Personal Data Protection Policy
This policy aims to meet the requirements of the National Data Management Office, to enhance the protection of the data and privacy of users of Najran University systems, and to govern the methods of handling, storing, and destroying data, through:
- Protecting the privacy of personal data and the confidentiality of sensitive data and not sharing it with other parties without the consent of system users.
- Ensuring the rights of individuals in dealing with personal data at Najran University.
- Promoting transparency and establishing governance by distributing roles and responsibilities.
- Supporting integrity and combating corruption.
This is based on the two documents: Data Management and Governance Controls and Personal Data Protection (Version 1.5 - January 2021), and National Data Governance Policies (Second Edition dated 26/05/2021 AD) issued by the National Data Management Office.
Scope of Work
This policy applies to all departments of Najran University and its branches to ensure the protection of personal data that is processed partially or completely by them. The provisions of this policy also apply to external entities that process data of individuals residing in the Kingdom via the Internet or any other means.
However, the following cases are excluded from the scope of this policy, subject to the conditions below: collecting personal data without the knowledge of its owner, processing it for purposes other than those for which it was collected, disclosing it without consent, or transferring it outside the Kingdom. The conditions are:
- If the controlling entity is a government entity, personal data may be collected or processed if this is necessary to meet regulatory requirements in accordance with the laws, regulations, and policies approved in the Kingdom of Saudi Arabia, or to meet judicial requirements, or to implement obligations resulting from an agreement to which the Kingdom of Saudi Arabia is a party.
- To protect public health and safety, or to ensure the vital interests of individuals.
Main Principles of Personal Data Protection
First Principle: Responsibility
Najran University is committed to identifying the requirements and policies for personal data protection, documenting them, reviewing them annually, and having them approved by the University President or his delegate. It also works to disseminate them to all concerned parties to ensure their effective implementation.
Second Principle: Transparency
A notice is prepared that explains the policies and procedures for protecting the privacy of personal data at Najran University and that clearly, specifically, and explicitly defines the purposes for which personal data is processed.
Third Principle: Choice and Consent
All possible options must be provided to the owner of personal data, and his consent, whether implicit or explicit, must be obtained regarding the collection, use, or disclosure of his data.
Fourth Principle: Limiting Data Collection
The collection of personal data is limited to the minimum necessary to achieve the purposes specified in the privacy notice.
Fifth Principle: Limiting Data Use, Retention, and Disposal
The processing of personal data is restricted to the purposes specified in the privacy notice that the data owner has agreed to, whether implicitly or explicitly. Data is retained as long as necessary to achieve the specified purposes or as required by the laws, regulations, and policies in force in the Kingdom of Saudi Arabia, and is disposed of by destruction in a secure manner that prevents leakage, loss, embezzlement, or unauthorized access.
Sixth Principle: Data Access
Means must be provided that allow the owner of personal data to access his data to review, update, and correct it.
Seventh Principle: Limiting Data Disclosure
The disclosure of personal data to external parties inside or outside the Kingdom of Saudi Arabia is restricted to the purposes specified in the privacy notice that the data owner has agreed to, whether implicitly or explicitly.
Eighth Principle: Data Security
Najran University provides complete protection for personal data from leakage, damage, loss, embezzlement, misuse, or unauthorized access, in accordance with the directives of the National Cybersecurity Authority and the competent authorities.
Ninth Principle: Data Quality
Personal data is maintained accurately and completely and in a way that is directly related to the purposes specified in the privacy notice.
Tenth Principle: Monitoring and Compliance
The University monitors compliance with its privacy policies and procedures, and addresses inquiries, complaints, and disputes related to them.
Rights of the Data Owner
- First: The right to know, which includes informing him of the regulatory basis or actual need to collect his personal data, and the purpose of that, and that his data will not be processed later in a manner inconsistent with the purpose for which it was collected and for which he provided his implicit or explicit consent.
- Second: The right to withdraw his consent to the processing of his personal data - at any time - unless there are legitimate purposes that require otherwise.
- Third: The right to access his personal data at Najran University; to review it, and request its correction or update.
Obligations of Najran University
- Najran University is committed to preparing and implementing policies and procedures related to personal data protection, and the first official at the entity - or his delegate - is responsible for approving and adopting them.
- The University is committed to establishing a data governance unit linked to the data management office, which is assigned the responsibility of developing, documenting, and monitoring the implementation of policies and procedures approved by the senior management of the entity, provided that the tasks and responsibilities of the unit include setting appropriate standards for determining the sensitivity levels of personal data.
- The University is committed to assessing the risks and potential impacts of personal data processing activities and presenting the assessment results to the University President - or his delegate - to determine the level of risk acceptance and approval.
- The University is committed to reviewing and updating contracts and service and operation level agreements in accordance with the privacy policies and procedures approved by the senior management of the entity.
- The University prepares and documents the necessary procedures for managing and addressing privacy violations, defines the tasks and responsibilities of the specialized work team, and defines the cases in which the regulatory authority and the Office are notified according to the administrative hierarchy, based on the measured severity of the impact.
- The University prepares awareness programs for University employees to promote a culture of privacy and raise awareness in accordance with the privacy policies and procedures approved by the senior management of the entity.
- The data owner is notified - in an appropriate manner at the time of data collection - of the purpose and regulatory basis/actual need and the means and methods used to collect, process, and share personal data, as well as security measures to ensure privacy protection according to the laws, regulations, and policies in force in the Kingdom.
- The data owner is notified of other sources used if additional data is collected indirectly (from other entities).
- The data owner is informed of the privacy notice, and his consent to the processing of his personal data is obtained based on the nature of the data and the methods of collection.
- The data owner's consent to the processing of personal data must be obtained after determining the type of consent (explicit or implicit) based on the nature of the data and the methods of collection.
- The purpose of data collection must be consistent with the laws, regulations, and policies in force in the Kingdom and directly related to the entity's activity.
- The content of the data must be limited to the minimum data necessary to achieve the purpose of its collection.
- Data collection must be restricted to pre-prepared content (shown in Rule 12) and be done fairly (directly, clearly, securely, and free from deception or misleading methods).
- The use of data is limited to the purpose for which it was collected.
- The University prepares and documents a data retention policy and procedures in accordance with the specified purposes and relevant laws and legislation.
- The University stores and processes personal data within the geographical boundaries of the Kingdom of Saudi Arabia to ensure the preservation of the national digital sovereignty of this data. It may not be processed outside the Kingdom of Saudi Arabia except after the University obtains written approval from the regulatory authority, after the regulatory authority coordinates with the Office.
- The University prepares and documents a data disposal policy and procedures to destroy data in a secure manner that prevents its loss, misuse, or unauthorized access - including operational data, archived data, and backups - in accordance with what is issued by the National Cybersecurity Authority.
- The University includes the provisions of the personal data retention and disposal policies in contracts in case these tasks are assigned to other processing entities.
- The University identifies and provides the means by which the data owner can access his personal data to review and update it.
- The University verifies the identity of individuals before granting them access to their personal data in accordance with the controls approved by the National Cybersecurity Authority and the competent authorities.
- It is prohibited to share personal data with other entities except in accordance with the specified purposes after obtaining the consent of the data owner and in accordance with the laws, regulations, and policies, provided that other entities are provided with the followed privacy policies and procedures and included in contracts and agreements.
- The University notifies data owners and obtains consent from them in case data is shared with other entities for use for purposes other than those specified.
- The University must obtain the approval of the Office - after coordinating with the regulatory authority - before sharing personal data with other entities outside the Kingdom.
- The University prepares, documents, and implements the necessary procedures to ensure the accuracy, completeness, timeliness, and relevance of personal data to the purpose for which it was collected.
- Administrative controls and technical measures approved in the entity's information security policies must be used to ensure the protection of personal data, including but not limited to:
  - Granting data access permissions according to the tasks and responsibilities of employees in a way that prevents overlapping of jurisdiction and avoids dispersion of responsibilities.
  - Implementing administrative procedures and technical measures that document the stages of data processing and provide the ability to identify the user responsible for each of these stages (usage logs).
  - Having employees who carry out data processing operations sign a pledge to maintain data and not disclose it except in accordance with policies, procedures, laws, and legislation.
  - Selecting employees who carry out data processing operations from those who are characterized by honesty and responsibility, in accordance with the nature and sensitivity of the data and the access policy approved by the entity.
  - Using appropriate security measures - such as encryption, and isolating the development and testing environment from the operating environment - to protect personal data in a manner commensurate with its nature and sensitivity and the media used to transfer and store it, in accordance with what is issued by the National Cybersecurity Authority and the competent authorities.
- Najran University is responsible for monitoring compliance with privacy policies and procedures periodically, and the monitoring results are presented to the first official of the entity - or his delegate. Corrective actions to be taken in case of non-compliance are also identified and documented, and the regulatory authority and the Office are notified according to the organizational hierarchy.
General Provisions
- First: The regulatory authorities undertake to align the provisions of this policy with their regulatory documents and disseminate them to all entities affiliated with or linked to them in a manner that achieves integration and ensures the achievement of the desired goal of preparing this policy.
- Second: The regulatory authorities monitor compliance with this policy periodically.
- Third: The University must comply with this policy and document compliance according to the mechanisms and procedures specified by the regulatory authorities.
- Fourth: The University must notify the regulatory authorities immediately, without delay and within no more than 72 hours of the occurrence or discovery of any personal data leakage incident, in accordance with the mechanisms and procedures specified by the regulatory authorities.
- Fifth: When the University contracts with processing entities, it must periodically verify the compliance of processing entities with this policy according to the mechanisms and procedures specified by the regulatory authorities, provided that this includes any subsequent contracts made by the processing entities.
- Sixth: The Data Office exercises the roles and tasks of the regulatory authorities with respect to the data offices of entities that are not subject to a regulatory authority.
- Seventh: The regulatory authorities have the right to establish additional rules for processing specific types of personal data according to the nature and sensitivity of this data after coordination with the Office.
- Eighth: The regulatory authorities, after coordination with the Office, prepare the mechanisms and procedures that regulate the complaints handling process according to a specific time frame and according to the organizational hierarchy of the University.
- Ninth: The University's Data Office establishes the necessary standards that help the University know whether the appointment of a data protection officer is considered a basic or optional requirement.