Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

On 11 July 2023, the Saudi Data and AI Authority (SDAIA) unveiled the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation. The consultation period is open until 31 July 2023.

The Executive Regulation aims to clarify procedures and the implementation process of the provisions provided in the PDPL. The updated regulation is largely modelled on the GDPR, including significant improvements since the first draft was published for public consultation on 10 March 2022.

However, certain areas still require clarity. First, the procedure for appointing the Data Protection Officer (DPO) has yet to be issued. According to Article 34 of the regulation, the Competent Authority is still expected to issue these rules, including circumstances under which a data protection officer shall be appointed.

Secondly, the interrelation of this regulation with other existing laws in the Kingdom needs to be clarified, noting that the regulation shall not prejudice the provisions of the applicable laws in the Kingdom or the conventions to which the Kingdom is a party.

Furthermore, Article 33, which covers the Transfer or Disclosure of Data to Entities outside the Kingdom, does not provide further clarification on adequate jurisdictions. However, read in conjunction with the regulation for cross-border data transfer, the list of adequate jurisdictions is pending consultation with six other regulatory authorities in the Kingdom.

Finally, the Executive Regulation also introduces some new elements, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.

The Executive Regulation is the final step towards the implementation of the PDPL. As such, the private sector’s participation in the consultation is highly recommended to address remaining issues and unclarities. Businesses should already start preparing to comply with the PDPL and its Executive Regulation by documenting what personal data they hold, where it comes from, and with whom they share it. Businesses will also need to carefully consider whom to appoint as a Data Protection Officer.

If you are interested in learning more about the Executive Regulation of the Personal Data Protection Law, require support with submitting comments to the public consultation, or wish to engage SDAIA, please contact Nada Ihab at nada.ihab@accesspartnership.com or Anja Engen at anja.engen@accesspartnership.com.

 

Related Articles

Access Alert: Colombia opens consultation on updates to the satellite licensing regime

Access Alert: Colombia opens consultation on updates to the satellite licensing regime

On 3 February 2022, the Ministry of Information and Communications Technologies (ICT Ministry) issued Resolution 0376, establishing a new regime...

4 Oct 2023 Opinion
Access Alert: The growing role of HAPS and the need for regulatory clarity

Access Alert: The growing role of HAPS and the need for regulatory clarity

In July 2023, the UK Secretary of State for Science, Innovation and Technology, Chloe Smith, announced GBP 20 million in...

4 Oct 2023 Opinion
TPX23: Keynote Speech by Gregory Francis

TPX23: Keynote Speech by Gregory Francis

In his keynote address at TPX23, Access Partnership’s CEO, Gregory Francis, outlined the organisation’s mission to enhance global access to...

3 Oct 2023 Opinion
The Key Policy Frameworks Governing AI in India

The Key Policy Frameworks Governing AI in India

India is in the process of formulating and implementing policy frameworks to govern various aspects of AI regulation. While comprehensive...

2 Oct 2023 AI policy Lab opinion