Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030, which envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts has prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as the framework issued by the Saudi Central Bank on IT governance and the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.
As of July 2020, the Dubai International Financial Centre, a financial services free zone in the Emirate of Dubai, has a new data protection law, the Data Protection Law 2020 (the ‘DIFC Data Protection Law’). One key topic relevant to data controllers and data processors subject to the DIFC Data Protection Law is the question of whether or not it is compulsory to appoint a Data Protection Officer (‘DPO’). A DPO is someone appointed by a data controller or data processor to independently oversee certain data protection operations. In this article, we consider this point, and provide further information on related issues, including who can fulfil the DPO role, and the obligations incumbent on a DPO.
There is a requirement to appoint a DPO in certain circumstances. Certain DIFC Bodies (such as the DIFC Authority, the Dubai Financial Services Authority, and, with a limited exception, the DIFC Courts) are required to appoint a DPO. Data controllers and data processors that are performing certain ‘high risk’ personal data processing activities must also appoint a DPO. There may be circumstances where the Commissioner of Data Protection requires a data controller or data processor that does not fall into either of these categories to appoint a DPO. (If a data controller or data processor is subject to the statutory requirement to appoint a DPO, it must submit an annual assessment of its data processing activities to the Commissioner of Data Protection, in the form prescribed by the Commissioner.)
The type of ‘high risk’ personal data processing activities that trigger the requirement to appoint a DPO include:
Data controllers and data processors subject to the DIFC Data Protection Law should first consider whether they fall within any of the types of entities that must, by their nature, appoint a DPO. Otherwise, they should assess their personal data processing activities to determine whether they fall into the ‘high risk’ category that necessitates the appointment of a DPO. Based on guidance issued by the Commissioner of Data Protection, it can be concluded that the threshold for ‘high risk’ personal data processing is not high; there is some likelihood that many data controllers and data processors operating in the DIFC will need to appoint a DPO.
Even if a statutory requirement to appoint a DPO does not apply, a data controller or data processor subject to the DIFC Data Protection Law still needs to clearly allocate responsibility for data protection compliance within its organisation. It is also permissible for a data controller or data processor to appoint a DPO in circumstances where it is not strictly required to do so.
A DPO could be someone employed within a data controller or data processor, someone employed within the corporate group of the data controller or data processor (where the DPO role is managed centrally across a corporate group), or a third-party service provider.
An individual acting as DPO to a corporate group can be based outside the UAE; otherwise, a DPO needs to be resident in the UAE. (To the extent that a DPO could be a corporate third-party service provider, it is our understanding that such a service provider would need to be an entity licensed to operate in the UAE.)
A DPO needs to be familiar with the requirements of the DIFC Data Protection Law and to ensure that the data controller or data processor complies with those requirements. A DPO needs to be able to act independently and under his or her own authority, and to have sufficient resources to discharge the duties of a DPO effectively, objectively and independently. A DPO needs to have timely and unrestricted access to information within the data controller or data processor in order to perform those duties, and to have direct access to senior management. A DPO can perform other roles within a data controller or data processor; for many organisations it would not be uncommon for the DPO role to be filled by a legal or compliance specialist, or an HR specialist, depending on the size and nature of the organisation.
Importantly, a DPO needs to be able to fulfil a variety of specific tasks set out in the DIFC Data Protection Law. These include:
Data controllers and data processors that are subject to the DIFC Data Protection Law need to determine whether or not they are subject to the statutory requirement to appoint a DPO. If a DPO is required, the DPO needs to have the competencies and status necessary to discharge his or her duties, as contemplated in the DIFC Data Protection Law. One of the first responsibilities of the DPO will be to ensure that the annual assessment is submitted to the Commissioner of Data Protection as a matter of priority.