Data Privacy and Protection Policy
Website: nrc.com.sa
Effective Date: July 01, 2025
Obtain explicit, specific, freely given consent before any personal data processing. Allow users to withdraw consent at any time without affecting unrelated services. Where legitimate interest is relied on as the legal basis instead of consent, assess and document that reliance.
Publish a clear, concise privacy notice before collecting data. Include legal justification, purpose, type of data, recipients, retention duration, and user rights.
Provide users with rights to access, correct, delete, object to processing, and withdraw consent. Ensure a response to each request within 30 days.
Only collect data necessary for clearly defined purposes. Avoid collecting unrelated or excessive data.
Implement technical and organizational safeguards (e.g., encryption, access controls). Notify SDAIA within 72 hours of a breach, and notify affected users as well if the breach poses a high risk to them.
Appoint a DPO if processing is large-scale or involves sensitive data. The DPO should oversee compliance, impact assessments, and act as liaison with SDAIA.
Conduct DPIAs for high-risk processing activities. Document identified risks and mitigation strategies.
Maintain a Record of Processing Activities (ROPA) for at least 5 years post-processing.
Ensure vendors and service providers comply with PDPL. Include confidentiality and breach reporting obligations in contracts.
Obtain SDAIA adequacy approval or ensure safeguards for international data transfers. Inform users and obtain consent where required.
Register with SDAIA and provide ROPA and other compliance documentation as required.
Be aware that violations can lead to fines (SAR 5M+), imprisonment, or both. Ensure compliance without delay: the grace period has already expired (it ended Sept 14, 2024).