When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of the following upon Collection:

1. The legal basis for collecting their Personal Data.
   
   
2. The purpose of the Collection, and shall specify the Personal Data whose Collection is mandatory and the Personal Data whose Collection is optional. The Data Subject shall be informed that the Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose or in cases other than those stated in Article (10) of this Law.
   
   
3. Unless the Collection is for security purposes, the identity of the person collecting the Personal Data and the address of its representative, if necessary.
   
   
4. The entities to which the Personal Data will be disclosed, the capacity of such entities, and whether the Personal Data will be transferred, disclosed or processed outside the Kingdom.
   
   
5. The potential consequences and risks that may result from not collecting the Personal Data.
   
   
6. The rights of the Data Subject pursuant to Article (4) herein.
   
   
7. Such other elements as set out in the Regulations based on the nature of the activity done by the Controller.