On August 27, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) published Rules on Appointing a Personal Data Protection Officer (the Rules), following public consultation. The Rules aim to set minimum requirements for appointing a data protection officer (DPO), clarify cases in which a controller must appoint a DPO, and determine the DPO's roles and tasks. Scope The Rules apply to all controllers covered by provisions of the Personal Data Protection Law (PDPL) and its Implementing Regulations. Definition of a DPO The Rules define a DPO as one or more natural persons appointed by the controller to be responsible for monitoring the implementation of the provisions of the PDPL a
News
Saudi Arabia: SDAIA publishes Rules for DPO appointment
August 28, 2024
Summary
The Saudi Data & Artificial Intelligence Authority (SDAIA) released the Rules for appointing a Data Protection Officer (DPO) on August 27, 2024, which outline the minimum requirements for DPO appointment, the circumstances necessitating a DPO, and their specific roles and responsibilities. The Rules, which follow a public consultation, apply to all controllers governed by the Personal Data Protection Law (PDPL) and its Implementing Regulations. A DPO is required for public entities processing large-scale personal data, controllers whose core activities include regular monitoring of data subjects, or those handling sensitive personal data. DPOs can be internal or external to the organization, must possess certain qualifications and experience, and their appointment and contact details must be documented and announced. DPOs are tasked with supporting personal data protection efforts, participating in training, reviewing data breach response plans, and preparing compliance reports.