PRIVACY POLICY
Data Privacy and Protection
1-Strategy and Planning
- The Data and Business Intelligence Center must prepare and review a personal data protection plan to meet strategic and operational privacy requirements.
- The Data and Business Intelligence Center should lead the process of conducting the initial assessment of personal data protection to evaluate its current status, in collaboration with data owners.
- The Data and Business Intelligence Center, with the assistance of data owners, should assess the potential impacts of processing personal data related to any product or service provided to third parties and present the results to the Data and Business Intelligence Committee for risk identification and approval.
2-Personal Data Management and Governance
- The Data and Business Intelligence Center must identify, document, and monitor processes related to notifying data subjects and obtaining their consent in various scenarios.
- The Data and Business Intelligence Center must prepare and document procedures for managing and responding to privacy breaches and define roles and responsibilities associated with relevant data privacy activities.
- Data owners/data supervisors, in collaboration with the Data and Business Intelligence Center, must compile all classified data, including personal data, within a single repository for privacy activities and maintenance.
- The Data and Business Intelligence Center must prepare a privacy notice standard for use within the Royal Commission and support data owners in specifying the purpose of data collection and processing in line with their business requirements.
- Data owners must ensure that all employees in their department document and send a privacy notice to data subjects before or at the time the Royal Commission requests permission to collect or process personal data.
3-Personal Data Collection
- The Data and Business Intelligence Center must review the purpose of data collection to ensure it complies with regulations and is directly related to the Royal Commission’s business activities. It should also verify that the data content is limited to the minimum necessary to achieve the collection purpose.
- Data owners must ensure that data subjects are duly informed of the purpose, legal justification, methods, and means used for collecting, processing, and sharing personal data, along with security measures to maintain privacy in accordance with regulations.
- Data owners must notify data subjects about other sources used if data is collected indirectly (from third parties).
- Data owners must not collect personal data from children or individuals lacking legal capacity, other than the data of their guardians, and must obtain approval from the Data and Business Intelligence Center before doing so.
- Data collection may not require the subject’s consent when the sole purpose of collecting contact information from children and legally incapacitated individuals is to respond directly to a specific request.
4-Personal Data Processing
- The Data and Business Intelligence Center must ensure that data owners provide data subjects with a copy of their personal data upon request without any charge. If it concerns children or incapacitated individuals, the guardian’s identity must be verified before granting access.
- The Data and Business Intelligence Center must ensure that data owners correct any errors in personal data within a reasonable period and notify the data subject or guardian of the correction.
- The Data and Business Intelligence Center must ensure that data subjects can access their personal data to review and update it, and that the subject’s identity is verified, in accordance with approved cybersecurity controls, before access is granted.
- Processing personal data may not require the subject’s consent in certain exceptional cases according to National Data Management Office regulations:
  - If processing benefits the data subject and contacting them is difficult or impossible.
  - If processing is required for protection or judicial compliance.
  - If processing is necessary to address an imminent public health or safety threat.
  - If personal data was collected from a public source.
  - If the personal data is anonymized.
  - If the service provided to children or incapacitated individuals is preventive or advisory in line with the Royal Commission’s specialization.
  - If the data is for scientific, research, or statistical purposes without requiring the data subject’s consent, provided:
    - The Royal Commission participates in anonymizing data to ensure subjects’ identities cannot be determined.
    - The anonymization process occurs before transferring processed data to any external party.
  - If processing is authorized under another law or subject to a pre-existing agreement allowing the agreed-upon processing, data anonymization may not be required.
- Data owners must ensure that processing and storing data is done within the Kingdom’s geographical boundaries to maintain digital sovereignty. Data may only be processed outside the Kingdom after obtaining written approval from the National Data Management Office.
5-Personal Data Destruction/Deletion
- Upon the data subject’s request, the Data and Business Intelligence Center must ensure data owners dispose of all personal data or the requested portion from all systems under the Royal Commission’s control within a reasonable time and notify the subject after deletion.
- Data owners must ensure the timely destruction of personal data once its purpose has been fulfilled, except when retaining the data may identify the data subject or if there is a legal basis for its retention.
6-Sharing Personal Data
- Personal data must not be shared with other entities except for specified purposes with the data subject’s consent and in compliance with regulations, ensuring these entities follow relevant privacy procedures included in contracts and agreements.
- The data subject must be notified if their data is shared with other entities for different purposes and must consent to such use.
- The Data and Business Intelligence Center must obtain approval from the National Data Management Office before sharing personal data with external parties outside the Kingdom.
7-Personal Data Breach/Leak
- The cybersecurity department must conduct annual risk assessments of information systems that contain personal data and of the related operations, including data collection, processing, storage, and transfer, whether automated or manual.
- The Data and Business Intelligence Center must prepare and document processes for managing privacy breaches and assign relevant tasks to the designated team. This includes notifying the cybersecurity team and relevant stakeholders of any detected breach or leak.
- All Royal Commission employees must report personal data breaches to the cybersecurity department and the Data and Business Intelligence Center immediately. After the incident investigation, the Center must notify the data subject of the results.