ع
Use and Privacy Policy

​​​​Capital Market Authority

Capital Market Authority (CMA) oversees regulation and development of Capital Market, by issuing rules and regulations for implementing Capital Market Law provisions, aiming to create a conducive investment environment, boost market confidence, reinforce disclosure and transparency of all publicly listed companies, and protect securities investors and dealers from illegal activities in the market.  To affirm its commitment to protecting Personal Data it collects under legally granted powers and maintaining its confidentiality, CMA has developed this Privacy Policy to clarify aspects related to collection of such data, how it is stored and handled, and associated rights therewith it.
 
What Personal Data Is Collected?
CMA collects and processes the following personal data:

  • Basic Personal Data: Includes, for example, name, ID number, educational qualification, gender, and marital status.
  • Contact Data: Includes, for example, phone numbers, e-mail address, and national address.
  • Financial Data: Includes, for example, bank and investment account numbers.
  • Employment Data: Includes, for example, employment history.
  • Ownership Data: Includes, for example, data showing beneficiary ownership in private entities such as companies, funds, etc.

 

How Is Personal Data Collected? And What Is the Purpose of Collecting It?

Personal data is collected through various methods, including, for example:
  • Filling out CMA e-forms or paper forms and sending them.
  • Contacting CMA via phone, email, or social media.
  • Cookies, which are data collected automatically by browser when you visit CMA website or one of its affiliated platforms, such as: (Time of access to CMA website, and pages visited).
  • From entities subject to supervision of CMA or other government entities for legally-binding processing operations.

​The purposes of collecting personal data are to achieve a number of purposes, including, but are not limited to:
  • Compliance with laws and regulations governing the work of the CMA.
  • Enabling CMA to effectively provide its services.
  •  Managing complaints, inquiries, and requests received by CMA.
  • Achieving public interest objectives or fulfilling security or judicial requirements. 

How Is Personal Data Used?
Personal data collected directly or indirectly is used in a manner that achieves the purposes specified in this policy.

How Is Personal Data Disclosed?
CMA is committed to not sharing Personal Data with other entities, except in cases specified in Articles 15 and 29 of Personal Data Protection Law (PDPL).

Legal base for Collecting and Processing Personal Data
CMA collects and processes Personal Data based on one of the following legal bases:

  1. Collection and processing of data in accordance with the Capital Market Law and its implementing regulations, or other applicable laws in Kingdom of Saudi Arabia, or in execution of a prior agreement to which Personal Data Subject is a party.
  2. When processing serves actual interest of Data Subject, and contacting them is impossible or difficult to achieve.
  3. Collection and processing of data required for security purposes,  fulfil judicial requirements or security requirements, or achieving a public interest.
  4. Collection and processing of non-sensitive personal data to achieve legitimate interests of CMA without prejudice to rights of personal data subject or conflicting with their interests.
  5. Personal Data Subject consents is required for processing of their data for specific purposes.
 
How Is Personal Data Stored?
CMA retains personal data within Kingdom of Saudi Arabia in a secure and reliable environment, applying necessary security measures as outlined by National Cybersecurity Authority (NCA). CMA destroys data upon completion of its collection purpose or in accordance with paragraph (1) of Article 8 of Implementing Regulation of PDPL. Destruction shall be carried out securely to prevent any unauthorized access or retrieval.
CMA may retain personal data even after the purpose for collection has ended, as stated in Article 18 of PDPL.
 
Personal Data Subject Rights Regarding Personal Data Processing
Under PDPL, data subject has the following rights, which primarily depend on the purpose of collecting and processing personal data:
  • Right to Be Informed: Data Subject has the right to know the methods of collecting personal data, legal base for its collection, purpose and methods of collection and processing, storage, destruction, and entities to which personal data may be disclosed. Detailed information can be accessed through Privacy Policy or by contacting CMA using the contact details provided below.
  • Right to Access Personal Data: Data Subject has the right to request access to their personal data, by contacting the Officer in charge at CMA, and they will be provided with it within (30) thirty working days unless an extension of the period is required.
  • Right to Request Obtaining Personal Data: Data Subject may request a copy of their personal data held by CMA in a readable and clear format, if technically feasible and in accordance with provisions of PDPL and its implementing regulations through contacting Personal Data Protection Officer. Access shall be provided within thirty (30) working days, unless an extension of the period is required
  • Right to Request Personal Data Correction: Data Subject has the right to request correction of any inaccurate, incorrect, or incomplete personal data, through contacting Personal Data Protection Officer at CMA. Notification of correction shall be sent via e-mail within thirty (30) working days, unless an extension of the period is required.
  • Right to Request Personal Data Destruction:   Data Subject has the right to request destruction of their personal data in accordance with provisions of PDPL and its implementing regulations. Notification of destruction shall be sent via email within thirty (30) working days, unless an extension is required.
  • Right to Withdraw Consent to Processing Personal Data: Personal Data Subject has the right to withdraw their consent for processing of their Personal Data at any time, unless there are legal bases requiring otherwise.

Unless otherwise is stipulated by law, Data Subject shall not be charged any fees in return for exercising these rights.

Use of Cookies

Cookies can be used interchangeably to serve the user better.
A cookie is an element of data that an electronic service may send to a browser that may be stored on a user's computer. Cookies that are placed on a user's computer are intended to facilitate the browsing of websites only and do not serve any other functions.


Security Measures to Protect Information

Users must take all reasonable measures to protect their personal information from any loss or misuse. Examples include:

Immediately contacting the CMA if there was a suspicion that the username, password or other confidential information are being used by someone else. The CMA can be reached through email or contact center number:

800-245-111 or  00966112053000

Using a secured network to connect to the internet and CMA's website.

Using a secured browser when using the internet and closing all other sub-applications.

Making sure that the anti-virus program is up to date.

Complaint or Objection Filing Method?
If you have any concerns or believe we are not in compliance with PDPL, you may file a complaint to Personal Data Protection Officer at Data Management Office, as per contact data below:

CMA - Data Management Office - Personal Data Protection Officer 
Riyadh - Al-Muhammadiyah District
Tel., No.: 0112937649
Email: PDP@cma.org.sa​

If you are not satisfied with how we process your complaint, you can submit a complaint to Saudi Authority for Data and Artificial Intelligence (SDAIA) according to contact information below:

SDAIA

Kingdom of Saudi Arabia, Riyadh

Website: SDAIA (sdaia.gov.sa)

National Data Governance Platform (NDGP) (dgp.sdaia.gov.sa)


This Privacy Policy was last updated on 09/10/2024.