is lawful and transparent to the data subject, with the purposes and mechanisms of use explained in an understandable and unambiguous way.
Purpose Limitation: The collection and processing of data shall be limited to specific, legitimate, clear, and declared purposes communicated to the data subject, without exceeding what is necessary to achieve those purposes.
Data Minimization: Collecting and processing only the minimum amount of data necessary to achieve the intended purpose, without excessive collection of information unrelated to that purpose.
Data Accuracy and Quality: Taking adequate measures to ensure that data is accurate, complete, and updated when necessary, and promptly correcting or addressing incorrect or inaccurate data.
Storage Limitation: Retaining data only for the period necessary to fulfill the intended purpose or in accordance with statutory retention periods, and securely destroying or anonymizing it once the need for retention has ended.
Data Subject Rights: Ensuring that data subjects are enabled to exercise their statutory rights, such as access, correction, modification, withdrawal, objection, and data deletion, in accordance with applicable controls.
Security and Protection: Implementing cybersecurity, technical, and organizational controls to prevent unauthorized access, loss, leakage, alteration, or unlawful destruction of data.
Accountability and Compliance: Assuming responsibility for data protection and compliance with laws and regulations, documenting procedures, and demonstrating compliance upon request.
Data Sharing in Accordance with Controls: Not sharing data with any external party except under formal agreements that comply with privacy and protection standards and serve a legitimate purpose for such sharing.
Privacy by Design and by Default: Integrating data protection requirements into the design of systems and services from the outset, and enabling default settings that protect users’ privacy.
Personal Data Collected
The university collects the following data:
Employment Data: All data related to employment inside and outside the university, from the application stage until the end of service, such as job descriptions, rank and grade, decisions, promotions, appointments, contracts, and other related information.
Academic Data: All data related to the academic educational process, including academic records, enrollment, schedules, and teaching loads.
Research Data: Research projects, funding, research partnerships, surveys, and scientific statistics, with emphasis on anonymization where required in accordance with personal data protection requirements.
Financial Data: Data collected for the purposes of payments and allowances, such as bank account numbers and IBANs.
Basic Personal Data: Includes name, gender, national ID number, nationality, marital status, and other identity-related data required by the university to perform its functions.
Medical and Health Data: The university community includes persons with disabilities, whose data is collected to provide them with optimal services. The university has a medical department responsible for collecting medical and health data of beneficiaries. The university also receives medical excuses in cases of illness or medical leave.
Contact Information and Electronic Channels: Includes data such as phone numbers, email addresses, personal address (national address), and account login data for university platforms and applications, such as usernames and passwords.
Contractual Data: Data related to developmental projects within the university and their implementing entities, and other information related to contractual process requirements.
How Personal Data Is Collected and the Purpose of Collection
Personal data is collected through direct methods from the data subject, or indirectly from other entities with varying areas of specialization, in accordance with Article One and Paragraph Six of the Personal Data Protection Law.
These direct and indirect methods include, but are not limited to, the following:
Official university communication channels for academic, research, or employment purposes.
Surveys and evaluations.
Inquiries and suggestions.
Electronic registration and related forms.
Services concerned with data collection.
Obtaining data from various governmental and private entities within their areas of competence.
Technical data recorded through IP addresses or cookies during visits to the university’s website.
The purposes of collecting and processing personal data vary depending on the entity and the nature of its activities. Accordingly, the university’s purposes for collecting and processing data are limited to its scope of responsibilities related to academic, research, administrative, and employment functions, internal developmental projects, improving outputs, and providing optimal services to beneficiaries. This is in implementation of Article Thirteen, Paragraph Two of the Personal Data Protection Law, and in line with the interests confirmed in Article One, Paragraphs Four, Five, and Six of the Executive Regulations of the Personal Data Protection Law.
This is also in accordance with Article Thirteen, Paragraph Five of the Personal Data Protection Law regarding the potential impacts and risks resulting from the failure to complete the personal data collection process.
How Your Personal Data Is Processed and Used
Personal data is processed within the university in accordance with the university’s policies and its compliance with the Personal Data Protection Law, as stipulated in Article One, Paragraph Five, and Article Thirteen of the Law, as well as the Executive Regulations issued thereunder, particularly Article Twenty-One.
Accordingly, some examples of such processing and use include, but are not limited to:
Organizational and administrative purposes.
Completing requests and services related to academic, administrative, and student staff.
Conducting data analysis and statistics to support decision-making.
Sending guidance, awareness messages, or messages related to provided services.
Using personal data to complete student admission processes, monitor academic progress, and provide employment entities with graduate data after graduation.
Responding to requests and inquiries.
Developing and improving beneficiaries’ experience.
Preparing activities and studies that serve the university and its beneficiaries.
How Your Personal Data Is Shared
The university may share your personal data after collection and processing with judicial, legal, security, governmental, or non-governmental entities, within the framework of university policies and in compliance with applicable laws and regulations. The university affirms its full compliance with all requirements ensuring the privacy and protection of personal data in accordance with laws, regulations, and policies governing data privacy and protection, including the Personal Data Protection Law and data-sharing policies.
The purpose of such sharing is to regulate the exchange and circulation of personal data and protect it from misuse or harm to data subjects. Accordingly, beneficiaries’ data within the university may not be accessed, exchanged, or shared except through controls and channels defined by applicable regulations. Some cases require consent, while others are exempted from consent for judicial or security requirements, or where the data subject’s interest is achieved, in accordance with Article One, Paragraph Five of the Executive Regulations and Articles 5, 6, and 7 of the Personal Data Protection Law.
Such sharing is preceded by multiple procedures governed by the Data Sharing Policy, including Data Sharing Agreements and Data Sharing Controls Forms. This is a key priority for the university in building trust regarding data privacy and data subjects’ rights.
Examples of Personal Data Sharing
Judicial and security authorities.
Government entities related to the nature of the university’s activities for integration purposes, including but not limited to: the Ministry of Education, the Ministry of Human Resources and Social Development, and the National Information Center.
Entities cooperating with the university under agreements or memoranda of understanding for lawful purposes such as education, employment, or other services.
Employment entities (graduate data is shared for employment coordination and job opportunities).
Training providers or entities benefiting from training (personal data is shared for training purposes).
Legal Grounds for Collecting and Processing Your Personal Data
Personal Data Protection Policy at the University of Hafr Al-Batin.
Personal Data Protection Law issued by Royal Decree No. (M/19) dated 09/02/1443 AH, as amended by Royal Decree No. (M/148) dated 05/09/1444 AH.
Executive Regulations of the Personal Data Protection Law issued by Decision No. (1516) dated 19/02/1445 AH.
Data Sharing Policy Document issued by the Saudi Data and Artificial Intelligence Authority (SDAIA), updated to Version 2.0.
Your explicit consent in accordance with Article Five of the Personal Data Protection Law, which you may withdraw at any time without affecting processing conducted based on other lawful grounds. Exceptions to explicit consent are stipulated in Article Six and its four paragraphs, and Article Seven of the same Law.
The above legal grounds may be relied upon individually or collectively as legal bases for processing personal data.
How We Store Your Personal Data
| Location | Storage Method |
| Within the university premises. | |
Personal data is stored, processed, retained, and destroyed securely in a manner that prevents loss, misuse, or unauthorized access, in accordance with applicable university policies and regulations. All such activities are conducted within the geographical boundaries of the university in the Kingdom of Saudi Arabia to ensure the preservation of national digital sovereignty over the data.
Your Rights Regarding the Processing of Your Personal Data
Pursuant to the Personal Data Protection Law, you have the following rights, which depend primarily on the purpose of collecting and processing personal data:
Right to Be Informed: This includes being informed of the legal basis and purpose of collecting your personal data. Full details are available through the Privacy Policy, or you may contact us using the details provided below.
Right to Access Your Personal Data: You have the right to access your personal data available to us in a readable format, in accordance with the controls and procedures specified in the regulations, without prejudice to Article Nine of the Law.
Right to Obtain a Copy of Your Personal Data: You have the right to obtain your personal data available to us in a clear and readable format, in accordance with regulatory controls and procedures.
Right to Correct Your Personal Data: You have the right to request correction, completion, or updating of your personal data by contacting the responsible entity within the university. The data will be reviewed and updated within a specified period, and you will be notified accordingly.
Right to Erasure of Your Personal Data: You have the right to request the destruction of personal data that is no longer needed, without prejudice to Article Eighteen of the Personal Data Protection Law. (The university reserves the right to assess the feasibility of erasure without affecting its operational capabilities, service delivery, or compliance with statutory requirements.)
Right to Withdraw Consent: You have the right to withdraw your consent for processing your personal data at any time, unless there are legal grounds requiring otherwise.
If you submit a request to exercise any of these rights, you will receive a response within thirty (30) days from the date of receipt of a complete request.
For more details regarding the processing of your personal data and how to exercise your rights, you may contact the Personal Data Protection Officer at the University of Hafr Al-Batin using the contact details provided below.
Role | Responsibility |
Data Governance Committee | Approval of the policy, periodic review, monitoring compliance, and ensuring alignment with national regulations issued by SDAIA and other relevant authorities. |
University Data Management Office (DMO) | Overall supervision of policy implementation, defining controls and operational procedures, managing data protection risks and compliance, and monitoring and addressing violations. |
Data Owner | Determining legitimate purposes for data collection and access permissions, ensuring data protection within their administrative unit, and monitoring data quality and accuracy. |
Data Steward | Managing and processing daily data operations within the system or owning entity, ensuring users’ compliance with controls, and updating data in accordance with approved standards. |
Cybersecurity and Information Technology | Providing technical measures to protect data from breaches, leakage, or loss; implementing technical privacy controls; and monitoring security threats and responding to incidents. |
Authorized Data Users | Ensuring secure and responsible use of data in accordance with granted permissions, refraining from disclosing or sharing data with unauthorized parties, and reporting any potential risks or violations. |
External Service Providers | Full compliance with data privacy and protection controls stipulated in agreements concluded with the university, and using data only for the authorized purpose. |
Related Policies
Personal Data Protection Policy at the University of Hafr Al-Batin
Data Classification Policy at the University of Hafr Al-Batin
Data Access Policy at the University of Hafr Al-Batin
Data Sharing Policy at the University of Hafr Al-Batin
How to Submit a Complaint or Objection
In the event of any objections, inquiries, or concerns related to the Privacy Notice, you may submit a complaint to the competent authority through one of the following channels:
Director of the Data Management Office: dmo@uhb.edu.sa
If you are not satisfied with how your objection or complaint is handled within thirty (30) days, you may submit a complaint to:
Saudi Data and Artificial Intelligence Authority (sdaia.gov.sa)
National Data Governance Platform (dgp.sdaia.gov.sa)
The university reserves the right to update the Privacy Policy whenever necessary. You are therefore required to review any updates to this policy. In the event of a material change to this policy, notification will be provided accordingly.
References
Personal Data Protection Law and its Regulations.
Data Sharing Policy at the University of Hafr Al-Batin.

