First: Specific Purposes for Data Collection
The Human Rights Commission (HRC) collects personal data to enable it to perform its duties efficiently and effectively. This is achieved by providing accurate and reliable information that contributes to delivering distinguished services to beneficiaries and fulfilling its mission in protecting and promoting the rights of individuals within a legal and regulatory framework. This framework ensures compliance with the provisions of the Personal Data Protection Law (PDPL) and related regulations in the Kingdom. HRC collects beneficiaries' data based on the principle of necessity, whereby data collection is limited to the purposes specified in the Privacy Policy. These purposes include supporting administrative and service processes provided to individuals when they submit a complaint or report, or request advice, support, or collaborative training related to human rights. Providing personal data in this regard by beneficiaries is considered mandatory. Furthermore, the collection of personal data aims to empower data subjects to exercise their rights by granting them access to their personal data and the ability to modify it or request its deletion. This enhances security protection and prevents impersonation or fraud. It also ensures privacy protection and promotes trust. In this context, HRC emphasizes its commitment to transparency by informing individuals of the purpose of collecting their data and the approved legal basis for it. It also ensures that this data is used only within the context of the authorized purposes and in accordance with the highest standards of governance and cybersecurity.
Second: Content of Required Personal Data
HRC is committed to ensuring that the content of the personal data collected and processed is limited to the minimum amount of personal data necessary to enable HRC to perform its duties and ensure the provision of appropriate service to the beneficiary. Some mandatory personal data is collected through HRC's website by retrieving electronic login credentials and through the National Platform (Nafath), cookies, Internet Protocol (IP) files, or data provided directly by the beneficiary to HRC when submitting their request. This personal data includes: First Name, Last Name, National ID Number or Residence Permit Number, Date of Birth, National Address, Email Address, Personal Mobile Number.
Third: Means of Retention
HRC adopts a comprehensive approach to data protection by embracing the latest standards and technologies in data storage and security, in accordance with the Data Policies and Governance Guide. HRC is committed to ensuring the confidentiality and integrity of beneficiaries' data against modification or loss, protecting it from unauthorized access, and ensuring its availability through secure storage mechanisms and advanced encryption techniques. Furthermore, anonymization techniques for personal or sensitive data, such as masking, deletion, or redaction, are applied when sharing data with external parties to ensure that individuals cannot be identified through their data. HRC adheres to the rules mentioned in the "Storage of Classified Data" section of the "Guidelines for Handling Classified Data" document issued by the National Cybersecurity Authority (NCA).
Fourth: Means of Disposal
HRC adopts a strict approach to ensure secure disposal of personal data whose retention period has expired in accordance with regulatory controls and approved security standards. This is achieved by using the latest digital data erasure techniques for data on physical storage media such as hard drives, digital compact discs, solid-state drives, mobile devices, and portable drives, as well as data in database logs and backup files, to ensure that it cannot be recovered. All paper-based data is also destroyed using high-quality and secure paper shredders, and the shredded paper is disposed of securely in a manner that prevents its reconstruction, making it impossible to view, recover, or specifically identify its owner. HRC prepares a detailed report on all disposed data, taking into account cybersecurity controls regarding how this data is destroyed.
Fifth: How Data is Processed
HRC adopts a strict framework for processing personal data in accordance with the PDPL and related regulations in the Kingdom. This is to ensure the protection of individuals' privacy and security of their data against any unauthorized use during the following operational stages:
Personal Data Collection
- Personal data is collected solely to achieve the specific purposes outlined in the privacy notice to which the data subject has given their implicit or explicit consent.
- The collection process is restricted to what is consistent with the applicable laws and regulations in the Kingdom, and unnecessary data is not collected.
- The data subject is informed of the reasons for collecting their personal data and how it will be processed, and is assured that it will not be used for other purposes.
- Personal data is collected only from its correct sources and through legitimate means.
- The data subject is informed of their right to use their data and the possibility of withdrawing their consent to processing at any time.
- When personal data is collected indirectly, the data subject shall be notified of the source used.
Personal Data Storage
- Personal data is subject to strict standards that ensure its confidentiality, integrity, and availability when needed.
- Personal data is stored according to best security practices, including encryption, the use of masking, redaction, or deletion, and prevention of unauthorized access.
- Saving data outside the Kingdom is prohibited except with the approval of the National Data Management Office (NDMO) and relevant regulatory authorities.
- Regular backups are performed to protect personal data and ensure business continuity in the event of failures or disasters.
- Strict restrictions are imposed on data access through the application of the latest protection technologies and control of access privileges.
Personal Data Processing
- A clear, specific, and direct notice is issued that includes HRC's privacy policies and procedures, explaining the purposes for which personal data is processed.
- Processing of personal data is restricted to the purposes specified in the privacy notice, and it may not be used for any other purpose without the data subject's consent.
- It is ensured that personal data is processed within the geographical borders of the Kingdom. It is not processed outside the Kingdom except after obtaining written approval from the regulatory authority in coordination with NDMO.
- All processing stages are documented to ensure transparency and traceability, with a record of the activities performed on the data.
- Personal data required for processing is masked and concealed when necessary before sharing it, while ensuring adherence to the content.
- Security and technical controls are implemented, including data encryption in accordance with the standards issued by NCA.
- Audit logs are maintained to document updates and modifications made to personal data.
Personal Data Transfer
- Personal data may not be shared with any third party without the data subject's consent, and it shall be ensured that the processing aligns with the original purpose for which it was collected.
- Strict controls are imposed on cross-border data transfers, and data may not be transferred outside the Kingdom without approval of competent regulatory authorities.
- Data transfer is secured using strong security protocols so that data is transferred through secure channels that prevent interception or manipulation.
- All data sharing operations are documented, clarifying the name of the receiving party, purpose of transfer, the processing period, and retention and disposal procedures.
Sixth: Rights of Personal Data Subjects
According to the PDPL and its Implementing Regulations, the personal data subject has the following rights:
- Right to Be Informed: This involves informing the data subject of the means of communication with HRC, methods of collecting their personal data and legal basis for its collection, mechanism for processing it in a specific, clear, and explicit manner, retention period, and clarifying how to withdraw consent granted for the processing of any of their personal data. It also includes stating whether all or part of the data and its processing is mandatory or optional, and all other related details.
- Right to Access Personal Data: The data subject has the right to access their personal data held by HRC, either by submitting a request to HRC or automatically, without the need to submit such a request, through any means provided by HRC, provided that accessing their personal data does not negatively affect the rights of others and without prejudice to the provisions of Article (9) and Article (16) of the Law.
- Right to Request Copy of Personal Data: The data subject has the right to obtain a copy of their personal data in a readable and clear format, provided that this does not negatively affect the rights of others. They have the right to receive their personal data in electronic format or request it in printed form whenever possible.
- Right to Request Correction of Personal Data: If the data subject's personal data held by HRC is incorrect, they may request the restriction of its processing for a period during which HRC can verify the accuracy of the personal data. This right does not apply if the provision of such data contradicts the provisions of the Law and its Implementing Regulations. HRC may request supporting documents or evidence for the data correction request whenever necessary to update, correct, or complete their personal data, provided that these documents are destroyed after the verification process is completed. The data subject has the right to be notified without delay after the personal data has been corrected.
- Right to Request Destruction of Personal Data: The data subject has the right to request destruction of their personal data if they withdraw their consent to the collection of their personal data, provided that their consent was the sole legal basis for processing their personal data. They also have the right to withdraw their consent if they become aware that their personal data is being processed in a manner contrary to the Law. HRC has the right to retain this data after the purpose of its collection has been fulfilled if everything that leads to the specific identification of its owner has been removed, in accordance with specific controls.
Seventh: Potential Impacts and Risks of Failure to Complete Personal Data Collection Procedure
Failure by individuals to provide required personal data may lead to the following:
- Inability or delay in completing the procedures for the requested service, whether it is submitting a report or complaint, providing advice and support, or delivering collaborative training.
- Restricted access to certain features provided by HRC to beneficiaries through the electronic platform, such as tracking their requests or communicating with them to inform them of the latest updates regarding their requests.
- Reduced level of security, as it may be difficult for HRC to verify the user's identity or protect their account due to the incomplete collection of mandatory personal data.
- Non-compliance with the PDPL, its Implementing Regulations, and related regulations in the Kingdom.