DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 31 December 2024

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Yes, under the PDPL, a controller (not a processor) is required to appoint a DPO in certain circumstances.

If yes, under what circumstances?

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 31 December 2024

Yes. The PDPL, its Implementing Regulations and the ‘Rules for Appointing Personal Data Protection Officer’ published by the SDAIA provide a number of minimum requirements that have to be met for the appointment of the DPO.

If yes, what are these requirements?

☒ legal qualifications / experience

☒ other

  • Sufficient knowledge of risk management practices, including the management and handling of personal data breach incidents.
  • Sufficient knowledge of regulatory requirements for personal data protection and other relevant regulatory requirements for performing DPO tasks.
  • Honesty and integrity, and not having been convicted of any offence involving dishonesty or breach of trust.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 31 December 2024

Yes, there is an obligation for controllers to register with SDAIA via the National Data Governance Platform in any of the following instances:

  • if the controller is a public entity;
  • if the controller’s main activity is based on personal data processing;
  • if the controller processes sensitive data; or
  • if an individual processes personal data for purposes exceeding personal or family use.

For the time being, this requirement applies only to controllers based in Saudi Arabia. Separate registration rules for controllers located outside Saudi Arabia are anticipated to be issued at a later date.