Privacy and data protection in Saudi Arabia

The National Unified Platform (GOV.SA) understands the importance of your privacy and personal data; therefore, we are committed to keeping all important information and data of all users safe, secure and confidential.

The privacy policy and procedures of GOV.SA are governed by the Personal Data Protection Law (Royal Decree No. (M/19) dated 9/2/1443 AH), the main principles for the protection of personal information and the main principles and general rules for data exchange issued by the Saudi Authority for Data and Artificial Intelligence and the National Office for Management data.

The Personal Data Protection Law and its Implementing Regulations establish the legal basis for protecting your rights with respect to the processing of personal data by all entities in the Kingdom, as well as all entities outside the Kingdom that process personal data relating to individuals residing in the Kingdom using any means, including the processing of personal data via the Internet.

The basic principles of our data protection policy include:

Hold the head of the entity (or his designee) accountable for the data controller’s privacy policies and procedures.

Transparency through a privacy notice indicating the purposes for which personal data is collected.

Choice and consent obtained through implied or explicit consent in connection with the collection, use and disclosure of personal data prior to collection.

Restricting data collection to the minimum amount of data that enables the achievement of the purposes.

Use, keep and destroy strictly for the intended purpose, keep it as long as necessary to achieve the intended purposes or as required by laws and regulations and destroy it securely, preventing leakage, loss, theft, misuse or unauthorized access.

Data access through which a data subject can review, update and correct their personal data.

Restrictions on data disclosure approved by the data subject restrict third parties to the purposes set out in this Privacy Notice.

Data security by protecting personal data from leakage, damage, loss, theft, misuse, modification or unauthorized access, in accordance with the controls issued by the National Cybersecurity Authority and other relevant authorities.

Data quality after verifying its accuracy, completeness and timeliness.

Monitor and comply with the Data Controller’s privacy policies and procedures, and any privacy-related inquiries, complaints and disputes.

The National Data Management and Personal Data Protection Standards cover 15 areas of data management and personal data protection. The standards apply to all government data regardless of form or type, including paper records, email messages, data stored in electronic form, audio recordings, video clips, maps, images, scripts, handwritten documents, or other recorded data.

The application of the provisions of the Personal Data Protection Law and its executive regulations shall not prejudice the competencies and tasks of the National Cybersecurity Authority as a security authority concerned with cybersecurity and its affairs in the Kingdom.

Privacy and data protection agreement

As a user of GOV.SA and its application, you accept the privacy and data protection policies and regulations of the Kingdom of Saudi Arabia that control the platform and its application. This Agreement shall become effective immediately upon first use or access to the Platform.


User data collection

The purpose of collecting personal data is directly related to the purposes of GOV.SA and does not conflict with any specific provision. The methods and means of collecting personal information are appropriate to the owner’s circumstances, direct, clear and secure, and free from deception, misleading information or extortion. If it appears that the personal data collected is no longer necessary to fulfill the purpose for which it was collected, GOV.SA will stop holding it and destroy the previously collected data immediately.

GOV.SA will ensure that the following criteria are met before collecting your personal data:

Justification for collecting your personal data.

The purpose of collecting your personal data, whether all or part of it, is obligatory or optional, with further information about data processing that does not conflict with the purpose of collecting it or is otherwise provided by law.

The identity and reference address of the personal data collector where applicable, unless for security purposes.

The entity or entities to which the personal data will be disclosed and its description and whether the personal data will be transferred, disclosed or processed outside the Kingdom.

Possible effects and risks of non-compliance with the personal data collection procedure.

Your privacy and data protection rights as provided by law.

Other elements determined by the regulations depending on the nature of the activity carried out by this entity.

In the event that personal data is collected from non-owners, the following conditions will be met:

If the owner of the personal data agrees to do so, as provided by law.

If the personal data is publicly available or collected from a publicly available source.

If the entity is a public entity, and the collection of personal data is not directly owned or processed for a purpose other than the purpose for which it was collected, it is required for security purposes, to implement another regime, or to satisfy judicial requirements in accordance with the provisions specified in the regulations.

If compliance with this prohibition may harm the owner of the personal data or affect his vital interests, through the provisions specified in the regulations.

If the collection or processing of personal data is necessary to protect the health, public safety, or the life or health of a specific individual or individuals.

If the personal data is not recorded or stored in a format that makes it possible to directly or indirectly identify its owner.

What data do we collect?

When you visit GOV.SA, our servers automatically collect your IP address and collect information about the user’s browser, search engine, geographic location, and the date and time of the URL.

GOV.SA retrieves your personal data available on the Government Service Bus (GSB). Personal data, whatever its source or form, will explicitly identify an individual or make it possible to directly or indirectly identify an individual, and includes name, personal identification number, addresses, contact numbers, license numbers, personal records and possessions, bank account and credit card numbers, still or moving images of the individual, and other data of a personal nature.

It includes any operation carried out on personal data by any means, whether manual or automated, including collection, recording, preservation, indexing, arrangement, formatting, storage, modification, update, integration, retrieval, use, disclosure, transfer, publication, data sharing or interconnection, blocking, scanning, and destruction.

Cookies are files that are saved on your phone, tablet or computer when you visit GOV.SA.

Why do we need your data?

The use of the IP address helps us resolve any technical problems that arise on our servers, including statistics about the use of the Platform (such as the number of visitors, the language of the computer used, etc.). Users’ geolocation will benefit from the availability of specific services on its platform and application.

We use cookies to collect and store information about how you use GOV.SA and government digital services. Cookies enhance your use of the Platform and help us better understand your needs.

How do we process and store personal data?

Your personal data will not be processed without sufficient steps being taken to verify its accuracy, completeness, timeliness and relevance for the purpose for which it was collected by the provisions of the Regulations.

GOV.SA applies the highest security standards to protect data and information. Sensitive data and any data that must be kept confidential by legal requirements are encrypted and are subject to additional controls and procedures. Sensitive data includes an individual’s ethnic or tribal origin, religious, intellectual or political belief, or indicates membership in civic associations or institutions, in addition to criminal and security data, biometric data that identifies genetic data, insurance data, health data, location data, credit data, and data that indicates that one or both of the individual’s parents are unknown.

Our technical staff is permitted to handle this information only to provide such services to the GOV.SA Platform that are consistent with your needs. We never allow anyone other than the GOV.SA platform technical team to know your IP address.

Your information may be made available to government officials in exceptional circumstances where such a need arises; however, it will never be made available to the public without your prior consent. Furthermore, this information will not be circulated, exchanged, or sold to any third party without your prior consent.

Your personal data will only be disclosed in the following cases:

If you agree to disclose it in accordance with the provisions of the law.

If your personal data is collected from a publicly available source.

If the party requesting the disclosure is a public entity, for security purposes, to implement another system, or to meet judicial requirements in accordance with the provisions specified in the regulations.

If disclosure is necessary to protect public health or safety, or the life or health of an individual or individuals.

If the disclosure is limited to its subsequent processing in a way that does not lead to the identification of the personal data owner or any other individual specifically.

GOV.SA shall not disclose your personal data whenever the disclosure is characterized by any of the following:

It represents a threat to security, harms the reputation of the Kingdom, or conflicts with its interests

It affects the kingdom’s relations with other countries

It prevents disclosure of a crime, violates the rights of the accused to a fair trial, or affects the fairness of existing criminal proceedings.

It endangers the safety of an individual or individuals

It involves a violation of the privacy of an individual other than the owner of personal data as defined by the regulations

It conflicts with an incomplete or incapable interest

It violates established professional obligations

It involves a breach of an obligation, procedure or judicial ruling

It reveals a secret source of information that the public interest should not disclose.

GOV.SA will destroy your personal data as soon as the purpose for collecting it has ceased. However, it may retain this data after the end of the purpose of its collection if everything that leads to specific knowledge of the owner is removed in accordance with the controls specified in the regulations.

This platform retains personal data even after the end of the purpose of collecting it only in the following cases:

If there is a systematic justification, it must be kept for a specified period, in which case it must be destroyed after the end of this period or the purpose of collecting it, whichever is longer.

If the personal data is closely related to a case before a judicial body and its retention is required for this purpose, in which case it is destroyed after the completion of the judicial procedures of the case.

Terms of use

GOV.SA is available to all users. By accessing this Platform, you, the Users, are deemed to have entered into full agreement on all Terms of Use, including all applicable laws and regulations of the Kingdom of Saudi Arabia.

As a registered user, you have the full right to:

Access to information

Getting information

Correction or modification of information

Withdraw the Agreement and delete the information by sending an email request or contacting us here.

You, as a user who owns personal data, have the right to know (including to inform) what formal or practical justification was considered for collecting your personal data, and not to subsequently process your data in a manner inconsistent with the purpose for which it was collected or otherwise. You have the right to request the destruction of your personal data available to us without prejudice to the provisions of the law.

User restrictions: By accessing this platform, you agree to avoid:

Providing or uploading files that contain unauthorized software, materials, data, or any information or other files that may contain viruses

Use this platform to send any commercial or unsolicited email or misuse the platform in any other way

Post, advertise, distribute, or circulate materials and information that are defamatory or that violate the rules of the Kingdom, and any other unacceptable materials or actionable information

Use this platform to engage in any illegal activities in the Kingdom of Saudi Arabia

Using the platform to advertise any product or service that may lead to a violation of laws or rules in the Kingdom by using any tool, program or procedure that interrupts or may interrupt the operation of the platform

Take any action that places an unreasonable load or requires massive storage on the platform’s infrastructure.

TERMINATION OF USE: We have the authority, in our sole discretion, to limit a user’s right to log in, suspend or terminate its use without prior notice and for any reason, including violation of the Terms of Use or any action we may consider illegal or harmful to others. You will not be permitted to log into the Platform during such termination.

Except in circumstances stipulated by law, personal data may not be processed, or the purpose of its processing changed only with the consent of the owner. The Regulations specify the terms of consent, the circumstances under which consent must be in writing, and the terms and conditions for obtaining the consent of the legal guardian if the Personal Data Owner is incomplete or incapacitated. However, consent may not be a condition of providing a service or benefit unless the service or benefit is related to the processing of approved personal data.

Comment and e-Participation Standards: All comments in e-participation channels or on social networks are carefully reviewed to ensure that users observe the standards and regulations for making comments. This platform administration has the power to remove any comments deemed inappropriate, and users are obligated to:

Observe public morals and avoid any inappropriate phrases or use of impolite words.

Keep comments relevant and focused on the issue under discussion.

Avoid intolerance and personal criticism that does not enrich the discussion.

Ensure complete accuracy when referring to Quranic texts or religious opinions and allow only specialists to discuss such topics.

Avoid posting personal information, such as contact details, in comments.

Any further modifications to the Terms of Use shall be applied immediately upon the announcement unless otherwise specified.

Data Leakage: GOV.SA shall notify the appropriate authority as soon as it becomes aware of the leakage or corruption of personal data or unlawful access. Furthermore, if any such precedent would cause serious damage to your data, the entity will notify you immediately.

Communication: With the exception of educational materials sent by public entities, GOV.SA may not use your personal means of communication, including your postal and electronic addresses, to send advertising or educational materials, except as follows:

The consent of the intended recipient is required to send this material to him.

The sender of the material shall provide a clear mechanism, as specified by the regulations, for the intended recipient to express their desire to stop sending them when they wish to do so.

With the exception of sensitive data, personal data may be processed for marketing purposes if it is collected directly from the owner and has been agreed upon in accordance with the provisions of the law.

Furthermore, your personal data may be collected or processed for scientific, research or statistical purposes without your consent, only in the following cases:

If the personal data does not include proof of your identity

If your identity is destroyed during processing and before it is disclosed to any third party, this data is not sensitive.

If the collection or processing of personal data for these purposes is required by another system or in implementation of a previous agreement to which you are a party.

Official documents identifying the owner of personal data may not be photocopied, except where this is in implementation of the provisions of the regulations or when such photocopying is required by a competent public authority in the manner specified by the Rules.

Except for cases strictly necessary to preserve your life, or to prevent, test, or treat disease infection, the GOV.SA entity may not transfer your personal data outside the Kingdom or disclose it to a destination outside the Kingdom unless it is in implementation of an obligation under an agreement to which the Kingdom is a party, or to serve the interests of the Kingdom, or for other purposes specified by the regulations, after the following conditions are met:

The transfer or disclosure shall not prejudice national security or the vital interests of the Kingdom.

Provide adequate guarantees to keep the personal data to be transferred or disclosed confidential, so that the standards for protecting personal data are not less than those stated in the law and regulations.

Transfer or disclosure is limited to the minimum amount of personal data necessary.

The approval of the competent authority for the transfer or disclosure as determined by the regulations.

Except as provided herein, the Competent Authority may release GOV.SA, on a case-by-case basis, from compliance with one of the Conditions when the competent authority assesses, individually or jointly with other parties, that personal data will have an acceptable level of protection outside the Kingdom, and this data is not sensitive data.

This platform keeps records for a period specified by the regulations, where the records include the following minimum data:

Entity contact details

The purpose of processing personal data

Categories of personal data subjects.

The party to whom the Personal Data has been (or will be) disclosed.

Whether the personal data has been (or will be transferred) outside the Kingdom or disclosed to a party outside the Kingdom.

The expected period of retention of personal data.

Offenses and Penalties: Without prejudice to any severer penalty stipulated in another law, the penalty for committing the following offenses is due to its failure if:

The penalty shall be imprisonment for a period not exceeding (two years) and a fine not exceeding (three million) riyals, or one of these two penalties, if this is with the intent of harming the person who owns the data or achieving a personal benefit.

Anyone who violates the provisions of transferring or disclosing personal data outside the Kingdom shall be punished by imprisonment for a period not exceeding (one year) and a fine not exceeding (one million) riyals, or one of these two penalties.

While there is no special provision of the law, and without prejudice to any harsher penalty stipulated in another law, every person of a special or legal nature – covered by the provisions of the law – who violates any of the provisions of the law or regulations shall be punished with a warning or a fine not exceeding five million riyals. The fine penalty can be doubled in the case of a repeated violation, even if it exceeds its maximum limit if it does not exceed twice that limit.

The Public Prosecution Office is responsible for investigating and prosecuting before the competent court regarding these violations. The competent court hears cases arising from the application of this article and imposes the stipulated penalties.

A committee (or more), whose members are not fewer than (three), one of whom is named as chairman and which includes a Sharia or legal advisor, shall be responsible for examining the violations and imposing the penalty of warning or fine stipulated herein, according to the type of violation committed, its seriousness and the extent of its impact, provided that the head of the competent authority issues a decision setting out the rules of work of the committee, in which the remuneration of its members shall be determined. Anyone who objects to the Committee’s decision has the right to appeal to a competent court.

Without prejudice to these provisions of the law, GOV.SA will hold any of its employees accountable – disciplinary – in the event of their violation of any of the provisions of the law and regulations, in accordance with the provisions and procedures for accountability and discipline set forth in the law.

Without prejudice to the penalty imposed by the law, anyone who has suffered damage due to committing any of the violations stipulated in the law or the regulations has the right to claim compensation before the competent court for material or moral damages commensurate with the extent of the damage.

Furthermore, any person who has commenced a business of processing personal data is obligated to maintain secrets relating to the data even after the termination of his employment or contractual relationship.

Disclaimer of responsibility

This Privacy and Data Protection Policy applies to GOV.SA only. You should read the Privacy and Data Protection Policy carefully when transferring to another website through this Platform.

The provisions and procedures of the law do not prejudice any provision that grants the right of the owner of personal data or decides to better protect it, provided for in another system or international agreement to which the Kingdom is a party.

No Liability: The platform has been prepared to comply with current regulations in the Kingdom of Saudi Arabia. Under this Resolution, the Digital Government Authority cannot guarantee:

Accuracy and reliability of information

Responding to an external attack or external hacking.

Sustainability or effectiveness

Appropriateness of the platform content

Neither the platform nor the server will contain viruses or other harmful components.

No digital government agency or other government agency shall be held liable for direct or indirect loss or damage that may result from the use of the Platform.

Use at your own risk: The platform contains links to other websites that are not under the control of the Digital Government Authority and therefore it is not responsible for the content of those websites. Any risks arising from browsing websites through the links provided on the platform are the responsibility of the user.

The Platform contains links to other websites or portals that may attempt to protect information and privacy using different tools than those used by the Platform; thus, we are not responsible for the content or the privacy protections used. Users are advised to review the privacy policies of these websites.

Some of the Authority’s websites use cookies; these cookies give users full access to websites. If desired, cookies can be used to remember passwords and to simplify access to the website. Cookies are stored on your computer’s hard drive if accepted and encoded.

LIMITATION OF LIABILITY: Users hereby acknowledge that they understand that online communications can be spied on or hacked by third parties. As confirmed, users understand that the platform will not change the information provided by official government agencies, in addition, all applications and administrative procedures can also be submitted online directly and carried out in person.

The Platform assumes no liability for any loss or damage that Users may suffer from using and visiting the Platform, including as a result of any information, statement or offer advertised.

Furthermore, the Platform is not responsible for any problems that may arise in accessing the Internet and any damages to machinery or software, nor can it be held liable for any misconduct or malicious comment made by other users logged into it.

Virus Protection: Users should make use of appropriate anti-virus software when attempting to download any content from the Platform. We are not responsible for any loss or damage to data or a User’s computer that may arise while using this Platform or any of its content.

Disclaimer of Claims: GOV.SA and all its services, information resources and other materials are for personal use without endorsement or warranty. The platform is not responsible for errors or omissions that may arise due to the use of its content or links, whether known or unknown.

Any communication or information that Users transmit from the Platform is neither the possession of the sender nor guaranteed in terms of privacy. In addition, any interactive use by users of the Platform does not guarantee any rights, licenses, or privileges.

Indemnifications: Users hereby agree to never act against the Digital Government Authority or its directors, including all authorized agencies, employees or agents responsible for managing or updating the GOV.SA platform for unified government services. This clause is considered a legal exemption from obligations or responsibilities related to claims resulting from the user’s violation of the terms, conditions of use or other relevant regulations inside and outside the Kingdom of Saudi Arabia.


1- Networks and Information Security.. by Manal El-Belaksy.

This book mostly talked about networks and information security in a technical way. It did not touch much on what was mentioned in the new Saudi regulations or the international systems for the protection of information, but I added it to find out how penetration takes place, by whom, and how to protect and follow up to stop the theft.

2- Trends in Information Security and Security.. by the author Sari Muhammad Al-Khaled.

As for this book, he touched on the mechanism of information protection and how to fill the gaps in it, and he touched on some countries that have established correct laws to prevent anyone who tries to steal personal information and how it is protected legally and technically.

3- Criminal Protection for Electronic Security.. by Hazem Hassan Al-Jamal.

In this book, the writer touched on the Saudi system and that there is no system that protects electronic data, but this book was before the new system was put in place, and in most of the book it talks about crimes and how they can be solved by setting criminal penalties that deter anyone who tries to commit this crime from doing it.

4- Cybernetics and Law (Accidents and Issues) by Aseel Al-Juaid.

In this book, the author spoke about cybersecurity and how it is a set of procedures and precautions for technical information, and he spoke in particular about the Kingdom of Saudi Arabia and that it seeks to establish cybersecurity to reduce these crimes in cooperation with the competent authorities in this.

5- Intellectual property rights (their role in protecting digital works) by Khaled Hassan Lotfy.

In this book, the author talked about intellectual property rights in detail and in all global systems, and how he can legally protect his intellectual property rights, and what penalties are imposed on anyone who violates this right, even if they are international.

6- Protecting privacy through the digital environment.. by the author in the name of Mohamed Fadel.

In this book, the author spoke about how countries have begun to keep pace with developments by preserving most of their information digitally, and how the information privacy of each individual is protected in the digital environment, which is now a very large reference that may be subject to theft or penetration.

7- Cyber Security and Information Security Protection by Dahan Hizam Al-Quraiti.

In this last book, the author spoke about cyber security in all countries of the world and how laws are set to protect information security, and he touched on some strict international laws under this context to protect information.

This article was written by Abdulrahman AlTuwejri from PMU University