Data Protection and Privacy 2025

SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

4.2 Personalised Advertising and Other Online Marketing Practices

In relation to marketing purposes, Article 10(2) of the PDPL permits the collection of personal data from publicly available sources without the data subject’s consent, as long as the collection and processing are necessary to achieve legitimate interests of the controller, and provided that this does not prejudice the rights and interests of the data subject and that no “sensitive data” is processed. Sensitive data is defined under the PDPL as:

• personal data revealing racial or ethnic origin, or religious, intellectual or political belief;
• data relating to security, criminal convictions and offences;
• biometric or genetic data for the purpose of identifying the person;
• health data; and
• data that indicates that one or both of the individual’s parents are unknown.

In such a context, for a legitimate interest to be established, it must outweigh any potential harm to the data subject’s rights and freedoms. This is outlined in Article 6(4) of the PDPL. Also, the controller must inform the data subject about the processing activities, including the legal basis for processing, the purpose of processing and the types of data collected; this is required under Article 12 of the PDPL. Accordingly, the data subject has the right to object to the processing of their personal data. Otherwise – and if the processing for the above purpose cannot be justified under legitimate interests – consent from the data subject is required. Such consent must be informed, meaning the data subject is fully aware of the nature, purpose and consequences of the data

• whether the personal data will be transferred, disclosed or processed outside KSA;
• the potential consequences and risks that may result from not collecting the personal data;
• the rights of the personal data subject pursuant to Article 4 of the PDPL; and
• such other elements as set out in the regulations based on the nature of the activity performed by the controller.

3.4 Regulators and Enforcement

The enforcement of data regulations in KSA involves several regulatory bodies. The primary body responsible for overseeing compliance with data protection laws is the SDAIA, which supervises the implementation of data protection practices. Additionally, the CSTC regulates IoT services related to communications technologies and ensures compliance with related laws. The NCA ensures that cybersecurity measures are in place to protect data, especially in IoT devices. The MoC enforces data protection laws related to electronic commerce, which also includes services that utilise IoT technology. These regulators collaborate to ensure that IoT providers comply with data protection and cybersecurity requirements.

4. Sectoral Issues

4.1 Use of Cookies

To date, no specific requirements are imposed in KSA for the use of cookies. For the general rules as regards gaining consent in relation to cookies, please see under Requirements for the Collection, Processing and Use of Personal Data in 3.3 Rights and Obligations Under Applicable Data Regulation.

