Personal Data Protection

Personal Data Protection Policy

•    Definitions:
Personal Data: Any element of data, regardless of source or form whatsoever, which independently or when combined with other available information could lead to the identification of a person, directly or indirectly.
Sensitive Data: Any personal data that includes reference to an individual's ethnic origin, tribal origin, religious, intellectual, or political beliefs, or indicates their membership in associations or civil institutions. This also includes criminal and security data, biometric data that identifies identity, genetic data, credit data, health data, location data, and data indicating that an individual is of unknown parentage or one of their parents is unknown.
Personal Data Subject: A natural person, benefiting from NCGR, to whom personal data relates, or their representative, or whoever has legal guardianship over them.
Personal Data Processing: All operations performed on personal data by any means, whether manual or automated. These operations include – but are not limited to – collecting, transferring, storing, sharing, destroying, analyzing, extracting patterns, inferring from, and linking it with other data.
Implied Consent: Consent that is not explicitly given by the data subject but is implied through the person's actions, facts, and circumstances of the situation, such as signing contracts or agreeing to terms and conditions.
Personal Data Breach: Disclosure of, acquisition of, or access to personal data without authorization or legal basis, whether intentionally or unintentionally.

•    Objective:
The purpose of the Personal Data Protection Policy is to maintain the confidentiality of personal information to ensure the preservation of beneficiaries' rights, regulate the process of collecting, processing, and sharing personal data, and maintain national digital sovereignty over it. It complies with national data governance policies and fundamental legislation for the protection of individuals' rights and privacy concerning their personal data, which are subject to the Personal Data Protection Law and related Regulations. This Policy aims to comply with the requirements of data management and governance, as well as related legislative and regulatory requirements.

•    Scope:
This Policy applies to all personal data processing activities and operations related to individuals that are carried out within NCGR by any means, including the processing of personal data related to individuals residing in the Kingdom by any means from any entity outside the Kingdom.

•    Exceptions to the Scope of this Policy:
1.    If the entity requesting disclosure is a public authority, and the disclosure is for purposes of public interest, security purposes, the implementation of another law, or to fulfill judicial requirements.
2.    If disclosure is necessary to protect public health, public safety, or to protect the life or health of a specific individual or individuals.
3.    If the disclosure will be limited to subsequent processing in a manner that does not lead to the specific identification of the personal data subject or any other individual.
4.    If the disclosure is necessary to achieve legitimate interests of the Controller, provided that this does not prejudice the rights or conflict with the interests of the personal data subject, and the data is not sensitive data.

Purpose of Collecting Personal Data:
NCGR's need to collect, process, and store personal data is an ongoing requirement for the execution of its operations and obligations through the tasks assigned to it for the provision of financial services in cooperation with the Ministry of Finance.

Personal Data Collected
NCGR collects various types of personal data to provide its services. The minimum amount of personal data necessary for the intended purpose is collected. The personal data collected may include, but is not limited to, general and sensitive personal data.

FAQs

PDPL shall apply to any processing of personal data of individuals residing in the Kingdom carried out in any manner, by any entity located outside the Kingdom according to Article (2) of PDPL.

Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses and contact numbers.

Yes, the collection of personal data shall be limited to the minimum amount of data that enables fulfilling the specified purposes of the collection, in accordance with Article (11) of PDPL and Article (19) of Implementing Regulations.