Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

Access Alert: SDAIA unveils Executive Regulation of Personal Data Protection Law

On 11 July 2023, the Saudi Data and AI Authority (SDAIA) unveiled the Executive Regulation of the Personal Data Protection Law (PDPL) for public consultation. The consultation period is open until 31 July 2023.

The Executive Regulation aims to clarify procedures and the implementation process of the provisions provided in the PDPL. The updated regulation is largely modelled on the GDPR, including significant improvements since the first draft was published for public consultation on 10 March 2022.

However, certain areas still require clarity. First, the procedure for appointing the Data Protection Officer (DPO) has yet to be issued. According to Article 34 of the regulation, the Competent Authority is still expected to issue these rules, including circumstances under which a data protection officer shall be appointed.

Secondly, the interrelation of this regulation with other existing laws in the Kingdom needs to be clarified, noting that the regulation shall not prejudice the provisions of the applicable laws in the Kingdom or the conventions to which the Kingdom is a party.

Furthermore, Article 33, which covers the Transfer or Disclosure of Data to Entities outside the Kingdom, does not provide further clarification on adequate jurisdictions. However, read in conjunction with the regulation for cross-border data transfer, the list of adequate jurisdictions is pending consultation with six other regulatory authorities in the Kingdom.

Finally, the Executive Regulation also introduces some new elements, including a reference to a Legal Guardian, the definition of “Actual Interest”, and a National Register of Controllers. According to Article 37, the Competent Authority will also set the rules for licensing entities to issue accreditation certificates for Controllers and Processors.

The Executive Regulation is the final step towards the implementation of the PDPL. As such, the private sector’s participation in the consultation is highly recommended to address remaining issues and unclarities. Businesses should already start preparing to comply with the PDPL and its Executive Regulation by documenting what personal data they hold, where it comes from, and with whom they share it. Businesses will also need to carefully consider whom to appoint as a Data Protection Officer.

If you are interested in learning more about the Executive Regulation of the Personal Data Protection Law, require support with submitting comments to the public consultation, or wish to engage SDAIA, please contact Nada Ihab at [email protected] or Anja Engen at [email protected].

 

Related Articles

Access Alert: European Commission announces three-pillar approach to connectivity policy

Access Alert: European Commission announces three-pillar approach to connectivity policy

On 21 February, the European Commission presented its widely anticipated white paper on ‘How to master Europe’s digital infrastructure needs?’,...

21 Feb 2024 Opinion
Tech Policy Trends 2024: The evolution of GDPR

Tech Policy Trends 2024: The evolution of GDPR

With a major review scheduled for 2024, the EU will use the months ahead to reflect on where the GDPR...

21 Feb 2024 Opinion
Access Alert: Portugal imposes fines for non-compliance with type-approval requirements

Access Alert: Portugal imposes fines for non-compliance with type-approval requirements

Type approval (also known as homologation or certification) ensures product quality, safety, and interoperability, assuring consumers, businesses, and regulatory authorities...

20 Feb 2024 Opinion
Securing the final frontier: British perspectives on commercial defence in space

Securing the final frontier: British perspectives on commercial defence in space

In a statement on 15 January, the United Kingdom’s Secretary of Defence, Grant Shapps, declared that “The era of the...

19 Feb 2024 Opinion