Direct Marketing: Communicating with the Data Subject by any direct physical or electronic means with the aim of directing marketing material; this includes, but is not limited to, advertisements or promotions.
Subject to the provisions of Article (12) of the Law, the Controller shall ensure the following requirements are met when drafting the Privacy Policy:
1. The Privacy Policy shall be articulated in clear, simplified, and comprehensible language to accommodate the diverse levels of understanding among the various categories of Data Subjects.
2. The language employed in the Privacy Policy shall be consistent with the language customarily used for the provisioning of services or products to the respective categories of Data Subjects whose data is being processed.
1. Controller shall obtain Consent from a targeted recipient before sending advertising or awareness material in case of the absence of a prior interaction between the Controller and the targeted recipient.
2. Conditions for obtaining the targeted recipient's consent for advertising or awareness materials shall be as follows:
a. Consent shall be given freely, and no misleading methods shall be used to obtain it.
b. Targeted recipient shall be enabled to specify the options related to advertising or awareness material subject to consent.
c. Consent of a targeted recipient shall be documented in a manner allowing future verification.
1. Prior to processing Personal Data for the transmission of advertising or awareness materials, the Controller shall adhere to the following:
a. Obtain consent from the targeted recipient, where such consent shall be given freely, and no misleading methods shall be used to obtain it.
b. Targeted recipient shall be enabled to specify the options related to advertising or awareness material subject to consent.
c. Consent of the targeted recipient shall be documented in a manner allowing future verification.
1. Without prejudice to the Telecommunication and Information Technology Law or any other related laws, before processing Personal Data for Direct Marketing purposes, the Controller shall abide by the following:
a. Obtain consent from the Data Subject in accordance with the provisions of Article (11) of this Regulation.
b. Provide a mechanism that enables the Data Subject to halt the reception of marketing material whenever desired, and ensure that the procedure for halting the reception of such material is as simple and easy as the process for obtaining consent to receive such materials.
2. When sending direct marketing material to a Data Subject, the identity of the sender shall be clearly disclosed.
3. When the Data Subject withdraws their consent for Direct Marketing purposes, the Controller shall, without undue delay, halt sending marketing material.
1. Without prejudice to the Telecommunication and Information Technology Law or any other related laws, before processing Personal Data for Marketing purposes, the Controller shall abide by the following:
b. Provide a mechanism that enables the Data Subject to withdraw their consent, according to Article (12) herein.
2. When the Data Subject withdraws consent to Personal Data processing for Marketing purposes, the Controller shall halt without undue delay.
3. The personal data protection officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Regulations. Specifically, their responsibilities include:
a. Acting as the direct point of contact with the Competent Authority and implementing its decisions and instructions regarding the application of the provisions of the Law and its Regulations.
b. Supervising impact assessment procedures, audit and control reporting related to Personal Data protection requirements, documenting assessment results, and issuing necessary recommendations.
c. Enabling the Data Subject to exercise their rights as stipulated in the Law.
d. Notifying the Competent Authority of Personal Data Breach incidents.
e. Responding to requests from Data Subjects and addressing complaints filed by them in accordance with the provisions of the Law and its Regulations.
f. Monitoring and updating the records of Personal Data processing activities of the Controller.
g. Handling the Controller's violations related to Personal Data and taking corrective actions accordingly.
4. The Competent Authority shall issue rules for the appointment of the data protection officer, which shall include the circumstances under which a data protection officer shall be appointed.
3. The Controller shall document the appointment of the Personal Data Protection Officer.
4. Pursuant to Article (34) herein, the Controller shall, immediately upon appointment of the Personal Data Protection Officer, provide the Competent Authority with the Personal Data Protection Officer's contact information via the Competent Authority's Platform, and shall update such information whenever the Personal Data Protection Officer is replaced.
5. The Personal Data Protection Officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to the rights stipulated in the Law. Specifically, their responsibilities include:
b. Providing internal support and counsel to the Controller regarding the implementation of the provisions of the Law and Regulations, and promoting awareness thereof.
e. Responding to requests from Data Subjects and addressing complaints filed by them in accordance with the provisions of the Law and the Regulation.
h. Overseeing impact assessment procedures and review and audit reports related to Personal Data protection controls, documenting the assessment results, and issuing the necessary recommendations in this regard.
1. The Controller shall keep a record of Personal Data Processing activities for the entire period during which Personal Data is being processed, and until five years after the end date of any Personal Data Processing activity.
2. Records of Personal Data Processing activities shall be written.
3. The Controller shall ensure that the records of Personal Data processing activities are accurate and up to date.
4. Controller shall provide access to the records of Personal Data Processing activities to the Competent Authority upon request.
5. The record of Personal Data Processing activities shall include, at a minimum, the following:
a. Controller's name and relevant contact details.
b. Information about the Data Protection Officer, where required in accordance with paragraph (1) of Article (32) of this Regulation.
c. Purposes of the personal data processing.
d. Description of the Personal Data categories being processed and the Data Subject categories.
e. Retention periods for each Personal Data category, where possible.
f. Categories of entities to which Personal Data is disclosed.
g. Description of operations of Personal Data transfer outside the Kingdom, including the legal basis for the transfer and recipient parties.
h. Description of the procedures and organizational, administrative, and technical measures in place that ensure the security of Personal Data, where possible.
6. Competent Authority shall provide templates of records of Personal Data Processing activities.
1. The Controller shall keep a record of Personal Data processing activities, as stipulated in Article (31) of the Law, for the entire duration of such processing activities, and up to five (5) years commencing from the termination date of each respective Personal Data processing activity.
2. The Controller shall ensure that the records of Personal Data processing activities are accurate and up to date.
3. The Controller shall provide access to the records of Personal Data processing activities to the Competent Authority upon request.
1. The Controller shall be obligated to register in the National Register of Controllers through the Competent Authority's Platform if any of the following conditions are met:
a. If the Controller is a public entity.
b. If the Controller's primary activity is based on the processing of Personal Data.
c. If the Controller transfers Personal Data outside the Kingdom or discloses it to entities outside the Kingdom, in accordance with Article (4) of the Regulation on Personal Data Transfer Outside the Kingdom.
d. If the Controller processes sensitive data.
e. If the Controller processes the Personal Data of individuals lacking partial or full legal capacity.
2. The Competent Authority's Platform shall contain a separate register for each Controller, wherein the records referred to in Article (31) of the Law and other necessary documents or information related to Personal Data processing are recorded.
3. The obligation stipulated in Paragraph (1) of this Article shall apply to individuals if they are included in the definition contained in Article 1(18) of the Law, in cases where they process Personal Data for purposes that go beyond personal or family use.
1. A Data Subject may submit a complaint to the Competent Authority within a period not exceeding ninety (90) days from the date of the incident in question or from the date the Data Subject became aware of it. The Competent Authority may determine the admissibility of a complaint submitted after this period if it finds that there were reasonable grounds that prevented the Data Subject from filing the complaint within the specified timeframe.
2. The Competent Authority shall receive the complaints that are submitted to it, through the means it adopts and according to procedures that ensure celerity and quality.
3. The Competent Authority shall keep a record of the complaints filed in a register specifically created for this purpose.
4. The complaint shall include the following information:
a. Place and time of the violation.
b. Name, identification, address, and telephone number of the complainant.
c. Information about the entity subject to the complaint.
d. Clear and specific description of the violation, along with the evidence and the information provided with the complaint.
e. Any other requirements specified by the Competent Authority.
5. The Competent Authority shall examine and study the complaints, their documents, and may communicate with the complainant as needed to request the relevant documents and information.
6. The Competent Authority shall take the necessary measures regarding the complaints submitted to it and inform the complainant of the outcome.
1. The Competent Authority shall receive the complaints that are submitted to it, through the means it adopts and according to procedures that ensure celerity and quality.
2. The Competent Authority shall keep a record of the complaints filed in a register specifically created for this purpose.
3. The complaint shall include the following information:
b. Name, identification, address, and telephone number of the complainant or their representative.
4. The Competent Authority shall examine and study the complaints and their documents, and may communicate with the complainant as needed to request the relevant documents and information.
5. The Competent Authority shall take the necessary measures regarding the complaints submitted to it and inform the complainant of the outcome.
Last update: 21 April 2025