SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company
• The content of the personal data should be appropriate and limited to the minimum amount necessary to achieve the purpose of the collection. The regulations shall set out the rules applicable in this regard.
• If the personal data collected is no longer necessary for the purpose for which it has been collected, the controller must cease the collection and destroy the previously collected personal data.

Article 15 of the Implementing Regulations also provides specifications related to the collection of data from third parties, while Article 16 of the Implementing Regulations addresses the processing of data, other than sensitive personal data, for legitimate interests by private entities. A legitimate interest is defined as any necessary interest of the controller that requires the processing of personal data for a specific purpose, provided it does not adversely affect the rights and interests of the data subject.

Legitimate interests include, inter alia, the disclosure of fraud operations and the protection of network and information security. The controller may process personal data to achieve a legitimate interest provided that the processing purpose is legal, but in so far as the processing of data balances the rights and interests of the data subject with the legitimate interests of the controller, and, in doing so, the controller does not adversely affect the rights and interests of the data subject. Processing should be within the reasonable expectations of the data subject.

Internal or External Privacy Policies

Article 12 of the PDPL stipulates that the controller should adopt a personal data privacy policy and make it available to personal data subjects for review prior to collecting personal data. The policy should specify:
• the purpose of collection;
• the personal data to be collected;
• the method of collection;
• the means of storage and processing;
• the manner in which the personal data shall be destroyed; and
• the rights of the personal data subject in relation to the personal data, and how such rights shall be exercised.

Data Subject Access Rights

Article 5 of the PDPL states that a data subject has the right to access their personal data with the controller, provided that such access does not negatively impact on the rights of others, such as intellectual property rights or trade secrets. Article 6 also makes it clear that, subject to certain parameters, data subjects have the right to request a copy of their personal data in a readable and clear format from the controller.

Article 13 of the PDPL stipulates that, when collecting personal data directly from the personal data subject, the controller should take appropriate measures to inform the personal data subject of the following prior to collection:

• the legal basis and valid practical reasons for collecting their personal data;
• the purpose of the collection, whether collecting some or all of the personal data is mandatory or optional, and that the personal data collected will not be subsequently processed in a manner inconsistent with the collection purpose or in circumstances other than those stated in Article 10 of the PDPL;
• the identity of the person collecting the personal data and the address of such person’s representative, if necessary (unless the collection is for security purposes);
• the entities to which the personal data will be disclosed, the capacity of such entities, and