Following the issuance of Law number 13 of 2016 on the Protection of Personal Data Privacy (PDPP Law), the Ministry of Transport and Communications (MOTC) released regulatory recommendations on Personal Data Privacy in January 2021. In addition to clarifications, they provide a collection of guidelines, controls, and checklists to ensure users' compliance with the Law. They also include guidance for individuals to become more aware of their rights and responsibilities. After discussing the PDPP Law in our previous article, we briefly review the key features of the 2020 regulations in this article.

  • What personal data processing do these guidelines apply to?

The guidelines apply to any personal data processed electronically, via a combination of electronic and non-electronic techniques, or via non-electronic means in advance of electronic processing. They apply to every entity that handles personally identifiable data.

  • How shall the Regulated Entities apply these standards?

The regulations highlight that any data controller shall comply with the law and the regulations if the information collected is neither personal nor related to family or household purposes. Controllers that need to comply shall adopt a risk-based approach based on the key privacy principles mentioned in the regulations. Regulated entities must evaluate how they process personal data and accept accountability for their actions.

A Personal Data Management System (PDMS) for protecting users' data and privacy might be needed in some scenarios as per the regulations. However, the guidelines did not limit or prescribe any particular measures that regulated businesses should take. The strategy adopted by a regulated business, and its execution, shall be determined by the business itself.

  • How will individuals benefit and commit to the guidelines?

The PDPP Law outlines people's rights and regulated entities' obligations with regard to personal data. Individuals have the right to have their data protected and processed legitimately. Moreover, individuals can expect their personal data to be treated in compliance with the PDPP Law. If they think their data is not protected or used lawfully, they can submit a complaint to the CDP, and controllers must enable them to complain directly to the controller. The guidelines assist individuals in understanding when and how to exercise their rights, how to file complaints with controllers and the CDP, and how the CDP may investigate them.

  • What topics do the guidelines cover?
  • Controllers and Processors.
  • Data Privacy by Design and by Default.
  • Data Privacy Impact Assessment (DPIA).
  • Electronic Communications for Direct Marketing.
  • Exemptions applicable to Data Controllers.
  • Individual complaints and rights.
  • Personal Data breach notifications.
  • Personal Data Management System (PDMS).
  • Principles of Data Privacy.
  • Privacy Notice.
  • Record of Processing activities.
  • Special nature processing.

Regulated Entities should check the regulations’ updates constantly to ensure they are up to date with the newest guidelines.

For further information regarding the PDPP Law and CDP regulations, don't hesitate to contact us at Alhababi Law Firm.

Author: “Mohammad Mufid” Ratib Qurashi.
