New SDAIA rules and guidelines published as KSA’s personal data protection framework is now enforceable


In the lead-up to the much anticipated enforcement date of 14 September 2024, the Saudi Data and AI Authority (SDAIA) has issued a series of new rules and guidelines to help businesses understand and prepare for their obligations under the Personal Data Protection Law and its Implementing Regulations. We consider the top five priority areas for any entity processing the personal data of residents in Saudi Arabia.

As at the date of this publication, SDAIA has issued the following new rules and guidelines to supplement the Saudi Personal Data Protection Law (PDPL) and the Implementing Regulations (including the amended Regulation on Personal Data Transfer outside the Kingdom):

Rules:

  1. Rules for Appointing Personal Data Protection Officer
  2. Rules Governing the National Register of Controllers Within the Kingdom
  3. Standard Contractual Clauses for Personal Data Transfer

Guidelines:

  1. Elaboration and Developing Privacy Policy Guideline
  2. Guide to the Saudi Personal Data Protection Law For Controllers and Processors
  3. Guidelines for Binding Common Rules (BCR) For Personal Data Transfer
  4. Minimum Personal Data Determination Guideline
  5. Personal Data Destruction Anonymization And Pseudonymisation Guideline
  6. Personal Data Disclosure Cases Guideline
  7. Personal Data Processing Activities Records Guideline
  8. Self-Assessment Guideline.

Regulation on Personal Data Transfer Outside the Kingdom

Article 2

Further to Article 29 of the PDPL, “other purposes” for transferring or disclosing personal data outside KSA will include:

  1. Performing necessary operations for central processing to enable the Controller to conduct its activities
  2. Providing a service or benefit to the subject of the personal data
  3. Conducting scientific research and studies

Article 3

SDAIA will publish on its website an official list of countries that provide an appropriate level of protection for data transfers or disclosures outside KSA. SDAIA may amend the list and may suspend transfers to certain jurisdictions at its discretion. Jurisdictions can include countries, cities, special economic zones and global trade centers.

Article 4

Controllers making transfers or disclosures outside KSA will be exempt from the obligations of Articles 29 (b) and (c) of the PDPL, which are to ensure the appropriate level of data protection in the destination country and only to transfer the minimum amount of personal data needed, if the Controller implements:

  1. Standard contractual clauses (see further below)
  2. Binding common rules
  3. Certificate of accreditation

These appropriate safeguards must also include protection of the rights of personal data subjects, including the right to file complaints and seek damages for violations of these rights.

Article 6

The exemption detailed in Article 4 above may be revoked where appropriate safeguards are not implemented or are deemed inadequate by SDAIA.

Article 7

Controllers must conduct a risk assessment before transferring or disclosing personal data outside KSA in the following cases:

  1. Transfers or disclosures outside KSA using the Article 4 exemption
  2. Transfers or disclosures outside KSA of sensitive data on a continuous or widespread basis

The risk assessment should include the following elements:

  1. Purpose and legal basis
  2. Description
  3. Assessment of the appropriate safeguards in place
  4. Assessment of the measures used to achieve the purpose
  5. The potential material or moral effects
  6. The mitigating measures to prevent potential risks

Rules Governing the National Register of Controllers within the Kingdom

Article 2

The following Controllers will be required to register on the National Data Governance Platform (Platform):

  1. Controllers who are public entities
  2. Controllers whose main activity is based on personal data processing
  3. Controllers who process sensitive data
  4. Individuals who process personal data for purposes exceeding personal or family use

Article 3

Each type of Controller should appoint Representatives in the following way:

  1. Public entity – through the registration form sent by SDAIA
  2. Private entity – through the Platform

Individuals are their own representatives and are not permitted to appoint other people.

Article 4

Article 6

Article 7

Where Article 2 above is triggered, a Representative must register on the Platform, while also assessing whether a DPO should be appointed under Article 32 of the Implementing Regulations.

If a DPO is appointed, the Representative must input the DPO’s information on the Platform, including the following details:

  1. If the DPO is an employee of the Controller or an external contractor – national ID, DOB, official contact information (phone/email)
  2. If the DPO is a contractor located outside KSA – first and last name, official email and contact number

The Representative may also appoint themselves as the DPO once appointed by the Controller.

Article 5

The Representative must input on the Platform the following profile data:

  1. Controller Entity Data – entity logo, official email and contact number, HQ address
  2. Representative Data –  official email and contact number

Individuals must complete all the required fields including official email and contact number.

Article 8

The Representative must, while using the Platform, fill in all the required information, review the results and update the Controller’s data regularly to ensure it remains up to date.

Article 9

If a Representative needs to be replaced, Controllers must communicate with SDAIA using the following means:

  1. For public Controllers – the official means of communication on the Platform
  2. For private Controllers – the form available on the Platform

Article 10

Article 11

Once registered, a Registration Certificate will be issued which will be valid for a maximum of five years. This Registration Certificate must be made available to the public.

When the Registration Certificate is due to expire, SDAIA will notify the Controller more than 30 days prior to expiration. Following expiration, the Controller may continue to use the Platform for a grace period of up to five more days; any further extension must be requested.

Article 12

The Platform offers the following services to protect data and safeguard data subject rights:

  1. Personal data breach notification service
  2. Privacy impact assessment service
  3. Legal support service
  4. Compliance Assessment service

Rules for Appointing a Personal Data Protection Officer

Article 4

Controllers must ensure that an appointed DPO has:

  1. Appropriate academic qualifications and experience in personal data protection
  2. Sufficient knowledge of risk management practices and how to handle data breach incidents
  3. Sufficient knowledge of the regulatory requirements and DPO obligations
  4. Honesty and integrity, and no record of conviction for any dishonest offence

The DPO may be an executive, employee, or an external contractor.

Article 5

Article 9

Controllers must appoint at least one DPO in any of the following cases:

  1. Controller is a public entity providing large scale personal data processing (‘large scale’ is assessed by SDAIA on number and categories of data subjects, volume of data, type of data, and geographical scope of processing)
  2. Controller’s core activities require regular and systematic monitoring of data subjects (‘regular and systematic monitoring’ is assessed by SDAIA on collection of personal data through tracking or other technologies, if monitoring occurs at specific intervals or periodically, and if monitoring is conducted through technological means or as part of a general plan for collecting data, e.g. collecting data through wearable fitness devices, using behavioural analytics for risk assessments, or using location tracking through cookies or surveillance cameras)
  3. Controller’s core activities involve processing sensitive personal data (‘core activities’ are assessed by SDAIA to include any provision of products or services that cannot be provided without processing personal data, e.g. insurance companies processing personal data to provide health insurance, finance companies processing credit data to offer financial products and services, and marketing companies processing personal data for marketing purposes). Note that activities which merely support the Controller’s core business, e.g. processing employee data by an internal HR department, do not constitute ‘core activities’

Controllers may also voluntarily appoint a DPO if desired, even if not obligated to do so as above.

Article 6

The DPO must be appointed in writing and the Controller must:

  1. If the DPO is an employee – document the appointment
  2. If the DPO is an external contractor – conclude an agreement with the external contractor

Once appointed, the DPO’s contact information must be promptly announced within the Controller.

Article 7

Controllers must provide clear and accessible means of communication with the DPO for all data subjects, and must provide SDAIA with all the DPO’s contact information via the Platform.

Article 8

An appointed DPO is responsible for:

  1. Providing support and advice regarding all aspects of personal data protection and developing internal data protection policies and procedures for the Controller
  2. Participating in awareness activities and training, and instructing Controller personnel regarding data protection regulatory compliance
  3. Contributing to reviewing plans for how to handle personal data breach incidents and ensuring plans are adequate and effective
  4. Preparing periodic reports regarding Controller’s processing of personal data and making appropriate compliance recommendations
  5. Staying up to date with regulatory developments to ensure compliance
  6. Providing support and advice to internal teams operating modern technological systems (e.g. IT) to ensure regulatory compliance

Article 9

Controllers, when concluding agreements with a Processor to process personal data on behalf of the Controller, must ensure that the Processor has an appointed DPO if required under Article 5 above. If no such DPO has been appointed, Controllers should request such appointment prior to concluding any such agreement.

Controllers should support and train an appointed DPO, and should not assign tasks that conflict with the DPO’s independence.

Elaboration and Developing Privacy Policy Guideline

Privacy Policy Key Elements

Controllers must ensure that their privacy policy contains the following:

  1. Entity name (in accordance with regulatory registers and trademarks) and activity, with a brief overview of activities and services
  2. Contact information of the Controller (must include phone number(s), website and postal address), and contact information of the DPO if one is required to be appointed
  3. Clarifications of the categories of personal data being collected (e.g. account data, payment data, third party data, cookies data, location data etc.), and whether this collection is mandatory or optional for processing purposes
  4. Division of collecting and processing data into (i) data to be collected directly from data subject and (ii) data to be collected indirectly. The purpose of collecting personal data must be explicitly stated, must only be collected with the consent of the data subject, and must be limited to the necessary minimum
  5. Presentation of the method of how personal data will be processed (e.g. data life cycle)
  6. Clarification of whether the personal data will be shared with other entities
  7. Clarification of the means of storage and geographical location of stored personal data, whether internal or external, the time period for retention and the methods used to destroy data upon expiration of retention period
  8. Clarification of data subject’s rights, including (i) the right to be informed (ii) the right to access held personal data (iii) the right to request access in a clear and readable format (iv) the right to request correction (v) the right to request destruction (vi) the right to withdraw consent at any time (vii) the right to file a complaint, and (viii) the right to claim compensation for material or moral damage caused by violations of the PDPL
  9. Provision of a mechanism for filing complaints and objections
  10. Providing access to the privacy policy in a clear, legible format and in a suitable language, and periodically reviewing it to keep it up to date

Minimum Personal Data Determination Guideline

Minimum Collection of Personal Data

Controllers and Processors collecting personal data should only collect the minimum amount strictly necessary for their purpose, by considering the following:

  1. Actual need to collect personal data
  2. Purpose of collection
  3. Method(s) of collection
  4. Content
  5. Destruction
  6. Retention

There is no definition of what constitutes ‘minimum’, but adherence to Article 11 of the PDPL is recommended.

Controllers are required to conduct regular assessments to determine what personal data they need to retain, including evaluating what data currently held could be destroyed.

This guidance also lists several examples for Controllers to use in assessing their compliance with the relevant regulations.

Conclusion

As Saudi Arabia’s Personal Data Protection Framework is now enforceable, we recommend that all entities processing the personal data of residents in KSA:

  • Perform a comprehensive review of their personal data handling practices
  • Update or create new internal privacy documents, as well as supplier- and customer-facing privacy documents, including, for example, compliance programs, privacy policies, privacy notices, intra-group transfer agreements, data processing agreements, records of processing activities etc.
  • Assess whether a DPO needs to be appointed, and if so, appoint the DPO now
  • Assess whether to register as a Controller, and if so, register now
  • Roll out new or refresher privacy and personal data handling training to all employees

Article co-authored by Rupert Nodder, Trainee Solicitor at CMS.