Privacy Policy

Personal Data Protection Law

Article 1: General Definitions

In this law, the following terms shall have the meanings assigned to them unless the context requires otherwise:

  1. Personal Data Protection Law: Refers to this law that aims to safeguard personal data.
  2. Regulations: The implementing regulations of the law.
  3. Competent Authority: The entity designated by a Council of Ministers’ decision to oversee the application and enforcement of this law.
  4. Personal Data: Any information related to an identified or identifiable individual, whether directly or indirectly, through reference to an identifier such as a name, identity number, biometric data, or other identifiers.
  5. Processing: Any operation performed on personal data, whether manually or electronically, including but not limited to collection, recording, storage, modification, use, publication, disclosure, transmission, or erasure.
  6. Data Collection: The process by which personal data is gathered for lawful and clear purposes, ensuring the data owner is aware of the collection purpose.
  7. Data Subject: The natural person to whom the personal data relates.

Article 2: Scope of Application

  1. This law applies to any processing of personal data within the Kingdom of Saudi Arabia, including the data of residents and expatriates.
  2. Personal data processed outside the Kingdom is subject to this law if it belongs to individuals residing within the Kingdom or pertains to them.
  3. Data processing for family or personal use is exempted from this law, as long as the data is not intended for public disclosure.

Article 3: Rights of Data Subjects

Data subjects shall have the following rights:

  1. The right to be informed about the collection of their personal data, the purpose of the processing, and how it will be used.
  2. The right to access their personal data and request corrections for any inaccuracies.
  3. The right to request the deletion of personal data if it is no longer needed for the purpose it was collected or processed.
  4. The right to object to or limit the processing of their personal data under certain circumstances as specified in the regulations.

Article 4: Conditions for Data Processing

  1. Personal data may only be processed with the data subject’s clear and explicit consent, except in cases where consent is not required by law.
  2. Processing without consent is permissible when necessary for public interest, legal obligations, or for the protection of the vital interests of the data subject or others.
  3. The processing of sensitive data is subject to stricter controls and may only occur under specific legal grounds and protections as detailed in the regulations.

Article 5: Data Retention

  1. Personal data must only be retained for the period necessary to fulfill the purpose for which it was collected, unless otherwise required by law.
  2. Once the purpose of processing has been achieved, personal data must be deleted or anonymized, ensuring it is no longer linked to the data subject.

Article 6: Data Transfers

  1. Personal data may not be transferred outside the Kingdom of Saudi Arabia without ensuring that adequate levels of protection are in place, consistent with the standards set forth in this law.
  2. International data transfers are only permissible under conditions that ensure data subjects’ rights and privacy are adequately protected.

Article 7: Security Measures

  1. The entity responsible for processing personal data must implement appropriate technical, administrative, and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
  2. The Competent Authority may issue guidelines for the required security measures to ensure the safe handling of personal data.

Article 8: Breach Notifications

  1. In the event of a data breach that poses a risk to the data subject’s rights or privacy, the data controller must notify the Competent Authority without delay and take all necessary steps to mitigate the impact of the breach.
  2. Data subjects affected by the breach must be informed promptly if the breach poses a high risk to their rights or freedoms.

Article 9: Data Controller Obligations

  1. Data controllers are responsible for ensuring compliance with this law and its regulations, including securing data subject consent where necessary, maintaining accurate records of processing activities, and responding to data subject requests.
  2. Data controllers must designate a data protection officer to oversee compliance, where required by the regulations.

Article 10: Penalties for Non-Compliance

  1. Violations of this law may result in penalties, including fines and imprisonment, as determined by the Competent Authority.
  2. Fines for violations may be increased based on the severity of the breach, the volume of personal data involved, and the impact on data subjects’ rights.

Article 11: Final Provisions

  1. The provisions of this law shall be supplemented by implementing regulations issued by the Competent Authority.
  2. This law shall be published in the official gazette and will take effect 180 days after its publication.