Personal Data Protection

​ What is personal data?

Personal data is defined as: Any statement, regardless of its source or form, that specifically identifies user or makes it identifiable directly or indirectly, including but not limited to names, personal identification numbers, addresses, contact numbers, license numbers, records, personal property, bank account numbers, credit cards, still and moving user photos, and other data of a personal nature.​ Personal data is known as direct identifiers if they directly indicate identity of the person, as there are indirect identifiers for the user, and the following are examples of direct and indirect identifiers.​​

1

Direct identifiers

Name, personal photos, fingerprints, records numbers (national ID, passport number, license number, bank account number), credit card, contact number, home address, user's usage behavior, digital (IP), email, health data.

Why is personal data significant? Data contributes to strategic decision-making and helps improve performance and business efficiency, by processing and benefiting from data in several aspects, including conducting studies and analysis and creating data-driven products and services, and accelerating reliance on data worldwide. Most countries have tended to enact regulations and legislations that govern processing of personal data, to maintain its privacy and maintain its owners’ rights. Personal data in the Kingdom is regulated through the national data supervisor, which in turn adopts strategies, proposes draft laws and regulations and approves data-related policies and regulations in coordination with relevant authorities.

What is CST’s role towards Personal Data Protection in telecommunications, information technology, and space sector?

In accordance with the Telecommunications Act, its Implementing Regulations and CST powers granted thereby, including those related to maintaining personal data privacy, CST’s role is to regulate handling and governance of personal data as one of CST core strategic priorities in telecommunications, information technology, and space sector in the Kingdom CST has also issued a number of regulatory documents related to personal data privacy, to regulate several aspects, including processing of personal data, placing obligations on teleco​mmunications, information technology, and space service providers, and granting users their rights against service providers. Such regulatory documents include:

The main document for preserving privacy of users’ personal data, protecting their rights in line with international best practices, raising confidence in preserving personal data in CST-supervised or regulated sectors. Such Principles aim to enable telecommunications, information technology, and space service providers to invest and innovate in services and applications that provide added value to users by making use of personal data. Generally, such Principles cover key principles and legal bases recognized internationally and locally in dealing with personal data, in addition to service provider obligations to ensure protection of users personal data. The principles also included core rights of users regarding their personal data, most notably, accessing, modifying, updating, and obtaining a copy of such data.

Such Procedures are to regulate and govern procedures for launching services or products relying on user personal data/personal data sharing. The Procedures apply to telecommunications, information technology, and space service providers, and clarify CST regulatory, procedural and temporal requirements for raising “Objection” or “No-Objection” request to share data and launch services/ products that rely on users personal data

​The Guide aims to provide guidance to telecommunications, information technology, and space service providers on the process of assessing privacy risks in services and products that rely on personal data, and to clarify the proce​ss of assessing privacy risks and its basic components for service providers to fulfill approved privacy requirements. The Guide covers key aspects in assessing privacy risks, including defining roles, responsibilities, and detailed steps for conducting evaluation. This includes defining purpose and legal justification, defining personal data, scope and description of all types of data processing, defining security controls to be enforced, as well as risks of privacy violations and documentation processes.​​​

The document aims to identify situations where the service provider is not obligated and is exempt from conducting a privacy impact assessment. The document applies to providers of telecommunications, space, and technology services and includes criteria for determining the need for a privacy impact assessment, as well as a model for notifying the authority.
Your response has been submitted.