Alumni Visitors (Hotel)

1. What Personal Data are we processing? 
   

   For alumni visitors staying in a hotel, we may collect and/or process the following Personal Data for your profile in our visitor management system (“VMS”): your first and last name; Alumni KAUST ID number; date of birth; nationality; ID number and type; a copy of your ID; a copy of your driver’s license; your mobile number; email address; dependent information and IDs; emergency contact details; and your vehicle’s model, make, license number, registration, and insurance. This profile, once created, will allow you to make future visit requests.
   

   For specific visit requests, we additionally request the dates you will be visiting, contact details, and confirmation that you are not staying with a host (in which case, you would be required to go through the visit application process as a personal visitor).

2. What sensitive Personal Data is being collected?  
   
   
   No sensitive data is being collected. We may collect Personal Data about children visitors over the age of 12. You are not required to provide information about children below the age of 12 who are accompanying you on a visit to KAUST. Children are considered a vulnerable category under data protection laws.

3. Where do we get your Personal Data? 
   
   
   KAUST permanently retains data about its former students, including your name, KAUST ID, KAUST email address, government ID, date of birth, and nationality. We collect new information about you and, when applicable, your dependents when you create or update your profile in the visitor management system.

4. Why do we process your Personal Data? 
   
   We process your Personal Data to approve your visit to KAUST and to provide you with access through the gate . We will use the phone number and email you provided in your visit request to email and/or text you notifications about applicable KAUST policies and procedures and entry and exit information. Your Personal Data will not be processed later in a manner inconsistent with this purpose, except as provided or required by law.  

5. Do I need to provide all the information requested? 
   
   
   Mandatory fields in your VMS profile and visit request are marked with an asterisk. No registration is required for children under the age of 12.  

6. Why are we able to process your Personal Data? 
   
   
   We rely on your consent to process your Personal Data for the purpose of visiting the University. Under the GDPR, KAUST has a legitimate interest to process Personal Data related to its visitors ensure the security of its community and its facilities.  

7. Does the processing involve profiling and/or any automated decision-making? 
   
   No, KAUST does not rely on any automated decision-making or conduct any profiling in this process.      

8. Who do we share your Personal Data with, and how do they process the Personal Data? 
   
   
   Your Personal Data is not shared outside of KAUST, and it is never sold. Only the Visitor Center has access to the profile you create or update on its visitor management system. 

9. How do we protect your Personal Data? 
   
   
   Your Personal Data will be held strictly confidential. All KAUST employees are required to sign and comply with KAUST's Confidentiality Agreement, which requires handling confidential information with the highest diligence and carefulness, in compliance with data privacy laws, and prohibits disclosure beyond a strict need to know.  
   
   KAUST protects your Personal Data with its firewall and with encryption in transit and at rest in its systems and applications. Any Personal Data received over email will be stored with strict access-controls and password protection. For more information about the technical measures KAUST applies to protect your Personal Data, please see KAUST's Minimum Security Standard, Information Security Policy, and Data Classification Procedure. 

10. How long do we keep your Personal Data?  
    
    Your Personal Data is retained in accordance with the retention periods listed below and then securely destroyed or anonymized.
    
    

    • Visit request application & visitor profile: 5 years after the end date of the visit
    • Entrance and exit logs, final checkout, and notification logs: 5 years after entry creation
    • License plate capture: 1 year from date of record
    • CCTV footage: 90 days unless required to investigate an incident.