Article One: Introduction
Insurance Authority was established pursuant to cabinet decision No. (85) dated 28/01/1445 AH (15.8.2023 G), and is organizationally linked to the Prime Minister. Insurance Authority enjoys an independent legal personality as well as financial and administrative autonomy. It aims to regulate, supervise, and oversee the insurance sector in the Kingdom of Saudi Arabia, in a way that supports and enhances its efficiency. Insurance Authority also works to promote insurance awareness, protect the rights of policyholders and beneficiaries, ensure the stability of the insurance sector, contribute to financial stability, strengthen and develop the insurance industry, and establish the key principles of contractual relationships in the insurance field.
Insurance Authority is committed to protecting the personal data of users, beneficiaries, and parties dealing with it. In recognition of the importance of personal data and the need to preserve the privacy of its owners—and in line with the Authority's commitment to providing high-quality services—this Policy has been prepared to help data subjects understand the nature of personal data processed by the Authority. It also clarifies the purpose of collection, type of personal data collected, method of collection, means of storage, processing procedures, destruction methods, data subject rights, and how those rights can be exercised.
Using Insurance Authority's website or electronic platforms, or submitting personal data through any official channel of the Insurance Authority, shall constitute full and implicit consent to the terms of this Privacy Policy.
Article Two: Purposes of Collecting and Processing Personal Data:
Insurance Authority uses personal data for the following purposes:
1. To perform its duties and responsibilities as set out in its regulation, issued pursuant to cabinet decision No. (85) dated 28/01/1445 AH.
2. To understand the needs of service beneficiaries and work towards improving them, including but not limited to handling inquiries, requests, complaints, and claims related to the insurance sector.
3. To implement technical updates and enhancements to the electronic services provided by the Authority, and to monitor system usage to address any potential security threats.
Article Three: Personal Data Collected:
Insurance Authority may collect personal data directly or indirectly when individuals interact with its services, systems, or platforms. This may include, but is not limited to:
1. Personal Data: Name, national ID number, address, and contact details.
2. Financial Data: Bank account numbers, payment details related to insurance products.
3. Professional Data: Educational qualifications, job titles, professional records.
4. Technical Data: IP address, cookies, browsing history.
5. Complaint Data: Information required to handle and process complaints or requests submitted by the data subject, in accordance with the Personal Data Protection Law (PDPL).
6. Geolocation Data.
7. Usage Information and Updates.
Article Four: Methods of Data Collection
1. Direct Collection: Through the Authority's website, its affiliated electronic portals, approved mobile applications, telephone communication, in-person visits to Insurance Authority's headquarters, or other official channels approved by the Authority.
2. Indirect Collection: Through relevant entities or institutions supervised by Insurance Authority, in cases where it is necessary to process a request related to the data subject.
Article Five: Legal Basis:
Insurance Authority relies on the following legal bases for the collection and processing of personal data:
1. The Regulation of the Insurance Authority.
2. Other laws and regulations related to Insurance Authority's mandate.
3. The Personal Data Protection Law and its implementing regulations. Personal data is collected and processed based on the consent of the data subject, who may withdraw such consent at any time, unless another legal basis applies. To exercise this right as a data subject, you may contact the Data Management Office via email at: PDP@ia.gov.sa.
Article Six: Processing of Personal Data:
1. Personal data is processed to enable Insurance Authority to perform its assigned duties and responsibilities, in accordance with the relevant laws, regulations, policies, and procedures.
2. Processing of personal data is conducted only by individuals authorized by the Authority, in line with its approved internal policies.
3. While the Authority will not share personal data with any third party without prior consent, it reserves the right to disclose such data to competent authorities when necessary for public interest, national security, law enforcement, judicial requirements, complaint handling, or protection of public health or safety, as stipulated under applicable laws and regulations.
Article Seven: Storage of Personal Data:
Personal data is securely stored at Insurance Authority's headquarters or on its own servers. Insurance Authority applies the highest information security standards and best practices to ensure data protection.
Article Eight: Data Retention and Disposal:
Insurance Authority retains personal data only for the purposes for which it was collected, and to meet regulatory, supervisory, documentation, or judicial requirements. Once the purpose of collection has been fulfilled, the data shall be securely deleted or destroyed in a manner that prevents loss, misuse, or unauthorized access, in accordance with relevant laws and instructions.
Article Nine: Rights of Data Subjects:
In accordance with the Personal Data Protection Law, data subjects have the following rights:
Right to be Informed: To know how the Authority collects, uses, stores, and disposes of their personal data, the legal basis for processing, and with whom it may be shared. Full details are provided in this Privacy Policy or via the email listed in Article Ten.
Right of Access: To request a copy of their personal data by emailing the address provided in Article Ten. Copies shall be provided via email free of charge within the statutory timeframe.
Right to Rectification: To request correction of outdated, inaccurate, incorrect, or incomplete personal data via the email listed in Article Ten. The data will be reviewed and updated, and the data subject will be notified by email.
Right to Erasure: To request deletion of personal data in certain circumstances, unless retention is required by law or under contractual obligations.
Article Ten: Exercising Data Subject Rights and Submitting Complaints
Data subjects may exercise their rights or file complaints by contacting the Data Protection Officer via email: PDP@ia.gov.sa. A response will be provided within thirty (30) days without undue delay. This period may be extended for an additional thirty (30) days if the request requires unexpected effort, or if multiple requests are received.
Article Eleven: Policy Updates:
1. Insurance Authority reserves the right to amend this Policy at any time. Any amendment shall take effect upon its publication on the Authority's official website. Continued use of the website or communication with the Authority after such amendments constitutes acceptance of the updated Policy. It is therefore recommended to review the Privacy Policy periodically. The latest update was issued on 01/10/2025.
2. The Arabic version is the official and binding language for the application and interpretation of this Policy. In case of any discrepancy between the Arabic text and other translations, the Arabic text shall prevail.
3. This Policy is governed by the laws and regulations of the Kingdom of Saudi Arabia, and the courts of the Kingdom shall have exclusive jurisdiction over any disputes arising from its implementation.