On 11 July 2023, the Saudi Data and AI Authority (SDAIA) unveiled the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation. The consultation period is open until 31 July 2023.
The Executive Regulation aims to clarify procedures and the implementation process of the provisions provided in the PDPL. The updated regulation is largely modelled on the GDPR, including significant improvements since the first draft was published for public consultation on 10 March 2022.
However, certain areas still require clarity. First, the procedure for appointing the Data Protection Officer (DPO) has yet to be issued. According to Article 34 of the regulation, the Competent Authority is still expected to issue these rules, including circumstances under which a data protection officer shall be appointed.
Secondly, the interrelation of this regulation with other existing laws in the Kingdom needs to be clarified, noting that the regulation shall not prejudice the provisions of the applicable laws in the Kingdom or the conventions to which the Kingdom is a party.
Furthermore, Article 33, which covers the Transfer or Disclosure of Data to Entities outside the Kingdom, does not provide further clarification on adequate jurisdictions. However, read in conjunction with the regulation for cross-border data transfer, the list of adequate jurisdictions is pending consultation with six other regulatory authorities in the Kingdom.
Finally, the Executive Regulation also introduces some new elements, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.
The Executive Regulation is the final step towards the implementation of the PDPL. As such, the private sector’s participation in the consultation is highly recommended to address remaining issues and unclarities. Businesses should already start preparing to comply with the PDPL and its Executive Regulation by documenting what personal data they hold, where it comes from, and with whom they share it. Businesses will also need to carefully consider whom to appoint as a Data Protection Officer.
If you are interested in learning more about the Executive Regulation of the Personal Data Protection Law, require support with submitting comments to the public consultation, or wish to engage SDAIA, please contact Nada Ihab at [email protected] or Anja Engen at [email protected].