Privacy policy

Privacy Policy 
The General Authority for Foreign Trade (GAFT) was established pursuant to Council of Minister Resolution No. (211) dated 25/4/1440 AH, corresponding to January 2019, providing for the establishment of a public authority with legal personality named the “General Authority for Foreign Trade” with financial and administrative independence. Council of Ministers Resolution No. (741) dated 23/11/1441 AH, corresponding to 14 July 2020, further approved the Authority’s organizational structure to enhance the Kingdom’s international trade gains and defend its interests in the field of foreign trade, thereby contributing to the development of the national economy. 

In line with GAFT’s commitment to safeguarding users’ data and information, and to ensure the confidentiality and privacy of personal data in accordance with applicable laws and regulations, this privacy policy has been developed to clarify how personal data is collected, the purposes of its collection, methods of sharing, exchange, storage practices, and the rights of personal data subjects.

We would like to point out that the use of the Authority’s website constitutes the user’s acceptance of this privacy policy, in accordance with the statutory requirements set forth under the Personal Data Protection Law and its Implementing Regulations.

1-Pesonal Data Collected and the Purpose of Collection 
The Authority collects only the minimum necessary personal data, including: 
-    Personal Information: Full name, date of birth, national ID number, ID issuance date, age, gender.
-    Geolocation data.
-    Contact information: Email address, mobile number.
-    Current position and work phone number.
-    Cookies.
Such data is collected when using the systems and services provided through the Authority’s website for purposes including responding to inquiries, suggestions, complaints, or survey participation. 
2- Methods of Collecting Personal Data 
The Authority collects personal data through information provided directly by you via the use of electronic forms, which specify whether the data to be collected is mandatory or optional. Personal data is also collected and obtained either directly or indirectly through various methods, as follows: 
-    Direct methods of collecting personal data: Personal data is collected when the data subject voluntarily provides such data through the website.
-    Indirect methods of collecting personal data: Such as cookies collected when visiting the Authority’s website.

3- How Your Personal Data is Processed 
Personal data collected directly or indirectly is processed to perform the Authority’s mandated duties and responsibilities in line with the purposes outlined in this policy. Data is processed only by authorized personnel within the scope of their responsibilities and in accordance with approved policies. Failure to provide personal data may affect your ability to benefit from certain services offered by the Authority.
4- Is your data shared with other entities? 
the Authority complies with data-sharing policies and controls issued by regulatory authorities. Personal data will not be shared with external parties except in cases permitted under the Personal Data Protection Law and its Implementing Regulations, whether based on your prior consent or as otherwise authorized by law. 
5- Storage and Destruction of Personal Data 
Personal data is securely stored within the geographical boundaries of the Kingdom to ensure the preservation of national digital sovereignty over such data. The Authority follows best standards and practices to ensure data security and protection. It also complies with national laws and regulations governing the destruction and disposal of personal data once the purpose pf its collection has ceased, or its archiving in accordance with the applicable retention period, in a secure manner that prevents misuse or unauthorized access. 
6- Rights of the Personal Data Subject 
Under the Personal Data Protection Law, issued by Royal Decree No. (M/19) dated 09/02/1443 AH, amended by Royal Decree No. (M/148) dated 09/05/1444 AH, and its executive regulations, you have the following rights (which primarily depend on the purpose of collecting and processing personal data):
-    The right to be informed: The data subject has the right to know the methods of collecting their data, the legal basis for its collection and processing, the purpose of its collection, how it is processed, stored, and destroyed, and with whom it will be shared. You can view all the details through the privacy policy – this policy. 
-    The right to access personal data and request its provision: The data subject has the right to access their personal data and request a copy of it via the specified email, and they will be provided with it. The Authority may restrict this right according to the circumstances defined by the system and its executive regulations.
-    The right to correct personal data: The data subject has the right to request the correction of their personal data if they find it to be inaccurate, incorrect, or incomplete, through the email address provided below. The data will be reviewed and updated, and the data subject will be notified accordingly. The Authority has the right to request supporting documents and evidence for the correction request whenever necessary to correct, update, or complete the personal data. These documents or evidence will be destroyed after the verification process is completed.
-    The right to delete personal data: The data subject has the right to request the deletion of their personal data under certain circumstances unless there is a legal provision specifying a certain retention period or contractual requirements. 
-    The data subject has the right to exercise their rights by submitting a request through the following email: GERT@GAFT.GOV.SA

 
7- Privacy Policy Updates
-    The Authority reserves the right to amend this Privacy Policy when necessary.
-    The Arabic language version shall prevail in the event of any discrepancy between the Arabic and English texts.