The Rules Governing the National Register of Controllers Within the Kingdom
Law Update: Issue 370 - From Africa to Asia: Legal Narratives of Change and Continuity
David Yates, Partner, Head of Digital & Data
The Saudi Data and AI Authority (“SDAIA”) has recently published the Rules Governing the National Register of Controllers within the Kingdom of Saudi Arabia (“Kingdom”) pursuant to Article 34 of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH, as amended by Royal Decree No. (M/148) dated 5/9/1444 AH.
These Rules aim to establish a national register of public and private Controllers, and of individuals, that process personal data within the Kingdom, and to monitor and oversee Controllers in support of their adherence to the Law and its regulations by offering personal data protection services through registration on the National Data Governance Platform (the “Platform”).
The Rules apply to Controllers[1] that fall within the scope of application of the Personal Data Protection Law. Such Controllers are required to register on the Platform if they fall within any of the following categories:
Controller is a public entity.
Controller’s main activity is based on personal data processing.
Controller processes sensitive data.
Controller is an individual who processes personal data for purposes beyond personal or family use.
[1] Any public entity, individual, or private legal entity that determines the purposes and methods of processing personal data, whether the Controller processes the data itself or through a processor.
The Competent Authority referred to in the Rules is SDAIA, which may amend or update the Rules whenever necessary.
The Rules outline the procedures for appointing representatives of Controllers according to the type of entity. Public entities are required to appoint a representative using the registration form provided by the Competent Authority. For private entities, the appointment of a representative must be completed via the Platform by an authorized individual within the organization. Individuals who are Controllers act as their own representatives and are not permitted to designate others for this role.
Registration: The appointed representative is responsible for completing the registration process on the Platform once the conditions set out in the scope are met. The representative must also assess whether there is a requirement to appoint a Personal Data Protection Officer (“DPO”) as specified in Article 32 of the Executive Regulations of the Personal Data Protection Law. Individuals acting as Controllers must likewise complete the registration process on the Platform if the conditions set out in the scope are met.
Maintenance of Profile Data: The Controller’s representative must complete all mandatory fields on the Platform, providing details of the Controller such as the entity’s logo, official email address, contact number and headquarters. The representative must also provide their own information, such as their official email address and contact number, and, where applicable, details of the appointed DPO.
Use of Platform Services and Regular Updating of Information: The representative is expected to make use of the Platform services and to keep the registered information up to date.
Controllers are required to appoint individuals responsible for safeguarding personal data in accordance with the specified conditions under Article 32 of the Executive Regulations of the Personal Data Protection Law. Upon appointment of a DPO, the Controller’s representative is obligated to fill in the Personal Data Protection Officer’s information on the Platform.
If the DPO is an employee of the Controller or an external contractor, information such as their National ID or residency ID number and date of birth (for verification purposes) and their official contact information must be collected. For a DPO located outside the Kingdom, information such as their full name, official email address and contact number must be collected. Alternatively, the representative may appoint themselves as the DPO if authorized to do so by the Controller.
Upon completion of the registration process, a registration certificate will be issued containing information such as the registration serial number, the entity’s or individual’s logo, name, email address and contact number, and the date of issue and expiry date. The registration certificate is valid for up to 5 years. The Competent Authority shall notify the Controller of the impending expiry of its registration certificate no less than 30 days before the expiry date, and a grace period of 5 days is allowed for access to the Platform services.
The Competent Authority will allow the public to verify the registration of Controllers in the National Register, enhancing transparency and trust in data protection practices.
The Platform provides a variety of e-services aimed at safeguarding personal data and protecting individuals’ rights from unlawful infringement. These services include:
Personal Data Breach Notification: Enables Controllers to report any breach to the Competent Authority within 72 hours of becoming aware of it, as required by Article 24 of the Executive Regulations of the Personal Data Protection Law. Notification is required when a breach threatens personal data or data subjects, or conflicts with their rights or interests.
Privacy Impact Assessment Service: Assesses how personal data processing affects products or services. It helps define the scope and objectives of the processing and its regulatory justification, and evaluates the associated risks.
Legal Support Service: Assists public entities in understanding, applying and interpreting provisions of Personal Data Protection Law and its regulations.
Compliance Assessment Service: Conducts periodic evaluations to monitor adherence to standards and requirements, identifying and addressing incorrect practices and thereby enhancing overall business procedures and practices.
For further information, please contact David Yates.
Published in September 2024