
Kuwait Data Privacy Protection Regulation (DPPR)


Kuwait didn’t have any data protection law until the Communication and Information Technology Regulatory Authority (CITRA) introduced the Data Privacy Protection Regulation (DPPR). The DPPR imposes regulatory obligations on Communications and Information Technology Service Providers and on entities that collect and process the personal data of a natural person through various means, such as websites, applications, etc.

Let’s look at the most important obligations provided under Kuwait’s DPPR.

Who Needs to Comply with the Law

a. Material Scope

The law applies to the personal data of a natural or legal person who is identified, or can be identified, through identifiers such as name or financial, health, identity, religious, or racial information. It further includes information that can be used to identify a natural or legal person’s geolocation, genetic fingerprints, or personal tracking systems, or a combination of other data that allows physical or online contact with the person, who is referred to as the data owner.

b. Territorial Scope

As far as the territorial scope of Kuwait’s Data Privacy Protection Regulation (DPPR) is concerned, the law applies to all public and private sector service providers that collect, store, and use personal data, whether the processing takes place inside or outside Kuwait. The processing may be automated or carried out by any other means as part of a data storage system.

However, the provisions of this regulation do not apply to the following entities:

  • Natural persons who collect and process personal and family data;
  • Security authorities who conduct crime prevention, investigation, discovery, prosecution of perpetrators, enforcement of criminal penalties, and prevention of threats related to public security.

Obligations for Organizations Under DPPR

Similar to other laws, DPPR has defined a particular set of obligations for service providers and personal data owners. Let’s take a closer look at some of the important DPPR obligations.

a. General Data Processing Requirements

Under DPPR, service providers shall comply with the following data processing guidelines:

  • Provide clear and easily accessible information about their data processing practices;
  • Clarify, before providing services, why the collection of user data is necessary to provide the service and how the collected data will be used;
  • Provide all information and service conditions, as well as the request processes for changing or deleting data, in easy and accessible terms in both English and Arabic before providing services;
  • Process data in a way that ensures personal data is protected against unauthorized or illegal processing activities;
  • Provide information on the duration of personal data storage as well as location;
  • Inform the user if the service provider intends to process data for purposes other than those for which the personal data was collected.

Moreover, data processing is only legitimate if one or more of the following conditions are true:

  • Consent of the data owner is available;
  • Data processing is necessary to protect the natural or legal person’s data;
  • It is necessary to comply with a legal obligation to which the service provider is subject;
  • The purposes pursued by the service provider do not require identifying the data owner.

Also, DPPR states that a service provider will not be held civilly, administratively, or criminally liable if a violation of a third party’s intellectual property rights occurs through the upload, processing, or storage of any information. However, this exemption does not apply if the service provider becomes aware of the violation and takes no appropriate action. Such service providers should notify CITRA or any other competent entity without delay of any violation under the Electronic Crimes Law and other laws of Kuwait. They can also refer complaints from third parties about violating content to the relevant state authorities. Also, if such a violation occurs, the service provider can remove or restrict access to the violating content.

b. Consent Requirements

DPPR has a comprehensive, clear, and strict set of obligations regarding obtaining the consent of data owners. Service providers must obtain the consent of the user (the data owner) to collect and process their personal data before providing the service to the user. More importantly, the data owner must consent to all the conditions and obligations that apply to the collection and processing of personal data.

Concerning the collection and processing of the personal data of minors (less than 18 years), service providers must obtain the explicit consent of the minor’s guardian. The law further obligates service providers to make “acceptable efforts” and use “available technologies” to verify the age of the minor and requires CITRA to have a mechanism in place to obtain the consent of their guardian.

DPPR further enables data owners to withdraw their consent at any time. However, such withdrawal does not affect the legality of any processing of the personal data carried out before the consent was withdrawn. The service provider should also facilitate the withdrawal of consent from the start of the process. Also, the DPPR enables data owners to request that service providers erase all their processed data from their systems and logs upon a consent withdrawal request.

Service providers must also obtain the consent of the data owner before disclosing their data to any third parties for any marketing purposes unrelated to the services requested by the user.

c. Privacy Notification / Privacy Policy Requirements

Like most other data privacy and protection regulations around the globe, Kuwait’s Data Privacy Protection Regulation also obligates service providers to establish and provide accessible privacy policies and privacy notices on their websites, sign-up forms, or at any point of sale.

Each service provider must create and maintain a written privacy policy that outlines details regarding the service provider’s processes and procedures associated with the collection, usage, and disclosure of personal information of data owners in a clear and accurate manner. This should be posted on the service provider’s website and should be provided to the users when they subscribe to their services. They should also specify their identity and location, including information on how a user may contact them.

The privacy notice provided by the service provider must also inform the data owner of the circumstances in which the service provider may share personal information with any third party. It should also inform data owners about their rights to provide consent, withdraw consent, and cancel any end-user personal information processing. Moreover, it should provide an option for users to opt out of any emails, text messages, or marketing-related phone calls. Service providers must notify data owners before making any fundamental changes to the privacy policy.

d. Data Breach Requirements

In the event of a breach, service providers are required to notify CITRA within 72 hours of discovering the incident. The notification should include:

  • The nature of the breach, its extent, the affected data owners, and the security levels that have been breached;
  • The name of, and the mechanism for communicating with, the data protection officer;
  • The possible consequences of the breach and the measures taken or proposed by the service provider to address it.

DPPR requires service providers to notify data owners as well if the breach is associated with the personal data of a data owner. However, service providers may not need to notify data owners of the breach if they have taken appropriate technical and regulatory measures against the breach.

e. Security Requirements

Kuwait’s DPPR requires service providers to implement appropriate security measures against the loss, disclosure, or breach of personal data, and against any unauthorized access by a third party. The measures taken to protect personal data should be appropriate to the sensitivity of the personal information, taking into account the potential risks and impact on the rights and freedoms of legal persons, such that:

  • CITRA determines the mechanism and standards of encryption according to the level of data specified in the Data Classification Policy issued by CITRA;
  • The confidentiality, integrity, availability, and flexibility of processing systems and services are maintained continuously;
  • Availability of, and timely access to, personal data is restored in the event of force majeure;
  • The effectiveness of technical and regulatory measures is tested and evaluated to ensure processing security.

DPPR further obligates service providers to protect data against unauthorized disclosure, accidental loss, and illegal destruction and to comply with the guidelines or directives provided by the CITRA about risk management and disaster recovery.

f. Records of Processing Activity (RoPA)

Similar to the European Union’s General Data Protection Regulation (GDPR), Kuwait’s DPPR also requires service providers to maintain a record of processing activities for review by CITRA upon request. The records should contain the following details:

  • Name and contact details of the service provider.
  • Name and contact details of the data protection officer.
  • Name and contact details of the service provider’s representative, if the service is being offered from outside the State of Kuwait.
  • Data processing purpose.
  • Personal data category as well as data owner category.
  • Technical and regulatory security measures.
  • Transfers of personal data out of Kuwait, where applicable, identifying the destination country.
  • A general description of the technical and regulatory security measures used.

Moreover, the service providers should make records available for viewing by CITRA upon request and train their processing staff in line with data protection policies.

g. Cross-border Data Transfer Requirements

DPPR requires service providers to notify data owners of their intention to transfer the data owners’ personal data outside Kuwait, and to follow the measures recommended by CITRA when doing so.

Data Classification

A legal person who wishes to contract with any service provider has to classify his data for information security purposes by adhering to the data classification policy adopted by CITRA or any set of international best practices.

Data Subject/Data Owner Rights

Data protection regulations are established not only to secure data against cyber breaches, internal abuse, or other security threats. Another purpose of these regulations is to empower users by giving them clear and exclusive rights to control the transparency of their personal data. The service provider should also establish a mechanism for users to request access to, correction, deletion, or restriction of their personal data, or to request its transfer. The following are some of the data owner rights that Kuwaitis can exercise:

Right to Access

The data owner is entitled to exercise his right to access details regarding his personal data processed by the service provider.

Right to Rectification

The data owner has the right to request the service provider to change or rectify the data or delete it.

Right to Erasure/Destroy/Anonymize

The data owner has the right to request that the service provider delete the personal data upon a consent withdrawal request or if the personal data is no longer required to use the services provided by the service provider.

Regulatory Authority

The Communication and Information Technology Regulatory Authority (CITRA) is the primary authority to enforce penalties and fines in the event of a proven violation, as stipulated under Law 37 of 2014.

How Organizations Can Operationalize DPPR

Kuwait’s Data Privacy Protection Regulation (DPPR) is not as comprehensive as the EU’s GDPR, PIPL, or LGPD. However, it is clear and succinct enough to deliver personal data transparency to data owners. That being said, organizations must develop a sound strategy to operationalize DPPR in line with their business. Here are a few steps you can take to get started:

  • Have a clear and easy-to-understand privacy policy that discusses how data owners can exercise their rights, data collection and processing purpose, etc.
  • Have strict measures in place to ensure data security, protection against data leakage, etc.
  • Have an automated system to handle users’ data requests in an efficient and effective manner.
  • Streamline the data breach management system to notify CITRA and the affected data owners in the event of a breach.
  • Train personnel engaged in the collection, handling, or use of personal information on security and privacy policies.

How Securiti Can Help

Worldwide practices for accessing, protecting, and sharing data are evolving rapidly, requiring businesses to become more privacy-conscious in their data handling processes and to adopt automation to safeguard customers' data, operationalize compliance, and avoid falling behind in the migration process.

Standalone tools aren’t enough to combat digital threats and enable companies to comply with evolving global data privacy regulations as they offer elementary data-driven functionalities. With the power of Artificial Intelligence and Machine Learning, organizations can enhance their performance capabilities.

Securiti’s PrivacyOps platform is a cutting-edge revolutionary tool that is simple, intelligent, and an end-to-end automation solution for businesses. Securiti can assist you in remaining compliant with Kuwait's DPPR as well as other privacy and security standards around the world. Request a demo right now.
