Privacy Policy

1. Introduction

Mouwasat Medical Services Company (MMS) is one of the leading healthcare providers in the Kingdom of Saudi Arabia, with branches in several cities including Dammam, Al Khobar, Jubail, Qatif, Riyadh, and Madinah. Mouwasat provides comprehensive medical services, including specialized care in cardiology, orthopedic surgery, and neurosurgery. The organization is well known for its high standards, advanced technologies, and strong commitment to quality and patient care.

Based on the above, Mouwasat is committed to protecting the privacy, confidentiality, and security of patients’ personal data and to complying with the Personal Data Protection Law, its Implementing Regulations, and the guidelines issued by the National Data Management Office. This Privacy Notice explains how patients’ personal data is collected, used, stored, shared, and protected while receiving healthcare services, and clarifies data subject rights and the contact details of the Data Protection Officer at Mouwasat.

2. Notice Updates

Mouwasat may update this Privacy Notice at any time and publish the updated version on its website. The updated version will be effective immediately upon use of the website or application. You are responsible for reviewing any updates and reading this Privacy Notice regularly. By accessing or using MMS services, you acknowledge that you have read, understood, and agreed to this Privacy Notice. Where required by applicable law, explicit consent will be obtained separately.

3. Scope of Application

This Privacy Notice applies to all individuals whose personal data is collected, used, or processed by Mouwasat Medical Services Group (MMS), including but not limited to:

  • Patients receiving medical or administrative services at any Mouwasat facility
  • Visitors and caregivers interacting with Mouwasat systems or staff
  • Users of Mouwasat digital platforms (websites, mobile applications, telemedicine services)
  • Job applicants, employees, contractors, and workforce members
  • Vendors, suppliers, and external service providers
  • Regulatory and governmental entities interacting with Mouwasat data systems

This Notice covers all personal data processed by Mouwasat, whether collected directly or indirectly or through third parties, across physical, digital, and cloud environments.

4. Organization and Contact Information

Organization Name: Mouwasat Medical Services Company

Data Protection Officer: Amani Alharthi
Email: privacy@mouwasat.com

5. Categories of Personal Data

MMS may collect and process the following categories of personal data:

  • Identification data (such as name, national ID number, passport)
  • Contact information (such as phone number and email address)
  • Medical records and clinical data
  • Insurance and billing information
  • Digital usage data from online services (IP address, browser type)

6. Purposes of Data Collection

Personal data is processed for the following purposes:

  • Providing healthcare services and medical treatment
  • Managing patient records and clinical operations
  • Billing, insurance processing, and financial administration
  • Compliance with legal and regulatory obligations
  • Improving healthcare services and patient experience
  • Ensuring safety and emergency response
  • Conducting internal audits, reporting, and quality assurance
  • Supporting medical research in accordance with applicable laws

7. Methods of Data Collection

Personal data may be collected through:

  • Patient registration and admission processes
  • Medical records systems
  • MMS websites and mobile applications
  • Patient portals and telemedicine services
  • Cookies and digital tracking technologies
  • Direct interactions with MMS staff

8. Use of Data for New Purposes

If Mouwasat needs to use your personal data for a purpose that was not disclosed at the time of collection, you will be notified and your explicit consent will be obtained where required by law before proceeding.

9. Legal Basis for Data Collection and Processing

  • Medical necessity to provide healthcare
  • Compliance with legal and regulatory obligations
  • Where the data is publicly available
  • Contractual necessity with the patient or the insurance company
  • Explicit consent, where required by applicable laws
  • Performance of contractual obligations
  • De-identified (non-identifiable) data
  • Where the request is from public authorities or for regulatory purposes
  • To protect health, safety, or life (including medical necessity)

10. Legal Grounds for Collecting Data from a Source Other Than the Data Subject or for a Purpose Other Than That for Which It Was Collected

  • If the data subject consents to this, in accordance with the provisions of the law.
  • If the personal data is publicly available or has been collected from a publicly available source.
  • If the controller is a public entity, and the collection or processing of personal data is required for public interest purposes, security purposes, implementation of another law, or to fulfill judicial requirements.
  • If restricting such processing may cause harm to the data subject or affect their vital interests.
  • If the collection or processing of personal data is necessary to protect public health or public safety, or to protect the life or health of specific individuals.
  • If the personal data has been recorded or stored in a form that makes it possible to identify the data subject directly or indirectly.
  • If the collection or processing is necessary to achieve legitimate interests of the controller, provided that this does not prejudice the rights of the data subject or conflict with their interests, and that the data is not sensitive.

11. Data Subject Rights

You have the right to:

  • Request information on how your personal data is collected, processed, and stored, including the legal basis, processing activities, and entities with whom your data is shared
  • Request access to and obtain a copy of your personal data held by Mouwasat
  • Request correction or deletion of your personal data, provided this does not conflict with applicable laws or medical obligations
  • Withdraw consent where processing is based on consent
  • Object to the processing of your data under certain circumstances
  • Submit a complaint to the Data Protection Officer in case of misuse

Requests will be handled in accordance with applicable legal and regulatory requirements.

12. Data Storage and Protection

Mouwasat applies appropriate technical and organizational security measures, including:

  • Role-based access control
  • Multi-factor authentication
  • Secure system environments
  • Regular data backups
  • Physical access controls to data centers and devices
  • Incident response procedures

13. Data Minimization and Purpose Limitation

MMS ensures that personal data collected is limited to what is necessary for the specified purposes and is not processed in a manner incompatible with those purposes.

14. Data Retention and Disposal

Mouwasat retains personal data only for the period necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. Upon expiration of the retention period, data is securely disposed of in accordance with approved policies to prevent unauthorized access or unlawful use.

15. Cross-Border Data Transfers

Personal data is stored within the Kingdom of Saudi Arabia. Where transfer outside the Kingdom is required, MMS ensures that such transfers are conducted in compliance with regulatory requirements and appropriate safeguards are implemented.

16. Data Sharing and Disclosure

Mouwasat may share personal data with third parties within the scope of lawful purposes, subject to data protection safeguards, a valid legal basis, and explicit consent where required. These third parties are:

  • Information technology service providers for hosting or system support
  • Medical laboratories and diagnostic imaging partners
  • Accreditation bodies and regulatory authorities
  • Legal advisors and auditors
  • Insurance companies

17. Who Can Access the Data

  • Authorized Mouwasat employees
  • Health insurance companies
  • Regulatory authorities
  • Approved vendors under contractual agreements
  • Emergency responders where necessary

18. Data Breach Notification

In the event of a personal data breach, MMS will take appropriate actions, including notification to competent authorities and affected individuals, in accordance with applicable legal and regulatory requirements.

19. Children’s Privacy

MMS applies enhanced protection measures for:

  • Personal data of children
  • Sensitive personal data, including health information

Such data is processed only when necessary and in accordance with applicable laws, including obtaining consent from legal guardians where required.

20. Privacy of Minors and Legally Incapacitated Persons

We give special care to protecting the personal data of minors and legally incapacitated persons. No personal data relating to such individuals is collected or processed except as permitted by applicable laws and based on the explicit prior consent of the legal guardian or authorized legal representative. Such data is used only for specific and legitimate purposes, and appropriate technical and organizational measures are applied to protect it from unauthorized access, disclosure, alteration, or destruction.

21. Cookies and Digital Technologies

Mouwasat digital platforms use cookies to enhance functionality and analyze traffic. You may manage your cookie preferences through your browser settings.

22. Marketing

You may be contacted to receive health updates, alerts, or promotional materials that do not involve the use of sensitive personal data. You may opt out at any time by contacting the Data Protection Officer at: privacy@mouwasat.com

23. External Links Disclaimer

Mouwasat digital platforms may contain links to external websites. Mouwasat is not responsible for the privacy practices or content of such external websites.

24. Processing Time for Data Subject Requests

Requests related to the exercise of data subject rights are processed in accordance with regulatory requirements.

25. Complaints and Contact

For inquiries or complaints related to patient data privacy, please contact the Data Management Office via email: privacy@mouwasat.com.

You have the right to escalate complaints to the Saudi Data & AI Authority (SDAIA) if you are dissatisfied with the handling of your request.


Mouwasat Medical Dammam Dispensary in '75, evolved into LLC managing multiple facilities in '97 under same registration.

Contact Information

Unified Number:
+966 920 004 477