Privacy Policy
Introduction
The Nuclear & Radiological Regulatory Commission (NRRC) supervises and regulates nuclear and radiological activities in the Kingdom of Saudi Arabia. Its mission is to ensure nuclear and radiological safety and security and to protect society and the environment from radiation exposure in line with the highest international standards. Its functions include licensing, issuing regulations, monitoring compliance and raising public awareness of the safe use of nuclear and radiological energy.
Believing in the importance of Personal Data privacy for users of the NRRC website (nrrc.gov.sa), and in compliance with the applicable laws and regulations in the Kingdom related to Personal Data Protection, this Policy has been prepared to enable the Data Subject to understand the nature and content of the Personal Data collected by the Commission, the purpose of collecting it, the methods of Collection and Storage, how it is Processed and destroyed, and the Data Subject’s rights under the laws of the Kingdom of Saudi Arabia.
________________________________________
Contact Details:
|
Name of the Controller |
Nuclear & Radiological Regulatory Commission |
|
Address |
Kingdom of Saudi Arabia, Riyadh 13315, Al-Sahafa District 2555, Al-Olya Street |
|
Contact number |
112232999 |
|
|
________________________________________
What Personal Data Are Collected
The NRRC is committed to limiting the content of Personal Data collected and Processed to the minimum necessary to perform its tasks and provide services within its mandate. Through its website, Personal Data are collected indirectly, including the following mandatory data:
• Indirect identifiers such as Internet Protocol (IP) address, URL address, referral URL, and the date and time of the website visit.
• Cookies Data: information collected via website logs and cookies technologies, such as the IP address used by the user’s device. Information stored in cookies may include saving page settings to provide a personalised user experience.
In some cases, specific Personal Data are collected from Data Subjects on the basis of a legal basis and/or the Data Subject’s explicit consent, to enable the NRRC to exercise its statutory functions and provide its various services. Such data include, by way of example and without limitation, the following:
1. Identity data: such as full name, date of birth, national ID number or residency (Iqama) number, address, and login details via the National Single Sign-On (NAFATH), for the purposes of identity verification and the provision of statutory services (such as licensing and registration), or functional and administrative services, or training programmes.
2. Contact data: such as phone number and e-mail address, for official communication, sending notifications related to requests, training, or employee matters, and handling enquiries or complaints.
3. Professional and eligibility data: such as academic qualifications, certificates, test results (such as the Radiation Safety Officer (RSO) test), and documents required for licensing radiological practices, employment, or participation in training programmes.
4. Financial data: such as payment details and bank account numbers or credit card details, where fees are paid for certain services, tests, or training programmes, or in connection with employment-related rights and entitlements.
5. Sensitive data: such as workers’ radiation dose data, health data related to exposure to ionizing radiation, and security screening data required for certain licenses or sensitive positions. Such data are Processed in accordance with applicable legal requirements and/or based on the Data Subject’s explicit consent where applicable.
6. Data exchanged with the Commission: such as reports, support requests, official correspondence, or documents submitted for functional, training, or service-related purposes, which are retained for follow-up and implementation purposes.
________________________________________
How Personal Data Are Collected
Personal Data are collected by NRRC through information provided directly via electronic forms, paper forms, or through documents attached to licensing, employment, or training requests, as well as through reports and official correspondence. Personal Data are also collected indirectly through Cookies technologies and interconnection with other entities in cases where Processing relating to the Data Subject is required, in accordance with the applicable laws and regulations in the Kingdom of Saudi Arabia, including, by way of example and without limitation, the following:
1. Browser-usage information: collected while using NRRC’s website or applications, such as browsing data, profiles, and timestamps.
2. Contact information: the data necessary to obtain feedback to improve services and handle complaints, such as e-mail address and phone number.
________________________________________
Purpose of Collecting Personal Data
NRRC ensures that the collection and Processing of Personal Data are closely and directly linked to its tasks and regulatory mandate, in order to achieve any of the following purposes:
• Identity and contact authentication: to verify the identity of users, trainees, and employees and to provide effective communication channels.
• Enabling NRRC to perform its assigned tasks and responsibilities: and to provide services pursuant to relevant laws and regulations.
• Understanding user needs and working to develop and improve them: including, by way of example and without limitation, receiving and Processing enquiries, requests, and complaints.
• Improving the user experience: to enhance service performance, develop services, and ensure continuity of service delivery at the required quality.
• Security and protection: monitoring activity on the website to ensure data protection and prevent unauthorized access, including through anti-fraud and cybersecurity measures.
• Notifications: providing Data Subjects with timely notices of changes to accounts or other notifications relating to various operations (such as trainings, information, and registrations).
• Advisory and awareness communication: informing Data Subjects of security measures, necessary precautions, and best practices to protect accounts and Personal Data.
________________________________________
How Personal Data Are Processed
Personal Data collected directly or indirectly are Processed to carry out the tasks and responsibilities entrusted to NRRC and in a manner that fulfils the purposes specified in this Policy. Personal Data will be Processed only by authorized persons in accordance with their roles and responsibilities and as determined by the policies approved for this purpose.
________________________________________
Legal Bases for Collecting and Processing Personal Data
The legal basis on which NRRC relies to collect and Process Personal Data is the fulfilment of statutory obligations and requirements assigned to it. Personal Data will not be Processed unless NRRC has a legal basis to do so. The legal bases applied for collecting and Processing Personal Data include the following:
1. Consent: the consent provided by the Data Subject to Process their Personal Data for a specific purpose communicated in advance.
2. Processing required under applicable laws: where Processing is necessary to comply with applicable laws, regulations, and decisions.
3. Processing necessary to achieve a legitimate interest: where Processing aims to achieve a legitimate interest of NRRC, provided that it does not prejudice the rights and interests of Data Subjects and that such data are not Sensitive Data.
4. Processing necessary to perform contractual obligations: where Processing is necessary for the performance of a contract to which the Data Subject is a party, such as employment, training, or service contracts.
5. Processing for the public interest: where Processing is necessary to protect nuclear and radiological safety or security, or to protect people, society, and the environment.
6. Processing to protect vital interests of individuals: where Processing is necessary to protect individuals’ health, safety, or life from a confirmed or potential risk.
________________________________________
How We Disclose Your Personal Data
The NRRC is committed to the Data-Sharing Policy and Controls issued by the regulatory authorities and does not share Personal Data with any party outside the NRRC except in the disclosure cases specified in the Personal Data Protection Law and its Implementing Regulations. Personal Data may be disclosed in the following cases:
• Where the Data Subject’s explicit consent is obtained.
• Where a public authority requests disclosure for security purposes, to implement another law, or to meet judicial requirements in accordance with the provisions set out in the Regulations.
• Where disclosure is necessary to protect public health or safety, or to protect the life or health of a specific individual or individuals.
• Where disclosure is necessary to achieve the legitimate interests of NRRC without prejudice to the rights and interests of Data Subjects.
________________________________________
How Personal Data Are Stored
Personal Data are stored and retained securely in NRRC’s systems or on its approved servers located within the Kingdom of Saudi Arabia. All necessary measures are taken to ensure secure storage. Appropriate technical and organizational measures, as well as protection policies and procedures, are in place to safeguard Personal Data against accidental loss and against unauthorized access, use, modification, or disclosure.
________________________________________
Retention Period for Personal Data
Personal Data are retained for the period necessary to fulfil NRRC’s intended obligations, taking into account compliance with applicable legal requirements. Once the purpose of Processing has ended, Personal Data are securely destroyed in a manner that prevents them from being accessed or recovered, in accordance with the provisions of the Personal Data Protection Law.
________________________________________
Data Subject Rights Regarding the Processing of Personal Data
Under the Personal Data Protection Law, the Data Subject has the following rights:
• Right to be informed: to be informed of the methods of collecting Personal Data, the legal basis for collecting such data, and the mechanism of Processing, including the reason and method of collection, the purpose, with whom the data will be shared, and all other details related to the Processing of Personal Data.
• Right of access and to obtain Personal Data: to request access to Personal Data and obtain a copy in a clear, readable format that matches the records whenever technically possible, in accordance with applicable laws and regulations, without prejudice to the restrictions and exceptions contained therein, and subject to any periods NRRC may impose to exercise or restrict this right.
• Right to request correction and update: to request correction and update of Personal Data that are considered inaccurate, incorrect, or incomplete.
• Right to request destruction: to request destruction of Personal Data that are no longer needed, unless a legal basis stipulates a retention period, in accordance with Article 18 of the Personal Data Protection Law.
• Right to withdraw consent: to withdraw consent to the Processing of Personal Data, unless there are legitimate purposes or legal bases that require otherwise.
________________________________________
How to Exercise Rights or Submit a Complaint or Objection
• Data Subjects may exercise their rights by submitting a request via e-mail to PDP@nrrc.gov.sa, or by accessing the Beneficiaries Services Portal CRM and submitting a Data Subject Rights request through the designated electronic form.
• Requests will be responded to within 30 days from the date of receipt. This period may be extended if the request requires unexpected effort, and the requester will be notified accordingly.
• If there is a complaint or objection regarding the Processing of Personal Data, the Data Subjects may contact NRRC’s Privacy Management Team via: PDP@nrrc.gov.sa.
________________________________________
For More Details
For further information on the Processing of Personal Data and how to exercise rights, the Data Subject may contact the Personal Data Protection Officer (DPO) at PDP@nrrc.gov.sa.
________________________________________
Last Update Date
This Privacy Policy is updated periodically, and NRRC recommends reviewing it regularly to stay informed of any changes. The most recent update to this Privacy Policy was on 20/11/2025.
________________________________________
Relevant Legislation:
• Electronic Transactions Law
• Data-Sharing Policy
• Anti-Cybercrime Law
• Essential Cybersecurity Controls
• Policies and Controls of the Saudi Data & AI Authority (SDAIA)
• Personal Data Protection Law
• The Implementing Regulations of the Personal Data Protection Law