10 Sep 2024
In August 2024, the Saudi Data & AI Authority (SDAIA) released "The Rules Governing the National Register of Controllers within the Kingdom" under Article 34 of the Implementing Regulation of Saudi Arabia’s Data Protection Law. These Rules are designed to inform and monitor Controllers within Saudi Arabia regarding their obligation to register on the National Data Governance Platform. Separate registration rules for Controllers based outside of Saudi Arabia will be issued later.
Saudi Arabia’s New Data Protection Law (KSA PDPL)
The Personal Data Protection Law (PDPL) came into effect on September 14, 2023, marking a significant step in regulating the use of personal data in Saudi Arabia. Entities must comply with the PDPL and its Implementing Regulation by September 14, 2024.
Territorial and Material Scope of KSA PDPL
The Law applies to personal data processed in the Kingdom of Saudi Arabia (KSA) and to processing carried out outside the KSA where the personal data relates to individuals residing in Saudi Arabia. As a result, organizations with a presence in Saudi Arabia need to consider the Law's application not only to their Saudi Arabia-based entities but also to any foreign group entities involved in processing the personal data of Saudi Arabian residents.
The Law excludes from its scope the processing of personal data for personal or family use. As per the Implementing Regulation, processing for personal or family use means processing carried out by an individual within their family or limited social circle, as part of a social or family activity.
Penalties for Non-Compliance
Non-compliance with the KSA PDPL can result in fines of up to SAR 5,000,000, and for repeated violations the court may double the penalty. Unlawful disclosure or publication of sensitive data may additionally be punished with imprisonment where the violation is committed with the intent to harm the data subject or to obtain a personal benefit.
About the SDAIA
The Saudi Data & AI Authority (SDAIA) oversees the implementation of the PDPL. It is the national authority for data and AI matters in Saudi Arabia, including big data management. SDAIA acts as the main reference for organizing, developing, and regulating data, AI operations, research, and innovation.
Registration Obligations for Controllers
The Rules specify that the following categories of Controllers must register on the National Data Governance Platform:
- Public entities.
- Controllers whose main activities involve processing personal data.
- Controllers who process sensitive data.
- Individuals who process personal data beyond personal or family use.
National Register for Controllers
The registration process applies to public and private entities, as well as individuals. A Controller must appoint a representative to manage the registration on the Platform and obtain a registration Certificate, which is valid for up to five years. SDAIA makes the Certificate publicly available.
The Controller's appointed representative is also responsible for determining whether a Personal Data Protection Officer (DPO) must be designated, as set out in Article 32 of the Implementing Regulation.
Personal Data Protection Officer (DPO)
A DPO must be appointed in the following scenarios:
- Public Entities: If a public entity processes personal data on a large scale.
- Regular and Systematic Monitoring: If the Controller engages in regular and systematic monitoring of data subjects.
- Sensitive Personal Data: If the Controller processes sensitive personal data as part of its core activities.
The SDAIA has clarified the minimum requirements for appointing a DPO, including the specific circumstances under which a DPO must be designated and the responsibilities they will carry out.
The DPO may be an internal employee, an executive, or an external contractor, either based in Saudi Arabia or abroad. The representative appointed for National Register purposes may also serve as the DPO.
Organizations must assess whether they are required by law to appoint a DPO, or whether doing so voluntarily would be in their best interest. In either case, the decision and its reasoning must be documented by the Controller or processor.
Services Offered on the National Data Governance Platform
The Platform provides several e-services aimed at strengthening data protection and safeguarding individuals' rights. The representative registered on the Platform is obliged to use these services, which include:
- Personal Data Breach Notification Service: Enables Controllers to notify the Competent Authority of a personal data breach within 72 hours of becoming aware of the incident.
- Privacy Impact Assessment Service: Supports assessment of the privacy impact of products and services that process personal data.
- Legal Support Service: Offers guidance to public entities on PDPL compliance.
- Compliance Assessment Service: Periodically evaluates compliance to verify the effectiveness of data protection measures.
How Privacy Minders Can Help
In an era where technology increasingly permeates everyday life, protecting personal data has become essential. Privacy Minders is well-equipped to assist your organization in addressing KSA PDPL requirements, drawing on years of experience in data protection.
Our team can assess your organization's obligations under the Law and recommend the actions needed to meet regulatory requirements. In addition, following SDAIA's recent rules on appointing a Personal Data Protection Officer, we can help you determine whether a DPO is required and guide you through the appointment process.
Privacy Minders also offers DPO services to organizations, providing expert management of this critical role and supporting your efforts to comply with PDPL obligations.