Yes, the collection of personal data shall be limited to the minimum amount of data that enables fulfilling the specified purposes of the collection, in accordance with Article (11) of PDPL and Article (19) of Implementing Regulations.

Yes, Personal Data may be disclosed in the following cases:

If the Data Subject’s consent to the disclosure is obtained according to the provisions of PDPL.
If the personal data was collected from a publicly available source.
If the entity requesting the disclosure is a public entity, and the request is for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
If the disclosure is necessary to protect the health or public safety, or the life or health of a specific individual/s.
If the disclosure will be limited to processing it later in a way that does not lead to identifying the Data Subject or any other individual in particular.
If the disclosure is necessary to achieve lawful interests of the controller, unless it is prejudicing the Data Subject's rights or conflicting with their interests, provided that the data is not sensitive, according to Article (15) of PDPL and subject to provisions of Article (20) of Implementing Regulations.

PDPL shall apply to any processing of personal data of individuals residing in the Kingdom carried out in any manner, by any entity located outside the Kingdom according to Article (2) of PDPL.

Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature, according to paragraph (4) in Article (1) of PDPL.

No, the entity can keep the data as long as necessary to achieve the specified purposes for which it was collected or only as required by the laws, regulations, and policies in force in the Kingdom, according to Article (18) of PDPL.

Controller: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.

Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller, according to Paragraph (18) and (19) in Article (1) of PDPL.

SDAIA receives all complaints related to PDPL, in accordance with Article (34) of PDPL.