Personal Data Protection Policy
Learn about the Personal Data Protection Policy, designed to ensure the security and confidentiality of information, detailing how data is collected, stored, and used in compliance with Kingdom regulations and laws.
Personal Data Protection Policy
The Introduction
The Personal Data Protection Policy aims to ensure that documents and content containing personal data are created within the Authority and appropriately stored, accessed, managed, and disposed of in a manner that reflects business and regulatory compliance requirements and in line with applicable standards. This document provides clear guidance on managing obligations under the protection area. Personal data at the National Data Management Office (NDMO).
-
Scope
This policy applies to all types of personal data collected, processed, stored, archived, and disposed of by the Authority. In addition to all systems processing personal data, and all employees using personal data to achieve organizational goals.
-
Main Principles
First Principle: Responsibility
Privacy policies and procedures specific to the Authority are defined, documented, approved by the Authority's management (or their delegate), and disseminated to all relevant parties.
Second Principle: Transparency
The Authority's privacy policies and procedures - Privacy Notice - must be posted, indicating the purposes for which personal data will be collected in clear and understandable language.
Third Principle: Choice and Consent
The purpose of collecting any personal data must be explained to the data subject, and their consent (implicit / explicit) must be obtained regarding the collection, use, and / or disclosure of personal data before collection.
Fourth Principle: Limiting Data Collection
Collecting any personal data is limited to the minimum data necessary to achieve the purposes specified in the Privacy Notice.
Fifth Principle: Limiting Data Use, Retention, and Disposal
The use of personal data is limited to the purposes specified in the Privacy Notice, which the data subject has implicitly or explicitly consented to. Additionally, data must be retained as long as necessary to achieve the intended purposes or as required by laws and regulations. Furthermore, data must be securely destroyed to prevent leakage/loss, theft, misuse, unauthorized access to data.
Sixth Principle: Data Access
The Authority must provide a means for any data subject to review, update, and correct their personal data.
Seventh Principle: Limiting Data Disclosure
Disclosure of personal data to a third party is limited to the purposes specified in the Privacy Notice, which has been consented to by the data subject.
Eighth Principle: Data Security
Personal data must be protected from leakage/loss, destruction, loss, theft, misuse, modification, or unauthorized access - in accordance with the controls issued by the National Cybersecurity Authority and relevant authorities.
Ninth Principle: Data Quality
Personal data must be retained after verification of its accuracy, completeness, and timeliness, and this data must be directly relevant to the purposes specified in the Privacy Notice.
Tenth Principle: Monitoring and Compliance
Compliance with the Authority's privacy policies and procedures must be monitored, and any inquiries, complaints, and disputes related to privacy must be addressed.
-
Authority's Responsibility
The Saudi Electricity Regulatory Authority is not responsible for intellectual products, studies, or reports based on this data, in addition to any harm or misuse suffered by parties due to the use of this data published on the Authority's electronic portal. The Authority is also not responsible for any errors or missing data in open data and does not guarantee the continuity of the availability of this data or any part thereof. Furthermore, the Authority bears no responsibility towards users of this data, and any harm or loss they may incur due to its reuse.
-
Visitors and Site Beneficiaries Responsibility
Visitors to the portal and beneficiaries of The Saudi Electricity Regulatory Authority's electronic portal should continuously and periodically review the terms and principles of privacy and information confidentiality to be aware of any updates made to them, knowing that the site management is not required to announce any updates made to those terms and principles, and your use of the Authority's website means your acknowledgment and acceptance of those terms and principles and any continuous amendments thereto.
-
Data Reuse
This privacy and information confidentiality-related information has been prepared to assist visitors to the Authority's portal in understanding the nature of the data collected from them when visiting the site and how to deal with it.
The Information Technology Management and Site Management take appropriate measures and measures to secure the personal information they have in a manner that ensures its protection from loss, unauthorized access, misuse, modification, and unauthorized disclosure.
-
Related Legislation
- National Data Governance Policies issued by the Saudi Data and Artificial Intelligence Authority (SDAIA): (Principal Guidelines for Personal Data Protection)
- National Data Management, Governance, and Personal Data Protection Regulations and Specifications