The Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) has issued five (5) additional draft decisions for consultation (“Draft Decision(s)”), pursuant to certain articles in the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”) stipulating the issuance of executive regulations. The Authority is currently accepting feedback on the Draft Decisions. Whilst no official deadline has yet been set for submissions, it is anticipated that the Authority will continue accepting feedback until the end of July. Feedback can be sent to the following e-mail address: email@example.com.
We have set out below some important highlights of the Draft Decisions.
This Draft Decision relates to the critical compliance step under the PDPL of notifying the Authority regarding processing activities.
Article 14 of the PDPL stipulates that, subject to certain exemptions, data controllers must notify the Authority prior to any processing activities, and update the Authority regarding any changes to the register within thirty (30) days from such change.
The Draft Decision clarifies that both existing and new processing activities shall require prior authorisation from the Authority. The Decision sets out, amongst other things, the information data controllers shall include when submitting the above-mentioned notification, the form of the notification, and the timeline during which the Authority shall respond to such notification request.
With reference to the PDPL, it is prohibited to transfer personal data outside the Kingdom subject to certain exemptions or an authorisation from the Authority; the latter includes where the transfer is “to a country or jurisdiction…on a list compiled and updated by the Authority…”. This Draft Decision lists 42 states, countries and territories which are deemed to have adequate legislative protections for personal data – i.e. it will be permissible to transfer personal data to these countries without the Authority’s prior approval.
A few significant differences exist between Bahrain’s ‘whitelist’ and that of the EU and even the financial free zones of the ADGM and DIFC in the UAE. Whilst it includes almost all EU countries, in addition to (inter alia) Israel, Japan, New Zealand and Switzerland, the Authority does not currently include the UK as offering adequate protection of personal data. However, in contrast with the DIFC, ADGM and EU, it proposes to grant adequacy status to the USA.
The Draft Decision details general obligations that all data controllers should abide by when processing sensitive personal data. This includes adopting internal policies and guidelines for protecting sensitive personal data (as mandated by the PDPL and/or instructed by the Authority), and maintaining appropriate records of the data processed whilst clearly setting out (inter alia) the purpose of the processing.
Data controllers shall ensure that their appointed data processors comply with all regulations applicable to sensitive personal data.
The PDPL requires that data controllers maintain a register of the processing operations that the Data Manager must notify the Authority about in accordance with Article 14 of the law.
It is not completely clear that this is the “register” the Draft Decision refers to. The Draft Decision defines the “register” referred to in the PDPL as any register, whether in paper or electronic form, which contains the personal data of an identifiable individual and is accessible to the general public.
The Draft Decision also sets out the obligations of data controllers upon the creation of the register – these mainly entail ensuring accuracy of the data and providing the relevant data subjects with information concerning the register, such as the purpose of creating the register, the data to be published in the register and the means of publication.
As per this Draft Decision, data controllers shall establish procedures for receiving data subjects’ complaints and make the procedures known to the data subjects.
The Decision further sets out the circumstances under which data subjects may file complaints against data controllers with the Authority as well as the information to be submitted with the complaint.
As a leading law firm in the Middle East & North Africa Region and with a reputable and dedicated Digital & Data practice, Al Tamimi & Company is well placed to assist you with preparing your submissions to the Authority and/or assessing the probable impact of the PDPL on your organisation.
If you would like to further discuss the contents of this update, please contact Al Tamimi & Company in Bahrain.