The Controller may only collect Personal Data directly from the Data Subject and may only
process Personal Data for the purposes for which they have been collected. However, the
Controller may collect Personal Data from a source other that the Data Subject and may
process Personal Data for purposes other than the ones for which they have been collected
in the following situations:
The Data Subject gives their consent in accordance with the provisions of this Law.
Personal Data is publicly available or was collected from a publicly available source.
The Controller is a Public Entity, and the Collection or Processing of the Personal Data is
required for public interest or security purposes, or to implement another law, or to fulfill
judicial requirements.
Complying with this may harm the Data Subject or affect their vital interests
Personal Data Collection or Processing is necessary to protect public health, public
safety, or to protect the life or health of specific individuals.
Personal Data is not to be recorded or stored in a form that makes it possible to directly
or indirectly identify the Data Subject.
Personal Data Collection is necessary to achieve legitimate interests of the Controller,
without prejudice to the rights and interests of the Data Subject, and provided that no
Sensitive Data is to be processed.
The Controller may set time frames for exercising the right to access Personal Data
stated in ParagraphData Subject shall have the following rights pursuant to this Law and as set out in the Regulations:
The right to be informed about the legal basis and the purpose of the Collection of their
Personal Data.
The right to access their Personal Data held by the Controller, in accordance with the
rules and procedures set out in the Regulations, and without prejudice to the provisions of
Article (9) of this Law.
The right to request obtaining their Personal Data held by the Controller in a readable and
clear format, in accordance with the controls and procedures specified by the Regulations.
The right to request correcting, completing, or updating their Personal Data held by the
Controller.
The right to request a Destruction of their Personal Data held by the Controller when such
Personal Data is no longer needed by Data Subject, without prejudice to the provisions of
Article (18) of this Law. of 1-The Law applies to any Processing of Personal Data related to individuals that takes
place in the Kingdom by any means, including the Processing of Personal Data related to
individuals residing in the Kingdom by any means from any party outside the Kingdom. This
includes the data of the deceased if it would lead to them or a member of their family being
identified specifically.
The scope of applying the Law excludes the individual's Personal Data Processing for
purposes that do not go beyond personal or family use, as long as the Data Subject did not
publish or disclose it to others. The Regulations shall define personal and family use
provided in this Paragraph. herein as stipulated in the Regulations. The Controller
may limit the exercise of this right in the following cases:
If this is necessary to protect the Data Subject or other parties from any harm,
according to the provisions set forth the Regulations.
If the Controller is a Public Entity and the restriction is required for security
purposes, required by another law, or required to fulfill judicial requirements.
The Controller shall prevent the Data Subject from accessing Personal Data in some situations
The Controller shall, without undue delay, Destroy the Personal Data when no longer
necessary for the purpose for which they were collected. However, the Controller
may retain data after the purpose of the Collection ceases to exist; provided that it
does not contain anything that may lead to specifically identifying Data Subject
pursuant to the controls stipulated in the Regulations.
In the following cases, the Controller shall retain the Personal Data after the purpose
of the Collection ceases to exist:
If there is a legal basis for retaining the Personal Data for a specific period, in which
case the Personal Data shall be destroyed upon the lapse of that period or when the
purpose of the Collection is satisfied, whichever longer.
If the Personal Data is closely related to a case under consideration before a judicial
authority and the retention of the Personal Data is required for that purpose, in
which case the Personal Data shall be destroyed once the judicial procedures are
concluded.