Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

On 11 July 2023, the Saudi Data and AI Authority (SDAIA) unveiled the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation. The consultation period is open until 31 July 2023.

The Executive Regulation aims to clarify procedures and the implementation process of the provisions provided in the PDPL. The updated regulation is largely modelled on the GDPR, including significant improvements since the first draft was published for public consultation on 10 March 2022.

However, certain areas still require clarity. First, the procedure for appointing the Data Protection Officer (DPO) has yet to be issued. According to Article 34 of the regulation, the Competent Authority is still expected to issue these rules, including circumstances under which a data protection officer shall be appointed.

Secondly, the interrelation of this regulation with other existing laws in the Kingdom needs to be clarified, noting that the regulation shall not prejudice the provisions of the applicable laws in the Kingdom or the conventions to which the Kingdom is a party.

Furthermore, Article 33, which covers the Transfer or Disclosure of Data to Entities outside the Kingdom, does not provide further clarification on adequate jurisdictions. However, read in conjunction with the regulation for cross-border data transfer, the list of adequate jurisdictions is pending consultation with six other regulatory authorities in the Kingdom.

Finally, the Executive Regulation also introduces some new elements, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.

The Executive Regulation is the final step towards the implementation of the PDPL. As such, the private sector’s participation in the consultation is highly recommended to address remaining issues and unclarities. Businesses should already start preparing to comply with the PDPL and its Executive Regulation by documenting what personal data they hold, where it comes from, and with whom they share it. Businesses will also need to carefully consider whom to appoint as a Data Protection Officer.

If you are interested in learning more about the Executive Regulation of the Personal Data Protection Law, require support with submitting comments to the public consultation, or wish to engage SDAIA, please contact Nada Ihab at [email protected] or Anja Engen at [email protected].

 

Related Articles

Access Alert: The intensifying battle between Musk and Ambani over India’s satellite broadband spectrum

Access Alert: The intensifying battle between Musk and Ambani over India’s satellite broadband spectrum

Space industry players should take note of the escalating competition in India’s satellite broadband market, as Elon Musk’s Starlink and...

25 Oct 2024 Opinion
2024 data reveals the urgent need for a village approach to child online safety

2024 data reveals the urgent need for a village approach to child online safety

Children are facing unprecedented online risks. Recent data shows that one in eight children globally (approximately 302 million) have fallen...

21 Oct 2024 Opinion
Access Alert: Mexico’s telecommunications and competition authorities set to be dissolved

Access Alert: Mexico’s telecommunications and competition authorities set to be dissolved

Overview On 13 October, Deputy Ricardo Monreal, leader of the ruling Morena party, announced that reforms to eliminate the Federal...

15 Oct 2024 Opinion
Cybersecurity skills in the EU: A new dawn?

Cybersecurity skills in the EU: A new dawn?

In September 2024, the Hungarian Presidency and the European Union Agency for Cybersecurity (ENISA) co-hosted the third annual edition of...

15 Oct 2024 Opinion