Data Protection and Privacy 2025

SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

3.2 Interaction of Data Regulation and Data Protection

IOT service providers must ensure that users are informed and give explicit consent before their personal data is collected through IOT devices. The PDPL requires that individuals have the right to access their data and request corrections. Both IOT providers and data processors must implement robust security measures to protect data against breaches and unauthorised access, as stipulated in the NCA’s guidelines. These obligations align with the PDPL’s security provisions for preventing data breaches.

The PDPL mandates that personal data be destroyed when it is no longer necessary, which interacts with IOT providers’ obligations to ensure that devices or systems do not retain unnecessary data. The interaction ensures that data protection is not overlooked as IOT technologies expand, balancing innovation with the protection of individuals’ rights to privacy and security.

3.3 Rights and Obligations Under Applicable Data Regulation

Requirements for the Collection, Processing and Use of Personal Data

Article 10 of the PDPL stipulates that the controller may collect personal data only from the personal data subject. Such personal data may only be processed for the purpose for which it is collected. However, the controller may, on an exceptional basis, collect personal data from a person other than the personal data subject or process personal data for a purpose other than that for which the personal data is collected, as follows.

• Where the personal data subject consents in accordance with the provisions of the PDPL.
• Where the personal data is publicly available or collected from a publicly available source.
• Where the controller is a public entity, and the personal data was not collected, or processed, as required either for security purposes or in order to implement another law, or to fulfil judicial requirements in accordance with the provisions set out in the regulations.
• Where compliance with this restriction may cause harm to the personal data subject or affect the vital interests of the personal data subject (as set out in the regulations).
• Where collection or processing of personal data is necessary to protect public health or safety or to protect the life or health of a specific individual. The regulations shall set out the rules and procedures applicable in this respect.
• Where the personal data will not be recorded or stored in a form that makes it possible to identify the personal data subject directly or indirectly. The regulations set out the rules and procedures applicable in this respect.

Article 11 of the PDPL stipulates the following in relation to privacy, fairness and legitimate interest.

• The purpose for which personal data is collected must be directly related to the controller’s purposes and not contravene any applicable legal provisions.
• The methods and means of collecting personal data must: (a) not conflict with any legal provisions; (b) be suited to the circumstances of the personal data subject; (c) be direct, clear and secure; and (d) not involve any deception, misleading or extortion.
