When an organization (Controller) collects your personal data directly from you, it must provide key information to ensure transparency. This is often done through a privacy notice and includes: 

• Legal Basis and Purpose: The specific legal justification for collecting your data and a clear explanation of what it will be used for. The Controller must also state that your data will not be used for any other purpose unless permitted by law. 

• Collector’s Identity: The identity of the person or entity collecting the data and the contact address of their representative, unless the collection is for security purposes. 

• Data Recipients: The entities or categories of entities your personal data will be disclosed to. 

Yes, the Controller must inform you about these details at the time of collection. This is part of ensuring fair and transparent processing. You must be informed of: 

• Your Rights: A summary of your rights as a Data Subject under the law, such as the rights to access, correct, and request the destruction of your data. 

• International Transfers: Whether your data will be transferred, disclosed, or processed outside the Kingdom. This aligns with global data protection standards that require informing individuals about cross-border data flows.

You are not necessarily required to provide all the data an organization asks for. The Controller must clarify this for you by: 

• Distinguishing Data Types: Specifying which pieces of personal data are mandatory to provide and which are optional. For example, an online store might mark required fields like a shipping address with a star (*), making it clear that other fields are optional. 

• Explaining Consequences: Informing you of the potential consequences and risks if you choose not to provide the requested data. For example, failure to provide a required piece of information might prevent you from accessing a service or completing a transaction.