Personal Data Protection Policy

Overview:

This policy sets a unified framework for the protection of personal data in accordance with the National Data Governance Policy issued by the National Data Management Office (NDMO), and in alignment with the regulations and legislation issued by the NDMO and the National Cybersecurity Authority regarding personal data protection. The policy aims to strike a balance between the benefits and risks associated with data sharing between entities in both the public and private sectors. It organizes the process of publishing open data, providing access to public information, and exchanging protected data, including personal data. This contributes to increasing the level of transparency, promoting integrity, and eliminating unnecessary confidentiality by regulating the exercise of the right to access public information through the use of administrative controls and technical measures adopted in information security policies to ensure the protection of personal data.

Objectives:

This policy aims to implement the controls related to personal data protection in accordance with the legislative requirements issued by the National Data Management Office, specifically the documents titled "Data Management, Governance, and Personal Data Protection Controls" (Version 1.5 – January 2021) and the "National Data Governance Policy" (Second Edition – 26/05/2021).

  • Principles of Personal Data Protection:

  • Responsibility: Privacy policies and procedures for the university's websites and electronic systems are defined and documented for both internal and external users.

  • Transparency: A privacy notice is prepared for all university websites and electronic systems for both internal and external users, specifying clearly, explicitly, and precisely the purposes for which personal data is processed.

  • Choice and Consent: All possible choices available to the data subject are specified, and their (explicit or implicit) consent is obtained regarding the collection, use, or disclosure of their data.

  • Data Minimization: Data collection is limited to the minimum necessary to fulfill the purposes stated in the privacy notice.

  • Limiting Use, Retention, and Disposal: Processing of personal data is restricted to the purposes stated in the privacy notice and for which the data subject has given implicit or explicit consent. Data is retained only as long as necessary to fulfill the stated purposes or as required by laws, regulations, and policies in the Kingdom, and must then be securely destroyed to prevent leakage, loss, theft, misuse, or unauthorized access.

  • Access to Data: Mechanisms are established and made available through which data subjects can access their personal data to review, update, or correct it.

  • Limiting Disclosure of Data: Data officials must restrict the disclosure of personal data to third parties to the purposes stated in the privacy notice, for which the data subject has given implicit or explicit consent.

  • Data Security: Data officials must protect personal data from leakage, damage, loss, theft, misuse, modification, or unauthorized access, in accordance with directives from the National Cybersecurity Authority and relevant authorities.

  • Data Quality: Personal data must be accurate, complete, and directly relevant to the purposes stated in the privacy notice.

  • Monitoring and Compliance: Relevant entities follow up on compliance with privacy policies and procedures, and address complaints and disputes related to privacy.
Controls and Requirements for Personal Data Protection:

The domain of personal data protection consists of 5 controls and 10 requirements in accordance with the National Data Management, Governance, and Personal Data Protection Standards and Specifications. These are a set of provisions and procedures that regulate the processing of personal data to ensure the privacy of data subjects and protect their rights. The five controls are:

  • Planning

  • Training and Awareness

  • Data Breach

  • Data Lifecycle Management

  • Records

Rights of the Data Subject:

  • First: The Right to Be Informed
    Internal and external users of the university’s websites and electronic systems are notified of the legal basis or actual need for collecting their personal data, its intended purpose, and that it will not be processed later in a manner inconsistent with that purpose, for which they have given implicit or explicit consent.

  • Second: The Right to Request Access
    Data subjects have the right to request access to their personal data and view it, in accordance with the controls and procedures set by regulations, without prejudice to Article 9 of the Personal Data Protection Law. They may also request correction, completion, or updating of their data, or request the destruction of data no longer needed, and obtain a readable and clear copy of it.

  • Third: The Right to Request Data Destruction
    Data subjects have the right to request the destruction of their personal data once it is no longer needed, without prejudice to Article 18 of the Personal Data Protection Law.

Limitations on the Data Subject's Rights:

Rights may be restricted in the following cases:

  • If necessary to protect personal data or others from harm, as defined by regulations.

  • If required for security purposes, to enforce another law, or to meet judicial requirements.

Permitted Cases for Disclosure of Personal Data:

  • If the data subject consents to the disclosure, in accordance with the Personal Data Protection Law.

  • If the personal data has been collected from publicly available sources.

  • If required for public interest, security purposes, enforcement of another law, or to meet judicial requirements.

  • If necessary to protect public health or safety, or the life or health of specific individuals.

  • If the disclosure is for processing in a way that does not lead to identification of the data subject or any other individual.

  • If necessary to achieve legitimate interests of the university, provided it does not harm or conflict with the data subject's rights and the data is not sensitive.

Cases Where Disclosure of Personal Data is Prohibited:

  • If it poses a threat to national security, damages the Kingdom's reputation, or conflicts with its interests.

  • If it affects the Kingdom’s relations with another country.

  • If it results in the violation of another individual’s privacy, as defined by regulations.

  • If it conflicts with the interest of a person who is legally incompetent.

  • If it prevents the detection of a crime or affects a defendant’s right to a fair trial, or the integrity of ongoing legal proceedings.

  • If it endangers the safety of individuals.

  • If it breaches legally established professional obligations.

  • If it violates a legal obligation, procedure, or court ruling.

  • If it reveals a confidential source whose identity must remain undisclosed in the public interest.