It is also necessary to indicate the rights of the data subject in the privacy statement, which must be communicated to the data subject before the personal data are collected and processed. The Kingdom of Saudi Arabia has issued its first comprehensive data protection law. The Data Protection Act (DPA) aims to protect the privacy of individuals' personal data and to regulate the collection, processing, disclosure or storage of personal data by organizations. In addition to the PDPL, the Basic Law of Governance of 1992 (Royal Decree No. A/91 of 1992, 'the Basic Law') defines privacy as a right to personal dignity, guarantees the secrecy of communications and generally prohibits surveillance, with some exceptions. The Basic Law also contains Sharia principles against invasion of privacy or disclosure of secrets. In addition, the Prevention of Cybercrime Act 2007 (Royal Decree No. M/17), the E-Commerce Act 2019 and other industry regulations contain provisions on data protection. These laws define the regulatory powers of the National Cybersecurity Authority and the Communications and Information Technology Commission (CITC) in their respective sectors. In particular, the CITC has published general rules for the privacy of users' personal data in the telecommunications and information technology sector (only available in Arabic), as well as the Data Protection Guide for Risk Assessment for Telecommunications Service Providers and criteria for determining the need for data protection risk assessments (only available in Arabic). The concept of “data protection impact assessment” takes the form of an obligation for the controller to assess the impact of a product or service provided by the controller on the protection of personal data. The Data Protection Act does not provide for regulatory measures regarding cookies.
Accordingly, the general data protection provisions of data protection law also apply to online privacy. The law imposes restrictions on disclosure that apply to some of these scenarios, including if the disclosure poses a risk to national security, compromises the integrity of ongoing criminal investigations, violates the privacy of another individual, or violates professional or other confidentiality obligations. The PDPL comes into force on September 17. March 2023, but this period can be delayed by up to five years for companies outside Saudi Arabia that process personal data of Saudi residents. The objective of the PDPL is to ensure the protection of personal data, regulate the exchange of data and prevent the misuse of personal data. In particular, the PDPL includes key principles such as purpose limitation and data minimisation, obligations of controllers including the recording and keeping of records of data processing, rights of data subjects and sanctions for breaches of regulations. Following a series of data protection developments in the Middle East, the most recent is Saudi Arabia's first data protection law, namely the Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Decision No. 98 of 14 September 2021 (“PDPL”), published in the Official Journal on 24 September 2021. This article aims to summarize the key provisions of the HPPA, as well as key considerations and challenges for practitioners, in developing and advancing their privacy programs towards compliance with the HPPA. It should also be noted that, according to an opinion of the Commissioner on the protection of personal data on the websites of public and private controllers, data subjects have the right to be informed by the controller if their personal data has been compromised (lost or stolen data or if their online privacy is likely to be compromised).
To our knowledge, the Commissioner's view in this notice is for guidance purposes only and has no binding effect.
In addition, in the event of a personal data breach, the entrepreneur providing publicly available electronic communications services shall immediately inform the Electronic and Postal Communications Authority (ECHA).