Credit data is classified as sensitive personal data, which requires stronger safeguards than regular personal information. Specifically: 

• Controllers must obtain explicit consent from you before collecting, using, processing, or sharing your credit data  

• They must notify you whenever your credit data is requested or shared with another entity empowering you with visibility over disclosures. 

• Additional Technical and Organizational Measures (TOMs) mandated by Saudi financial regulators (such as the Saudi Central Bank) must be followed to ensure confidentiality, integrity, and availability of credit data. 

Absolutely. Your explicit consent is paramount: 

• No Controller may process or share your credit data without a clear, informed consent from you. 

• You must be notified whenever someone else requests your credit data. This notification allows you to approve, question, or object to that disclosure in real time.

Yes. Credit data falls under sensitive personal data, triggering enhanced protection: 

• Explicit, specific consent is mandatory before any processing activities begin. 

• Controllers must adopt sector-specific safeguards such as: 

• Access controls limiting data visibility to only authorized personnel 

• Detailed activity logs and audit trails 

• Secure technical infrastructure aligned with banking regulations. 

• Regulators like the Saudi Central Bank or financial authorities may issue additional requirements for secure handling, notification protocols, and regular compliance audits.