2.6 Data Protection
No: BCT/15631 | Date(g): 2/5/2012 | Date(h): 11/6/1433 | Status: In-Force |
Banks must ensure that card and account holder's confidentiality is maintained at all times and comply with the requirements of:
a) "Rules Governing Anti-Money Laundering & Combating Terrorist Financing", Section 4.10: "Record Keeping & Retention" and
b) "Rules Governing the Opening of Bank Accounts & General Operational Guidelines in Saudi Arabia", Part 2 "Supervisory Rules & Controls" Section 4: "Updating Account Data".
In addition, the following requirements apply:
2.6.1 Contracting entity (an individual or a juristic person or government entity) data collection
The issuer is responsible for ensuring that the primary cardholder’s data is collected and processed, irrespective of other parties being involved in providing the service (refer to 1.2.1).
2.6.2 Contracting entity (an individual or a juristic person or government entity) data storage
The issuer shall ensure that the contracting entity's (an individual or an organisation) personal data, whether in electronic format or paper-based, collected during the contracting entity's recruitment as well as from the transactional activity of the payment device, is stored in secured facilities within the Kingdom of Saudi Arabia (see "Rules on Outsourcing" issued by SAMA).
The data storage facilities and the data transmission processes are considered secured if the issuer has taken the necessary technical and organisational measures to comply with the Payment Card Industry (PCI) standards as defined, to protect the data against:
a) Accidental loss;
b) Alteration, unauthorised disclosure or access;
c) All other forms of unlawful processing.
2.6.3 Third party use of contracting entity (an individual or a juristic person or government entity) and/or primary cardholder data
Prior consent of the primary cardholder is needed when the issuer or a third party wishes to use the primary cardholder’s personal data for services additional to the purpose for which it has been collected (e.g., for e-marketing purposes), except when:
a) The issuer or the third party is required to do so in order to comply with a legal obligation (e.g., responsibility to comply with regulations relating to money laundering); or
b) The data is non-attributable and its use is defined in the contract to which the primary cardholder is party (note: primary cardholders can provide such consent as part of the application process).