1. Introduction 

1.1 General Introduction about Policy

Data privacy means the protection of private and sensitive information shared  between individuals and entities. In other words, privacy relates to the rights  individuals have regarding their control over the information they share and its use.  Private and sensitive data includes personal information such as name, address,  phone number, and email, as well as sensitive information like financial and criminal  data. 

1.2 Objective of Policy  

This policy aims to ensure that data is collected and used lawfully, by the  specific purposes for which it is collected, and with a defined timeframe for its retention.  It also emphasizes the commitment to adhering to cybersecurity requirements, as well  as relevant legislative and regulatory requirements. 

1.3 Policy Scope and Implementation  

This policy applies to all information retained by ECZA, whether in electronic or  physical form, including, for example: 

  • Electronic data/information stored and processed by desktop and mobile  computers, as well as storage devices. 
  • Information transmitted over networks. 
  • All paper records. 
  • Visual and imaging materials.

This policy applies throughout the lifecycle of all data and information, starting  from creation, storage, usage, and until disposal. It encompasses all employees of the  organization, contractors, and external parties who may have access to or process the  preserved and confidential information of the organization.

2. Policy Statements  

2.1 General Terms and Conditions 

2.1.1 ECZA must identify and document the applicable privacy laws and regulations.  Additionally, monitor any changes or updates regarding the applicable privacy  laws and regulations to reflect them in the privacy policy.

2.1.2 Explicit consent must be obtained from beneficiaries or employees of ECZA for  the collection and processing of their data, except when it is required by Saudi  Arabian law. 

2.1.3 Personally identifiable information must be processed legally, fairly, and  transparently concerning the data of beneficiaries or employees of ECZA. 

2.1.4 Privacy controls and mechanisms must be implemented, including  pseudonymization, encryption, anonymization, and differentiation. 

2.1.5 Privacy controls and mechanisms should include technological means that  must be evaluated by ECZA. 

2.1.6 Sources of personally identifiable information within ECZA: 

  • Directly from individuals. 
  • Indirectly, ECZA must notify individuals via email within one month. 

2.1.7 Personal data of employees and beneficiaries must be protected during the  phases of collection, transfer, processing, and disposal. 

2.1.8 ECZA must specify, document, and obtain consent for the storage of personal  data of employees and beneficiaries according to the purposes for which it was  collected and will be used. If there is no need to store or use this data, ECZA must refrain from collecting such data. If the data is collected, the following  reasons must be clarified: 

  • The necessity of collecting and categorizing personal data . 
  • Operational needs and the purpose of collecting each category of personal  data . 
  • Retention period for personal data . 
  • Details of recipients to whom the personal data has been or will be disclosed . 
  • Details of the source of personal identifying information if it is not collected  directly from the data subject. 

2.1.9 Personal identifying information must be stored, processed, and transferred  accurately and securely according to the needs, and the retention period of the  collected information, with the consent of the individuals concerned and privacy  notification.

2.1.10 Personal identifying information must not be used for training or research  purposes. 

2.1.11 Personal identifying information must be regularly reviewed and deleted as per  the business needs or retention period. 

2.1.12 Periodic evaluations of the privacy of personal identifying information must be  conducted. 

2.1.13 Data hosting must comply with the regulations of the National Cybersecurity  Authority to be located within the Kingdom of Saudi Arabia, either on ECZA's  servers or with national cloud service providers and hosting providers. 

2.1.14 Personal identifying information related to convictions, criminal offenses, or  relevant security measures should not be processed without the supervision of  the official authorities. 

2.1.15 Personal identifying information should only be processed within the Kingdom  of Saudi Arabia, and external parties must be obligated to do so by including it  in contracts or related documents. If ECZA wishes to share personal identifying  information with external parties, ECZA must obtain consent from the National  Data Management Office. 

2.1.16 ECZA must store and process personal identifying information only within the  Kingdom of Saudi Arabia and impose this requirement in contracts with external  parties or relevant documents. When ECZA needs to share personal identifying  information with an entity outside the Kingdom, it seeks approval from the  National Data Management Office. 

2.2 Personal Identifiable Information 

2.2.1 ECZA must ensure the continuous confidentiality, integrity, availability, and  ongoing flexibility of processing systems and services. 

2.2.2 ECZA must ensure the ability to recover the availability of personal data and  timely access to it in the event of a physical or technical incident. 

2.2.3 ECZA must test and evaluate the effectiveness of technical and organizational  measures to ensure the security of processing. 

2.2.4 Personal identifying information must be collected for specified, explicit, and  legitimate purposes and processed in a manner that is compatible with those purposes. Additional processing for archiving purposes, public interest, or  statistical purposes should be consistent with the initial purposes. 

2.2.5 Personal identifying information should be adequate, relevant, and limited to  what is necessary for the purposes for which it is processed. 

2.2.6 Personal identifying information must be accurate, appropriate, and up-to-date, measures should be taken to promptly erase or correct inaccurate personal  identifying information regarding the purposes. 

2.2.7 Personal identifying information should be retained in a form that allows the  identification of data subjects for the time necessary for processing personal  information. 

2.2.8 Appropriate security controls must be implemented to protect personal  identifying information from unauthorized or unlawful processing, as well as  from loss, damage, or accidental destruction, using appropriate technical or  organizational measures. 

2.2.9 If personal identifying information is obtained from sources other than the data  subject, the data subject must be informed, ECZA must also send a privacy  notice to the data subject. 

2.3 Rights of Personal Data Subjects 

2.3.1 When the data subject exercises their rights under the applicable privacy law,  ECZA must respond by taking any action required by the relevant privacy law  unless the request is unclear or unfounded. ECZA takes the necessary actions  within one month of receipt unless a different timeframe is specified under the  applicable privacy law. This applies to: 

  • The right to obtain authorization for the collection, use, retention, and sharing  of personal identifying information before its collection, or before any new uses  or disclosures of previously collected personal identifying information. 
  • The right to obtain authorization for the collection, use, maintenance, and  sharing of personal identifying information before its collection, or before any  new uses or disclosures of previously collected personal identifying  information.
  • The right to understand the consequences of granting or denying consent for  the collection, use, disclosure, and retention of personal identifying  information. 
  • The right to withdraw consent at any time. 
  • The right to access or obtain a copy of personal identifying information . The right to rectification . 
  • The right to erasure. 
  • The right to restrict data processing . 
  • The right to notification. 
  • The right to data portability. 
  • The right to object . 
  • The right to respond to complaints, concerns, or inquiries . 
  • The right to complain to the supervisory authority. 
  • The right to access the privacy notice of the organization . 
  • The right to access all information in the inventory of personal identifying  information. 

2.4 Principle of Privacy by Design 

2.4.1 ECZA must adopt the principle of privacy by design and ensure compliance  with privacy requirements on current, new, or significantly modified systems  that collect or process personal identifying information. 

2.4.2 ECZA must regularly conduct privacy impact assessments on all systems that  collect or process personal identifying information. This assessment includes  the following: 

  • Implementing principles for protecting personal identifying information .
  • Fulfilling responsibilities of the control unit . 
  • Applying security controls to safeguard personal information. 
  • Implementing principles for protecting personal identifying information .
  • Fulfilling responsibilities of the control unit .
  • Applying security controls to safeguard personal information . 
  • Ensuring that the legal basis for processing personal identifying information is  unambiguous . 
  • Ensuring that all employees involved in processing personal identifying  information understand their responsibilities . 
  • Ensuring that the collection, use, processing, storage, and sharing of personal  identifying information are conducted for the authorized purpose(s) specified  in privacy notices . 
  • Ensuring that ECZA provides effective notification to the public and data  subjects regarding any changes in its activities that impact privacy, including  collection, use, sharing, maintenance, and disposal of personal identifying  information . 
  • Following rules related to obtaining personal consent . 
  • Conduct regular reviews of procedures involving personal identifying  information . 
  • Adopting the Principle of Privacy by Design for all new or modified systems  and processes. 

2.4.3 ECZA must implement appropriate techniques for data anonymization and  encryption to protect personal identifying information. 

2.4.4 ECZA must fulfill the following authentication requirements and provide access  to them through data subjects' profiles regarding processing activities related  to personal identifying information: 

  • Objectives of processing personal identifying information . 
  • Processing activities conducted on personal identifying information .
  • Processing categories of personal identifying information . 
  • Agreements and mechanisms for transferring personal identifying information  to and from other organizations, after obtaining consent or a data subject's  request . 
  • Retention schedules for personal information .
  • Existing security controls to protect personal information.

2.4.5 ECZA must raise awareness among its employees about this policy and its role  in protecting personal identifying information. 

2.5 The Dufult Privacy 

2.5.1 ECZA must take appropriate technical and organizational measures to ensure  that personal identifying information is not processed by default without  justification. This applies to the quantity of personal identifying information  collected, the extent of its processing, the duration of its storage, and who has  access to it. In particular, ECZA must ensure that personal identifying  information is not automatically accessible to an indefinite number of individuals  without any action from the data subject 

2.5.2 Any transfer of personal identifying information must be based on the consent  or request of the individual whose personal information is being transferred. 

2.5.3 Before transferring personal identifying information outside the organization, a  privacy impact analysis must be conducted. 

2.5.4 Appropriate notification must be sent to the individual whose personal  identifying information is being transferred, including the recipients to whom the  personal identifying information will be disclosed, including the date, nature,  and purpose of each disclosure, as well as the names and addresses of the  recipients to whom the disclosure has been made 

2.5.5 The adequacy of protection for personal identifying information in the receiving  party must be ensured. This includes: 

  • Receiving the organization's name and relevant details . 
  • Objectives of processing personal identifying information . 
  • Categories of individuals and processing of personal identifying information .
  • Categories of recipients of personal identifying information . 
  • Agreements and mechanisms for transferring personal identifying information .
  • Retention schedules for personal information . 
  • Relevant technical and organizational controls implemented in ECZA.

2.6 Third Party Requirements 

2.6.1 ECZA must establish privacy requirements through a data privacy policy  document, documenting and obtaining approval for the procedures related to  the collection, use, processing, and sharing of data with contractors,  processors, and service providers. These requirements should be included in  contracts and other relevant documents. 

2.6.2 When ECZA and other controlling units jointly determine the purposes and  means of data processing, they must act as joint controllers. They should  transparently define the responsibilities of each party and ensure compliance  and adherence to applicable privacy laws and regulations. 

2.6.3 In cases where processing is carried out on behalf of ECZA, ECZA must use  processors that provide sufficient guarantees to implement appropriate  technical and organizational measures in a manner that meets the  requirements of applicable privacy laws and regulations. This ensures the  protection of the rights of individuals whose personal data is being processed. 

2.7 Records Processing and Review 

2.7.1 ECZA must record processing activities. This record should include, but is not  limited to, the following information: 

  • Name and contact details of the data processor (the entity processing the  data) . 
  • Purposes of the processing . 
  • Description of data subject categories and categories of personal data. 

2.7.2 ECZA must make the record available to the organization's auditor and the  supervisory authority upon request. 

2.7.3 ECZA must periodically review the personal identifying information stored to  ensure that only the information specified in the notice is collected and retained  and that the personal identifying information is still necessary for the lawful  purpose it was collected for.

2.8 Awareness and Training  

2.8.1 ECZA must develop a comprehensive training and awareness program,  document it, obtain approval for it, implement it, and regularly update it to  ensure that employees understand their responsibilities and privacy  procedures. This includes managing basic privacy training and role-based  privacy training for employees responsible for personal identifying information  or involved in activities involving personal identifying information. 

2.9 Privacy Notice 

2.9.1 ECZA must identify, document, approve, and implement the requirements for  providing an effective notice to the public and data subjects regarding the  following: 

  • Privacy-related activities, including the collection, use, sharing, retention, and  disposal of personal identifying information. 
  • The supervisory authority responsible for collecting personal identifying  information. 
  • Any choices individuals may have regarding the ECZA's use of personal  identifying information and the consequences of exercising or not exercising  those choices. 
  • The right to access and modify personal identifying information if necessary. 
  • The types of personal identifying information collected by ECZA and the  purpose for which such information is collected. 
  • ECZA's methods of using personal identifying information. 
  • Whether ECZA shares personal identifying information with external entities,  the categories of those entities, and the purposes of such sharing. 
  • Whether individuals can consent to specific uses or sharing of personal  identifying information and how to exercise such consent. 
  • How individuals can access or obtain personal identifying information.
  • How personal identifying information will be protected. 
  • The period for which personal identifying information will be stored.
  • The data subject's right to request access to personal data, rectification,  erasure, or restriction of processing concerning the data subject, as well as the  right to object to processing and the right to data portability. 
  • The right to withdraw consent at any time by the data subjects. 
  • The right to lodge a complaint or raise concerns or questions with ECZA and  to file a complaint with the supervisory authority. 
  • Whether the provision of personal data is legally or contractually required, as  well as whether the data subject is obliged to provide personal data and the  potential consequences of not providing such data. 
  • Changes in practices or policies affecting personal identifying information or  changes in privacy-related activities, as soon as possible before or after such  changes. 

2.9.2 ECZA must ensure the availability of its privacy practices to the public through  its organizational websites. 

2.9.3 ECZA must inform the data subject before lifting processing restrictions if the  processing is restricted by the data subject. Personal data, except for storage,  must be processed only with the consent of the data subject. 

2.9.4 ECZA must notify any correction, erasure, or restriction of personal data to each  recipient to whom the personal data has been disclosed. The data subject shall  be informed by the controller about those to whom their data has been shared  if requested. 

2.9.5 ECZA must inform and provide appropriate assurances to the data subject  when personal data is transferred to another country or an international  organization. 

2.9.6 ECZA must ensure public access to information about its identity and contact  details. 

2.9.7 ECZA must ensure that the public has the right to access information related to  its privacy-related activities and can communicate with its privacy officer.

2.10 Privacy Violation 

2.10.1 ECZA must develop, document, approve, and implement a privacy incident  response plan and execute it when necessary. 

2.10.2 If a violation occurs with the potential to endanger privacy or the protection of  personally identifiable information, ECZA must follow the response plan and  response procedures, and notify the cybersecurity management. 

2.10.3 ECZA must develop, document, approve, and implement a procedure for  reporting breaches of privacy related to personally identifiable information to  the data owners without delay.