Kuwait Data Privacy Protection Regulation
Regulation 26/2024
What is the Kuwait Data Privacy Protection Regulation?
The Kuwait Data Privacy Protection Regulation (the Regulation), or Regulation No. 26 of 2024, is Kuwait’s latest data privacy regulation, published on February 18, 2024 in the Official Gazette by the Communication and Information Technology Regulatory Authority (CITRA) and effective as of February 19, 2024.
Kuwait’s Regulation repeals and replaces the previous data privacy law, Data Privacy Protection Regulation No. 42 of 2021, and provides a guide for the way data is managed and processed by telecommunications and information technology service providers, aiming “to align with applicable legal and regulatory frameworks and provide guidelines for the lawful, fair, and transparent processing of personal data” and to “protect the rights and freedoms of individuals with regard to the processing of their personal data.”
When compared to other data privacy laws around the world, Kuwait’s data privacy legislation shows no notable differences; one exception is that it does not, for example, specify the exact amounts of penalties.
How does the Kuwait Data Privacy Protection Regulation define Personal Information and what are other key definitions?
Under Kuwait's Regulation 26, ‘personal information’ is defined as any information related to an identified or identifiable person, and a ‘data subject’ is understood to mean the person to whom the personal information belongs.
There seems to be no definition for sensitive personal information or special categories of personal information; however, the law does define ‘consent’ as any freely given, specific, informed, and unambiguous indication of the data subject's wishes. This indication can be made by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to them.
A ‘data controller’ is the entity that determines the purposes and means of processing personal data, a ‘data processor’ is the entity that processes personal data on behalf of the data controller, and the action of ‘processing’ is any operation or set of operations performed on personal data, including collection, storage, use, and dissemination.
There is also no definition for the sale of personal data. Instead, the text of the law offers a definition for ‘recipient’ as a natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not, and for ‘third party’ as a natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or processor, are authorized to process personal data.
Who does the Kuwait Data Privacy Protection Regulation apply to?
Kuwait’s Regulation applies to all entities that process personal data within the jurisdiction of Kuwait, which includes:
- Businesses and organizations: Any entity that collects, uses, stores, or shares personal data of individuals within the jurisdiction.
- Data controllers and data processors: Entities that determine the purposes and means of processing personal data, as well as those that process personal data on behalf of data controllers.
- Cross-border data processing: Any processing of personal data that involves transferring data outside the jurisdiction must comply with this regulation, ensuring that the receiving country or international organization provides an adequate level of data protection.
Who does the Kuwait Data Privacy Protection Regulation exempt?
Kuwait’s Data Privacy Protection Regulation lists the following exemptions:
- The processing of personal data by an individual for purely personal or household activities.
- Activities related to law enforcement, national security, and public safety may be exempted where needed so as not to obstruct these activities.
- The processing of personal data for journalistic, artistic, or literary purposes may be exempt where this is necessary to reconcile the right to data protection with the freedom of expression and information.
- The processing of personal data for historical, statistical, or scientific research purposes may be exempted as long as the data is not used for making decisions about individuals.
The Kuwait Data Privacy Protection Regulation establishes a series of obligations for data controllers along with data protection principles which controllers have to respect. Controller obligations include the following:
- Accountability: Data controllers must be responsible for, and be able to demonstrate, compliance with all data protection principles. This includes implementing appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.
- Data Protection Impact Assessments: Data controllers are required to carry out an assessment of the impact of processing operations on the protection of personal data. This is particularly necessary when new technologies are used and when the processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Record Keeping: Data controllers must maintain comprehensive records of all processing activities. This includes the purposes of the processing, descriptions of the categories of data subjects and of the categories of personal data, and any recipients to whom the personal data have been or will be disclosed.
- Cooperation with Authorities: Data controllers must cooperate with the relevant data protection authorities. This includes making available records of processing activities to the authorities upon request.
- Data Protection by Design and by Default: Data controllers are required to implement appropriate technical and organizational measures, both at the time of the determination of the means for processing and at the time of the processing itself, to ensure data protection principles such as data minimization. This means that, by default, only personal data that are necessary for each specific purpose of the processing are processed.
- Data Security Measures: Data controllers must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Data Breach Notification: In the event of a personal data breach, the data controller must notify the relevant data protection authority without undue delay. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the personal data breach to the data subject without undue delay.
- Data Protection Officer: Data controllers must appoint a Data Protection Officer (DPO) if their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or if they process special categories of data or data relating to criminal convictions and offenses.
- Data Protection Principles: Data controllers have to observe the following principles:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, these principles.
What are the consumer rights under the Kuwait Data Privacy Protection Regulation?
Individuals have the following data subject rights under Kuwait’s privacy law:
- Right to Access
- Right to Rectification
- Right to Erasure ('Right to be Forgotten')
- Right to Restriction of Processing
- Right to Data Portability
- Right to Object to Data Processing
- Right to Not be Subject to Automated Individual Decision-Making, Including Profiling
How to respond to consumer requests under the Kuwait Data Privacy Protection Regulation?
Data controllers have to respond to data subjects' requests without undue delay and, in any event, within one month of receipt of the request. This can be extended by two additional months where necessary, taking into account the complexity and number of the requests, but the data controller has to inform the data subject of the extension within one month of receipt of the request, together with the reasons for this.
Before providing any information, data controllers have to verify the identity of the data subject making the request, to ensure that personal data is not disclosed to anyone who is not entitled to receive it.
Responses to data subjects' requests have to be provided free of charge; however, in cases where requests are manifestly unfounded or excessive, in particular because of their repetitive character, data controllers can either charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or refuse to act on the request.
If a data controller refuses to act on a data subject request, then they have to inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Kuwait Data Privacy Protection Regulation enforcement and penalties
The Kuwait Data Privacy Protection Regulation is enforced by the Communication and Information Technology Regulatory Authority (CITRA), which has the authority to investigate data processing activities, including accessing necessary personal data and information, and can issue warnings, enforce compliance, and impose temporary or permanent restrictions on processing activities for non-compliance.
Penalties for violations include administrative fines, which depend on the severity and duration of the infringement and can reach a percentage of the total worldwide annual turnover or a specific amount in local currency; the exact amounts and percentages, however, are not detailed in the law.
In addition to this, data subjects can seek judicial remedies against the authority's decisions and claim compensation for damages from data controllers or processors.
Data Subject Rights - GDPR vs. Kuwait Data Privacy Protection Regulation
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
KUWAIT DATA PRIVACY PROTECTION REGULATION
- Right to access
- Right to correct
- Right to delete
- Right to restrict processing
- Right to object to data processing
- Right to not be subject to automated individual decision-making, including profiling
- Right to data portability
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 50+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
You can see Clym in action by booking a demo, or reach out to us to discuss your specific needs today.
FAQs about the Kuwait Data Privacy Protection Regulation 26/2024
What does the Kuwait Data Privacy Protection Regulation apply to?
Kuwait’s Regulation applies to all entities that process personal data within the jurisdiction of Kuwait, which includes:
- Businesses and organizations: Any entity that collects, uses, stores, or shares personal data of individuals within the jurisdiction.
- Data controllers and data processors: Entities that determine the purposes and means of processing personal data, as well as those that process personal data on behalf of data controllers.
- Cross-border data processing: Any processing of personal data that involves transferring data outside the jurisdiction must comply with this regulation, ensuring that the receiving country or international organization provides an adequate level of data protection.
What is exempt under Kuwait's Data Privacy Protection Regulation?
Kuwait’s Data Privacy Protection Regulation lists the following exemptions:
- The processing of personal data by an individual for purely personal or household activities.
- Activities related to law enforcement, national security, and public safety may be exempted where needed so as not to obstruct these activities.
- The processing of personal data for journalistic, artistic, or literary purposes may be exempt where this is necessary to reconcile the right to data protection with the freedom of expression and information.
- The processing of personal data for historical, statistical, or scientific research purposes may be exempted as long as the data is not used for making decisions about individuals.
What data subject rights does the Kuwait Data Privacy Protection Regulation grant?
Individuals have the following data subject rights under Kuwait’s privacy law:
- Right to Access
- Right to Rectification
- Right to Erasure ('Right to be Forgotten')
- Right to Restriction of Processing
- Right to Data Portability
- Right to Object to Data Processing
- Right to Not be Subject to Automated Individual Decision-Making, Including Profiling
What are the penalties for non-compliance with Kuwait's Data Privacy Protection Regulation?
Penalties for violations of the Kuwait Data Privacy Protection Regulation include administrative fines, which depend on the severity and duration of the infringement and can reach a percentage of the total worldwide annual turnover or a specific amount in local currency; the exact amounts and percentages, however, are not detailed in the law.