Your Rights Under Kuwait's CITRA Resolution 26/2024 PDP (2026 Legal Guide) — Rules & Requirements

Source: CITRA Resolution 26 of 2024 — Personal Data Protection Regulation; CITRA.

About this article

Sourced from Kuwaiti national legislation, Amiri decrees, and ministerial decisions. Written in plain language for general understanding — this is educational content, not legal advice.

What is this right?

Kuwait's first dedicated data-protection law is CITRA Resolution 26 of 2024, effective 19 February 2024. Service providers had a 1-year grace period from publication to come into compliance. The Regulation applies to CITRA-licensed service providers — banks, telecom operators, e-commerce platforms, healthcare providers, and government entities processing personal data.

Key data-subject rights: access, correction, deletion, and restriction of processing. Consent is required and must be explicit; for minors under 18 it must come from a legal guardian. Breach notification: providers must notify CITRA within 24 hours of becoming aware of a breach.

When does it apply?

  • A CITRA-licensed service provider holds your personal data and refuses to disclose, correct, or delete it.
  • You withdraw consent but processing continues.
  • A data breach is not notified to you / CITRA within 24 hours.
  • A bank, telecom operator, healthcare provider, or government agency discloses your data without a lawful basis.

Using Your Rights Under CITRA Resolution 26/2024

  1. Start with a written request to the service provider. Cite CITRA Resolution 26/2024 and the right exercised.
  2. If refused, file with CITRA.
  3. For banking data, file a parallel CBK Consumer Protection complaint.
  4. For criminal-side disclosure, file with the MOI Cyber Crimes Department.

What should you NOT do?

  • Don't skip the provider's internal channel.
  • Don't disclose more identification data than necessary.
  • Don't pay 'data removal services' upfront.

Common Questions

Is CITRA Resolution 26/2024 in force?

Yes — effective 19 February 2024. Service providers had a 1-year grace period to come into compliance (full operational enforcement from approximately February 2025).

What service providers are covered?

CITRA-licensed service providers — banks, telecom operators, e-commerce platforms, healthcare providers, government entities, and other organisations collecting or processing personal data.

What is the breach-notification timeline?

Service providers must notify CITRA of a personal-data breach within 24 hours of becoming aware of it.

Are there fines for non-compliance?

The Resolution provides for administrative fines, with the specifics determined by the severity and duration of the infringement. Exact fine ranges should be verified against the gazetted text and any subsequent CITRA implementing decisions.
