Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
We are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.Read the full edition
Sana Saleem - Associate - Digital & Data
Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data / Intellectual Property
In a data protection context, a ‘data controller’ can broadly be understood as someone (usually a corporate entity) who determines the purposes for which personal data is processed. ‘Personal data’ can generally be understood as data relating to an identifiable natural person, and a ‘data subject’ can be understood as the identifiable natural person to whom such personal data relates. The concept of ‘processing’ is very broad, and can include the collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, erasure or destruction of personal data.
Data controllers need to provide data subjects with certain information to ensure that the processing of such data subjects’ personal data is fair and legitimate. This needs to be considered when preparing or reviewing privacy policies intended to serve as formal notification to data subjects of such personal data processing activities.
Whether or not personal data is collected directly from data subjects, in each of the relevant jurisdictions data subjects must be informed of the identity of the data controller, the purposes of the intended processing of personal data, and any further information necessary to guarantee fair processing in relation to the data subject; having regard to the specific circumstances in which the personal data is collected. The latter may include:
Where personal data is collected directly from the data subject, information on whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply, should also be communicated to the data subject to ensure fair processing. Where personal data is not collected directly from the data subject, information on the category of personal data concerned should also be communicated to the data subject to ensure fair processing.
The data controller need not provide information that the data controller reasonably expects the data subject already has. Additionally, in the case of personal data not collected directly from the data subject, the provision of the information contemplated above is not required if it proves impossible to do so or would involve a disproportionate effort.
The manner in which such information is communicated to the data subject is not prescribed, although it needs to be consistent with the general obligation to process personal data fairly.
Right to access; right to rectify
In addition to the right to be provided with certain information as outlined above, the data protection laws and regulations in the DIFC, ADGM and QFC also provide data subjects with certain other rights with regard to access to, and rectification, erasure or blocking of, personal data, as well as a right to object to processing.
A data subject has the right to obtain from the data controller upon request, at reasonable intervals and without excessive delay or expense:
A data subject also has the right to object to the processing of personal data at any time on reasonable grounds relating to the data subject’s particular situation; and the right to be informed before personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
Data subject access rights do not apply to the actions of the various regulators, authorities and companies’ registrars in the relevant jurisdictions if the application of such provisions would be likely to prejudice the proper discharge of the powers and functions of these entities, in so far as those powers and functions are designed to protect members of the public against dishonesty, malpractice or other seriously improper conduct.
Data controllers operating in the DIFC, ADGM and QFC need to be aware of their obligations with regard to properly informing data subjects of personal data processing involving such data subjects’ personal data, and addressing legitimate data subject access requests.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data and data protection issues throughout the Middle East. For further information please contact Nick O’Connell (firstname.lastname@example.org) or Sana Saleem (email@example.com).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.