Privacy Law in Kuwait
Kuwait's data protection landscape has undergone significant reforms with the introduction of the Data Privacy Protection Regulation No. 26/2024 (DPPR) by the Communication and Information Technology Regulatory Authority (CITRA). This regulation supersedes the previous regulation No. 42/2021 and aligns Kuwait's data privacy framework with international standards, such as the European Union's General Data Protection Regulation (GDPR).
📘 Key Features of the DPPR
1. Scope and Applicability
Entities Covered: The regulation applies to all CITRA-licensed service providers, including those in the telecommunications and information technology sectors, that collect, process, or store personal data within or outside Kuwait.
Exemptions: Personal data processing by individuals for purely personal or household activities, and activities related to law enforcement, national security, and public safety, are exempt from the regulation.
2. Definitions
Personal Information: Any information related to an identified or identifiable person
Data Subject: The individual to whom the personal information pertains
Data Controller: Entity that determines the purposes and means of processing personal data
Data Processor: Entity that processes personal data on behalf of the data controller
Processing: Any operation performed on personal data, including collection, storage, use, and dissemination
3. Consent and Data Processing
Consent Requirement: Service providers must obtain explicit consent from individuals before collecting or processing their personal data.
Data Processing Conditions: Processing is permitted with the data subject's consent, or where it is necessary for the performance of a contract, compliance with a legal obligation, or protection of vital interests.
4. Data Subject Rights
Individuals are granted several rights under the DPPR:
Right to Access: Access to personal data held by the data controller
Right to Rectification: Correction of inaccurate personal data
Right to Erasure: Deletion of personal data ('Right to be Forgotten')
Right to Restriction of Processing: Limitation of data processing activities
Right to Data Portability: Transfer of personal data to another service provider
Right to Object: Object to data processing activities
Right to Not be Subject to Automated Decision-Making: Protection against decisions based solely on automated processing, including profiling
5. Data Breach Notification
Notification Requirement: Service providers must notify CITRA within 72 hours of becoming aware of a personal data breach. If the breach poses a high risk to individuals' rights and freedoms, affected individuals must also be informed without undue delay.
6. Data Security Measures
Obligations: Service providers are required to implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, or destruction.
7. Enforcement and Penalties
Administrative Penalties: Fines for violations can reach up to KWD 500,000, depending on the severity and duration of the infringement.
Criminal Penalties: Serious violations may result in imprisonment for up to three years and fines ranging from KWD 5,000 to KWD 20,000.
🛡️ Implications for Organizations
Organizations operating in Kuwait must:
Obtain Explicit Consent: Ensure clear and informed consent is obtained from individuals before processing their personal data.
Implement Data Protection Measures: Establish robust data security protocols to protect personal data.
Maintain Transparency: Provide accessible information regarding data processing practices in both English and Arabic.
Comply with Breach Notification Requirements: Report data breaches to CITRA within the stipulated time frame.
Uphold Data Subject Rights: Facilitate individuals' rights to access, rectify, erase, and restrict the processing of their personal data.