1. Scope of Policy Application
The provisions of this policy apply to all entities within Jouf University that fully or partially process personal data, as well as to external parties that process personal data related to the university’s affiliates or beneficiaries of its services, whether conducted via the internet or any other medium.
Excluded from the scope of this policy are cases involving the collection of personal data not directly from the data subject—without their knowledge—or processing it for purposes other than those for which it was collected, or disclosing it without the subject’s consent, or transferring it outside the Kingdom, under the following circumstances:
- Where the collection or processing of personal data is required to fulfill regulatory obligations in accordance with applicable laws, regulations, or policies within the Kingdom, or to meet judicial requirements, or to execute obligations under an international agreement to which the Kingdom is a party.
- Where the collection or processing of personal data is necessary for the protection of public health, public safety, or to safeguard the vital interests of individuals.
2. Core Principles for Personal Data Protection
Principle 1: Accountability
The data controller must define, document, and obtain approval of its privacy policies and procedures by the head of the entity (or an authorized delegate), and ensure they are communicated to all relevant stakeholders.
Principle 2: Transparency
A privacy notice must be prepared by the data controller that clearly, explicitly, and specifically outlines the purposes for which personal data is being processed.
Principle 3: Choice and Consent
All available options must be provided to the data subject, and explicit or implicit consent must be obtained regarding the collection, use, or disclosure of their personal data.
Principle 4: Data Minimization
Personal data collection must be limited to the minimum necessary to fulfill the purposes stated in the privacy notice.
Principle 5: Limiting Use, Retention, and Disposal
The processing of personal data must be restricted to the purposes identified in the privacy notice and for which the data subject has granted implicit or explicit consent. Data must be retained only for as long as necessary to fulfill the stated purposes or as required by applicable laws, regulations, or policies. Disposal must occur through secure means that prevent leakage, loss, theft, misuse, or unauthorized access.
Principle 6: Access to Data
Mechanisms must be defined and made available to enable the data subject to access, review, update, and correct their personal data.
Principle 7: Limiting Disclosure
Disclosure of personal data to third parties must be restricted to the purposes identified in the privacy notice and for which the data subject has provided explicit or implicit consent.
Principle 8: Data Security
Personal data must be protected against leakage, damage, loss, theft, misuse, alteration, or unauthorized access, in accordance with the guidelines issued by the National Cybersecurity Authority and other relevant authorities.
Principle 9: Data Quality
Personal data must be retained in a manner that is accurate, complete, and relevant to the purposes specified in the privacy notice.
Principle 10: Monitoring and Compliance
Compliance with the data controller’s privacy policies and procedures must be monitored, and all privacy-related inquiries, complaints, and disputes must be addressed accordingly.