The Saudi Data & Artificial Intelligence Authority, the entity currently acting as the data protection authority in Saudi Arabia, has recently indicated that it is now accepting registration from private sector data controllers that need to register with it pursuant to the Personal Data Protection Law and its Regulations. This is a significant development as, until recently, only public sector entities had been invited to register. Private sector entities (and individuals) that might be subject to the obligation to register with SDAIA should scrutinise the requirements more closely and – if necessary – take steps to comply.
The Personal Data Protection Law applies to the processing of personal data related to individuals that takes place within the Kingdom, and to the processing of personal data related to individuals residing in the Kingdom by any party outside the Kingdom. SDAIA, as the ‘Competent Authority’ under the PDPL, is tasked with maintaining a National Register of data controllers in order to monitor compliance, and with issuing the associated rules relating to such registration. A National Register platform has been developed, and the Rules Governing the National Register of Controllers within the Kingdom, published in August 2024, has been prepared with this in mind.
The threshold for application of the registration requirement to private sector data controllers seems very low. Along with private sector entities whose main activity is based on personal data processing, private sector entities that process sensitive personal data are required to register. This would seem to cast a fairly broad net, as there is some likelihood that many entities will process sensitive personal data in one way or another. (In contrast, in so far as sensitive personal data is concerned, the requirement to appoint a Data Protection Officer applies to entities whose ‘core’ activities involve processing sensitive personal data.)
In order to register, a data controller must appoint a ‘representative’. This role is not the same as that of a data protection officer, although the role of the representative could be filled by the DPO if the entity is otherwise required to appoint a DPO.
When registering, it is necessary for the representative to provide profile information about the data controller and the representative and – if applicable – about the DPO. Besides this, the implications of registering as a controller on the National Register platform would seem to be limited to the representative committing to viewing the results of the compliance assessment and (if a DPO has not been appointed) to using the services provided via the platform.
The services available on the platform include a ‘compliance assessment service’, as well as a tool for undertaking privacy impact assessments and a mechanism by which data breach notifications can be submitted. (The platform also offers, for public sector entities, a legal support service on the application of the PDPL and its Regulations.)
In terms of the compliance assessment service in particular, this is described as involving periodic evaluation of compliance […] to monitor the level of commitment and ensure the effectiveness of actions taken to implement laws, regulations, and policies. Our expectation is that when utilising this service – which may well be a ‘threshold’ to registration – a controller will be able to rely on its own records of processing activities to provide the requisite information.
The requirement for private sector entities to register on the National Data platform does not seem particularly onerous, and controllers are rewarded with a certificate of registration.
Given the extra-territorial application of the PDPL, and as noted in the introduction to the Rules Governing the National Register of Controllers within the Kingdom, separate registration rules for controllers located outside the Kingdom will be issued by SDAIA in due course. Watch this space.
For any further information on Saudi Arabia’s Personal Data Protection Law please contact Nick O’Connell or Charlie Christie.