In a significant move, the Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) has published Data Protection Regulation No. 26/2024, replacing the previous regulation, No. 42/2021. With a focus on safeguarding personal data collected by telcos and IT service providers, the regulation emphasises transparency, informed consent, and purpose limitation for data collection and processing. It will impact all CITRA-licensed service providers, irrespective of data processing locations. Notably, service providers must promptly notify CITRA of any data breaches and implement stringent security measures.

Key Features & Obligations

  1. Transparency: Service providers are mandated to communicate terms in clear language (English and Arabic) and inform users about data modification or deletion request processes.
  2. Informed Consent: Explicit user consent is required before data collection, with full disclosure of conditions and obligations.
  3. Purpose Limitation: A clear explanation of the purpose of data collection is required, emphasising the necessity for service provision.
  4. Data Breach Notification: There is an obligation to report data breaches to CITRA within 24 hours, with specific protocols to minimise consequences.
  5. Security Measures: Service providers must ensure appropriate security measures, encryption, and adherence to their respective data classification policies.
  6. Retention Limitation: Personal data must be deleted after contract termination, with exceptions for security, judicial rulings, and financial claims.