Personal Data Protection Policy

Definitions

• Data: A set of facts in its raw form or in an unorganized format, such as numbers, letters, still images, videos, audio recordings, or emojis.
• Personal Data: Any information—regardless of its source or form—that can directly or indirectly identify an individual when combined with other data.
• Authentication: Ensuring the identity of any user, operation, or device as a fundamental requirement to grant access to technical resources.
• Personal Data Processing: All operations performed on personal data by any means, manual or automated, including (but not limited to) collection, transfer, retention, storage, sharing, destruction, analysis, pattern extraction, inference, and linkage with other data.
• Data Subject: The natural person to whom the personal data relates, or their representative, or their legal guardian.
• Controlling Unit: Any administrative unit affiliated with the university that works with personal data.
• Personal Data Breach: Disclosure of personal data, or obtaining or enabling access to it without authorization or legal basis, whether intentional or unintentional.
• Implied Consent: Consent that is not explicitly granted by the data subject but is implied through their actions and the circumstances, such as signing contracts or agreeing to terms and conditions.

Objective

The purpose of the Personal Data Protection Policy is to maintain the confidentiality of personal information to ensure the rights of individuals, organize the process of collecting, processing, and sharing personal data, and preserve national digital sovereignty over it. This policy complies with national data governance policies and fundamental legislation for protecting individuals’ rights and privacy regarding their personal data, as governed by the Personal Data Protection Law.

Scope

This policy applies to all controlling units that wholly or partially process personal data, as well as external parties processing personal data of university affiliates, whether via the Internet or any other means. Exceptions include collection of personal data from sources other than the data subject directly—without their knowledge—or processing it for a purpose other than that for which it was collected, or disclosing or transferring it outside the Kingdom in specific legal or judicial cases, or to protect public health, safety, or vital interests of individuals.

Main Principles of Personal Data Protection

• Responsibility: Privacy policies and procedures must be defined and documented by the Data Management Office, approved by the University President (or their delegate), and communicated to all concerned parties.
• Transparency: A privacy notice must be prepared, clearly stating the purposes for which personal data is processed.
• Choice and Consent: All possible choices for the data subject must be specified, and their (implied or explicit) consent must be obtained regarding the collection, use, or disclosure of their data.
• Data Minimization: Personal data collection must be limited to the minimum necessary to achieve the specified purposes in the privacy notice.
• Limiting Use, Retention, and Disposal: Processing of personal data must be restricted to the purposes specified in the privacy notice for which consent was given. Data must be retained only as long as necessary and securely destroyed afterward.
• Data Access: Means must be provided for data subjects to access, review, update, and correct their personal data.
• Limiting Data Disclosure: Disclosure of personal data to external parties must be restricted to the specified purposes in the privacy notice for which consent was given.
• Data Security: Personal data must be protected from leakage, damage, loss, misuse, unauthorized modification, or unauthorized access.
• Data Quality: Personal data must be retained accurately, completely, and directly related to the purposes specified in the privacy notice.
• Monitoring and Compliance: Compliance with privacy policies must be monitored, and privacy inquiries, complaints, and disputes must be addressed.