The Saudi Authority for Data and Artificial Intelligence is working to regulate the protection of personal data in the Kingdom, and has put the final touches on activating the executive regulations of the protection system. The aim is to clarify the provisions and procedures related to the system so that those addressed by its provisions know their legal rights and obligations related to personal data.
This includes direct marketing, that is, communicating with the personal data subject by any physical or electronic means with the aim of directing marketing material to them, including but not limited to advertisements or promotions, even if this does not include marketing for the sale of a product or service.
The draft regulation (a copy of which "Okaz" viewed) revealed that, before processing personal data for direct marketing purposes, the intermediary party must obtain the consent of the data owner and inform him, upon obtaining his consent, of the types of his personal data that will be used in direct marketing. It must also provide a mechanism that allows the data owner to withdraw his consent to the processing of his personal data for the purpose of direct marketing, and to stop receiving relevant marketing materials at any time, provided that the mechanism is simple and fast, without financial consideration, and that the procedures for revoking consent are similar to or easier than the procedures for obtaining it.
The new system sets out a prohibition on photocopying or copying official documents issued by public agencies that identify the owner of personal data, except at the request of a competent public authority or when this is in implementation of the provisions of a system. The controlling authority must provide the necessary protection for these documents and destroy them immediately at the end of their purpose, unless there is a legal requirement to keep them.
The system requires the intermediary, before sending promotional or educational materials, to obtain the express consent of the target recipient in the absence of prior interaction between the controlling entity and the target recipient. The regulation granted the owner of the personal data the right to submit a complaint to the competent authority within a period not exceeding 90 days from the date of the incident in question or from the owner of the personal data becoming aware of it. Personal from filing his complaint during this period. The regulation obligated the controlling authority to take organizational, technical and administrative measures and means to ensure the preservation of credit data from any illegal use, misuse, access by unauthorized persons, or use for purposes other than the purpose for which it was collected. The regulation also obligates the control authorities to notify the competent authority in the event of an incident of leakage of personal data within a period not exceeding 72 hours from the time of becoming aware of the incident, if that incident is liable to harm the personal data or the owner of the personal data, or is inconsistent with his rights or interests.