1.1 SAUDI TOURISM AUTHORITY (or “STA”, “we”, “us” or “our”) is the Saudi government entity responsible for promoting Saudi Arabia as a global tourism destination, developing a leading tourism brand for the Kingdom, developing the tourism sector by building partnerships with relevant stakeholders, and coordinating with destinations and attractions in Saudi Arabia to maximize target visits. We are also responsible for various types of consumer level engagement in the tourism sector, including via consumer-facing Digital Platforms.

1.2 STA considers it important to protect your Personal Data and endeavours to process it in accordance with applicable data protection laws and regulations, primarily Saudi Arabia’s National Data Management Office’s Interim Regulations on Personal Data Protection (the “Interim Regulations”) and other applicable data protection laws and regulations (the Interim Regulations and such other laws and regulations referred to generally herein as “Applicable Data Protection Law”).

1.3. For the purpose of Applicable Data Protection Law, STA is the Controller (i.e. person responsible for deciding how your Personal Data is processed) and responsible for your Personal Data.

2.1 STA respects your privacy and is committed to protecting your Personal Data. STA has adopted this Privacy Notice to notify (“you”, “your”) about the Personal Data collected, used and processed relating to you, and how you can expect your Personal Data to be used and for what purpose. It is important that you read this Privacy Notice, so that you are aware of how and why we are using such information and what your rights are under Applicable Data Protection Law.

2.2 This Notice:

1. applies to anyone visiting or using the Digital Platforms
2. sets out the types of Personal Data we collect about you
3. explains how and why we collect and use your Personal Data
4. explains how long we keep your Personal Data
5. explains how we will share your Personal Data - when, why and with whom
6. explains your rights as the Data Subject
7. sets out the legal bases we have for using your Personal Data
8. explains the effect of refusing to provide the Personal Data requested
9. explains the different rights and choices you have as a Data Subject when it comes to your Personal Data
10. explains how we use automated decision making and/or profiling – when and why

 

2.3 The Digital Platforms are not intended for children under 18 and we do not knowingly collect Personal Data from children.

We will implement measures designed to comply with Applicable Data Protection Law, including measures designed to ensure that the Personal Data we hold about you is:

1. used lawfully, fairly and in a transparent way
2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
3. relevant to the purposes we have told you about and limited only to those purposes
4. accurate and kept up to date
5. kept only as long as necessary for the purposes we have told you about
6. kept securely
7. kept using appropriate measures and records in a way which allows us to demonstrate compliance with Applicable Data Protection Law

We may change/update this Notice at any time in the future, at our sole discretion. Any changes will be effective immediately upon posting of the revised Notice. If the changes are material, we will provide you with additional notice, such as through a banner on our website or by sending you an updated version of this Notice in writing, including electronically where appropriate, unless you request a different delivery format. (You can request it in a different format by contacting us through this form).

5.1 We collect your Personal Data for the purposes listed further below in the Schedules. (The specific purposes vary depending on the Digital Platform.)

5.2 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

5.3 For completeness, Personal Data does not include data where the identity has been completely removed (e.g. completely anonymous data or Aggregate Data), however, it may still include pseudonymous data. Under Applicable Data Protection Law, there may certain types of more sensitive Personal Data that require a higher level of protection (“Special Categories of Personal Data” and “Personal Data relating to criminal convictions”). Special Categories of Personal Data may include: details about your race or ethnicity, religious or philosophical beliefs, information about your health, and genetic and biometric data. Information about criminal convictions and offences may also be considered sensitive and warrant this higher level of protection.

5.4 We do not normally collect or process Special Categories of Personal Data or Personal Data relating to criminal convictions. Such categories of Personal Data may be considered more sensitive under Applicable Data Protection Law, and would typically require more stringent security measures (technical and organisational measures) whilst processing. In the exceptional case in which we may be required to collect and process such Personal Data, we would only collect it from you, and further process it, when permitted by law, such as when one of the lawful conditions for processing Special Categories of Personal Data detailed in Schedule 2 applies. Where required under Applicable Data Protection Law, we will collect a separate consent from you before processing your Special Categories of Personal Data.

5.5 We also may collect, use and share “Aggregated Data” (as that term is defined by Applicable Data Protection Law) for any purpose to the extent permitted by Applicable Data Protection Law. Aggregated Data could be derived from your Personal Data but is generally not considered Personal Data under Applicable Data Protection Law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data in accordance with Applicable Data Protection Law to calculate the percentage of users accessing a specific Digital Platform feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Notice.

The following are the different sources from which we may collect Personal Data about you:

7.1 Directly from you. This is Personal Data you provide to us, such as through visiting our Digital Platforms or through direct correspondence with us , or via other direct interactions with us such as completing a form on our Digital Platform, applying for our products or services, applying for a career with us on our Digital Platform, creating an account on our Digital Platform, subscribing to our service or publication, requesting marketing to be sent to you, entering a competition or prize draw, promotion or survey, giving feedback, contacting us by any means to submit an enquiry complaint, etc.

7.2 From an agent/third party acting on your behalf.

7.3 From publicly available sources. We may use the following public sources:

1. social media;
2. events (e.g. conferences);
3. directories.

7.4 From analytics providers, advertising networks, search information providers, or providers of technical, payment (i.e. third party payment gateways) and delivery services.

7.5 Through any marketing communication we may send you, or through email communications sent from or received by us. You can opt-out of receiving promotional emails from us at any time by following the instructions as provided in emails to click on the unsubscribe link, or emailing us at the email address set out in Section 19 below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt-out of non-promotional emails, such as those about transactional relations.

7.6 Through automated technologies or interactions. As you interact with our Digital Platform or download/install our app(s), we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other Digital Platforms employing tracking technologies, including cookies. Please see our Cookie Policy for further details.

8.1 We want to give you the best possible user/customer experience while fulfilling our role as the Saudi Tourism Authority. In order to do so, we need to paint an accurate picture of who you are, and what your preferences are, by combining different types of Personal Data we have collected relating to you.

8.2 We will only use your Personal Data when the law, including Applicable Data Protection Law, allows us to do so. Under Applicable Data Protection Law, it may be necessary to justify the use of Personal Data under one of a number of legal grounds (lawful basis for processing). This means that we will only collect Personal Data for specified, explicit and legitimate purposes, and should not process the Personal Data in a matter incompatible with those purposes unless in limited circumstances. We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

8.3 We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you. You will receive such marketing communications from us if you have requested information from us or purchased/received goods or services from us and you have opted into receiving that marketing. You can ask us or our affiliates to stop sending you marketing messages at any time - by logging into the Digital Platform and adjusting your marketing preferences, by following the opt-out links on any marketing message sent to you, or by contacting us at any time. (Opting out of receiving marketing messages will not affect any transactional or service messages that we need to send to you in the context of transactions or services.)

8.4 In summary, we use your Personal Data to allow us to perform our contract with you, offer you the best possible customer experience in line with our legitimate interests, and to enable us to comply with all of our legal obligations. The specific purposes for which we will process your Personal Data and the corresponding lawful basis for processing are listed in the Schedules. Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

9.1 We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

9.2 We consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements - to determine the appropriate retention period for Personal Data.

9.3 In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may retain and use such information without further notice to you. Once you are no longer (as applicable) a customer, user, employee of us, then we will retain and securely destroy your Personal Data in accordance with Applicable Data Protection Law.

10.1 Our own personnel have access to your Personal Data for the performance of their duties. We may share your Personal Data with other related entities to perform our role in the Saudi tourism ecosystem, in the context of assessing or reporting on activities or our performance, in the context of the reorganisation of STA, for system maintenance support and hosting of data, and for other operational reasons of this nature.

10.2 We may also share your Personal Data with our service providers (known as “trusted third parties”) involved in the provision of the information or services you have requested from us via our Digital Platforms for lawful purposes in order to help us run our business. We rely on such trusted third parties for a range of our business operations and provision of services. We have agreements in place with these service providers to protect the confidentiality of your Personal Data. We do not share your Personal Data with third parties for their own marketing purposes, except with your specific consent.

10.3 If we share your Personal Data with trusted third parties, we:

1. only provide them with the information needed for their specific services/specific purpose;
2. enter into adequate contractual arrangements designed to ensure that they may only use your Personal Data for the exact purposes we specified in our contract with them
3. collaborate closely with our trusted third parties to ensure that your privacy and Personal Data are protected
4. where we stop using the services of our trusted third parties, we ensure any of the data held by them is securely deleted or put beyond further use

 

10.4 In summary, our trusted third parties include:

1. third party providers of payment gateways
2. suppliers/ service providers (e.g. delivery couriers, e-commerce service providers, technicians for handling complaints or fraud management, IT companies and providers who support our Digital Platform)
3. professional advisors (e.g. bankers, auditors and lawyers)
4. insurance (e.g. insurance brokers)
5. direct marketing companies that help us in our e-communications with our customers
6. outsourcing certain business functions. For example, we may use service centres to whom we outsource functions such as document and information management, office support, technology and IT services, word processing, photocopying and translation services (we have agreements in place with these service providers to protect the confidentiality and security of information (including Personal Data) shared with them)

10.4.2 We also may share your Personal Data with vendors and other parties for analytics and advertising purposes. These parties may act as our service providers, or in certain contexts, independently decide how to process your Personal Data. These thirds parties may include:

1. social media channels (e.g. Instagram, Facebook) to show you interesting products while you browse the internet, depending on your acceptance of cookies on our Digital Platform (see Cookie Policy) or your consent to direct marketing;
2. data analytics/insight companies to help us ensure your details are maintained accurate and up to date; or 

 

10.5 We may, from time to time, be required to disclose your Personal Data to authorities, such as the police, law enforcement, regulatory and/or government agencies, in relation to legal investigations or proceedings conducted anywhere in the world, if required by applicable law or regulation, or if we reasonably believe it is necessary to protect STA, other customers, or the public. We will usually notify you before responding to such queries, except where the circumstances restrict us from doing so. We take your privacy into consideration and address such requests on a case-by-case basis.

 

11. What happens if there is a change of control?

If a change happens to the organisation of STA, or the government authorities responsible for tourism in Saudi Arabia are restructured, then the new ‘successor’ entity may use your Personal Data in the same way as set out in this Privacy Notice and your Personal Data may be transferred to such new entity according to the terms of this Notice.

 

STA does not carry out processing based on automated decision-making, including profiling, however we will notify you in writing if this position changes.

14.1 We use analytics services to help us understand how users access and use the Digital Platforms. In addition, we work with agencies, advertisers, ad networks, and other technology services to place ads on other websites and services. For example, we place ads through social media platforms that you may view on their platforms as well as on other websites and services.

14.2 As part of this process, we may incorporate cookies and tracking technologies into our Digital Platforms (including our website and emails) as well as into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you (“Interest-based Advertising”).

14.3 In addition, the companies we work with to provide you with targeted ads are required to give you the choice to opt out of receiving targeted ads. To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) https://www.aboutads.info/choices; and (ii) https://www.networkadvertising.org/choices. Opting out only means that the selected participants should no longer deliver certain targeted ads to you, but does not mean you will no longer receive any targeted content and/or ads (e.g. in connection with the participants’ other customers or from other technology services).

14.4 Please note that if you opt out using any of these methods, the opt out will only apply to the specific browser or device from which you opt out. We are not responsible for the effectiveness of, or compliance with, any opt out options or programs, or the accuracy of any other entities’ statements regarding their opt out options or programs.

14.5 See our Cookie Policy for more details on cookies and tracking technologies.

15.1 We are required, under the Applicable Data Protection Law, to implement appropriate technical and organizational security measures to ensure your Personal Data is properly protected. These measures are designed to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

15.2 This is done in a manner designed to be proportionate to the risks faced by you if your Personal Data is compromised. We implement measures designed to protect Personal Data we hold and limit access to your Personal Data by those employees, agents, contractors and other third parties who have a business need to know. Some of these measures include putting access controls in place, and restrictions based on function and role on who can access your Personal Data, even within our organisation. These controls are designed to ensure that your Personal Information is only processed on instructions and that they are subject to a duty of confidentiality.

15.3 All of our online databases and filing systems are password protected, and restricted only to authorised personnel. We also record access to Personal Data by having access logs in place. We have a customer off-boarding process in place to ensure that once your data is no longer necessary for the specified purpose (and/or the lawful basis in the Schedules) no longer applies, all access within STA is revoked.

15.4 When storing Personal Data electronically, we use encryption measures, as appropriate, to help ensure this Personal Data is secure. Where appropriate, we may also use pseudonymisation to help secure your Personal Data, especially when special categories of Personal Data are involved. Additionally, we may anonymise Personal Data where appropriate and especially in situations where we do not require the identity of the person who the data is about and where the purposes for keeping Personal Data have elapsed but the data is of value to our business.

15.5 We have put in place organisational measures and procedures designed to deal with data security breaches and our staff is trained on the actions to take in the event of a security breach. This involves who to contact immediately, who is in charge of the investigations that follow and who escalates the incident to the related supervisory authority and to affected individuals, where necessary. In any case, where required by Applicable Law, we will inform the supervisory authority and the affected Data Subjects.

15.6 More details about such measures can be obtained by contacting us through this form.

16.1 Under Applicable Data Protection Law, and depending on your jurisdiction, you may have a number of rights when it comes to your Personal Data. Further information and advice about your rights can be obtained by contacting us through this form.

Rights	What does this mean?
The right of access	You have the right to obtain access to your Personal Data (if we’re processing it), and certain other information (similar to that provided in this Policy).   This is so you’re aware and can verify that we’re using your Personal Data in accordance with the Data Protection Law.
The right to rectification	You are entitled to have your Personal Data corrected if it’s inaccurate or incomplete.
The right to erasure	This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your Personal Data if there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
The right to restrict processing	You have rights to ‘block’ or suppress further use of your Personal Data. When processing is restricted, we can still store your Personal Data, but may not use it further. We keep lists of people who have asked for further use of their Personal Data to be ‘blocked’ to ensure the restriction is respected in future.
The right to object to processing	You have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be kept informed of our news, our marketing).
The right to lodge a complaint	You have the right to lodge a complaint about the way we handle or process your Personal Data with related supervisory authority, in particular (place of residence, place of work or place of the alleged infringement).
The right to withdraw consent	If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Data for marketing purposes.
The right to data portability	The data subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided

16.2 We usually act on requests and provide Personal Data free of charge, but may charge a reasonable fee to cover our administrative costs of providing the Personal Data for:

1. baseless or excessive/repeated requests; or
2. further copies of the same Personal Data.

Alternatively, we may be entitled to refuse to act on the request in such circumstances.

 

16.3 Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but this could vary depending on the nature of the request.

17.1 We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

17.2 We may also need your contact details. We may contact you by email or social media. (If you prefer a particular contact means, please let us know.)

Our Digital Platforms may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave any of our Digital Platforms, we encourage you to read the privacy policy of every website you visit.

19.1 If you are unhappy with how we’ve handled your Personal Data, or have further questions on the processing of your Personal Data, our privacy notice and privacy practices, please contact us through this form.

19.2 You may have the right, under Applicable Data Protection Law, to make a complaint to the relevant data protection authority. We would, however, appreciate the chance to deal with your concerns before you make a complaint, so please contact us in the first instance.

We may collect the following types of personal data about you pursuant to this Privacy Policy:

Type of Personal Data	Details
A. Identity Data	First name, last name, username or similar identifier, marital status and dependants, title, date of birth and gender, identification number (e.g. passport number or national ID number)
B. Contact Data	Billing address, delivery address, email address, telephone numbers, preferences regarding marketing and communications
C. Demographic and profile data	such as your general location, origin, age, preferences, interests, feedback and survey responses
D. Transaction Data	Includes details about payments to and from you, payment card details, and other details of products and services you have purchased from us].
E. Technical Data	Includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, information collected through cookies, operating system and platform, and other technology on the devices you use to access the  Digital Platform].
F. Usage Data	Includes information about how you use our Digital Platforms, products and services
G. Personal Data Concerning Health	Vaccine status; information on disabilities that may be relevant to the services you request from us; information on health insurance coverage that may be relevant to the services you request from us
H. Personal Data relating to criminal convictions or related security measures	Information on criminal convictions that may be relevant to the services you request from us
I. Personal Data revealing racial or ethnic origin (e.g. passports or visas)	Information on national origin that may be relevant to the services you request from us

www.sta.gov.sa

Type of Personal Data	Purposes of Processing	Legal Basis of Processing
A. Identity Data	Administering our service, on-boarding, determining visa eligibility, allowing you to make enquiries, communicating with you, personalizing content for you, for marketing / promotions purposes, conducting surveys, responding to complaints, identifying your location and improving our services.	Where we have obtained your consent for processing, where it is necessary to perform a contract, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms.
B. Contact Data	Administering our service, on-boarding, determining visa eligibility, allowing you to make enquiries, communicating with you, personalizing content for you, for marketing / promotions purposes, conducting surveys, responding to complaints, identifying your location and improving our services.	Where we have obtained your consent for processing, where it is necessary to perform a contract, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms.
C. Demographic and profile data	Personalizing content for you, identifying your location, conducting marketing research, conducting surveys, improving the services offered to you, and monitoring customer accounts to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws.	Where we have obtained your consent for processing, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms.
D. Transaction Data	Administering our services and booking tours with our partners or affiliates.	Where we have obtained your consent for processing.
E. Technical Data	Ensuring our platforms work properly, personalizing content / our platforms for you, identifying your location, improving the services offered, monitoring online traffic and audience participation, and monitoring, protecting and enhancing our content, services and platforms.	Where we have obtained your consent for processing, where it is necessary to perform a contract, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms.
F. Usage Data	Ensuring our platforms work properly, personalizing content / our platforms for you, identifying your location, improving the services offered, monitoring online traffic and audience participation, and monitoring, protecting and enhancing our content, services and platforms.	Where we have obtained your consent for processing, where it is necessary to perform a contract, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms.
G. Personal Data Concerning Health (Special Categories of Personal Data)	Fulfilling your visa or e-Visa request via our platform, and / or for complying with legal obligations as necessary (including disclosure in connection with a legal process or litigation).	Where we have obtained your consent for processing, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms. In addition to: where necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health, complying with a legal obligation, or where processing is necessary for the purposes of preventive or occupational medicine.
H. Personal Data relating to criminal convictions or related security measures	If necessary for the performing of a task carried out in the public interest, exercising official authority vested in us, complying with a legal obligation, or preventing, investigating and/or reporting fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws.	Where we have obtained your consent for processing, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms. In addition to: where necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health, complying with a legal obligation, or where processing is necessary for the purposes of preventive or occupational medicine.
I. Personal Data revealing racial or ethnic origin (e.g. passports or visas)	Fulfilling your visa or e-Visa request via our platform, preventing, investigating and/or reporting fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws, or for compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).	Where we have obtained your consent for processing, or where it is necessary to pursue our legitimate interests including identity verification of users, communicating with users, to monitor, protect and enhance our services and platforms. In addition to: where necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health, complying with a legal obligation, or where processing is necessary for the purposes of preventive or occupational medicine.