Privacy Policy of the Saudi Center for Accreditation of Health Facilities

Article 1: Introduction

The Saudi Center for Accreditation of Health Facilities is the official body authorized to grant accreditation certificates to all healthcare facilities operating in both the public and private sectors in the Kingdom of Saudi Arabia. The center emerged from the Saudi Health Council as a non-profit organization. Its main tasks include establishing standards for healthcare quality and patient safety, based on which all healthcare facilities are assessed to demonstrate compliance with these standards. In late 2013, a Cabinet resolution changed the official name of the center to "Saudi Center for Accreditation of Health Facilities," also mandating the center with national accreditation for all healthcare facilities. Additionally, the Ministry of Health has stated that the accreditation issued by the Saudi Center for Accreditation of Health Facilities is a prerequisite for renewing operating licenses.

The Saudi Center for Accreditation of Health Facilities fully recognizes the importance of personal data privacy. It is committed to maintaining the integrity, security, and confidentiality of all information and personal data of all users. By using the website of the Saudi Center for Accreditation of Health Facilities, users consent to the privacy policy. The website is intended for individuals aged 18 and older and/or those legally competent. If a data subject is under 18 years old or lacks legal capacity, the consent of a parent or guardian must be obtained on their behalf, as the center requires consent for the collection and processing of personal data of the data subject.

This privacy policy has been established in accordance with the Personal Data Protection Law and applicable regulations in the Kingdom of Saudi Arabia. It aims to clarify how the center processes your personal data to help users understand why it is collected, used, shared, and stored, as well as the steps taken by the center to ensure its confidentiality and security.

Article 2: Data to Be Collected and Purpose of Collection

First: Personal Data to Be Collected

Type of Data    Details
Personal Data    Name, nationality, photo ID, gender, date, and place of birth.
Contact Data    Email address or residential address (national address), work address, and contact phone number.
Identity Data    National ID number, residency number, passport number, and any similar data.
Technical Data    Username, passwords, cookies data, IP addresses, session details, or any related data.
Educational/Employment Data    Education details, previous work experiences, certificates, compensations, and any data obtained during the employment or onboarding phase.
Conversation Data    Phone conversations when contacting our call center, as well as metadata such as call date, time, and duration. We also collect conversations via email or social media used to communicate with our customer service team.
Health Data    In some cases, we may collect medical reports or health status reports, whether physical, mental, or psychological.

Second: Purpose of Collecting Personal Data

Personal data is collected for several purposes, including but not limited to:
- Identity verification, among others.
- Responding to requests and inquiries from regulatory bodies, government entities, or any other authorized partners.
- Addressing your inquiries or complaints, including monitoring conversations and posts on social media to identify discussions, impressions, and complaints about the center, as well as issuing notifications about changes to the terms and conditions of our products and services.
- Using automated technologies, such as cookies, to provide services tailored to your specific needs.
- Improving our products and services by monitoring and recording our communications with you, including phone calls, for training and quality purposes, customer surveys, and providing services that suit you better.

Article 3: Methods of Data Collection

Data is collected either directly from the user or indirectly from our approved external parties. It is gathered from a variety of sources, including but not limited to:
- The website of the Saudi Center for Accreditation of Health Facilities.
- Application forms.
- Digital channels.
- Surveys and feedback forms shared with potential users.
- Direct communication channels (including telephone, email, or social media).
- Cookies collected when visiting the site.
- Government portals, integration channels, or authorized entities.
- Databases provided by official authorities and approved government sources to update/verify your documents.
- Legal external parties for the purpose of providing legal products and services.
- Publicly available sources.

Article 4: Use of Personal Data

Personal data is used to provide the user with the services or products they request. If the center does not receive the required personal data, it will be unable to provide the user with those products and services.

Article 5: Storage and Disposal of Personal Data

Personal data is stored within the Kingdom of Saudi Arabia on the servers of the National Information Center through the National Dammam Cloud (managed by the Saudi Data and Artificial Intelligence Authority (SDAIA)), and on the center's local servers. These servers are protected using the best technologies in accordance with the policies and regulations of the National Cybersecurity Authority and international standards, to ensure unauthorized access is prevented and cybersecurity risks are minimized.

The center stores user personal data for any period required by regulatory regulations, as long as the personal data remains necessary for the purpose for which it was collected or processed, or is required by law, or when the center needs it for legitimate purposes, such as maintaining records for analysis or review, responding to inquiries or complaints, defending, or taking certain legal actions, and responding to requests from regulatory bodies.

The Saudi Center for Accreditation of Health Facilities disposes of user personal data once the purpose of collection is fulfilled. However, the center may retain this data after the purpose of collection has ended if all identifiers are removed in accordance with the specified controls in the regulatory regulations. In exceptional circumstances, the center may retain personal data for longer periods, especially when it needs to prevent its destruction or disposal based on a court order, or an investigation by competent authorities and enforcement agencies or the center's regulatory bodies. The purpose of this is to enable the center to provide records of user information retention as evidence if required.

Article 6: Legal Basis for Collecting and Processing Personal Data

Personal data is collected and processed based on the consent of the data subject, who may withdraw their consent for the collection and processing of their personal data at any time unless there is another legal basis. To do so, you can contact the center's data management office at the following email address: dmo@cbahi.gov.sa.

Users are responsible for ensuring that the personal data they provide to the center is accurate and up to date and must inform the center as soon as possible if any of that data changes. If a user provides personal data concerning another person (such as a legally designated person on behalf of someone else, a dependent, or otherwise), they must inform that person of the privacy policy outlined here and obtain their consent for the center to use their personal data for the specified purpose.

Article 7: Rights of the Data Subject

The Saudi Center for Accreditation of Health Facilities is committed to ensuring accountability and transparency in its operations. In accordance with applicable regulatory regulations for personal data protection, the center is keen to ensure the rights of data subjects in line with applicable laws and standards, as follows:
- Right to be Informed: The data subject has the right to be informed about the collection and use of their personal data, including the reason and method of collection, processing purposes, and the entity with which it will be shared. They can access all details through this privacy policy or by contacting the center as indicated at the end of this policy.
- Right to Access Personal Data: The data subject has the right to access their personal data held by the center in a structured, readable, and clear format. This can be requested via the email provided at the end of this policy, and they will be provided with it—free of charge—within 14 working days via email.
- Right to Rectify Personal Data: The data subject may request to correct their personal data (if it is inaccurate), complete it (if it is incomplete), or update it (if it is outdated). This can also be done via the email provided at the end of this policy, and they will be notified via email.
- Right to Erasure of Personal Data: The data subject has the right to request the deletion of their personal data under certain circumstances unless there is a legal provision specifying a certain retention period or contractual requirements.
- Right to Withdraw Consent: The data subject has the right to withdraw consent for the collection and processing of their personal data unless legal or regulatory requirements and contractual necessity dictate otherwise. Withdrawal of consent does not affect the processing of personal data based on another legal basis other than consent.

Article 8: Sharing/Disclosing Personal Data

User personal data is processed and disclosed internally within the center based on the services chosen. The Saudi Center for Accreditation of Health Facilities does not disclose this data externally except based on legal grounds and for the specified purpose only. The center may share user personal data externally with the following stakeholders—including but not limited to:
- Public or Regulatory Bodies: The center may be legally obliged to share user personal data in response to legal proceedings or court orders issued by the government. The center may also disclose user personal data to competent authorities when requested to do so under applicable laws or regulations, or at the request of those authorities.
- Any Other External Parties: The center may share user personal data with external parties when the user separately agrees to this sharing or upon their request, in addition to the disclosures outlined in this policy.
- Under Exceptional Circumstances: User personal data may be made available to government officials. However, it will not be made publicly available without the user's prior consent. Moreover, user personal data will not be traded, shared, or transferred to any external party without obtaining the user's prior consent.

User personal data will only be disclosed under the following circumstances:
- If the user consents to its disclosure in accordance with the provisions of the law.
- If the user personal data is collected from a publicly available source.
- If the requesting entity is a public body, for security purposes, to enforce another law, or to meet judicial requirements as specified in the provisions of the executive regulations.
- If disclosure of that information is necessary to protect public health, public safety, or the life or health of a specific individual or individuals.
- If the disclosure of user personal data is limited to processing it later in a way that does not lead to the identification of the personal data owner or any other individual specifically.
- If the disclosure poses a threat to the security of the Kingdom or harms its reputation, conflicts with its interests, or affects its relations with other countries.
- If it endangers the safety of an individual.

Article 9: External Links

Links to other websites are provided on the center's website to accommodate user needs. The center is not responsible for any content on those websites, nor for any person’s use of them, or for their proper functioning, or for any issues that may arise from their use. The user is responsible for all actions taken while using any websites they visit through those links.

Article 10: Exercising Rights of the Data Subject

The data subject has the right to request access/correction/deletion of their data by contacting the data management office at the following email: dmo@cbahi.gov.sa.

Article 11: Personal Data Protection Officer

Name: Data Management Office at the Saudi Center for Accreditation of Health Facilities.
Email: dmo@cbahi.gov.sa.

Article 12: Complaints and Inquiries

For general complaints, please contact the center via email at: cbahi@cbahi.gov.sa. For any inquiries regarding the privacy policy, please contact the data management office at the following email: dmo@cbahi.gov.sa.

Article 13: Updates to the Privacy Policy

The privacy policy was last updated on 6/8/2025. The center reserves the right to make changes to this policy at any time and for any reason. Users will be notified of any changes by updating the "Last Updated" date mentioned at the beginning of this policy. Any changes or amendments will take effect immediately upon the publication of the updated policy on the website. The center recommends that users regularly review this policy to stay informed of the latest updates. Users will be considered informed of the changes and will be subject to them, and they will be deemed to have accepted those amendments in any amended policy by continuing to use the website after the publication date of the amended policy.

Article 14: Management of the Authority's Website

Name of the supervising entity for the website: Saudi Center for Accreditation of Health Facilities.