Privacy policy
Introduction
Saudi German Health (SGH), operated by Middle East Healthcare Company (MEAHCO), is committed to protecting the privacy and confidentiality of personal data processed during the delivery of healthcare services and the operation of hospital functions. As a healthcare organization, SGH processes a significant volume of personal data, including sensitive personal data such as medical and health information, patient records, and operational data related to patients, visitors, and service providers.
This Privacy Policy establishes the principles and responsibilities governing how personal data is handled by SGH. It ensures that all personal data is processed in a lawful, fair, transparent, and secure manner in accordance with the Kingdom of Saudi Arabia Personal Data Protection Law (PDPL), its Implementing Regulations, and other applicable regulatory requirements.
Objective
This Privacy Policy aims at:
- Supporting Saudi German Health's commitment to implementing the Personal Data Protection Law (PDPL) and its Implementing Regulations across all hospital activities and services.
- Encouraging the adoption of best practices in personal data privacy and protection within a healthcare environment, where sensitive health information is routinely processed.
- Providing patients, visitors, employees, and all individuals who interact with SGH with clear guidance on how their personal data is collected, used, stored, and protected.
- Helping data subjects understand and exercise their rights under the PDPL, including the right to access, correct, delete, and withdraw consent over their personal data.
- Protecting the privacy and dignity of every patient and individual whose personal data is processed by SGH in the course of delivering healthcare services.
1. What is Personal Data and Sensitive Personal Data
Under the KSA Personal Data Protection Law (PDPL), personal data refers to any information relating to an identified or identifiable individual. An individual may be identified directly or indirectly through identifiers such as a name, identification number, location data, or other factors related to the individual's identity.
Examples of personal data that SGH may process include:
- Patient name, contact details, and identification numbers
- National ID or Iqama number
- Date of birth, gender, and nationality
- Contact information such as phone number and address
- CCTV recordings within hospital premises
SGH also processes Sensitive Personal Data, which requires a higher level of protection under the PDPL. Sensitive personal data includes, but is not limited to:
- Health and medical information such as diagnoses, treatment records, and laboratory results
- Biometric data used for identification purposes
- Financial information related to healthcare billing and insurance
Because healthcare operations require the processing of sensitive health information, SGH applies enhanced safeguards and strict access controls to ensure such data is processed only when necessary and in compliance with applicable laws.
A. Collecting and Processing Personal Data
SGH collects and processes personal data to support its core mission of delivering safe and effective healthcare services, managing hospital operations, and complying with regulatory obligations.
Personal data may be collected from various sources, including:
- Patients and their families during registration, diagnosis, treatment, and billing
- Visitors entering hospital facilities
- Service providers and contractors supporting hospital operations
- Digital platforms and marketing channels, where the individual has given consent
Personal data is processed for purposes including:
- Providing medical care and treatment
- Maintaining patient medical records
- Managing appointments and hospital admissions
- Processing insurance and billing transactions
- Ensuring hospital safety and security
- Sending health awareness and marketing communications, with your consent only
- Complying with legal, regulatory, and reporting requirements
SGH ensures that personal data is processed only when a lawful basis exists under the PDPL. SGH also ensures that individuals are provided with clear information explaining how their personal data is collected, used, and protected.
B. Scope and Applicability
This Privacy Policy applies to all personal data processed by SGH as part of its healthcare operations and administrative activities. It provides individuals with clear information on how their personal data is handled throughout its lifecycle.
Policy Coverage
This policy applies to all personal data processed by SGH regardless of the form in which the data exists, whether through electronic systems, clinical applications, physical records, communication platforms, or surveillance systems. It covers the entire lifecycle of personal data processing, including its collection, storage, use, sharing, retention, and deletion.
Applicable Activities
This policy applies to all patient-facing and administrative functions of SGH. Processing activities covered include patient registration, medical treatment and clinical documentation, appointment scheduling, insurance and billing processes, digital marketing and health communications (consent-based), facility access control, visitor management, and regulatory reporting.
Personal Data and Data Subjects
The provisions of this policy apply to personal data relating to individuals who interact with SGH in different capacities. Within SGH, personal data may relate to patients, family members or guardians involved in patient care, visitors accessing our facilities, and individuals who interact with our digital channels and marketing platforms with their consent.
2. Contact Information and Update Record
A. Contact Details
| Entity Name | Saudi German Health |
|---|---|
| Operating Company | Middle East Healthcare Company (MEAHCO) |
| Address | King Abdul Aziz Rd, Ash Shati, Jeddah 23412 |
| Telephone | +966 11 268 5555, Ext. 7051 |
| Website | www.sghgroup.net |
| DPO Email | [email protected] |
B. Update Record
SGH reviews and updates this Privacy Policy periodically to reflect changes in our services, technology, or legal requirements. When we make material changes, we will notify you through our website, mobile app, or by SMS if you have opted in to communications from us. The current version is always available on our website, mobile app, and at our patient services desk.
| Current Version | 2.0 |
|---|---|
| Date of Issue | 20 April 2026 |
| Applies To | All patients, visitors, and individuals who interact with SGH |
| Governing Law | Personal Data Protection Law (PDPL), Kingdom of Saudi Arabia |
| Supervisory Authority | Saudi Data and AI Authority (SDAIA) |
3. Personal Data to Be Collected
A. Personal Data That SGH Collects
SGH collects and processes personal data as part of delivering healthcare services, managing operational activities, and fulfilling regulatory obligations. SGH applies the principle of data minimization: only the personal data required for a specific purpose is collected and processed.
Patients
As part of providing medical care, SGH collects and processes personal and sensitive personal data including:
- Personal identification details: Name, National ID or Iqama number, date of birth, gender, nationality, and contact information
- Contact information: address, phone number, and email address
- Medical and health information: medical history, diagnoses, treatment records, laboratory results, radiology reports, prescriptions, and clinical records
- Appointment, admission, and discharge records
- Insurance and billing information required for claims processing
Employees and Medical Staff
SGH processes personal data relating to employees and medical professionals working within the organization. This may include:
- Personal identification details such as name, national ID or Iqama, passport details, date of birth, gender, and contact information.
- Employment information, including job title, department, employment contract details, and employment history.
- Educational background, professional certifications, licenses, and training records.
- Payroll and financial information necessary for salary payments and benefits administration.
- Attendance records, access logs, and internal system usage records.
In certain cases, limited health-related information may be processed for occupational health, workplace safety, or medical leave management.
Job Applicants
During recruitment activities, SGH collects personal data from job applicants to assess their suitability for employment. This may include:
- Name and contact details.
- Curriculum vitae (CV) or resume.
- Educational qualifications and professional certifications.
- Previous employment history.
- References or recommendation details.
Vendors, Contractors, and Service Providers
SGH may collect personal data relating to representatives of vendors, contractors, and service providers engaged by the organization. This may include:
- Name and contact information of company representatives.
- Job titles and professional roles.
- Business contact details.
- Identification information required for compliance, facility access, or contractual purposes.
Visitors
For facility security and management purposes, SGH may collect:
- Name and contact details when required for visitor registration
- CCTV recordings captured within SGH premises for safety and security purposes
Marketing and Communication - Consent-Based Only
If you have given your explicit consent to receive health awareness or promotional communications from SGH, we may collect the following for that purpose only:
- Phone number and email address
- General location (city) and type of healthcare service you are interested in
- Interaction history with our health awareness communications
Our communication channels include SMS, email, WhatsApp, the SGH mobile application and the SGH website.
Opting out will not affect your healthcare or any other service you receive from SGH.
Important: This data is collected and used solely for marketing communications. We will never collect or use your clinical records, diagnoses, or medical history for marketing purposes. This is entirely optional and you can withdraw your consent at any time without affecting your care.
How to Opt-Out
You can withdraw your marketing consent and opt out of all marketing communications at any time by:
- Email us through: DPO@sghgroup
- Using the opt-out option available in any marketing message we send you on WhatsApp
- Clicking the unsubscribe link included in any marketing message we send you
- Updating your communication preferences in the SGH Mobile Application.
B. Cookies and Digital Tracking
SGH may use cookies and similar technologies on its website and digital platforms to support functionality, improve user experience, and ensure the secure operation of online services. Cookies are small text files stored on your device when you visit our website or use our mobile app. Where cookies are used, SGH ensures their use is consistent with applicable PDPL requirements.
Types of Cookies
| Cookie Type | Description |
|---|---|
| Essential Cookies | These are necessary for the operation of the website or patient portal. They enable features such as secure log-in, page navigation, and basic system functionality. These cannot be disabled as the service cannot function without them. |
| Performance Cookies | These help us understand how users interact with our website by collecting aggregated information about page visits and navigation patterns. The information is used to improve the functionality of our digital services. |
| Functional Cookies | These allow the website to remember certain preferences or settings, such as language preferences or system configuration options, to improve your experience. |
Consent and Control
Where required, you will be informed about the use of cookies when accessing SGH's website or digital platforms. You may have the option to accept or manage cookie preferences through website settings or browser controls. You can also modify your browser settings to block or delete cookies. However, disabling certain cookies may affect the functionality of some online services.
Data Collected Through Cookies
Information collected through cookies may include technical data such as IP address, browser type, device information, and pages visited. This information is used primarily to maintain the security and functionality of SGH's digital platforms and to improve user experience. Any personal data collected through cookies is handled in accordance with this Privacy Policy.
4. Collecting Personal Data Methods and Purposes
A. Data Collected Directly from You
SGH collects personal data directly from you through the following means:
- During patient registration at our hospital or through our mobile app
- During appointments, emergency visits, or inpatient admissions
- Through consent forms signed before treatment or procedures
- When you contact our staff in person, by phone, or by email
- When you give your explicit consent to receive health awareness or marketing communications
B. Data Collected Indirectly
SGH also obtains personal data indirectly from the following authorized sources:
- From insurance providers: to verify coverage and process claims
- Through government health portals: for insurance eligibility verification at the point of registration
- From external healthcare partners: when we refer you for tests or specialist services and receive results back
- Through CCTV systems: when you are on our premises
- Through digital marketing platforms: when you respond to our digital health campaigns, with your prior explicit consent
C. Purpose of Collection and Legal Basis
SGH collects and processes personal data to support its core mission of delivering safe and effective healthcare while maintaining efficient operations. Personal data is used to:
- Provide medical care and treatment to patients
- Maintain accurate medical records and support clinical continuity
- Manage appointments, admissions, and discharges
- Process insurance claims and manage billing
- Comply with legal and regulatory reporting requirements
- Maintain the safety and security of SGH facilities
- Send health awareness and marketing communications, only with your explicit consent
SGH processes personal data only when there is a lawful basis for doing so under the PDPL. All processing activities must be justified by one or more lawful grounds.
Consent
In certain situations, SGH processes personal data based on the explicit consent of the individual. Consent must be freely given, specific, informed, and clearly recorded.
SGH relies on consent as the legal basis in the following situations:
- Sending health awareness messages, promotional communications, digital advertisements, and marketing campaigns via SMS, email, or social media
- Publishing patient or physician testimonials, images, or success stories on any platform
- Any other processing activity where consent is specifically required by law
Your right to withdraw: Where your consent is the legal basis for processing, you have the right to withdraw it at any time. To withdraw consent, you can:
- Email [email protected]
- Call 0112685555 and ask for the Data Privacy Office
- Use the unsubscribe option in any message we send you
- Update your preferences in the SGH Patient Portal app.
Withdrawing consent will not affect your healthcare or any processing that has already taken place based on your prior consent.
Contractual Necessity
Personal data may be processed when it is necessary to fulfil a contractual obligation or to take steps prior to entering a contract. Within SGH, this applies to processing insurance and billing information to manage the service arrangement between you, SGH, and your insurance provider, and to processing online payment details to complete financial transactions you have requested.
Legal Obligation
SGH processes personal data when required to comply with legal or regulatory obligations under applicable laws in the Kingdom of Saudi Arabia. This includes mandatory reporting to the Ministry of Health for communicable diseases, ICU admissions, births, and deaths, compliance with healthcare regulations and patient safety requirements, reporting sick leave certificates, and compliance with financial, tax, and labour regulations.
Protection of Vital Interests
In certain circumstances, personal data may be processed to protect the vital interests of the patient or another individual. Within a healthcare environment, this applies during medical emergencies where clinical staff must access or process patient data to provide urgent treatment, and in situations where processing is necessary to protect a patient's life, health, or physical safety.
Public Interest
Personal data may be processed where it is necessary for tasks carried out in the public interest or to fulfil responsibilities that support public health and safety. This may include regulatory reporting, public health monitoring, compliance with healthcare standards, and cooperation with regulatory authorities where required by law.
Legitimate Interests
In certain situations, SGH may process personal data to pursue legitimate operational interests, provided such interests do not override the rights and freedoms of individuals. Examples include maintaining the safety and security of SGH facilities through CCTV surveillance and using anonymized and aggregated data to improve service quality and clinical outcomes.
5. Personal Data Processing
SGH maintains structured documentation of its personal data processing activities to ensure transparency, accountability, and compliance with the PDPL. Proper documentation and risk assessment enable SGH to understand how personal data flows through the organization and to identify potential risks to individuals' privacy.
A. Record of Processing Activities (RoPA)
SGH maintains a Record of Processing Activities (RoPA) that documents all personal data processing activities carried out within the organization. The RoPA includes:
- The purpose of each processing activity
- Categories of personal data processed
- Categories of data subjects involved
- Data retention periods
- Third parties with whom personal data may be shared
- Security measures applied to protect personal data
The RoPA is reviewed and updated whenever there are significant changes to processing activities, including the introduction of new services or processing purposes.
B. Data Protection Impact Assessments (DPIAs)
SGH conducts Data Protection Impact Assessments (DPIAs) when a new project, service, or process involving personal data may present a higher risk to the privacy or rights of individuals. A DPIA may be required in situations such as:
- Processing of sensitive personal data, including health and medical information
- Implementation of new technologies or digital health services
- Large-scale processing of patient data
- Introducing new marketing or data sharing arrangements with third parties
- Integration of new systems that may increase privacy risks
By maintaining an up-to-date RoPA and conducting DPIAs where appropriate, SGH ensures that personal data processing activities are properly documented, monitored, and managed.
C. Security Measures to Protect Personal Data
SGH is committed to protecting the confidentiality, integrity, and availability of personal data processed within its operations. SGH implements appropriate technical and organizational security measures to safeguard personal data against unauthorized access, disclosure, alteration, loss, or destruction.
D. Commitment to Data Protection
SGH recognizes that protecting personal data is a critical responsibility, particularly in a healthcare environment where sensitive health information is processed. All employees and authorized personnel are required to comply with SGH's data protection policies and procedures when accessing or processing personal data. Access to personal data is limited to authorized individuals who require it to perform their duties.
Technical Security Measures
SGH implements a range of technical safeguards to protect personal data. Technical controls include:
- Encryption of personal data during storage and transmission
- Role-based access control mechanisms to ensure only authorized personnel can access personal data
- Secure authentication procedures for system access
- Continuous monitoring of system activity and access logs
- Network security controls including firewalls and intrusion detection mechanisms
- Security Operations Centre (SOC) providing 24/7 monitoring
Organizational Security Measures
In addition to technical controls, SGH implements organizational safeguards to ensure that personal data is handled responsibly. These include clearly defined data protection responsibilities for all staff, mandatory confidentiality obligations for employees and contractors, and procedures governing access to personal data.
SGH also ensures that third parties processing personal data on its behalf are subject to appropriate contractual obligations requiring them to implement adequate security measures and comply with applicable data protection requirements.
6. Personal Data Sharing
SGH may share personal data with third parties when necessary to support healthcare services, operational activities, or to comply with legal and regulatory obligations. SGH ensures that personal data is shared only for legitimate purposes and only to the extent necessary. We do not sell your personal information to anyone.
A. Types of Third Parties
SGH may share personal data with the following categories of organizations:
- Healthcare partners (external laboratories and radiology centers involved in patient care)
- Insurance providers and claims administrators for processing insurance and billing
- Payment service providers for processing online payments
- Government and regulatory authorities where disclosure is required by law
- Authorized service providers supporting hospital operations, including IT support, cybersecurity, digital marketing (consent-based), SMS delivery, and audit services.
B. Types of Data Shared
The type of personal data shared depends on the purpose. This may include patient identification details and medical information for healthcare and insurance purposes, contact details for consent-based marketing communications, and operational or billing data for service delivery. SGH shares only the minimum data necessary to fulfil the intended purpose.
C. Purpose of Data Sharing
| Who We May Share With | Type of Information | Why |
|---|---|---|
| Government Health Authorities | Patient identification and relevant health data | Mandatory reporting required by Saudi law — communicable diseases, births, deaths, ICU admissions, sick leave. |
| Your Insurance Provider | Patient identification, medical and billing information | To verify eligibility, obtain treatment approvals, and process claims. |
| External Healthcare Partners | Patient identification and relevant clinical information | When we refer you to an external laboratory or radiology centre for tests that are part of your care. |
| Payment Service Providers | Payment and transaction details only | To process your online payments securely. |
| Authorized Service Providers | As required for the specific service | IT support, digital marketing (consent only), SMS delivery, audit services — under strict data protection agreements. |
| Financial and Regulatory Authorities | Aggregated or required financial data | To comply with tax, labour, and regulatory obligations. |
D. Contractual Safeguards
Where third parties process personal data on behalf of SGH, appropriate contractual safeguards are established to ensure that personal data is handled securely and in compliance with applicable data protection laws. These include Data Processing Agreements (DPAs) that define the responsibilities of the third party, confidentiality obligations, and requirements to implement appropriate technical and organizational security controls.
E. International Transfers
Your personal information is primarily processed and stored within the Kingdom of Saudi Arabia. In some circumstances, it may be necessary to transfer or process your information outside the Kingdom, for example when authorized service providers that operate internationally support our back-office operations, IT systems, or digital marketing services (the latter only with your consent).
Whenever your personal information is transferred outside the Kingdom of Saudi Arabia, SGH:
- Ensures that appropriate legal safeguards are in place in accordance with the PDPL and applicable SDAIA regulations
- Transfers only the minimum amount of information necessary for the specific purpose
- Requires all international service providers to sign data protection agreements committing them to protect your data
- Obtains necessary approvals from competent authorities where required by law or healthcare regulations
7. Personal Data Storage, Retention Period, and Destruction
SGH ensures that personal data is stored securely and retained only for as long as necessary to fulfil the purposes for which it was collected. All storage and retention practices are aligned with the requirements of the PDPL and applicable Saudi healthcare and regulatory requirements. Retention periods are determined based on legal obligations, the nature of the data, and the purpose for which it was collected.
A. Retention Overview
SGH retains personal data only for the period necessary to achieve the purpose for which it was collected or to comply with applicable legal obligations. Once the retention period expires, personal data is securely deleted or anonymized.
B. Data Storage
Personal data within SGH may be stored in electronic systems such as hospital management systems and secure databases, as well as physical records maintained within controlled, access-restricted environments. SGH ensures that appropriate technical and organizational safeguards are implemented to protect stored personal data, including access controls, secure system configurations, and encryption where appropriate.
Your personal data is stored primarily within the Kingdom of Saudi Arabia. Where it is necessary to store or process data outside the Kingdom, appropriate safeguards are applied in accordance with the PDPL. See Section 6 for details on international transfers.
C. Data Deletion and Anonymization
When personal data is no longer required and the applicable retention period has expired, SGH ensures that it is securely removed. Personal data may be deleted or anonymized so that individuals can no longer be identified. Physical records are destroyed by authorized contractors with a certified confirmation of destruction.
Please note: Some information must be retained even if you request deletion, because we are legally required to keep it. For example, your medical records must be retained for a minimum period as required by the Ministry of Health. We will always inform you if this applies to your request.
8. Personal Data Subjects Rights
SGH recognizes and respects the rights of individuals regarding the processing of their personal data in accordance with the PDPL and its Implementing Regulations. These rights are free of charge. We will respond to requests within 30 days. If a request is complex, we may take up to 60 days and will notify you in advance.
Please note that some rights may be subject to legal limitations. For example, we may be unable to delete certain information that we are required to keep by law, such as your medical records.
- The Right to be informed, which includes informing Data Subjects of the legal basis and purpose of collecting data while ensuring that Data Subjects' data will not be subsequently processed in any way inconsistent with the purpose of collecting such data, for which Data Subjects provided their explicit or implicit consent.
- The Right to access their Personal Data held by the Controller, which includes Data Subjects' access to their Personal Data upon request or through means provided by the Controller that enable Data Subjects to access their Personal Data automatically without the need to submit a request.
- The Right to request access to Personal Data held by the Controller in a readable and clear format consistent with the content of records, whether such Personal Data is in a commonly used format if feasible or providing a printed hard copy of such data.
- The Right to request correction, completeness, and update of Personal Data held by the Controller.
- The Right to request the destruction of Personal Data held by the Controller if Personal Data is no longer necessary to achieve the purpose for which it was collected.
- The Right to withdraw consent for Personal Data Processing at any time, unless there is a legal basis that requires otherwise, in addition to elaborating how to withdraw such consent by providing means and methods to ensure a prompt response to requests related to exercising rights according to measures stated in Article (12) of the Implementing Regulation of the Law.
- The Right to submit any complaint related to applying the provisions of the Law to the Competent Authority.
Exercising Your Rights
| By Email | [email protected] |
|---|---|
| By Phone | +966 11 268 5555, Ext. 7051 |
| In Person | Our patient services desk at SGH |
| Response Time | 30 days |
| Complex Requests | May take up to 60 days. We will notify you in advance. |
| Cost | Free of charge |
9. Complaint and Objection Filing Mechanism
We take all privacy concerns seriously. If you believe we have not handled your personal information correctly, or if your rights under the PDPL have not been respected, please follow the steps below.
A. Contact Our Data Privacy Officer
Please contact our Data Privacy Officer in the first instance. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 calendar days.
| Contact Channel | Details |
|---|---|
| Email | [email protected] |
| Phone | +966 11 268 5555, Ext. 7051 |
| Acknowledgement | Within 5 business days |
| Resolution Target | Within 30 calendar days |
If you are not satisfied with our response within 30 days, you may submit a complaint to the Saudi Data and Artificial Intelligence Authority (SDAIA).
10. Availing and Providing Access to Privacy Policy
SGH is committed to making this Privacy Policy accessible to all individuals whose personal data we process. The current version of this Privacy Policy is always available through the following channels:
- Our website: www.sghgroup.net
- The SGH Patient Portal mobile application
- At our reception desk you will find a banner
- Email us through [email protected] to request a copy
When we make material changes to this policy, we will notify you through our website, mobile app, or by SMS if you have opted in to communications from us. Where required by law or where a change significantly affects how we process your personal data, we will seek your renewed consent or provide you with a direct notification before the change takes effect.