The Capital Market Authority (CMA) oversees regulation and development of Capital Market, by issuing rules and regulations for implementing Capital Market Law provisions, aiming to create a conducive investment environment, boost market confidence, reinforce disclosure and transparency of all listed companies, and protect investors and dealers from illegal activities in the market. To affirm its commitment to protecting Personal Data it collects under legally granted powers and maintaining its confidentiality, CMA has developed this Privacy Policy to clarify aspects related to the collection of such data, how it is stored and handled, and associated rights.
What Personal Data is Collected?
CMA collects and processes the following personal data:
Data Set | Data Collected | Obligation Type |
Basic Personal Data | Includes name, ID number, date of birth, gender, marital status, social insurance number, type of disability (if any), and civil status (deceased or alive). | Mandatory |
Contact Data | Includes email address, mobile number, and national address. | Mandatory |
Education Data | Includes name of educational institution, degree, specialization, and GPA. | Mandatory |
Employment Data | Includes professional certificates, previous employers, previous job titles, and employer establishment number in Social Insurance. | Optional |
Financial Data | Includes data collected for financial compensation, such as bank IBAN and bank name. | Mandatory |
How Is Personal Data Collected? What Is the Purpose of Collecting It?
CMA processes personal data that is collected directly or indirectly, depending on the service provided. Methods of collecting personal data include:
Direct Collection:
- When applying for services provided on CMA website.
- When communicating with CMA via phone, email, or social media accounts.
Indirect Collection:
- Cookie data, which is automatically collected by browser when visiting CMA website.
- Data from entities subject to CMA supervision or other government entities for legally-binding processing operations.
Personal data is collected and processed to achieve the following purposes:
- To comply with laws and regulations governing CMA work.
- To enable CMA to provide its services effectively.
- To address complaints, inquiries, and requests received by CMA.
- To achieve public interest objectives or fulfill security or judicial requirements.
If data is not obtained, CMA will be unable to carry out its role in accordance with regulations and laws governing its work.
Legal Basis for Collecting and Processing Personal Data
CMA collects and processes personal data based on one of the following legal bases:
- Collection and processing of data in accordance with Capital Market Law and its implementing regulations, or other applicable laws in the Kingdom of Saudi Arabia, or in implementation of a previous agreement to which the Data Subject is a party.
- When the Processing serves actual interests of the Data Subject, but communicating with the Data Subject is impossible or difficult.
- Collection and processing of data required for security purposes, fulfilling judicial or security requirements, or achieving a public interest.
- Collection and processing of non-sensitive personal data to achieve legitimate interests of CMA without prejudice to rights of personal data subject or conflicting with their interests.
- Personal Data Subject consent is required for processing of their data for specific purposes.
How is Personal Data Disclosed?
CMA may disclose personal data to:
- Government and non-government entities according to cases stated in Article (15) of Personal Data Protection Law (PDPL).
- Entities subject to CMA supervision to process complaints and inquiries.
CMA may transfer personal data outside the geographical borders of the Kingdom or disclose it to entities outside the Kingdom, when necessary, in accordance with Article (29) of PDPL and its Implementing Regulations.
How is Personal Data Stored?
CMA retains personal data within the Kingdom of Saudi Arabia in a secure and reliable environment, where the necessary security measures are applied as stated by the National Cybersecurity Authority (NCA). CMA destroys data when the purpose of its collection ends or in any of the cases mentioned in Paragraph (1) of Article (8) of the Implementing Regulations of PDPL. Digital data is destroyed using secure destruction techniques and methods.
CMA may retain personal data even after the purpose of its collection ends, in accordance with Article (18) of PDPL.
Personal Data Subject Rights Regarding Personal Data Processing
Data Subject shall have the following rights pursuant to this Law and as set out in the Regulations:
- The right to be informed about the legal basis and the purpose of the Collection of Personal Data and its processing, including methods of processing, storage, destruction, and disclosure. Comprehensive details are available in the privacy policy or by contacting the Authority using the information provided below.
- The right to access their personal data by contacting Personal Data Protection Officer at CMA. The requested data will be provided within thirty business days unless an extension is required.
- The right to request obtaining their Personal Data from CMA in a readable and clear format, whenever technically feasible. This request can be made by contacting the Personal Data Protection Officer at the Authority, and the data will be provided within thirty business days unless an extension is required.
- The right to request correcting their personal data if it is inaccurate, incorrect, or incomplete. This request can be made by contacting the Personal Data Protection Officer at the Authority. The data subject will be notified of the correction via email within thirty business days unless an extension is required.
- The right to request the destruction of their personal data, provided it does not conflict with the provisions of the Personal Data Protection Law and its Executive Regulations. The data subject will be notified of the erasure via email within thirty business days unless an extension is required.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Unless otherwise stipulated by law, Data Subject shall not be charged any fees in return for exercising this right.
Use of Cookies
Cookies may be used in electronic exchanges to enhance user experience. A cookie is a piece of data that an electronic service may send to the browser, which may be stored on the user's computer. The purpose of cookies placed on the user's computer is to facilitate browsing websites and does not serve any other functions.
Security Measures to Protect Information
Users must take all reasonable measures to protect their personal information from loss or misuse, including the following examples:
- Immediately contact CMA if it is suspected that someone has obtained their password, access code, or any other confidential information, via CMA email or contact center numbers:
- Use a secure network to access the internet and CMA website.
- Use a secure browser when using the internet and close unused applications on the network.
- Ensure that antivirus software is always up to date.
How to Submit a Complaint or Objection?
If you have any concerns or believe we are not in compliance with PDPL, you may file a complaint to Personal Data Protection Officer at Data Management Office using the contact details provided below:
Capital Market Authority - Data Management Office – Personal Data Protection Officer
Riyadh – Al-Muhammadiyah District
Phone No.: 0114906065
Email: PDP@cma.org.sa
If you are not satisfied with our handling of the complaint, you can submit a complaint to Saudi Data & AI Authority (SDAIA) using contact details below:
Saudi Data & AI Authority (SDAIA)
Kingdom of Saudi Arabia, Riyadh
Website: (sdaia.gov.sa)
National Data Governance Platform (NDGP): (dgp.sdaia.gov.sa)
Privacy Policy Last Updated on: 09/04/2025