Data Privacy Policy

Types of personal data collected within the University

• Personal data that is provided when communicating with us through mail or social media, or when registering for the University's electronic services.
• When applying for admission to the university, we collect personal data: name, identity data, contact data, qualifications, city, region, health and employment data. 
• When a student enrolls at the university, bank data is collected.
• Personal data collected from job applicants, including full name, identification details, region, city, contact information, academic qualifications, professional experience, and certifications.
• Upon commencement of employment, the university collects the following additional data: family details, religion, address, passport or residence permit (iqama) details, banking details, health data, and biometric data, such as fingerprints. 
• Upon student enrollment in community service center training programs, the university collects the following data: full name, identification data, contact details, educational level, region, city, and employment details.
• Personal data collected from third-party entities, including, without limitation, The Ministry of Education, The Ministry of Human Resources and Social Development, and The National Information Center (Nic).
• Personal data provided to the university through surveys and questionnaires.
• In the context of an active employment contract or commitment, personal data will be collected in compliance with regulatory and administrative requirements.
• Personal data collected through cookies.

Purpose of Collecting Personal Data and How It Is Used:

The main purposes for which personal data is used, including collecting and processing beneficiary data to improve and enhance the university's services, are:

• Organizational and administrative purposes.

• Completing requests and services for students, employees, or trainees.

• Conducting analysis and statistics for decision-makers.

• Sending awareness messages or messages related to the services provided.

• Meeting judicial or security requirements.

• Personal data is also used to complete the student admission process and follow-up on their educational journey, and to provide employers with your data after graduation.(students’)

• Authenticating the user's identity when registering for university services.

• Responding to requests and inquiries from beneficiaries.

• Developing and improving the beneficiary experience.

• Enabling and providing university services.

• Preparing studies that serve the university.

How is your personal data collected and what is the purpose of collecting it?

Some of the personal data we process is obtained from you directly or indirectly, as stated above, using direct and indirect means for the following purposes:

The primary purposes for which personal data is used are to collect and process beneficiary data to improve and enhance the university's services:

• Organizational and administrative purposes.

• Completing requests and services for students, employees, or trainees.

• Conducting analysis and statistics for decision-makers.

• Sending awareness messages or messages related to the services provided.

• Fulfilling judicial or security requirements.

• Personal data is also used to complete the student admission process and follow-up on their educational journey, and to provide employers with your data after graduation.

• Authenticating the user's identity when registering for university services.

• Responding to requests and inquiries from beneficiaries.

• Developing and improving the beneficiary experience.

• Empowering and providing university services.

• Preparing studies that serve the university.

How Do We Use Personal Data?

Personal data collected, whether directly or indirectly, is used for the following purposes:

The primary purposes for which personal data of beneficiaries is collected and processed, with the aim of improving and enhancing the quality of the University’s services, include:

• Organizational and administrative purposes.
• Completion of requests and services related to students, employees, or trainees.
• Conducting analyses and preparing statistics to support decision-makers.
• Sending awareness messages or service-related notifications.
• Compliance with judicial or security requirements.
• Facilitating student admission processes, monitoring their academic progress, and providing graduation data to potential employers.
• Verification of user identity when registering for University services.
• Responding to beneficiary requests and inquiries.
• Developing and enhancing the user experience.
• Enabling and delivering University facilities.
• Conducting studies that support the University’s objectives.

How Do We Disclose Personal Data?

Personal data shall be accessible only to authorized University employees whose roles require such access in order to provide services. Where personal data is shared, the University ensures that it is exchanged within a secure and trusted environment, and in accordance with applicable laws, regulating policies. The University takes additional measures to safeguard personal data by executing data-sharing agreements with third parties under specific terms and conditions aligned with the principles of data sharing and exchange adopted by the University. Such sharing is carried out strictly for legitimate purposes, that are legally based or justified operational needs, aimed at serving the public interest without compromising individual privacy.

Data Sharing at the University

We at the University may share your data with the following entities:

• Governmental entities related to the nature of the University’s activities for purposes of integration, including but not limited to: the Ministry of Education, the Ministry of Human Resources and Social Development, and the National Information Center.
• Entities collaborating with the University under agreements or memoranda of understanding for data exchange, for legitimate purposes including education, employment, or other services.
• Employment entities, )where we share graduate data for purposes of job coordination and providing employment opportunities.(
• Training providers or beneficiaries of training,) where we share personal data for training purposes(.
• Judicial and security authorities.

Methods of Data Sharing

Data sharing within the University is conducted according to whether the sharing is internal or external:

• Internal sharing: Data is shared between the University, its branches, colleges, departments, and administrative units through the Data Sharing Platform or via the University’s electronic systems designed to store and process your data to facilitate providing services. Examples include the Academic Portal, Masar System, etc.
• External sharing: Data is shared externally depending on the entity:
  • Governmental entities: Data is shared via the National Data Marketplace, the Data Sharing Platform, or any other government-approved platform for data sharing.
  • Other entities: Data is shared via the University of Tabuk’s system “Data Sharing System.”

Legal Basis for Collecting and Processing Your Personal Data

In accordance with the Personal Data Protection System at the University of Tabuk, and in compliance with the Personal Data Protection Law and its implementing regulations, the legal basis we rely on for processing this data includes one or more of the following justifications:
(The applicable legal basis or bases may be selected from those outlined in the regulations).

• Your explicit consent is required, and you may withdraw this consent at any time. However, withdrawal will not affect processing operations carried out under other legitimate legal bases. To do so, (In order to withdraw)  please contact the Data Governance Unit or the University's Data Protection Officer using the contact information provided below.

Personal data will not be processed without taking adequate steps to ensure its accuracy, completeness, currency, and relevance to the purpose for which it was collected. The University applies the highest security standards to protect data and information. Sensitive data, and any data that must be kept confidential under legal requirements, is encrypted and subject to additional controls and procedures. In accordance with the Personal Data Protection Policy, the University collects and processes personal data based on the following regulatory foundations:

Consent

• Your explicit consent is required, and you may withdraw it at any time. To do so, you can contact the university's Data Governance Unit.

In Compliance with Regulatory Requirements:

• Based on the Royal Decree establishing the University of Tabuk, we collect and process personal data to achieve the objectives and ensure the success of the educational process.
• In compliance with Royal Orders pertaining to data exchange between government entities.
• In fulfillment of a legal or regulatory obligation, or a request from a competent governmental authority.
• In fulfillment of a contractual obligation that requires data processing.

Serving the public interest

• To achieve the University's objectives and fulfill its specific functions.
• The university is a government entity responsible for higher education and requires the use of personal data to provide its services.

How do we store your personal data?

Your personal data is stored, processed, retained, and destroyed in a secure manner that prevents its loss, misuse, or unauthorized access, in accordance with the regulations and policies in effect at the University. This is done within the geographical boundaries of the Kingdom to ensure the preservation of national digital sovereignty over this data

Your Rights Regarding the Processing of Personal Data

Under the Personal Data Protection Law, you have the following rights, which primarily depend on the purpose of collecting and processing your personal data:

• Right to be Informed: 
  You have the right to know how we collect your personal data, the legal basis for its collection and processing, how it will be processed, stored, and destroyed, and to whom it will be disclosed. You can review all details through the Privacy Policy or contact us using the information provided below.

• Right of Access to Your Personal Data: 
  You have the right to review your personal data and obtain a copy of it in a clear format identical to the contents of our records, free of charge – in accordance with applicable regulations – without prejudice to (Article 9) of the Personal Data Protection Law. (A request for a copy of personal data can be submitted, and the beneficiary will be provided with it within 30 days via the email registered in the request. If we need additional time to process the request, the beneficiary will be informed along with the expected time frame for completion.)

To exercise your right to access personal data or the right to have personal data destroyed, please submit your request via email, including your name, contact information, and details of the request. If the request is submitted on behalf of another person, an authorization signed by that person must be provided.

• Right to Rectify Your Personal Data: 
  You have the right to request the correction of your personal data if you believe it is inaccurate, incorrect, or incomplete, by contacting the responsible department within the university. The data will be reviewed and updated within a specified period, and the beneficiary will be notified accordingly.

• Right to Request the Destruction of Your Personal Data: 
  You are entitled to request the destruction of your personal data held by us when it is no longer necessary, without prejudice to the provisions of Article 18 of the Personal Data Protection Law. Once such a request is submitted, we reserve the right to assess its feasibility and determine whether the data can be destroyed without compromising our ability to provide future services or fulfill any regulatory obligations.

• Right to Withdraw Consent for Processing Personal Data: 
  You have the right to revoke your consent to the processing of your personal data at any time, except where continued processing is required by law. Unless otherwise stipulated by law, you will not be required to pay any fees to exercise these rights. If a request to exercise any of these rights is submitted, you will receive a response within thirty (30) calendar days from the date of complete receipt of the request. Further information regarding the processing of personal data and the exercise of data subject rights may be obtained by contacting the Personal Data Protection Officer at the University of Tabuk, using the contact information provided at the end of this policy.

Implementation and Monitoring: The implementation of privacy and personal data protection policies shall be overseen by the Data Governance Unit in coordination with relevant departments, including the resolution of any disputes that may arise in this context. Personal data shall be assessed and classified by the owning departments based on its sensitivity, in accordance with the Privacy Classification Document. Appropriate controls shall then be applied in alignment with established policies and procedures to ensure the protection of such data.

Departments engaged in operational, consulting, or supply agreements with business partners, contractors, suppliers, or consultants shall be responsible for monitoring and auditing compliance with all applicable policies of the University of Tabuk. Additionally, the Data Governance Unit shall provide training to employees to support the effective implementation of this policy.

Personal Data Protection Officer 

Contact information

How to file a complaint or an objection

In case of some concerns or not abiding by personal data protection system, you can file a complaint to personal data protection officer run by personal data protection office using one of the following channels:

 

If you are not satisfied with our procedures in complaint processing, or our reply within 30 days, you may file a complaint to the Saudi Data and AI Authority using Data Governance Platform