The Zakat, Tax, and Customs Authority ("ZATCA") is keen on the privacy and confidentiality of the personal data of the website users ("the website") and the digital platforms and smartphone applications associated with it and dedicated to provide ZATCA's services. Placing it at the top of its priorities in accordance with the regulations stipulated in the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH and its implementing regulations ("the Law"). This privacy policy aims to inform you of the general rules regarding the processing of personal data, your rights as a data owner, the mechanism for practicing your rights, the personal data collected, the methods of collecting this data, the purposes for which your personal data is used, as well as the legal justifications for collecting and processing your personal data.
ZATCA does not collect your personal data when you visit the website and digital platforms unless you are aware of and choose to provide this data to ZATCA.
ZATCA uses your personal data to achieve the purpose of its processing, such as obtaining information or providing services according to ZATCA activities. By using ZATCA's website, platforms, and applications associated with it, you acknowledge that you have read and agree to the privacy policy and any continuous adjustments made to it as needed and according to the nature of the work.
ZATCA takes appropriate and suitable measures and procedures to securely maintain the personal data it possesses, ensuring its protection from loss, unauthorized access, misuse, unauthorized adjustments, and unauthorized disclosure. Among the most important measures implemented by ZATCA – for example, but not limited to:
· The strict procedures and measures to protect information security and technology that we use to prevent fraud and unauthorized access to our systems.
· Regular and periodic updates of protection procedures and regulations according to the best standard criteria.
· Training and educating employees on respecting the confidentiality of personal data.
· Collect the minimum amount of personal data that serves its purpose.
· Implementing a high level of data protection in accordance with the requirements of the National Cybersecurity Authority, including data encryption and protection against leakage, loss, misuse, or any unauthorized access or adjustments.
Visitors to the website and beneficiaries of ZATCA 's services must continuously review the privacy and confidentiality principles and terms to be aware of any updates made to them. It should be noted that the management of the website, platforms, and applications associated with it is not required to announce any updates made to these terms and principles.
ZATCA is not responsible under any circumstances for any direct, indirect, incidental, consequential, special, or exceptional damages arising from the use or inability to use the website and its associated platforms and applications. This privacy policy is an integral part of the terms and conditions for using the website and all its associated platforms and applications, as well as the direct services available on the website.
First: Definitions
Personal data: Any statement - regardless of its source or form - that can lead to the identification of an individual specifically or make it possible to identify them directly or indirectly, including: name, ID number, addresses, contact numbers, license and registration numbers, personal property numbers, bank account and credit card numbers, still or moving images of the individual, and other personal data.
Data Owner: The individual to whom the personal data relates.
Legal Basis: The legal basis on which ZATCA relies in its activities that require the collection and processing of personal data.
Data Processing: Any operation performed on data by any means, whether manual or automated, including: collection, recording, saving, indexing, arranging, coordinating, storing, adjustments, updating, merging, retrieving, using, disclosing, transferring, publishing, data sharing or interlinking, blocking, deleting, and destroying.
Second: The Purpose and Legal Justifications for Collecting Personal Data
ZATCA 's need to collect, process, and store personal data is a continuous necessity to carry out its operations and obligations as stipulated in its regulations issued by Council of Ministers No. (570) dated 22/09/1442 AH, including the collection of zakat, taxes, and customs duties, and achieving the highest levels of compliance by those obligated to fulfill their duties according to the relevant regulations and legislation.
Accordingly, the data obtained by ZATCA in accordance with the nature of its work is considered ZATCA 's proprietary data for the implementation of regulations and legislation related to ZATCA 's work and enabling other government entities in the Kingdom of Saudi Arabia to provide government services related to ZATCA's work. This necessitates that ZATCA store, process, and use the data according to its legally given powers without a time limit or providing the data owner the option to withdraw their approval for data processing.
ZATCA collects and uses personal data for several purposes in accordance with the relevant regulations and laws, including but not limited to:
· Providing zakat collection services, tax collection, customs duties, and all other services related to ZATCA's activities.
· Sending notifications, messages, and awareness materials to the taxpayer individuals and all stakeholders benefiting from the ZATCA's services.
· Management, development, and improvement of the services available to the taxpayer individuals and all stakeholders benefiting from ZATCA's services.
· Responding to requests, inquiries, or complaints.
· For research and analysis purposes.
· Monitoring and detecting violations of the conditions of use, as well as other potential abuses when using the website.
· Improving the website's performance and the security of its software, systems, and network.
· User identity authentication when logging in.
Legal justifications for collecting your personal data:
· According to the regulatory foundations, ZATCA sees it appropriate.
· Achieving the public interest without conflicting with the rights of personal data owners.
· Any of the competencies stipulated in ZATCA's regulations.
· Fulfilling the legal or regulatory requirements.
· implementing an obligation in which the data owner was a party.
· Protecting vital and realized interests or preventing vital damages.
· Protecting public health or national security.
ZATCA may process personal data for additional purposes other than those for which it was collected, whenever necessary and in accordance with the law's regulations.
Third: Personal Data Collected by ZATCA
ZATCA collects personal data from website visitors and users of its services, platforms, and associated applications directly or indirectly, which include the following:
1. As soon as you visit ZATCA 's website, ZATCA's server records the user's Internet Protocol (IP) address, the date and time of the visit, and the URL of any website that referred you to the website.
Most websites, once visited, place a small file on the visitor's hard drive (browser), and this file is called "cookies." Cookies are text files, and these text files contain information that allows the website that deposited them to retrieve it when needed during the user's next visit to the website. Among the stored information are:
· Username and password may be remembered if that option is available on the website.
· Save the page settings if available on the website.
· Saving the colors selected by the user if that option is available on the website.
2. The personal data you provide to ZATCA, required when benefiting from services such as registration on ZATCA 's platforms and associated applications, or when creating your user profile, or when applying for a job or training, including but not limited to: name, ID number, address, contact numbers, email, academic qualifications, license and registration numbers, personal property numbers, bank account and credit card numbers, still or moving images of the individual, and other personal data.
3. Personal data and information exchanged through ZATCA 's communication with service beneficiaries, such as requests for customer support services, inquiries, feedback, and complaints received from you.
4. The personal data that ZATCA receives from other sources, for example, government entities and any other entities that may provide ZATCA with your personal data necessary to provide ZATCA 's services or to meet any security or criminal requirements.
By providing your data and personal information through ZATCA's website and all electronic platforms and applications associated with ZATCA, you fully agree to storing, processing, and using that data by ZATCA and government entities in the Kingdom of Saudi Arabia. You are solely responsible for the completeness, accuracy, and truthfulness of the data you submit via ZATCA 's website or its associated platforms and applications.
Fourth: Disclosure of Personal Data
ZATCA has the right to disclose personal data collected directly or indirectly to the following entities:
· To other public entities for the purposes of public interest, security purposes, implementing another system, fulfilling judicial requirements, protecting public health, public safety, protecting the life of an individual or specific individual, or protecting their health.
· To the data processing entities of ZATCA, in order to achieve a legitimate interest of ZATCA without disrupting the rights of the data owner or conflicting with their interests.
· To any entities inside or outside the Kingdom of Saudi Arabia, in the implementation of any local or international agreements that serve any legitimate interest of ZATCA or any public interest without violating the system's regulations.
Fifth: Retaining Personal Data
ZATCA securely stores your personal data either at its headquarters within the Kingdom of Saudi Arabia or through secure solutions in cloud computing services. The data is retained indefinitely, as stated in item two of this policy.
Sixth: Disclaimer
The website and services provided by ZATCA are available for your personal use, and your access to and use of these services are subject to the items stipulated in the privacy policy and the regulations of the Kingdom of Saudi Arabia. Your access to and use of these services and the website also constitutes your unconditional agreement to the items of this policy. This approval is effective from the date of your first use.
Seventh: Links to Other Websites
The website, platforms, and applications associated with ZATCA may occasionally contain links to and from other websites that may not be associated with ZATCA. If you follow any of these links to access these websites, you must review the privacy policies of those websites that are accessed through any link. ZATCA is not, in any case, responsible for the methods of collecting, processing, and protecting personal data by those websites.
Eighth: Rights of Personal Data Owners
ZATCA provides the necessary care and efforts to provide high-quality services to all personal data owners, ensuring their rights as stipulated in the regulations, which are:
· The right to be informed: This includes your knowledge of the legal justifications and the regulatory basis or the actual need for collecting your personal data. This privacy policy has been prepared to inform you and ensure your awareness of all your rights, controls, and the purposes for which your personal data is collected.
· The right to access your personal data: This includes reviewing it and obtaining a copy in a readable and clear format, in accordance with ZATCA's powers to restrict access or set a specific period to practice this right.
· The right to request the correction, completion, or update of your personal data with ZATCA, in accordance with the regulations of this right in the system.
· The right to delete your personal data: The data owner has the right to request ZATCA to delete their personal data in accordance with the provisions of the system. ZATCA will make the appropriate decision after reviewing the request, and if the request is rejected, it will be based on one of the following reasons:
- Compliance with a legal obligation.
- Protecting archival goods that serve the public interest.
- Personal data related to financial or legal claims.
· The right to withdraw the approval for the processing of your personal data: The data owner can practice this right in accordance with the regulations and in a manner that does not conflict with ZATCA's rules and regulations and does not hinder the implementation of ZATCA's procedures.
Except as provided by law, the data owner will not be required to pay any fees to practice these rights. If a request to practice any of these rights is submitted, the data subject will be responded to within ten working days from receiving the request.
For more details on the processing of your personal data and how to practice your rights, you can contact the Personal Data Protection Officer at ZATCA using the contact information provided in this policy.
Ninth: Contacting the Personal Data Protection Officer in ZATCA
In accordance with the regulations and without conflicting with ZATCA's rules and regulations, we welcome all requests, inquiries, questions, and complaints regarding the privacy policy or the rights of data owners by contacting the Data Protection and Privacy Department at the email address Privacy-Gma@zatca.gov.sa .
Tenth: Related Systems and Policies
ZATCA has issued this privacy policy in compliance with the Personal Data Protection Law, its implementing regulations, and the policies and controls issued by the National Data Management Office, as well as the relevant regulations in force in the Kingdom of Saudi Arabia. You can visit one of the following links for more information:
- Personal Data Protection System
- The implementing regulations of the Personal Data Protection Law
- Policies issued by the National Data Management Office
- The regulations issued by the National Data Management Office
- The regulations issued by the Cybersecurity Authority
- Zakat, tax, and customs systems, and related agreements
The Saudi Data and AI Authority:
Saudi Arabia, Riyadh. Website: sdaia.gov.sa
National Data Governance Platform: dgp.sdaia.gov.sa
