Published: Jul 24, 2024

The Rules Governing the National Register of Controllers Within the Kingdom

The Saudi Data and AI Authority has recently published the Rules governing the National Register of Controllers within the Kingdom of Saudi Arabia (“Kingdom”) pursuant to Article 34 of the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443 AH, as amended by Royal Decree No. (M/148) dated 5/9/1444 AH.

The Rules define essential terms such as who the competent authority is, whilst explicitly mentioning the need for Controllers in the Kingdom to register on the National Data Governance Platform. This requirement applies to public entities, entities primarily processing personal data, those handling sensitive data, and individuals processing data beyond personal or family use. Controllers are obligated to appoint representatives for registration using the form provided within the Rules, with procedures differing for public and private entities versus individuals who act as their own representatives.

Article 4 mandates the representatives to complete procedures on the Platform if the above-mentioned conditions[1] are met, including the need to appoint a Personal Data Protection Officer in accordance with Article 32 of the executive regulations of the Personal Data Protection Law. Controllers are responsible for ensuring all required data fields are accurately filled out, covering controller entity details, representative information, and, if applicable, details of the appointed Data Protection Officer (“DPO”), who may be an employee of the Controller, an external contractor or a contractor located outside the Kingdom. Furthermore, controllers may designate themselves as the DPO whilst emphasizing compliance with Article 4’s mandate to complete all registration procedures on the Platform.

A registration certificate is issued upon successful completion of the registration process, containing entity- or individual-specific information (registration serial number, entity logo, contact details, and a validity period of up to 5 years). Before the certificate expires, the Competent Authority will notify Controllers of the impending expiration at least thirty days in advance, upon which they may submit a renewal request, ensuring continued compliance with data protection regulations. The Competent Authority will allow the public to verify registration details, enhancing transparency and trust in data protection practices.

The Rules mention the various e-services provided on the Platform aimed at safeguarding data integrity and protecting individuals’ rights. These services include notification of personal data breaches, conducting privacy impact assessments, legal support services, and compliance assessment services in line with data protection laws and regulations.

The Competent Authority can update or amend the rules as needed, enforcing them upon publication to ensure Kingdom-wide data protection compliance.

Look out for our more detailed analysis in our next Law Update edition.

[1] Conditions refer to the applicability of the Rules in the following instances:

  1. Controller being a public entity.
  2. Controller’s main activity is based on personal data processing.
  3. Controller processes sensitive data.
  4. Individual processes personal data for purposes exceeding personal or family use.

Key Contacts

David Yates

Partner, Head of Digital & Data

d.yates@tamimi.com