Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

On 11 July 2023, the Saudi Data and AI Authority (SDAIA) unveiled the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation. The consultation period is open until 31 July 2023.

The Executive Regulation aims to clarify the procedures and implementation process for the provisions of the PDPL. The updated regulation is largely modelled on the GDPR and includes significant improvements over the first draft, which was published for public consultation on 10 March 2022.

However, certain areas still require clarity. First, the procedure for appointing the Data Protection Officer (DPO) has yet to be issued. According to Article 34 of the regulation, the Competent Authority is still expected to issue these rules, including the circumstances under which a data protection officer shall be appointed.

Secondly, the interrelation of this regulation with other existing laws in the Kingdom needs to be clarified, noting that the regulation shall not prejudice the provisions of the applicable laws in the Kingdom or the conventions to which the Kingdom is a party.

Furthermore, Article 33, which covers the Transfer or Disclosure of Data to Entities outside the Kingdom, does not provide further clarification on adequate jurisdictions. However, read in conjunction with the regulation for cross-border data transfer, the list of adequate jurisdictions is pending consultation with six other regulatory authorities in the Kingdom.

Finally, the Executive Regulation also introduces some new elements, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.

The Executive Regulation is the final step towards the implementation of the PDPL. As such, the private sector’s participation in the consultation is highly recommended to address remaining issues and ambiguities. Businesses should already start preparing to comply with the PDPL and its Executive Regulation by documenting what personal data they hold, where it comes from, and with whom they share it. Businesses will also need to carefully consider whom to appoint as a Data Protection Officer.

If you are interested in learning more about the Executive Regulation of the Personal Data Protection Law, require support with submitting comments to the public consultation, or wish to engage SDAIA, please contact Nada Ihab at [email protected] or Anja Engen at [email protected].

 
