Data Protection System in the Kingdom of Saudi Arabia

In a data-driven world, protecting personal information is more than just a necessity; it’s an obligation that fosters trust between individuals and organizations.

In the age of digitalization... Data is the new fuel

In today’s world, where data has become the backbone of an organization’s success, it is no longer just scattered numbers and information, but a valuable resource for strategic decision-making.

Organizations rely mainly on data to develop their strategies and achieve more effective performance. However, to make the most of this vital resource, it is imperative to manage data in a professional and thorough manner.

Here, the role of data management and protection emerges as one of the most important elements that contribute to protecting privacy and improving the efficiency of organizations.

Data Management: The Beating Heart of Enterprise Decisions

Data management involves the development and implementation of policies and strategies that help organizations strike a balance between data governance, data analysis, and privacy protection, enhancing organizations’ abilities to innovate sustainably in a rapidly changing environment.

By effectively managing data, organizations can make accurate decisions based on correct and informed information, thereby increasing the effectiveness of their day-to-day operations.

Strategic Objectives of the Data Management Office

The Data Management Office aims to achieve several objectives to regulate data management and protection, including the following:

What is the difference between public personal data and sensitive personal data?
General Personal Data
Sensitive Personal Data
Data is not just information; it is an asset protected by laws and regulations to enhance trust and security.

With the Personal Data Protection System, organizations are confidently moving towards a secure and sustainable digital future.

What is a Personal Data Protection System?

The Personal Data Protection Law in the Kingdom is the legal framework that regulates the collection and processing of personal data to ensure the protection of individuals’ privacy. The Law, issued by Royal Decree No. (M/19) dated 9/2/1443 H and amended by Royal Decree No. (M/148) dated 5/9/1444H, aims to enhance the protection of individuals’ digital rights and ensure that their data is used in accordance with the highest legal and security standards.

The Importance of a Personal Data Protection System

Regulation of Processing: The system sets strict limits on data processing within government and private entities.

Privacy Protection: It aims to ensure that individuals’ rights to privacy are protected and not violated.

The 10 most important principles of the Personal Data Protection System in the Kingdom

Responsibility

The organization's administrators define and enforce privacy policies.

Transparency

Inform individuals about how their data is collected and used.

Selection and approval

Give individuals the right to consent to the processing of their data.

Limiting data collection

Collect only necessary data.

Access to data

Enable individuals to access their personal data.

Limiting Disclosure

Disclose data only for the purposes specified.

Data Security

Secure data against leakage and unauthorized access.

Data Quality

Maintain accuracy and update data periodically.

Monitoring and Compliance

Monitor compliance with data protection policies.

Limiting usage

Use data for the specified purposes only.

Personal Data Protection System Ideas and Clauses

  1. Personal Data Subject’s Rights and Exceptions
  2. Purpose of Collection and Processing of Personal Data
  3. Cases of collecting personal data from a source other than its owner
  4. Disclosure of Personal Data
  5. Personal Data Processing Provisions
  6. Use cases of personal data
  7. Transfer of personal data outside the Kingdom
  8. Destruction of personal data
  9. Provisions of Violating the Personal Data Protection Law
What are the rights of the personal data subject according to the Personal Data Protection Regulation?

The Personal Data Protection Law has approved a number of clauses that grant the personal data subject rights over the protection and circulation of their data.

  • The right to know, including informing the individual of the legal justification for the collection of his personal data and the purpose for which it is collected.
  • The right to access personal data.
  • The right to request his/her personal data held by the controller in a readable and clear form.
  • The right to request the correction, completion or update of his/her personal data held by the controller.
  • The right to request the destruction of his/her personal data when it is no longer needed.
  • The personal data subject may withdraw the consent at any time and the system shall determine the necessary controls for this purpose.
  • Personal data may not be processed, nor may the purpose of processing be changed, without the consent of the owner.
  • The personal data subject has the right to submit to the competent authority any complaint arising from the application of the Law and Regulations.

Use cases of individuals' personal data

The protection and handling of personal data in accordance with strict controls is one of the priorities of the system. However, there are specific cases in which the personal data of individuals can be used for marketing, educational, research, or statistical purposes, provided that the following controls are adhered to:

Pre-approval

The personal means of communication of the personal data subject may not be used for advertising, marketing, educational, research, or statistical purposes without obtaining the consent of the intended recipient.

Stop mechanism

The sending party shall provide a clear and specific mechanism, as determined by the Regulations, to enable the recipient to express his/her wish to stop receiving such materials at any time.

Marketing Processing

Except for sensitive data, personal data may be processed for marketing purposes if the data subject consents to this.

Use of Personal Data for Scientific or Statistical Purposes

With respect to personal data used for scientific, research or statistical purposes, it may be collected or processed without the consent of the data subject in the following cases:

Anonymity

If the personal data does not include any indication of the identity of the owner, directly or indirectly.

Destruction of identity

If any information indicating the identity of the data subject was destroyed before it was disclosed to any party, and did not include sensitive data.

Legal Compatibility

If the collection or processing of data for these purposes is necessary based on another system or pursuant to a previous agreement to which the data subject is a party.

Provisions for the processing of personal data in accordance with the Personal Data Protection Law

Data subject's consent

The data subject’s consent cannot be required as a condition of obtaining a service unless the service relates to the processing of their data.

Processing in accordance with data protection laws

The controller must ensure that processors comply with data protection laws, and verify this periodically.

Comply with a Privacy Policy

There should be a clear privacy policy that explains how the data is collected, its purposes, and the rights of its owners, and it should be made available to them when collecting their data.

Data Accuracy

Collected data must be verified as accurate, and must not be processed unless it is correct and complete.

Periodically update and correct data

Establish periods for data updates and corrections, and inform third parties of adjustments as needed.

Data Protection

All necessary measures must be taken to protect personal data, especially when it is transferred.

Report a data leak

The competent authorities must be informed if a data leak occurs, as well as the data subject if it may affect him.

Responding to data subjects' requests

The controller must respond to the requests of data subjects within a specified period and by appropriate means.

Assessing the impact of data processing

The impact of data processing on products or services provided to the public must be assessed.

Photocopying documents legally

Documents that identify the data subject can only be photocopied or copied if it is lawful.

Confidentiality of information

Everyone who handles data must keep it confidential even after the work is done.

Transfer of personal data outside the Kingdom

The system allows the transfer of personal data beyond the Kingdom’s borders in certain cases, with the aim of achieving a balance between protecting the privacy of individuals and the requirements of international transactions.

International commitments

If the data transfer is carried out in implementation of an obligation stemming from an international convention to which the Kingdom is a party.

Serving the Kingdom's interests

If the transfer is necessary to protect or promote the Kingdom’s vital interests.

Personal Commitments

If the transfer is necessary to carry out obligations to which the personal data subject is a party.

Other Purposes

If the transfer is carried out for specific purposes as stipulated in the regulations.

Conditions to be met when transferring personal data outside the Kingdom

  • Protect national security: Ensure that the data transfer does not compromise the national security or vital interests of the Kingdom.
  • Level of Protection: The recipient must have a level of protection that is equal to or exceeds the level of protection stipulated in the Law and Regulations.
  • Minimum necessary: Data transfer must be limited to the minimum necessary to achieve the purpose of the transfer or disclosure.
  • Exceptions to necessity: Special exceptions apply in emergency situations, such as to preserve the life of the data subject, protect their vital interests, or in cases of disease prevention, screening, or treatment.

Exceptional cases of collecting personal data from a source other than its owner

As part of the protection of personal data, the system adheres to strict controls to regulate the collection and processing of data.

However, there are some exceptional cases where personal data can be collected from a non-owner or processed for a different purpose than the one for which it was collected.

Pre-approval

The data can be collected if the data subject expressly consents, in accordance with the applicable provisions and legislation in the Law.

Publicly available data

If personal data is publicly available, or collected from a public source, it may be processed without the consent of the owner.

Public interest or security

If the collection or processing of personal data is required to serve the public interest, for security purposes, to implement another law or legislation, or to comply with judicial requirements.

Protecting vital interests

Where compliance with the prohibition may harm the personal data subject or affect their vital interests, the collection of data is permitted without their consent.

Public Health and Safety

Where it is necessary to protect public health or the life of an individual or group of individuals, personal data may be collected and processed.

Non-Specific Data

If the personal data will not be recorded or stored in a form that makes it possible to identify the owner, either directly or indirectly.

Legitimate interests

Data may be collected or processed for legitimate interests, provided that it does not conflict with the rights or privacy of individuals.

Digital Transformation and the Future of Data Protection

Thanks to the Personal Data Protection System, Saudi institutions will remain in a privileged position and ensure the protection of individuals’ data and enhance trust between customers and businesses. With the escalation of digital challenges, the protection of personal data is more important than ever.

It is time for all organizations in the Kingdom to adhere to data protection rules, and to ensure that data is handled responsibly and professionally, to enhance digital security in the modern era.
