Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Saudi Arabia’s new Personal Data Protection Law (PDPL), gives data subjects, with some exceptions, the right to access their personal data, including the right to obtain a copy of their personal data free of charge.
Controllers (such as employers) are able to restrict the right to access when:
- necessary to protect the data subject or other parties against any damage in accordance with the provisions set by the executive regulations;
- the controller is a public entity and the restriction is required for security purposes, under law or for judicial purposes; and,
- if any circumstances set out in PDPL Article 16(1) to (6) apply, including disclosures that pose security risks, that impact Saudi Arabia’s relationship with other countries, that prevent disclosure of a crime or which expose people to danger, etc.
Individuals have additional rights relating to their personal data, including the right:
- to be informed of personal data processing and the legal basis of the processing;
- to correct or update their personal data;
- to request the destruction of their personal data if no longer needed; and
- to file complaints with the regulatory authority.
Executive regulations are expected to specify the time periods and means for responding to requests from data subjects to exercise these rights.