The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other that the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:

1. The Data Subject gives their consent in accordance with the provisions of this Law.
2. Personal Data is publicly available or was collected from a publicly available source.
3. The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
4. Complying with this may harm the Data Subject or affect their vital interests
5. Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.
6. Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.
7. Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Controller may set time frames for exercising the right to access Personal Data stated in ParagraphData Subject shall have the following rights pursuant to this Law and as set out in the Regulations:

1. The right to be informed about the legal basis and the purpose of the Collection of their Personal Data.
2. The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.
3. The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations.
4. The right to request correcting, completing, or updating their Personal Data held by the Controller.
5. The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law. of 1-The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.
6. The scope of applying the Law excludes the individual's Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph. herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:
   • If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth the Regulations.
   • If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.
7. The Controller shall prevent the Data Subject from accessing Personal Data in some situations

The Controller shall, without undue delay, Destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.

In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:

1. If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever longer.
2. If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.