Saudi Arabia: Adopted National Data Governance Policy including Data Protection Regulation

On 5 May 2020, the National Data Management Office issued its National Data Governance Policy that includes provisions for minor and "incompetents'" data protection and freedom of information. Regarding minor and incompetents' data (referred to as minor data from now), controllers are tasked with evaluating the effects of certain data processing activities on minors. This helps them calculate the acceptable risk level. Data controllers will inform guardians of any indirectly collected minor data by other companies. Additionally, consent is required from the guardians for data processing. However, consent may be explicit or implied depending on the data type and collection methods. Data collection and processing should be limited to a specific purpose and conducted in a "fair" manner. The identity of the guardian is to be verified before providing them with any sensitive data. As for freedom of public information, barring sensitive public data, individuals and entities have the right to access publicly available information. The main standards behind freedom of public information are equality, transparency, necessity, and proportionality. Requests for public data should be made clearly in written form. A decision will be communicated with reasoning to be given if a request was denied. Appeals for these decisions are also possible.