Definitions
For the purposes of applying this policy, the following terms and expressions, wherever mentioned, shall have the meanings assigned to them unless the context requires otherwise:

  • Law: The Personal Data Protection Law issued by Royal Decree No. (M/19) dated 09/02/1443H.
  • Regulation: The Executive Regulation of the Personal Data Protection Law.
  • Authority: The Transport General Authority.
  • Office: The Data Management and Governance Office at the Transport General Authority.
  • Personal Data: Any information, regardless of its source or form, that may lead to identifying an individual specifically or makes identification possible directly or indirectly, such as: name, personal ID number, addresses, contact numbers, license numbers, personal property records, bank account numbers, credit card numbers, fixed or moving images of the individual, and other personal data.
  • Data Processing: Any operation performed on personal data by any means, whether manual or automated, including collection, recording, preservation, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publication, sharing, interconnection, blocking, erasure, and destruction.
  • Controller: The entity that determines the purpose and means of processing personal data, whether it directly processes the data or through a processor.
  • Processor: The entity that processes personal data on behalf of the controller.
  • Public Entity: Any ministry, department, public institution, authority, or independent entity in the Kingdom, or any of their affiliates.
  • Competent Authority: The Saudi Data and Artificial Intelligence Authority (SDAIA).
  • Personal Data Subject: The individual to whom the personal data pertains, or their representative or legal guardian.
  • Personal Data Protection Officer: Responsible for monitoring the implementation of the law and its regulations, supervising the procedures followed within the controller’s entity, and receiving requests related to personal data according to the law and its regulations.
  • Explicit Consent: Consent granted directly and explicitly by the personal data subject by any means indicating their acceptance of personal data processing, which cannot be interpreted otherwise, and must be provable.
  • Destruction: Any action performed on personal data that makes it impossible to access, retrieve, or identify the data subject again.
  • Disclosure: Enabling any person, other than the controller or processor as appropriate, to obtain, use, or access personal data by any means and for any purpose.
  • Transfer: Transferring personal data from one place to another for processing purposes.
  • Publication: Broadcasting any personal data through a readable, audible, or visual medium or making it available.
  • Sensitive Data: Any personal information related to an individual’s racial or ethnic origin, religious, intellectual, or political beliefs. This also includes security and criminal data, biometric identifiers, genetic data, health data, and data indicating that an individual is parentless or has unknown parentage.
  • Genetic Data: Any personal information related to the genetic or acquired characteristics of a natural person that uniquely identifies their physiological or health traits, derived from the analysis of a biological sample such as DNA analysis or any other analysis leading to the extraction of genetic data.
  • Health Data: Any personal information related to an individual’s health condition, whether physical, mental, or psychological, or related to specific health services.
  • Credit Data: Any personal information related to an individual’s application for or receipt of financing, whether for personal or family purposes, from an entity practicing financing, including any information related to their ability to obtain credit or fulfill it, or their credit history.
  • Personal Data Breach: Any incident leading to the disclosure, damage, or unauthorized access to personal data, whether intentional or unintentional, by any means, whether automated or manual.
  • Vital Interest: Any essential interest necessary for preserving the life of the personal data subject.
  • Realized Interest: Any moral or material interest of the personal data subject directly linked to the purpose of personal data processing, where processing is necessary to achieve that interest.

Purpose of the Policy
The Transport General Authority believes in the importance of personal data privacy as a fundamental principle and respects the privacy of every visitor to its electronic portal. It ensures that personal data will be collected and used in accordance with the Personal Data Protection Law. According to this law, the Authority acts as the controller (i.e., the entity responsible for determining how your personal data is processed) and is accountable for it.
Information about the Authority
The Transport General Authority supervises rail, maritime, and land transport services in accordance with its regulation issued by the Council of Ministers Resolution No. 323 dated 14 Ramadan 1434 AH, which mandates the Authority to undertake regulatory and legislative authority over the rail, maritime, and land transport industry in the Kingdom of Saudi Arabia. This includes licensing rail, land, and maritime transport activities and monitoring the quality and safety of services in these vital activities.
  • Al-Olaya Main Road - Al-Sahafa District, P.O. Box 11634, Riyadh 87078
  • Unified Number: 19929
  • Email: 19929@tga.gov.sa
Personal Data to be Collected
Certain types of personal data will be collected for the purposes of processing mentioned in Article 5 of this policy, categorized as follows:
  • Account Data: Information requested when creating an account or profile on our platforms.
  • Payment Data: Data collected for processing payment transactions.
  • Cookies Data: Information collected through website logs, cookie technologies, or other technologies, including IP address, browser type and version, operating system, login details, browsing data, internet traffic monitoring, and other online identifiers.
  • Identity Data: Name, date of birth, gender, ID/Iqama number, nationality, personal ID photos, and static personal images.
  • Contact Data: Email address, phone number, and mobile number.
  • Establishment Data: Establishment name, license numbers, commercial registration number, commercial registration images, license images, and permit details.
  • Vehicle Data: Vehicle information, vehicle plate number, vehicle serial number, chassis number, and violations.
  • Geographic Location Data: National address, short address, and geographic location on maps.
Cookies
Our website may store what are known as "first-party cookies" on your device when you visit the Transport General Authority's websites and platforms. First-party cookies are those we place directly and use exclusively. We primarily use session cookies, which store user information during the session and website navigation only. These cookies are deleted immediately after the user leaves our website and closes the browser window. The purpose of using cookies is to facilitate your experience on our website and improve our services. To ensure the protection of your privacy and personal data at all times, we have provided control options that allow you to enable or disable cookies in your internet browser. Most internet browsers also allow you to choose whether to disable all cookies or only third-party cookies. By default, most internet browsers accept cookies, but this can be changed. You may choose to delete existing cookies on your device at any time. However, you may lose any information that allows you to access our website quickly and efficiently, including, but not limited to, login settings and customization preferences.
Legal Basis for Collecting and Processing Your Personal Data
By using the Transport General Authority's platforms, you explicitly consent to the collection and processing of your data in accordance with the specified purposes outlined in Article 7 of this policy. Your consent serves as the legal basis for collecting and processing your personal data.
Purpose of Using and Processing Your Personal Data
Your personal data is used for specific and explicit purposes, as we are the regulatory, supervisory, and oversight authority for the public transport sector in the Kingdom of Saudi Arabia, according to the Authority's regulation issued by the Council of Ministers' Decision No. 323 dated 14 Ramadan 1434 AH. We aim to develop rail, maritime, and land transport activities to provide a highly efficient and cost-effective transport environment. Therefore, all the Authority's data usage and processing are intended to implement the competences specified in the mentioned regulation, serve beneficiaries, and regulate the public transport sector. The purposes are limited to the following services—without prejudice to the exceptions stipulated in the Personal Data Protection Law and related regulations:
  1. Issuance of licenses, operation cards, and driver cards for establishments in all activities overseen and regulated by the Authority.
  2. Issuance of permits, operation cards, and driver cards for individuals in all activities overseen and regulated by the Authority.
  3. Monitoring the operation, service quality, and safety in these critical activities.
  4. Processing personal data related to violations and objections, including but not limited to: recording violations, analyzing them, receiving objections to violations, and handling them.
  5. Enabling beneficiaries to carry out operations and procedures related to the sector across more than 23 activities in integration with relevant government entities.
  6. Enabling carriers and freight brokers to issue goods transport documents and truck load statements on land roads and verify shipment information and status.
  7. Enabling carriers to book truck entry appointments to cities during restricted times, contributing to mitigating the negative impacts of the current situation.
  8. Regulating vehicle rental operations and issuing unified rental contracts to safeguard the rights of all relevant parties.
  9. Sending, transmitting, and receiving government correspondence within and outside the Authority with other entities and exchanging documents and letters.
  10. Receiving beneficiary reports, handling, and analyzing them.
  11. Sending periodic email and SMS messages—to process requests, provide updates and information about your request, and share general news and updates about the Authority and related products.
  12. Conducting various studies on all activities under its supervision and regulation to implement and achieve sector strategies, focusing on beneficiaries, improving transport services' competitiveness, and analyzing the market to identify opportunities and risks to enhance and improve the safe mobility of passengers and goods. Additionally, this includes developing executive regulations, ensuring compliance, employing technology in monitoring and control activities, ensuring fair competition among service providers, and protecting user interests, as the services provided by the Authority and its licensees are essential for supporting economic and social development in the Kingdom.
  13. Receiving, processing, and sorting job applications submitted by applicants for vacant positions listed on the Authority's website.
Additionally, we use technical data, usage data, and profile data for the following purposes:
  1. The Transport General Authority's website uses your Internet Protocol (IP) address to help diagnose issues occurring on its servers and to generate the statistics necessary to measure site usage (number of visitors, computer language, and browser type used). No external party outside the technical team is allowed to access your IP address.
  2. Enhancing user experience by improving and developing the Transport General Authority's website to meet users' needs and services.
  3. Improving beneficiary services by responding more effectively to customer service requests and support needs.
  4. Using "Google Analytics" reports for website analysis. These reports obtain information from IP addresses and display data such as country, city, device, pages visited, and session time per page. They are used internally for analysis and website development purposes only.
  5. The Authority may process your personal data for purposes not listed in this policy as stipulated in Paragraph 3 of Article 10 of the Personal Data Protection Law.
Rights of the Personal Data Subject
According to Article 4 of the Personal Data Protection Law, the law guarantees you the following rights:
  1. Right to be informed: This includes being informed about the legal basis for collecting your personal data and the purpose of its collection.
  2. Right to access your personal data: You have the right to access your personal data available with us according to the controls and procedures specified by the regulations.
  3. Right to request your personal data: You may request your personal data available with us in a readable and clear format, according to the controls and procedures specified by the regulations.
  4. Right to request the correction, completion, or updating of your personal data: You may request that any incomplete or inaccurate data be corrected.
  5. Right to request the deletion of your personal data: You may request the deletion of your personal data that is no longer needed, without prejudice to what is stipulated in Article 18 of the Law.
To exercise any of your rights under the law or in case of any modification or update to your personal data, you may contact us using the contact information provided below.
According to Clause (b) of Paragraph 1 and Paragraph 2 of Article 9 of the Law, your right to access your personal data as mentioned in Paragraph 2 above may be restricted. This may result in denying your ability to access your personal data.
Protection of Your Personal Data
Your personal data will only be accessible to the Authority’s employees or authorized third-party employees, who are trusted data processors handling data on behalf of the Authority. Contractual agreements have been established with these parties to ensure the secure use of data in compliance with the Personal Data Protection Law and to guarantee that they can only use your personal data for specified purposes.
  1. We confirm that appropriate technical and organizational security measures are implemented to protect your personal data in accordance with the Personal Data Protection Law. These measures include, but are not limited to:
    • Vulnerability scanning and penetration testing.
    • Encryption of data during transmission and storage.
    • Regular application of updates and security patches.
    • Reviewing security settings and system hardening configurations.
    • Applying security standards based on best practices for website and application development.
  2. Data is collected within a secure technical infrastructure that adheres to the Authority’s approved cybersecurity policies and standards, which are aligned with regulations and guidelines issued by the National Cybersecurity Authority.
  3. Security procedures are established based on the Authority’s approved cybersecurity policies and standards, in line with regulations issued by the National Cybersecurity Authority, to prevent accidental loss of personal data, unauthorized access, misuse, alteration, or disclosure.
  4. The Authority implements necessary procedures for managing data sharing, ensuring that personal data will not be publicly available or shared with any third party without prior consent, unless required by relevant laws and regulations.
  5. The Authority applies necessary access control measures, ensuring that only authorized individuals providing services for the Transport General Authority’s website and relevant government entities contributing to service development and user journey facilitation can access personal data.
Disclosure of Your Personal Data
Without prejudice to paragraphs (3, 4, 5) of Article 15 of the Personal Data Protection Law, you agree to the sharing of your personal data with relevant entities, whether private or public, based on legal grounds that authorize the requester to obtain the data. All regulatory, administrative, and technical controls will be applied before sharing data, as stipulated in Article 19 of the law.
Storage of Your Personal Data
By using the Authority’s platforms, you agree to the storage, processing, and use of your personal data by the Authority. Your personal data will be securely stored within the Authority’s infrastructure or with authorized third parties within Saudi Arabia. No data will be stored outside the Kingdom unless in compliance with the regulations outlined in the executive regulations for transferring personal data outside the Kingdom.
Retention and Destruction Period
Your personal data will be retained for as long as necessary to fulfill the purpose for which it was collected. Upon the completion of the purpose or upon your request, your data will be securely deleted in a manner that ensures it cannot be recovered, taking into consideration other applicable regulatory or legal requirements in Saudi Arabia, without prejudice to the exceptions mentioned in Article 18 of the Personal Data Protection Law.
Exceptionally, personal data collected for the purpose of (receiving, processing, and sorting job applications for vacancies announced on the Authority’s website) and personal data collected for the purpose of (handling and analyzing reports and complaints) will be retained for three years after the purpose has been completed.