KSA PDPL Article 6 outlines specific situations where the processing of personal data can occur without the explicit consent of the data subject, which is normally required under Article 5. This is significant because it allows organizations more flexibility in handling personal data in particular circumstances. This approach ensures that data processing remains lawful and respects the privacy rights of individuals even in scenarios where consent cannot be obtained.
Further Explanation
Article 6 allows personal data to be processed without obtaining consent from the individual (data subject) in specific situations:
- Data Subject’s Interests: If processing the data serves the actual interests of the individual (such as in emergencies) and it’s impossible or difficult to obtain their consent.
- Legal or Contractual Obligation: If processing is required by another law or based on a previous agreement involving the individual.
- Public Entity: If a public entity (e.g., government or law enforcement) needs to process data for security reasons or to meet judicial requirements.
- Legitimate Interest: If the data controller (the organization handling the data) has a legitimate interest in processing the data, as long as it doesn’t harm the individual’s rights and interests, and sensitive data isn’t involved.
General Activation Steps
To activate Article 6 in an organization:
- Identify the Scenario: Determine if the situation fits one of the cases described in Article 6 (e.g., emergency, legal requirement, public security, or legitimate interest).
- Assess Compliance: Ensure the processing aligns with the relevant provisions in the regulations, particularly that it does not harm the individual’s rights or involve sensitive data unless absolutely necessary and justified.
- Document Justification: Record the rationale for processing without consent, including how it fits into one of the allowed scenarios and any measures taken to protect the individual’s rights.
- Internal Approval: Obtain internal approval from relevant authorities or legal teams to proceed with the processing.
- Implement Safeguards: Apply necessary safeguards to minimize risk, such as data anonymization or encryption, and ensure data security.
- Monitor and Review: Continuously monitor the processing activity and review it periodically to ensure ongoing compliance with the law.
Use Cases
- Emergency Medical Care: A hospital processes a patient’s data during an emergency when the patient is unconscious, and obtaining consent is impossible.
- Contract Fulfillment: A bank processes personal data to fulfill a loan agreement that the customer has signed, without needing additional consent.
- Public Security Investigation: A government agency processes personal data as part of an investigation into a security threat.
- Legitimate Business Interests: A company processes data to prevent fraud in transactions, where obtaining consent would delay critical operations and increase risks.
Dependencies
- Legal Review: Ensuring that the processing activity is covered under relevant laws or agreements.
- Internal Policies: Having clear internal policies and guidelines for when and how to apply Article 6.
- Regulatory Guidance: Following any additional guidelines or controls set out by the KSA regulatory authorities, particularly for cases involving legitimate interest.
- Data Protection Impact Assessment (DPIA): Conducting a DPIA when processing data under legitimate interest to ensure it doesn’t infringe on the data subject’s rights.
Tools and Technologies
- Data Anonymization: Tools to anonymize data where possible.
- Consent Management Platforms: Even when consent isn’t required, these can help track and manage situations where it is applicable.
- Data Governance Frameworks: To ensure proper documentation and adherence to the regulations.
- Security Solutions: Encryption and access control systems to protect data during processing.
For Your Further Reading:
- KSA PDPL – Initial Framework
- KSA NDMO – Data Catalog and Metadata
- TOGAF – ADM (Architecture Development Method) vs. Enterprise Continuum
- KSA NDMO – DG Artifacts Control – Data Management Issue Tracking Register
- KSA NDMO – Classification Process – Data Classification Metadata
- Enterprise Architecture & Architecture Framework
- Enterprise Architecture Governance
- Data Security Standards
- Data Steward – Stewardship Activities
- Data Modeling – Metrics and Checklist
- How to Measure the Value of Data
- What is Content and Content Management?
