Privacy Policy

1. Introduction:
The King Abdulaziz Center for Cultural Communication (KACCC) was established on July 24, 2003, with the aim of promoting a culture of dialogue and understanding among various segments of society, and fostering the values of tolerance and mutual respect. The Center organizes events and programs that address key national issues and enhance national unity through constructive dialogue. Headquartered in Riyadh, the Center actively works to engage the community and achieve its mission of promoting peaceful coexistence and cultural understanding.
KACCC also seeks to expand its mission to the international level through collaboration with global organizations and entities to foster cultural dialogue and knowledge exchange among nations. Through these efforts, the Center aims to build communication bridges between individuals and institutions at both local and international levels, thereby contributing to a cohesive and cooperative society built on mutual respect.

2. Purpose of the Policy:
This Privacy Policy constitutes the legal framework that defines the principles and regulations governing the handling of personal data by the King Abdulaziz Center for Cultural Communication. It outlines how personal data is collected, used, disclosed, and managed, with a strong emphasis on protecting privacy and confidentiality in accordance with best practices. Personal data includes any information that can identify individuals, such as names, addresses, dates of birth, marital status, identity data, financial records, and other sensitive information.
The policy outlines the regulatory bases for data collection and processing, ensuring support for the Center’s mission while protecting the rights of all concerned. All KACCC employees and contractors, whether permanent or temporary, are obligated to comply with this policy in line with the Personal Data Protection Law (PDPL) and relevant regulations in the Kingdom of Saudi Arabia, to ensure full compliance and safeguard the privacy and confidentiality of personal data.

3. Scope:
This Privacy Policy applies to all KACCC clients, beneficiaries, and employees in the Data Management Office, as well as to all contractors, seconded personnel, agents, affiliates, business partners, and all departments and divisions of the Center, regardless of their location or legal entity. The policy also covers all information systems (and users thereof) owned or operated by the Center or managed by third parties on behalf of the Center.

4. Definitions:

  • The Center: The King Abdulaziz Center for Cultural Communication.
  • Data Subject/User: Any individual who benefits from the Center’s services or interacts with the Center by providing personal data through its website or any affiliated platform.
  • Privacy Policy: A legally binding agreement between the data subject and KACCC, outlining the Center’s commitment to respecting individuals’ privacy and detailing its practices regarding the collection, storage, processing, protection, and disclosure of personal data.
  • Data Management: The development, implementation, and oversight of plans, policies, programs, and practices that enable the Center to govern data and enhance its value as a strategic asset.
  • Data Management Office: An independent department within KACCC responsible for data governance and management, including policy development, compliance enforcement, and ensuring data quality and integrity in line with the Center’s strategic goals.
  • Personal Data Protection Law (PDPL): A binding regulation that applies to any processing of personal data of individuals within the Kingdom by any means, including processing of data related to residents of the Kingdom by entities outside it. This includes data on deceased persons if such data could lead to their identification or that of their family members. The law does not apply to individuals processing data for purely personal or family purposes, provided the data is not published or shared with others.

5. Data Collected:
The Center collects various types of personal information from users and service beneficiaries through its platforms, applications, or any other electronic or manual interaction, including:

  • Data voluntarily provided by users during registration, account creation, or service requests.
  • Personal identification data: full names, family names, titles, and national ID or civil registry information.
  • Health-related data: including health conditions relevant to services provided, and health insurance coverage.
  • Academic and professional data: qualifications, specializations, job titles, and employment information.
  • Contact information: phone numbers, email addresses, and other communication methods.
  • Demographic and profile data: geographic location, social context, age, affiliations, preferences, interests, survey responses.
  • Credit data: banking details, account numbers, and any related financial information.
  • Communications with the Center: such as customer support inquiries, feedback, and complaints.
  • Data from other sources: including affiliated websites and services managed by the Center or third-party partners, including government entities that provide relevant data.

6. Methods and Sources of Data Collection:
The Center gathers personal data through various sources and means, including:

  • Directly from users via the Center’s digital platforms through account registration, job applications, service requests, feedback forms, and surveys.
  • From third parties acting on behalf of data subjects, such as service providers or partners.
  • From publicly available sources such as social media or public records.
  • From surveys conducted by the Center to assess user needs and improve services.

7. Data Retention and Disposal:
The Center securely stores personal data, whether digitally or manually, in accordance with best practices and the PDPL. Only authorized, trained personnel have access to this data.
Data is retained only when there is a legitimate need—such as legal, regulatory, or security purposes. Upon request from the data subject, or when the purpose for which the data was collected ceases to exist, or in the event of unlawful processing, the Center takes action to delete the data using secure methods (e.g., shredding paper records, permanently deleting digital files). Regular audits are conducted to ensure ongoing compliance.

8. Compliance with PDPL Principles:
The Center implements the following principles to comply with the PDPL:

  • Lawful, fair, and transparent use of data with clear communication to individuals.
  • Collection for specified, legitimate purposes only.
  • Data minimization—only collecting relevant data.
  • Accuracy and regular updates.
  • Limited retention aligned with the purpose.
  • Secure storage with measures to prevent unauthorized access or breaches.
  • Maintaining records and demonstrating compliance when required.

9. Legal Basis for Data Processing:
KACCC processes personal data based on the following legal grounds:

  • Explicit Consent: obtained prior to data collection and can be withdrawn at any time.
  • Public Interest: aligned with the Center’s societal and cultural mandate.
  • Legitimate Interests: processing necessary for the Center’s operations, without infringing on individual rights.
  • Contractual Necessity: to fulfill agreements involving the data subject.
  • Vital Interests: in emergencies to protect individuals’ safety or well-being.

10. Purpose of Data Collection:

  • Enhance website management and service delivery.
  • Support the Center’s mission and public interest activities.
  • Comply with legal obligations.
  • Fulfill specific user requests or services.
  • Detect abuse and improve performance and security.
  • Deliver educational and marketing content (with opt-out options).

11. Data Sharing:
The Center adheres to core data-sharing principles:

  • Promoting a culture of responsible data sharing.
  • Legal purpose, authorized access, and transparency.
  • Ethical use and shared accountability.
  • Accuracy and data quality.

Data may be shared internally as needed and externally under these conditions:

  • With official authorities for legitimate processing.
  • Without consent, when required by law or for security/investigative purposes.
  • With third parties under binding agreements ensuring proper use and protection.
  • When anonymized or encrypted to prevent identification.
  • From publicly available sources or with express consent.

12. Use of Personal Data:
Data is used across the Center’s official platforms and branches to improve services and operations. It is processed only for authorized purposes and retained only as long as necessary. Access is restricted, and all handling is in line with legal obligations and data protection standards.

13. Data Subject Rights:
Data subjects have the right to:

  1. Be informed about the purpose and legal basis of data collection.
  2. Access and review their data.
  3. Request correction or updates to their data.
  4. Request deletion when no longer necessary.
  5. Obtain a copy of their personal data.
  6. Withdraw consent at any time (without affecting prior lawful processing).

14. Data Breach Notifications:
KACCC will notify the competent authority within 72 hours of becoming aware of a data breach, unless justified otherwise. Affected individuals will also be informed promptly if the breach may significantly impact their rights, including risk descriptions, mitigation steps, and recommended actions.

15. Security Measures:
The Center enforces robust security standards, aligned with national cybersecurity and data governance authorities. Only authorized personnel access personal data. Physical, digital, and procedural safeguards are in place. Third-party processors are audited and required to comply with KSA data protection regulations.

16. Cross-Border Data Transfer:
KACCC may transfer personal data outside Saudi Arabia only when legally justified—for international agreements, national interests, or legal obligations. Transfers require:

  • Adequate data protection in the recipient country.
  • Legal safeguards such as:
    • Binding Corporate Rules (BCRs)
    • Standard Contractual Clauses (SCCs)
    • Certification mechanisms
    • Enforceable Codes of Conduct
  • Regulatory approvals if no other guarantees exist.

17. Changes to the Privacy Policy:
KACCC may update this policy annually or as needed. Significant changes will be communicated to users. Continued use of the Center’s platforms after updates constitutes acceptance of the revised policy.

18. Inquiries and Complaints:
For inquiries, complaints, or exercising your data rights, please contact:
📧 privacy@kaccc.org.sa

19. Final Provisions:
This policy is governed by the Personal Data Protection Law and its implementing regulations and serves as the primary reference for all data-related practices at the Center.

20. Regulatory Authority:
Saudi Authority for Data and Artificial Intelligence (SDAIA)
📍 Riyadh, Kingdom of Saudi Arabia
🌐 Official Website / National Data Governance Platform

    Scroll