Last review date: 31 December 2024

Yes

The PDPL establishes the concept of Data Protection Guardians, which are parties accredited by and registered with the PDPA that must be appointed by controllers in certain circumstances. These may be internal (employed) or external (third party) persons meeting specific criteria set out in Executive Order No. 46 of 2022 and enrolled on the register per Executive Order No. 47 of 2022.

Last review date: 31 December 2024

Yes

If yes, under what circumstances?

The PDPA may determine specific categories of controller that are required to appoint external or internal data guardians from time to time.

Last review date: 31 December 2024

Yes

Last review date: 31 December 2024

Yes

In addition to a general notification requirement, the following operations require the prior written authorization of the PDPA:

• automatic processing of sensitive personal data;
• automatic processing of biometric data necessary for the verification of an individual’s identity;
• automatic processing of genetic data , unless carried out by physicians, or a specialist within a licensed medical establishment, and is necessary for preventative medicine, medical diagnosis or the administration of health care or treatment;
• automatic processing involving linkage between personal data files, of two or more data controllers, processed for different purposes; and
• processing that is done by means of visual recording, and used for surveillance purposes.

Executive Order No. 44 of 2022 provides further guidance on the rules and procedures for submitting the  various notifications and authorization requests to the PDPA as required by the PDPL.