Marking Data Privacy Day, the Compliance and Data Protection Department at the Ministry of Transport and Communications (MoTC) on Sunday announced the release of the guidelines of the Personal Data Privacy Protection Law No. 13 of 2016.
This is to help the target audience (individuals, regulated entities and stakeholders) understand their respective responsibilities, rights and practices as per the law, a statement from the MoTC explained.
“The law provides a set of guidelines, controls, assistive tools, checklists and templates for regulated entities addressed by the provisions of the law to support compliance,” MoTC's acting assistant undersecretary of Cyber Security Affairs Othman Salem al-Hamoud said.
“They also include guidance for individuals to become more aware of their rights and responsibilities as per the law,” the official clarified while stressing the need for regulated entities to refer to these guidelines and reposition according to their individual role either as data processor or data controller, without prejudice to the provisions of the law and, thereby, avoiding liability.
Compliance and Data Protection Department director Dana al-Abdulla called upon the regulated entities addressed by the provisions of the law to strike a balance between ensuring the protection of personal data privacy and their right to technological advancement and the use of techniques and data to achieve individuals’ rights.
She pointed out the importance of taking into consideration the fundamental personal data processing principles provided for by law: transparency, honesty, respect of human dignity, data minimisation, accuracy, storage limitation, integrity and confidentiality, purpose limitation and accountability.
In the guidelines, the department has explained these principles and how to put them into practice.
Al-Abdulla advised regulated entities to take into consideration the methods by which they control and/or process personal data and to be responsible for the same. She also confirmed the importance of adopting a methodology based on risk analysis, as per privacy principles, and putting such principles at the heart of the approach to processing and controlling personal data.
Personal data privacy is concerned with the use of individuals’ personal data in technological systems: a field that combines technology and respect for individuals’ privacy within a regulatory and legal framework that governs the relation between the individual and the entity that collects and uses their data.
A data controller is a natural or legal person who, whether acting individually or jointly with others, determines how personal data may be processed and determines the purpose(s) of personal data processing. A data processor is a natural or legal person who processes personal data for the controller.
Personal data processing is defined as gathering, receipt, registration, organisation, storage, preparation, modification, retrieval, usage, disclosure, publication, transfer, withholding, destruction, erasure and cancellation of data.
According to Article 8 of the Law, the ‘controller shall abide by the controls related to designing, changing or developing products, systems and services pertinent to Personal Data Processing and shall take appropriate administrative, technical and financial precautions to protect Personal Data, in accordance with what is determined by the Competent Department’. This has been explained by the Compliance and Data Protection Department in the guidelines.
The department provided several assistive tools for the audience the law addresses to help them reposition in line with the provisions of the law. Such tools include but are not limited to ‘Record of Processing Activities’ (RoPA), ‘Personal Data Management System’ (PDMS) and ‘Data Protection Impact Assessment’ (DPIA).
Al-Abdulla added that the Compliance and Data Protection Department will organise workshops and panel discussions for all sectors and Arabic and English awareness forums for individuals, and publish awareness messages on MoTC’s social media accounts.
The guidelines are available here. Compliance and Data Protection Dept. can be reached at [email protected] or 44069991 or via its websites.
 