Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030 that envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts have prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as; the framework issued by the Saudi Central Bank on IT governance, the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.Read the edition
The Dubai International Financial Centre (“DIFC”), has issued a new Data Protection Law DIFC Law No. 5 of 2020 (“DIFC DP Law”). This law applies in the jurisdiction of the DIFC only
In this article, we focus on the circumstances under which controllers (i.e. entities that control the processing of personal data) and processors (i.e. entities under the direction of a third party to process personal data) must appoint a Data Protection Officer (DPO).
A DPO is defined under the DIFC DP Law as an officer appointed by a controller, joint controller or processor to independently oversee relevant data protection operations in the manner set out under the DIFC DP Law. In practice, a DPO is an individual appointed by the entity whose job it is to oversee an entity’s compliance with the DIFC DP Law.
It is mandatory for a DPO to be appointed by:
Under Article 16(3), the DIFC Commissioner of Data Protection (“Commissioner”) may also require a controller or processor to designate a DPO.
Otherwise a controller, joint controller or processor may voluntarily designate a DPO under Article 16(1).
A ‘DIFC Body’ includes the Commissioner, DIFCA, DFSA, DIFC Courts, and any other person, body, office, registry or tribunal established under DIFC Laws or established upon approval of the President of the DIFC that is not revoked by the DIFC DP Law or any other DIFC Law.
A ‘High Risk Processing Activity’ is the processing of personal data where one or more of the following applies:
The Commissioner has published policy guidance to assist controllers and processors to determine whether any of their business activities fall within this definition.
A DPO must reside in the UAE unless he or she is an individual employed within the organisation’s group and performs a similar function for the group on an international basis. The role of a DPO may be performed by a member of a controller’s or processor’s staff, an
individual employed within a controller’s or processor’s group in accordance, or by a third party under a service contract. A group may appoint a single DPO provided that he or she is easily accessible from each entity in the group. A DPO may hold other roles or titles within a controller, processor or in a group, and may fulfil additional tasks and duties other than those described in the DIFC DP Law.
A DPO is the data subject’s and the Commissioner’s first point of call about any data protection related issues. It must have knowledge of the DIFC DP Law and its requirements and shall ensure a controller or processor monitors compliance with the DIFC DP Law.
A DPO must:
Where a controller is required (and has not elected) to appoint a DPO, the DPO shall undertake an assessment of the controller’s processing activities, at least once per year, which shall be submitted to the Commissioner, which should include information such as whether it intends to undertake high risk processing activities (such an assessment is referred to as a DPO Controller assessment)
A data protection impact assessment is an assessment of the impact of the proposed processing operations on the protection of personal data, considering the risks to the rights of the data subjects concerned.
A DPO, where appointed, shall be responsible for overseeing data protection impact assessments.
Prior to undertaking High Risk Processing Activities, a data protection impact assessment has to be carried out regarding on the impact of the proposed processing operations on the protection of personal data, considering the risks to the rights of the data subjects concerned.
A controller who has appointed a DPO must provide any data subject from whom it obtains personal data with the contact details of the DPO.
Failing to appoint a DPO where required under the DIFC DP Law could result in a fine of up to US$50,000.
The obligation to appoint a DPO is substantially similar under the EU General Data Protection Regulation (“GDPR”). However, there are a few additional aspects to designating a DPO under the DIFC DP Law, including:
The DIFC DP Law provides for entities processing personal data to appoint a DPO for overseeing that entity’s compliance with the DIFC DP Law. In some circumstances, a DPO is mandatory.
It is an important role which is given to an individual so that an entity is more effectively able to manage its obligations under the DIFC DP Law. Compliance with the DIFC DP Law and continuous monitoring is a key task of the DPO.
A DPO has to have sufficient expertise, independence and resources to effectively perform their statutory duties. The DPO should work with the Commissioner in a transparent and cooperative way.
Even if a controller or processor is not required to appoint a DPO under the DIFC DP Law, it must still clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations under the DIFC DP Law, or any other applicable data protection law, within its organisation and be able to provide details of the persons with such responsibility to the Commissioner upon request.