Privacy and Data Protection Policy

1 Purpose

The purpose of this document is to describe RABET data protection and privacy controls and ensure compliance with data protection and privacy laws and regulations including but not limited to National Data Management office (NDMO). This policy governs and rules the collection, use and disclosure of Personal Identifiable Information (PII) during the usage of the Service and tells the user about the privacy rights and how the law protects his/her data.

1.1 Audience

The document is intended for RABET users.

2 Introduction

In its everyday business operations, RABET makes use of a variety of data about identifiable individuals, including data about:

• Current, past, and prospective employees
• Customers
• Users of its Websites/Applications
• Subscribers
• Other stakeholders

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.

The purpose of this policy is to set out the relevant legislation and to describe the steps RABET is taking to ensure that it complies with it.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to RABET systems.

The following policies and procedures are relevant to this document:

• Information Classification Procedure
• Information Labelling Procedure
• Acceptable Use policy
• Electronic Messaging Policy
• Internet Acceptable Use Policy
• Information Security Incident Response Procedure
• Information Security Roles, Responsibilities and Authorities

3 Privacy and Personal Data Protection Policy

3.1 The National Data Management Office (NDMO)

The National Data Management Office (NDMO), as the national regulator of data in the Kingdom, has developed the framework for national data governance to set the policies and regulations required for data classification, data sharing, data privacy, Freedom of Information, open data, and others in anticipation of necessary legislation. NDMO regulation is one of the most significant pieces of legislation affecting the way that RABET carries out its information processing activities. It is RABET’s policy to ensure that our compliance with the NDMO and other relevant legislation is clear and demonstrable at all times.

3.2 Definitions

There are many definitions listed within the NDMO and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:

• Personal Data: Is any element of data, regardless of source or form whatsoever, which independently or when combined with other available information could lead to the identification of a person including but not limited to: First Name and Last Name, Saudi National Identity ID Number, addresses, Phone Number, bank account number, credit card number, health data, images, or videos of the person.
• Personal Data Processing: Processing of personal data by any means, whether manual or automated processing, including collection, transfer, recording, storage, data-sharing, destruction, analysis, extraction of their patterns, conclusion, and interconnection.
• Data Controller: Any entity, or any natural or legal person, that collects Personal Data from a Data Subject and carries out processing of that Personal Data, directly or indirectly, through a processor, pursuant to a legal basis.
• Data Processor: Any independent governmental or public entity, or any natural or legal person, which engages in the Processing of Personal Data, on behalf of a Data Controller pursuant to a legal basis.

3.2.1 RABET Definitions

• Applicable Law: means all applicable laws, statutes, orders, rules, provisions, regulations, directives and guidelines that have legal effect, whether local, national, international or otherwise, existing from time to time, including but not limited to National Cybersecurity Authority (NCA) controls, Saudi Central Bank (SAMA), National Data Management Office (NDMO), and all governmental or semi-governmental rules, requirements, standards and guidelines in the Kingdom of Saudi Arabia
• You or Data Subject: means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
• Company: (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to rabet.tech, Riyadh, Kingdome of Saudi Arabia.
• Affiliate: means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
• Account: means a unique account created for You to access our Service or parts of our Service.
• Website: refers to secure rabet.tech, accessible from rabet.tech
• Service: refers to the Website or the Mobile Application.
• Country: refers to The Kingdom of Saudi Arabia.
• Service Provider: means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used.
• Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
• Personal Data is any information that relates to an identified or identifiable individual.
• Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
• Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

3.3 Principles Relating to Processing of Personal Data

There are several fundamental principles upon which the NDMO regulations are based. These dictate that personal data shall be:

• Processed lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’).
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Principal No.4, not be incompatible with the initial purposes (‘purpose limitation’).
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘Principle 5: Use, Retention and Destruction’).
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (‘Principle 9: Data Quality’)
• Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Principal No.4 subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘Principle 8: Data Security’).
• Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘Principle 7: Data Disclosure Limitation’).

In addition, the Controller shall be responsible for, and be able to demonstrate compliance with, Principle 1: Accountability.

RABET must ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems. The operation of an information security management system (ISMS), SAMA Cybersecurity framework (SAMA CSF), and National cybersecurity authority essential cybersecurity controls (NCA ECC) that conform the implementation of cybersecurity and data security controls.

3.4 Rights of the individual

The Data Subject also has rights under the NDMO regulations. These consist of:

• The right to be informed of the Legal Basis and the purpose concerning the collection and processing of their personal information. Personal Data may not be collected or processed without Data Subject’s express consent and all processing must be consistent with the agreed upon Legal Basis.
• The right to withdraw his consent – at any time – unless statutory or judicial requirements require otherwise.
• The right to access his Personal Data within the possession of the Data Controller, including access to, request to correct, complete or update Personal Data, and request to destroy unnecessary data, and get a copy of such data in a clear format.

Each of these rights must be supported by appropriate procedures within RABET that allow the required action to be taken within the timescales stated in the NDMO regulations.

These timescales are shown in Table 1:

DATA SUBJECT REQUEST	TIMESCALE
The right to be informed	When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access	One month
The right to rectification	One month
The right to erasure	Without undue delay
The right to restrict processing	Without undue delay
The right to data portability	One month
The right to object	On receipt of objection
Rights in relation to automated decision making and profiling.	Not specified

Table 1: Timescales for data subject requests

3.5 Consent

Unless it is necessary for a reason allowable in the NDMO regulation, explicit consent must be obtained from a data subject to collect and process their data.

Transparent information about RABET’s usage of personal data must be provided to Data Subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

If the personal data are not obtained directly from the Data Subject, then this information must be provided within a reasonable period after the data are obtained and within one month.

3.6 Privacy by design

RABET has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect, or process Personal Data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.

The impact assessment process shall be initiated with the mindset of the ‘Open by Default’ principle unless its nature or sensitivity requires higher level of classification or protection.

The impact assessment process of the potential damages that could arise from:

• The disclosure of or the unauthorized access to such data,
• And/or unauthorized amendment or destruction of such data,
• And/or lack of access to such data in a timely manner.

The privacy impact assessment will include:

• Consideration of how Personal Data will be processed and for what purposes
• Assessment of whether the proposed processing of Personal Data is both necessary and proportionate to the purpose(s)
• Assessment of the risks to individuals in processing the Personal Data
• What controls are necessary to address the identified risks and demonstrate compliance with legislation

Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.

3.7 Open Data and Information Access Officer (ODIAO)

A defined role of Open Data and Information Access Officer (ODIAO) is required under NDMO regulation. The ODIAO is the operational lead of Open data within the entity. Responsibilities include:

• Open data planning – Develop the Open data plan, including the Open data prioritization methodology, and set targets and KPIs to be agreed on with the head of RABET’s office and head of RABET.
• Open data Management - Manage Open data activities within RABET, in particular:
• Open data Management
  • - Manage Open data activities within RABET, in particular:
  • - The identification of Open data
  • - The prioritization of datasets publication
  • - The preparation of datasets for publication and the documentation of metadata
  • - The publication of Open datasets on the National Open data Portal
  • - The update, maintenance, and quality review of published datasets.
• Open data Requests Consolidation – Review Open data feedback relevant to RABET and record and consolidate requests to publish specific data as Open.
• Open data Education and Awareness - Educate and raise awareness across RABET’s employees on Open data and support national awareness campaigns in coordination with the head of the RABET’s office.
• Point of Contact for NDMO (Secondary) – Act as the secondary point of contact between the RABET and NDM.

3.8 Breach notification

It is RABET’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of Personal Data. In line with NDMO regulation, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within seventy-two (72) hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

3.9 Addressing compliance to the NDMO

The following actions are undertaken to ensure that RABET always complies with the accountability principle of the NDMO regulation:

• The legal basis for processing Personal Data is clear and unambiguous
• Open Data and Information Access Officer (ODIAO) is appointed with specific responsibility for data protection in the organization
• All staff involved in handling Personal Data understand their responsibilities for following good data protection practice
• Training in data protection has been provided to all staff
• Rules regarding consent are followed
• Routes are available to Data Subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
• Regular reviews of procedures involving personal data are carried out
• Privacy by design is adopted for all new or changed systems and processe
• The following documentation of processing activities is recorded:
  • 1. Organization name and relevant details
  • 2. Purposes of the personal data processing
  • 3. Categories of individuals and personal data processed
  • 4. Categories of personal data recipients
  • 5. Agreements and mechanisms for transfers of personal data outside Saudi Arabia including details of controls in place
  • 6. Personal data retention schedules
  • 7. Relevant technical and organisational controls in place

These actions will be reviewed on a regular basis as part of the management review process of the information security management system.

4 Data Security and Protection Controls and Guidelines

Control	Control Description
Information Security Governance	RABET shall establishing a plan to employ the tools, personnel, and business processes to ensure security is carried out sufficiently to meet the Entity's needs for data protection.
Information Security Architecture	RABET shall adopt defense in depth security architecture to enable the purpose, context, and guidance for making security design decisions
Information Systems Design, Development and Testing	Information security and security controls to include as components into a system during its development, testing and implementation
Identity and Access Management	RABET shall Identity users and information systems requesting to have access to the RABET's information assetss
Third Party Supplier Security	RABET shall ensure Information Security requirements are reflected in RABET's engagement of third-party suppliers
Information Security Training, Awareness and Communication	RABET shall implement a comprehensive Information Security training program designed to introduce personnel the RABET's security expectations and obligations