The Data Protection Authority (currently the Ministry of Justice, Islamic Affairs and Waqf) (“Authority”) has issued five (5) additional draft decisions for consultation (“Draft Decision(s)”), pursuant to certain articles in the Personal Data Protection Law (Law No. 30 of 2018) (“PDPL”) stipulating the issuance of executive regulations. The Authority is currently accepting feedback on the Draft Decisions. Whilst no official deadline has yet been set for submissions, it is anticipated that the Authority will continue accepting feedback until the end of July. Feedback can be sent to the following e-mail address: firstname.lastname@example.org.
We have set out below some important highlights of the Draft Decisions.
This Draft Decision relates to the critical compliance step under the PDPL of notifying the Authority regarding processing activities.
Article 14 of the PDPL stipulates that, subject to certain exemptions, data controllers must notify the Authority prior to any processing activities, and update the Authority regarding any changes to the register within thirty (30) days from such change.
The Draft Decision clarifies that both existing and new processing activities shall require prior authorisation from the Authority. The Decision sets out, amongst other things, the information data controllers shall include when submitting the above-mentioned notification, the form of the notification, and the timeline during which the Authority shall respond to such notification request.
With reference to the PDPL, it is prohibited to transfer personal data outside the Kingdom subject to certain exemptions or an authorisation from the Authority; the latter includes where the transfer is “to a country or jurisdiction…on a list compiled and updated by the Authority…”. This Draft Decision lists 42 states, countries and territories which are deemed to have adequate legislative protections for personal data – i.e. it will be permissible to transfer personal data to these countries without the Authority’s prior approval.
A few significant differences exist between Bahrain’s ‘whitelist’ and that of the EU and even the financial free zones of the ADGM and DIFC in the UAE. Whilst it includes almost all EU countries, in addition to (inter alia) Israel, Japan, New Zealand and Switzerland, the Authority does not currently include the UK as offering adequate protection of personal data. However, in contrast with the DIFC, ADGM and EU, it proposes to grant adequacy status to the USA.
The Draft Decision details general obligations that all data controllers should abide by when processing sensitive personal data. This includes adopting internal policies and guidelines for protecting sensitive personal data (as mandated by the PDPL and/or instructed by the Authority), and maintaining appropriate records of the data processed whilst clearly setting out (inter alia) the purpose of the processing.
Data Controllers shall ensure that their appointed data processors comply with all regulations applicable to sensitive personal data.
The PDPL requires that data controllers maintain a register of the processing operations that the Data Manager must notify the Authority about in accordance with Article 14 of the law.
It is not completely clear that this is the “register” the Draft Decision refers to. The Draft Decision defines the “register” referred to in the PDPL as any register, whether in paper or electronic form, containing the personal data of an identifiable individual, and is accessible to the general public.
The Draft Decision also sets out the obligations of data controllers upon the creation of the register. These mainly entail ensuring the accuracy of the data and providing the relevant data subjects with information concerning the register, such as the purpose of creating the register, the data to be published in the register and the means of publication.
As per this Draft Decision, data controllers shall establish procedures for receiving data subjects’ complaints and make the procedures known to the data subjects.
The Decision further sets out the circumstances under which data subjects may file complaints against data controllers with the Authority as well as the information to be submitted with the complaint.
As a leading law firm in the Middle East & North Africa Region and with a reputable and dedicated Digital & Data practice, Al Tamimi & Company is well placed to assist you with preparing your submissions to the Authority and/or assess the probable impact of the PDPL on your organisation.
If you would like to further discuss the contents of this update, please contact Al Tamimi & Company in Bahrain.