1. Purpose
According to Data Privacy Principles for ICT from CITC, Salam Mobile creates this policy to commit to the regulator’s requirements. This policy aims to maintain personal data privacy for users and protect their rights according to international best practices.
2. Scope
This policy covers all Salam Mobile services or products that contain personal identifiable information (PII) and is applied to Salam Mobile (employees, contractors, and customers) and third parties that interact with personal data.
3. Policy
3.1. Procedures of launching services or products that contain user personal data or sharing personal data:
- Must do the following steps before launching services or products that depend on user personal data or sharing personal data:
o Verify the need for doing a “privacy impact assessment” on Privacy Impact Assessment Procedure (Data Privacy Initial Screening Questions Table) and document the verifying result.
o CITC must be informed when launching services or products that depend on user personal data or sharing personal data using CITC Notice Form
3.2. Essential principles to maintain personal data privacy for users
-
Salam Mobile should formally process personal data and ensure processing result is not affecting negatively the personal data owners.
-
Salam Mobile should process personal data for specific and clear purposes for the user.
-
Salam Mobile should collect minimum personal data to achieve processing purposes.
-
Salam Mobile should not retain personal data for more than the specified duration that achieves the purposes of the data processing.
-
Salam Mobile should protect personal data to ensure its privacy and prevent unauthorized access, leakage, tampering or any misuse.
3.3. Service Provider Commitments
-
Salam Mobile should develop, execute and maintain a program that protects data privacy for users, and shall cover the development, documentation, and execution of policies and procedures related to maintain personal data privacy and maintain its compliance.
-
Salam Mobile should develop, approve and publish a personal data privacy policy, which must include types of processing on data, the purpose of processing if third-parties are part of data processing, data retention duration, data protection security controls, users’ rights regarding their data and how they use these rights.
-
Salam Mobile should process the personal data within Saudi Arabia. Salam Mobile must acquire CITC approval before any project to process user data outside of Saudi Arabia.
-
Salam Mobile must commit to retaining personal data for specific purposes and durations based on CITC regulations.
-
Third-party compliance checks must be performed by Salam Mobile on regular basis to maintain personal data privacy compliance.
-
In case of user data leakage, Salam Mobile must report to CITC immediately through approved CITC mechanisms.
3.4. Users’ rights regarding their data
-
User personal data should not be processed without data owner consent, which can be withdrawn at any time.
-
Salam Mobile should enable users to review the personal data privacy policy before making any processing of their data.
-
Salam Mobile should enable users to access their data at any time and allow users to correct it if required, e.g. in case of wrong or inaccurate data.
-
Salam Mobile should enable users to get an electronic copy of their data as per CITC regulations.
4. References
