Saudi Data Protection Law


Personal Data Protection Law

(PDPL)

Eng. Suhaib Aljbour


Green Circle for Cyber Security
Riyadh, Saudi Arabia

Reviewed by: Mohammad Alkhudari


Green Circle CEO
September-2024
Table of Contents
Chapter 1: Introduction to PDPL ..........................................................................................2
Chapter 2: Scope and Application of PDPL .....................................................................................5
Chapter 3: Principles of Data Protection Under PDPL ....................................................................8
Chapter 4: Rights of Data Subjects. ...............................................................................................11
Chapter 5: Obligations of Data Controllers and Processors ...........................................................12
Chapter 6: Cross-Border Data Transfers ........................................................................................18
Chapter 7: Data Breach Notification and Response .......................................................................21
Chapter 8: Data Subject Rights ......................................................................................................25
Chapter 9: Data Controllers and Data Processors ..........................................................................29
Chapter 10: Data Security and Breach Notification .......................................................................33
Chapter 11: Responsibilities of the Data Protection Officer (DPO)...............................................37
Chapter 12: Required Documentation for Compliance with PDPL ...............................................41

Chapter 1: Introduction to PDPL

1.1 What is PDPL?

The Personal Data Protection Law (PDPL) is a legal framework designed to regulate the collection, processing, storage, and sharing of personal data within the Kingdom of Saudi Arabia (KSA). Its primary goal is to protect the privacy of individuals by ensuring that personal data is handled responsibly and securely. Introduced by the Saudi Data and Artificial Intelligence Authority (SDAIA), PDPL aims to align the country with international best practices in data protection, while also respecting cultural and legal differences specific to KSA.

The PDPL addresses the rights of individuals (data subjects) concerning their personal information and imposes obligations on entities that process this data. Its implementation is crucial for businesses and public organizations operating in Saudi Arabia, ensuring they adhere to the law's requirements and avoid penalties for non-compliance.

1.2 The Importance of Data Protection

In today's digital age, data has become one of the most valuable resources. Personal data, in particular, is highly sensitive and requires stringent protection to avoid misuse, theft, or unauthorized access. The rise of digital services, cloud computing, and cross-border data flows has made it imperative for countries to establish robust data protection regulations to safeguard citizens' privacy.

For individuals, the protection of personal data ensures control over who accesses and uses their personal information, whether for marketing, financial, or other purposes. For organizations, compliance with data protection laws like PDPL not only prevents legal repercussions but also enhances trust between the entity and its customers or stakeholders.

Failure to protect personal data can result in severe consequences such as identity theft, financial loss, and reputational damage. The PDPL provides a structured legal framework that encourages transparency and accountability in how personal data is handled, thereby ensuring better privacy practices.

1.3 Global Influence on PDPL

The development of Saudi Arabia’s PDPL has been influenced by global data protection laws, particularly the European Union’s General Data Protection Regulation (GDPR). While PDPL is tailored to Saudi Arabia’s legal and cultural context, many of its core principles reflect those seen in GDPR and other international regulations.

PDPL embraces fundamental principles such as data minimization, purpose limitation, and the requirement to ensure a lawful basis for processing personal data. By following international best practices, PDPL enables Saudi organizations to engage in international business while ensuring compliance with both local and global data protection standards.

Moreover, PDPL is part of Saudi Arabia’s broader Vision 2030 initiative, which aims to position the Kingdom as a leading global hub for digital innovation, with data privacy as a critical component of its success.

1.4 Overview of Key Definitions and Terms

Understanding PDPL requires familiarity with several key terms that are integral to the law:

Personal Data: Any information relating to an identified or identifiable natural person. This includes names, addresses, identification numbers, online identifiers, and more.

Data Subject: The individual to whom the personal data relates. Under PDPL, data subjects have rights regarding how their personal data is processed and handled.

Data Controller: An entity (individual, company, or organization) that determines the purpose and means of processing personal data.

Data Processor: Any individual or organization that processes personal data on behalf of the data controller. This includes handling, storing, or analysing the data but without determining its purpose.

Processing: Any operation performed on personal data, such as collecting, storing, using, or disclosing it.

Data Protection Officer (DPO): A designated person responsible for overseeing data protection strategies and ensuring compliance with the PDPL within an organization.

Consent: The explicit, informed, and voluntary agreement by a data subject to the processing of their personal data for specific purposes.

Breach Notification: The requirement for data controllers and processors to notify authorities and affected individuals in case of a data breach.

Table 1: Key Definitions and Terms.

Chapter 2: Scope and Application of PDPL

2.1 Who Does PDPL Apply To?

The Personal Data Protection Law (PDPL) applies to any entity, whether public or private, that collects, processes, or stores personal data of individuals (data subjects) within the Kingdom of Saudi Arabia. This includes:

• Organizations and Businesses Operating in KSA: Any business or public authority that processes personal data within Saudi Arabia must comply with PDPL. This applies to both local and foreign companies that operate in the Kingdom or provide services that involve handling personal data of Saudi residents.

• Data Controllers and Processors: The law applies to both data controllers, who determine the purpose and means of processing personal data, and data processors, who act on behalf of data controllers in handling personal data.

• Cross-border Operations: Even if a company is based outside of Saudi Arabia but processes personal data of Saudi residents, it must comply with the provisions of PDPL, particularly when it comes to international data transfers.

• Individuals: In some cases, individuals who process personal data in a business or professional capacity may also fall under the scope of the PDPL, particularly if they handle large volumes of personal information.

The PDPL seeks to cover all instances where personal data is processed, regardless of the entity’s location, ensuring that Saudi residents’ privacy is protected whether their data is handled locally or internationally.

2.2 Key Entities: Data Controllers and Processors

A fundamental part of the PDPL is the distinction between two key roles: data controllers and data processors. Each plays a different role in the processing of personal data and bears specific responsibilities under the law.

• Data Controller: A data controller is the person or organization that determines the purposes and means of processing personal data. They are ultimately responsible for ensuring that the processing of data complies with the PDPL. Their duties include:

o obtaining the proper consent from data subjects.

o ensuring the accuracy of data.

o implementing security measures to protect personal data.

• Data Processor: A data processor acts on behalf of the data controller and processes personal data according to the controller’s instructions. Although the processor does not determine the purposes or means of the processing, they are still obligated to ensure that personal data is handled securely and in compliance with the PDPL.

Both data controllers and processors are expected to work together to ensure the security and protection of personal data. In cases of data breaches, both parties may have obligations to notify authorities and affected individuals.

2.3 Jurisdictional Reach of PDPL

PDPL has broad jurisdictional reach, extending its applicability beyond the borders of Saudi Arabia. The law applies to:

• Entities within Saudi Arabia: Any organization or individual that processes personal data within the Kingdom must adhere to PDPL, regardless of where the data subjects reside.

• Entities outside Saudi Arabia: Organizations located outside the Kingdom but processing personal data of individuals within Saudi Arabia are also subject to the PDPL. This provision ensures that the data of Saudi residents is protected even when it is processed internationally, particularly in cross-border transactions or by international companies offering services to Saudi residents.

The extra-territorial application of PDPL aims to provide robust protections for personal data and enforce compliance across borders, similar to global data protection laws such as the GDPR.

2.4 Exemptions and Limitations

While PDPL covers most scenarios of data processing, there are certain exemptions and limitations where the law may not apply, or where different rules may govern the use of personal data. Some of these include:

• Personal and Household Activities: The PDPL does not apply to individuals processing data purely for personal or household activities. For instance, maintaining a personal contact list or sharing information with friends or family would not fall under the law’s jurisdiction.

• Government Entities: In certain cases, government agencies and authorities are subject to separate data protection regulations or may be partially exempt from the PDPL’s requirements. However, this exemption is limited and varies depending on the specific activity and nature of the data being processed.

• Data Processed for Research or Statistical Purposes: There may be exemptions for the processing of personal data for research or statistical purposes, provided that the processing is carried out in a manner that ensures the anonymity of the data subjects and does not pose any harm to their privacy.

• National Security and Law Enforcement: Processing of personal data for national security, defense, or law enforcement purposes may also fall under exemptions, particularly where such activities are governed by other laws or regulations within Saudi Arabia.

Understanding these exemptions is critical for organizations and individuals to determine whether and how PDPL applies to their data processing activities. It also clarifies the scope of the law and sets clear boundaries for its application in different sectors and activities.

Chapter 3: Principles of Data Protection Under PDPL



3.1 Fair and Lawful Processing

At the core of the Personal Data Protection Law (PDPL) are principles that ensure personal data is processed in a fair, lawful, and transparent manner. Organizations collecting or processing personal data must do so for legitimate purposes and in ways that are fair to the data subject. This means:

• Transparency: Data subjects must be informed about why their data is being collected, how it will be used, and who it will be shared with. They should also be aware of their rights under PDPL.

• Lawfulness: Data processing should comply with all legal requirements. Organizations must have a lawful basis for processing, such as consent from the data subject, the necessity of processing for contract fulfillment, or legal obligations.

• Fairness: Personal data must not be used in ways that are unfair or cause harm to the data subject. This includes avoiding deceptive practices or using data for purposes that were not clearly communicated.

The fair and lawful processing principle underlines the responsibility of data controllers to ensure ethical use of personal data, fostering trust between organizations and individuals.

3.2 Purpose Limitation and Data Minimization

PDPL emphasizes the importance of only collecting and processing personal data for clearly defined and legitimate purposes. This principle ensures that organizations are specific about why they need the data and how it will be used:

• Purpose Limitation: Data should only be processed for purposes that are legitimate, specific, and explicitly stated at the time of collection. If the organization wishes to use the data for a new purpose, it must inform the data subject and, in some cases, obtain their consent.

• Data Minimization: The amount of personal data collected should be limited to what is necessary for the specific purpose. Unnecessary or irrelevant data should not be collected, reducing the risks associated with storing excessive personal information.

By adhering to these principles, organizations can limit the potential misuse of data and minimize the privacy risks associated with excessive data collection.


3.3 Data Accuracy and Integrity

PDPL requires that personal data must be accurate and kept up to date where necessary. This principle ensures that outdated or incorrect information is corrected, which is essential for maintaining the integrity of data. Key aspects of this principle include:

• Accuracy: Organizations must take reasonable steps to ensure that the personal data they hold is accurate, complete, and up to date. This can be achieved through periodic reviews of the data and updates when needed.

• Rectification: Data subjects have the right to request corrections to inaccurate or incomplete data. Organizations must have processes in place to respond to such requests in a timely and effective manner.

Maintaining accurate data is not only a legal requirement but also helps organizations maintain trust with their customers and stakeholders.

3.4 Storage Limitation

The storage limitation principle ensures that personal data is not kept longer than necessary. Under PDPL:

• Retention Periods: Organizations must define clear retention periods for different types of data, ensuring that personal data is stored only for as long as necessary to fulfill the purposes for which it was collected. Once the retention period expires, the data must be securely deleted or anonymized.

• Data Deletion: When personal data is no longer required, organizations must implement secure methods for deletion. This could include purging records from databases or securely shredding physical documents.

By adhering to this principle, organizations can minimize the risks of data breaches or unauthorized access to outdated information.

3.5 Accountability and Transparency

Accountability and transparency are central to PDPL, ensuring that organizations take responsibility for their data processing activities and are open about how personal data is handled.

• Accountability: Organizations are responsible for demonstrating compliance with PDPL. This includes implementing appropriate data protection policies, conducting impact assessments where necessary, and ensuring that staff members understand their responsibilities in relation to data protection.

• Transparency: Organizations must be transparent about their data processing activities. This includes providing clear and accessible information to data subjects about how their data is being used, who it may be shared with, and the measures in place to protect it.

Transparency fosters trust, allowing data subjects to feel confident that their personal information is being handled responsibly. Additionally, organizations must be prepared to provide evidence of compliance in case of regulatory inquiries or audits.

Chapter 4: Rights of Data Subjects



4.1 The Right to Access

Under the Personal Data Protection Law (PDPL), data subjects have the right to access the personal data that organizations hold about them. This right ensures transparency and gives individuals control over their personal information. The key elements of this right include:

• Access to Information: Data subjects can request a copy of their personal data being processed by an organization. This includes data collected, stored, or used in any manner.

• Purpose of Processing: Organizations must provide information on why they are processing the data and for what specific purposes.

• How to Make a Request: Organizations must establish a clear process for data subjects to request access to their data. They must respond to these requests within a reasonable timeframe, as specified in PDPL, and without charging excessive fees.

By exercising the right to access, individuals can better understand how their personal data is being used, and they can verify whether it is being processed in compliance with the law.

4.2 The Right to Rectification and Erasure

Data subjects have the right to request the correction or deletion of their personal data if it is inaccurate, incomplete, or no longer necessary for the purposes for which it was collected.

• Right to Rectification: If personal data is incorrect or incomplete, data subjects can ask the organization to rectify or update the information. Organizations must respond promptly and make necessary changes to ensure data accuracy.

• Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain conditions, such as:

o The data is no longer needed for the original purpose.

o The data subject withdraws consent, and there is no other legal ground for processing.

o The data has been unlawfully processed.

o The data must be erased to comply with a legal obligation.

Organizations are required to comply with erasure requests unless there is a compelling legal reason to retain the data, such as for regulatory or legal obligations.

4.3 The Right to Object to Processing

PDPL grants data subjects the right to object to the processing of their personal data in certain situations:

• Legitimate Interests: If the organization processes data based on legitimate interests, the data subject can object to this processing, especially if they believe it adversely affects their rights and freedoms.

• Direct Marketing: Data subjects have the absolute right to object to the processing of their personal data for direct marketing purposes. Upon objection, the organization must immediately cease such activities.

Organizations must inform data subjects of their right to object and implement mechanisms to handle these requests efficiently, ensuring compliance with PDPL.

4.4 The Right to Data Portability

The right to data portability allows data subjects to request and receive their personal data in a structured, commonly used, and machine-readable format. They can also request that the data be transferred directly from one data controller to another, provided it is technically feasible.

Key features of data portability include:

• Transferable Data: Data subjects can request a copy of their data for their own use or to share it with other service providers.

• Conditions for Portability: The right to data portability applies when the data is processed based on consent or a contract, and the processing is carried out by automated means.

This right empowers individuals by making it easier for them to switch between service providers or platforms without losing control of their personal data.

4.5 Handling Data Subject Requests

Organizations must establish clear and efficient procedures to handle data subject requests, ensuring they meet the requirements outlined in PDPL. This includes:

• Response Timeframes: Organizations are obligated to respond to requests within the timeframes specified by PDPL. Failing to respond promptly can result in penalties.

• Verification of Identity: Before processing a request, organizations may need to verify the identity of the data subject to ensure the request is legitimate and the personal data is not disclosed to unauthorized individuals.

• Communication Channels: Organizations should provide data subjects with accessible channels to submit their requests, such as online forms, email addresses, or dedicated customer service contacts.

• Transparency: Organizations should inform data subjects about the status of their requests, any actions taken, and, if applicable, reasons for refusing certain requests (e.g., when a legal requirement overrides the data subject’s rights).

Chapter 5: Obligations of Data Controllers and Processors



5.1 Data Controller Responsibilities

The data controller plays a critical role in determining how personal data is processed and must comply with a range of responsibilities under the Personal Data Protection Law (PDPL). These obligations ensure that personal data is handled responsibly, lawfully, and with respect for the data subject’s rights. Key responsibilities include:

• Ensuring Lawful Processing: Data controllers must ensure that personal data is processed in compliance with legal requirements. This includes obtaining a lawful basis for processing, such as the data subject’s consent, a contractual necessity, or compliance with legal obligations.

• Implementing Data Protection Policies: Controllers must implement and maintain internal data protection policies that align with PDPL. These policies should cover data handling, access, retention, and security measures to safeguard personal data.

• Transparency: Data controllers are required to provide data subjects with clear and accessible information about the collection, processing, and storage of their personal data. This includes information about their rights, the purposes of data processing, and the identities of third parties with whom data is shared.

• Record Keeping: Controllers must maintain records of all personal data processing activities. These records should include details about the types of data being processed, the purposes for processing, the retention periods, and the measures taken to protect the data.

• Ensuring Security of Data: The data controller is responsible for implementing appropriate technical and organizational measures to ensure the security and protection of personal data. This includes encryption, access controls, and other security measures to protect data from unauthorized access, loss, or breach.

5.2 Data Processor Responsibilities

Data processors, who handle personal data on behalf of data controllers, also have significant responsibilities under PDPL. Although they do not determine the purposes for processing, processors are still required to ensure the safe handling of personal data. Their key obligations include:

• Processing Data as Directed: Data processors must process personal data only according to the instructions given by the data controller. They are not allowed to process personal data for their own purposes or outside of the scope of their agreement with the controller.

• Implementing Security Measures: Like data controllers, processors are required to implement appropriate security measures to protect personal data from unauthorized access, loss, or breaches. They must also ensure that any subcontractors or third parties they work with implement similar security measures.

• Breach Notification: In the event of a data breach, processors must promptly notify the data controller. The controller, in turn, is responsible for notifying the appropriate authorities and the affected individuals, in accordance with PDPL’s breach notification requirements.

• Assistance with Data Subject Rights: Data processors must assist data controllers in fulfilling requests from data subjects, such as requests for access, rectification, or deletion of personal data.

5.3 Obtaining Consent

Consent is a fundamental requirement under PDPL, and data controllers must ensure that consent is obtained from data subjects before collecting or processing their personal data in most situations. Key principles regarding consent include:

• Freely Given: Consent must be obtained without any coercion or undue influence. Data subjects should have the genuine option to agree or refuse.

• Informed and Specific: Data subjects must be fully informed about the purposes of data processing, and consent should be specific to those purposes. Blanket or general consent for unspecified data processing activities is not sufficient under PDPL.

• Explicit: In certain situations, such as the processing of sensitive personal data, explicit consent is required. This means that data subjects must clearly affirm their consent, such as through a written or electronic statement.

• Right to Withdraw Consent: Data subjects have the right to withdraw their consent at any time. Organizations must provide easy and accessible ways for data subjects to withdraw consent and cease processing personal data upon withdrawal.

5.4 Data Security Obligations

Both data controllers and processors must implement appropriate security measures to protect personal data from unauthorized access, loss, or breaches. PDPL mandates the following security measures:

• Risk Assessment: Organizations should regularly assess the risks associated with the processing of personal data and implement security measures that are proportionate to the level of risk.

• Data Encryption: Personal data should be encrypted both in transit and at rest to protect it from unauthorized access.

• Access Controls: Access to personal data should be limited to authorized personnel only. Organizations must implement access control measures such as passwords, multi-factor authentication, and role-based access to ensure data security.

• Incident Response Plan: Organizations should have a data breach response plan in place to quickly address any security incidents. This includes identifying the breach, mitigating its impact, and notifying relevant authorities and affected individuals.

5.5 Data Breach Notification

PDPL requires that data controllers notify relevant authorities and affected individuals in the event of a data breach that could pose a risk to the rights and freedoms of data subjects. Key points regarding breach notification include:

• Timely Reporting: Controllers must notify authorities as soon as possible after becoming aware of the breach, providing details on the nature of the breach, the data affected, and the measures taken to address the breach.

• Notifying Data Subjects: If the breach poses a high risk to the data subject’s rights and freedoms, the controller must also inform the individuals affected by the breach. This notification should include guidance on steps that the data subject can take to protect themselves from potential harm.

• Record Keeping: Data controllers must keep records of all data breaches, even if they do not require notification to the authorities or data subjects. This record-keeping ensures accountability and compliance with PDPL.

5.6 Data Protection Officer (DPO)

PDPL requires certain organizations, particularly those that handle large volumes of personal data or sensitive personal data, to appoint a Data Protection Officer (DPO). The role of the DPO is to oversee data protection compliance within the organization. Responsibilities of the DPO include:

• Monitoring Compliance: The DPO ensures that the organization complies with PDPL’s requirements, including the implementation of data protection policies and responding to data subject requests.

• Conducting Audits and Assessments: The DPO may conduct internal audits to assess the organization’s data protection practices and identify areas for improvement.

• Liaising with Authorities: The DPO serves as the point of contact for regulatory authorities regarding data protection matters and any data breaches that may occur.

• Training and Awareness: The DPO is responsible for ensuring that employees understand their responsibilities under PDPL and are trained on data protection policies and procedures.

Chapter 6: Cross-Border Data Transfers



6.1 Overview of Cross-Border Data Transfers

Cross-border data transfers refer to the movement of personal data from one country to another. Under the Personal Data Protection Law (PDPL), transferring personal data outside the borders of the Kingdom of Saudi Arabia (KSA) is subject to strict regulations to ensure that the level of data protection in the destination country is adequate.

PDPL imposes these regulations to protect the privacy of data subjects and prevent unauthorized or insecure transfers of personal information to jurisdictions with lower levels of data protection. Organizations must comply with these rules when transferring data internationally.

6.2 Conditions for Cross-Border Transfers

PDPL outlines specific conditions that must be met before personal data can be transferred outside KSA. These conditions include:

• Adequacy of Protection: Personal data may only be transferred to countries or regions that have been deemed to provide an adequate level of protection for data subjects. The adequacy of protection is determined by KSA’s data protection authority, which assesses the legal framework and data security practices of the destination country.

• Consent of Data Subjects: In cases where the destination country does not provide adequate protection, the data subject must provide explicit consent for their data to be transferred. Organizations must clearly inform data subjects of the potential risks involved in the transfer.

• Safeguards and Contracts: If no adequacy decision has been made, personal data may still be transferred to a non-compliant country if the data controller puts appropriate safeguards in place. These safeguards can include binding corporate rules (BCRs), standard contractual clauses (SCCs), or other legally binding agreements that provide a sufficient level of protection for the data.

• Exemptions: PDPL provides certain exemptions where data can be transferred without meeting the adequacy or consent requirements. These exemptions include situations where the transfer is necessary for the performance of a contract, legal claims, public interest, or to protect the vital interests of the data subject.

6.3 Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs)

BCRs and SCCs are mechanisms that allow organizations to transfer personal data internationally while ensuring that the data is still protected in accordance with PDPL standards.

• Binding Corporate Rules (BCRs): BCRs are internal policies and procedures that multinational organizations implement to govern the transfer of personal data within their corporate group. These rules must be approved by the KSA data protection authority and ensure that all entities within the group comply with PDPL when handling personal data.

• Standard Contractual Clauses (SCCs): SCCs are pre-approved legal agreements between the data exporter and the data importer that ensure the data is protected when transferred to a third party outside KSA. These clauses bind both parties to adhere to PDPL requirements, even if the recipient country lacks adequate protection.

6.4 Assessing Adequacy of Protection

The Kingdom’s data protection authority assesses whether a foreign country offers adequate protection for personal data based on several factors:

• The Legal Framework: The data protection authority evaluates whether the destination country has comprehensive data protection laws, robust enforcement mechanisms, and adequate rights for data subjects.

• Data Security Practices: The security measures in place to protect personal data, such as encryption, access controls, and breach notification requirements, are also considered.

• International Commitments: The destination country’s adherence to international data protection standards or agreements, or its participation in global privacy frameworks, may influence the adequacy decision.

Organizations planning to transfer data to countries without an adequacy decision must implement additional measures, such as contractual obligations, to protect the data.
6.5 Exceptions for International Data Transfers

Under certain circumstances, PDPL allows for exceptions to the strict rules surrounding cross-border transfers. These exceptions include:

• Contractual Necessity: Data transfers may occur if they are necessary for the performance of a contract between the data subject and the controller. For example, international shipping of purchased goods may require the transfer of customer data.

• Legal Claims: Data can be transferred internationally if it is necessary for the establishment, exercise, or defense of legal claims.

• Vital Interests: If the transfer is necessary to protect the life or safety of the data subject or another individual, it can be carried out without adhering to adequacy or consent requirements.

• Public Interest: Transfers that are deemed necessary for reasons of significant public interest, such as public health or national security, may be exempt from the standard transfer conditions.

6.6 Regulatory Supervision and Enforcement

The Kingdom’s data protection authority monitors cross-border data transfers and has the power to enforce compliance with PDPL’s requirements. Key enforcement actions include:

• Audits and Investigations: The authority can conduct audits and investigations into organizations’ cross-border transfer practices to ensure compliance. Organizations must be prepared to provide documentation showing that they meet PDPL’s conditions for international data transfers.

• Penalties for Non-Compliance: Organizations that fail to comply with PDPL’s cross-border transfer rules may face severe penalties, including fines and restrictions on their data processing activities. Non-compliance with the adequacy, consent, or safeguard requirements is treated as a serious violation of PDPL.
Chapter 7: Data Breach Notification and Response

7.1 Overview of Data Breaches

A data breach occurs when personal data is accessed, disclosed, or destroyed without authorization, or when it is lost due to internal or external factors. Breaches can result from cyberattacks, employee errors, hardware failures, or malicious activities, and they can have serious consequences for both organizations and data subjects.

Under the Personal Data Protection Law (PDPL), organizations must take specific steps when a data breach occurs. These steps aim to protect individuals' privacy, minimize the damage, and ensure that the breach is managed effectively. Organizations that fail to comply with data breach notification and response requirements may face severe penalties.

7.2 Defining a Data Breach

PDPL defines a data breach as an event that leads to any of the following without authorization:

• Access to personal data

• Disclosure of personal data to an unauthorized party

• Destruction or alteration of personal data

• Loss of personal data, either accidentally or through malicious actions

Organizations must be vigilant in monitoring for potential breaches and respond swiftly when one is identified.

7.3 Data Breach Notification Requirements

When a data breach occurs, PDPL requires organizations to notify both the relevant authorities and the affected individuals in certain circumstances. The key elements of the breach notification process include:

• Notification to Authorities: Organizations must notify the KSA data protection authority if a data breach poses a risk to data subjects' privacy, security, or rights. The notification should be made as soon as possible after the breach is detected and must include:

   o The nature and scope of the breach

   o The categories and volume of personal data affected

   o The actions taken to address the breach

   o The potential impact on affected individuals

   o Measures to mitigate the damage and prevent future breaches

• Notification to Data Subjects: If the breach poses a high risk to the privacy and rights of data subjects, the organization must also inform the affected individuals. The notification should:

   o Describe the breach in simple terms

   o Explain the potential risks to the data subject

   o Provide guidance on what steps the data subject can take to protect themselves

   o Include contact information for further assistance

Failing to provide timely and adequate breach notifications can lead to penalties and reputational damage.

7.4 Developing a Data Breach Response Plan

Organizations must have a data breach response plan in place to ensure that they can respond quickly and effectively in the event of a breach. A robust breach response plan includes:

• Incident Detection: Implement systems and processes to detect potential breaches early. This could include monitoring network activity, setting up intrusion detection systems, and performing regular security audits.

• Response Team: Establish a designated data breach response team responsible for managing breaches. This team should include members from IT, legal, compliance, and communications.

• Containment and Mitigation: Upon detecting a breach, the response team should take immediate action to contain it. This may involve isolating affected systems, halting unauthorized access, and initiating data recovery measures.

• Investigation and Assessment: After containment, the organization should investigate the cause of the breach, assess its impact, and identify any vulnerabilities that may have been exploited.

• Remediation: Once the breach has been addressed, organizations should take steps to prevent future incidents, such as patching security vulnerabilities, strengthening access controls, and updating security policies.
7.5 Legal and Regulatory Consequences of Data Breaches

Non-compliance with PDPL’s data breach notification and response requirements can lead to significant legal and financial penalties. Consequences of failing to properly handle a data breach include:

• Fines: Organizations that fail to report breaches or respond in a timely manner may face heavy fines as determined by the KSA data protection authority.

• Suspension of Processing Activities: In severe cases, authorities may suspend or restrict an organization's data processing activities until it demonstrates compliance with PDPL.

• Reputational Damage: Beyond legal penalties, data breaches can damage an organization's reputation, leading to loss of trust from customers, partners, and stakeholders.

7.6 Best Practices for Preventing Data Breaches

Preventing data breaches is a priority for organizations that handle personal data. Best practices include:

• Data Encryption: Encrypt sensitive personal data both in transit and at rest to prevent unauthorized access in the event of a breach.

• Access Controls: Implement strict access control mechanisms, such as multi-factor authentication and role-based access, to ensure that only authorized personnel can access sensitive data.

• Regular Security Audits: Conduct regular security audits to identify vulnerabilities and ensure that security measures are up to date.

• Employee Training: Provide ongoing data protection and cybersecurity training to employees to minimize the risk of human error leading to a data breach.

• Third-Party Risk Management: Ensure that third-party vendors who process personal data on behalf of the organization comply with PDPL’s data protection requirements.

7.7 Incident Response in Collaboration with Third Parties

In cases where third-party vendors or partners are involved in data processing, organizations must work closely with these parties to manage breaches effectively. Key steps include:

• Contractual Obligations: Ensure that contracts with third parties include clauses that specify breach notification and response obligations, requiring third parties to promptly report breaches and cooperate in incident management.

• Coordinated Response: If a breach involves a third-party vendor, the organization and vendor must coordinate their response efforts, including containment, investigation, and notification to authorities and data subjects.
Chapter 8: Data Subject Rights

8.1 Overview of Data Subject Rights under PDPL

The Personal Data Protection Law (PDPL) emphasizes the rights of individuals (data subjects) regarding the processing of their personal data. These rights ensure that individuals have control over their personal information and can make informed decisions about how it is collected, used, and shared. Organizations must implement processes to ensure these rights are respected and must respond to data subject requests in a timely and lawful manner.

This chapter explores the key rights granted to data subjects under PDPL, as well as the responsibilities of organizations in fulfilling these rights.

8.2 Right to Access Personal Data

Data subjects have the right to request access to their personal data held by an organization. This includes the right to:

• Confirmation of Processing: Data subjects can request confirmation of whether or not their personal data is being processed by an organization.

• Access to Data: Data subjects can request a copy of their personal data, as well as information about the purposes for which it is being processed, the categories of data being processed, and any third parties with whom the data is shared.

• Information about Processing: In addition to the data itself, organizations must provide data subjects with detailed information about how their personal data is processed, the lawful basis for processing, and the data retention period.

Organizations must respond to access requests promptly, typically within a specified time period as defined by PDPL, and they cannot charge unreasonable fees for access.
8.3 Right to Rectification

Data subjects have the right to request the correction or rectification of inaccurate or incomplete personal data. If an organization holds incorrect or outdated personal information, the data subject can request that it be updated.

• Rectification Requests: Organizations are required to correct personal data upon receiving a rectification request unless there are legitimate reasons for not doing so.

• Notification of Changes: Once data is rectified, organizations must inform third parties who have received the incorrect data (if applicable) about the changes, ensuring that incorrect information is not further processed or used.

This right ensures that personal data remains accurate and up to date, reducing the risk of harm or confusion due to incorrect information.

8.4 Right to Erasure (Right to be Forgotten)

PDPL grants data subjects the right to request the erasure of their personal data in certain circumstances, often referred to as the "right to be forgotten." This right allows individuals to have their data removed from an organization’s systems when:

• The data is no longer necessary: The personal data is no longer needed for the purposes for which it was originally collected or processed.

• Consent is withdrawn: If the data subject previously provided consent for data processing and later withdraws that consent, they can request the deletion of their personal data.

• Unlawful Processing: If the organization processed the data unlawfully or without a lawful basis, the data subject can demand its erasure.

• Legal Obligation: Data must be erased if the organization is under a legal obligation to delete the personal information, such as in compliance with a court order or regulation.

Organizations must assess each erasure request carefully and may be required to justify any refusal to erase the data, such as in cases where the data is still needed for legal claims or other legitimate interests.
8.5 Right to Restrict Processing

The right to restrict processing allows data subjects to limit the processing of their personal data under specific circumstances. This means that while the data remains stored, it cannot be actively used or processed further. Data subjects can exercise this right when:

• Data Accuracy is Contested: If the data subject disputes the accuracy of their personal data, they can request that processing be restricted while the organization verifies the data’s accuracy.

• Unlawful Processing: If the organization’s data processing is unlawful, but the data subject does not want the data erased, they can request that its processing be restricted instead.

• Legal Claims: If the data subject needs the data for legal claims but the organization no longer requires it for processing purposes, they can request restricted processing.

Organizations must ensure that restricted data is not used or processed during the period of restriction, except for storage purposes or to comply with legal obligations.

8.6 Right to Data Portability

The right to data portability allows data subjects to obtain a copy of their personal data in a structured, commonly used, and machine-readable format. They can then transfer this data to another data controller or organization, either directly or indirectly. The key aspects of data portability include:

• Applicability: This right applies to personal data that the data subject has provided to an organization, typically through consent or a contractual agreement.

• Direct Transfers: In some cases, data subjects can request that their personal data be transferred directly from one organization to another if it is technically feasible.

Data portability promotes the free flow of information and enables data subjects to switch between service providers more easily without losing control over their personal information.

8.7 Right to Object to Processing

Data subjects have the right to object to the processing of their personal data in certain circumstances, particularly when the processing is based on:

• Legitimate Interests: If an organization processes personal data based on legitimate interests, data subjects can object to this processing. The organization must then demonstrate compelling legitimate grounds for continuing the processing that override the data subject’s rights and interests.

• Direct Marketing: Data subjects have an absolute right to object to the processing of their personal data for direct marketing purposes. Upon receiving an objection, the organization must stop using the data for this purpose.

The right to object empowers individuals to protect their privacy and control the ways in which their personal data is used.

8.8 Right to Withdraw Consent

If personal data is processed based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. Withdrawal of consent must be as easy as giving it, and organizations must respect the withdrawal and stop processing the data unless there is another legal basis for doing so.

8.9 Right to Complain and Seek Remedies

Data subjects have the right to file complaints with the KSA data protection authority if they believe their rights under PDPL have been violated. They also have the right to seek legal remedies, including compensation, for damages suffered as a result of non-compliance with the law.

• Filing Complaints: Data subjects can lodge complaints with the regulatory authority if an organization fails to comply with PDPL or refuses to address their rights requests.

• Legal Recourse: In cases of serious breaches or harm, data subjects can pursue legal action to seek damages and hold organizations accountable for violations of their privacy rights.
Chapter 9: Data Controllers and Data Processors

9.1 Introduction to Data Controllers and Data Processors

The roles of data controllers and data processors are fundamental in the context of the Personal Data Protection Law (PDPL). A clear distinction between the two is essential for determining responsibilities, liabilities, and obligations under the law. This chapter explores the definitions, roles, and obligations of data controllers and processors, as well as how these entities must cooperate to ensure the protection of personal data.

• Data Controller: The data controller is the entity that determines the purposes and means of processing personal data. In other words, the controller decides why and how personal data should be processed.

• Data Processor: The data processor, on the other hand, processes personal data on behalf of the controller. Processors do not make decisions about the data’s purpose or use but are responsible for handling the data as per the instructions of the controller.

9.2 Responsibilities of Data Controllers

Data controllers have the primary responsibility for ensuring that personal data is processed in compliance with PDPL. Their key obligations include:

• Lawful Processing: Controllers must ensure that personal data is processed lawfully, fairly, and transparently. This means identifying and adhering to a legal basis for processing, such as obtaining the consent of the data subject, fulfilling contractual obligations, or complying with legal requirements.

• Purpose Limitation: Controllers must clearly define the purpose of data processing and ensure that personal data is only used for the stated purposes. If the purpose of data processing changes, the controller must notify data subjects and, if necessary, obtain new consent.

• Data Minimization: Data controllers are required to collect only the personal data that is necessary for the specified purpose. Collecting excessive or irrelevant data is not permitted under PDPL.

• Accuracy: Data controllers must ensure that personal data is accurate and kept up to date. They are responsible for correcting or deleting inaccurate data when necessary.

• Accountability: Controllers must be able to demonstrate compliance with PDPL at all times. This includes maintaining detailed records of processing activities, implementing appropriate security measures, and conducting regular audits.

• Contractual Obligations with Processors: When engaging data processors, controllers must establish formal contracts that outline the roles, responsibilities, and security measures required for the processing of personal data. The controller remains accountable for ensuring that the processor complies with PDPL requirements.

9.3 Responsibilities of Data Processors

Data processors act under the authority and instructions of the data controller and must adhere to the following obligations under PDPL:

• Processing Under Instruction: Data processors may only process personal data based on the specific instructions of the controller. Any processing beyond the scope of these instructions is a violation of PDPL.

• Security Measures: Processors must implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or destruction. This includes data encryption, access control mechanisms, and breach detection systems.

• Data Breach Notification: If a data breach occurs while the processor is handling personal data, the processor must inform the controller immediately. It is then the controller’s responsibility to notify the data protection authority and, if necessary, the affected data subjects.

• Sub-Processing: Data processors must obtain the controller’s approval before engaging sub-processors to handle personal data. Sub-processors are subject to the same obligations as the original processor, and the processor remains liable for any breaches or violations by the sub-processor.

9.4 Contractual Relationships Between Controllers and Processors

The relationship between data controllers and processors must be formalized through a data processing agreement (DPA). This contract should outline the following key elements:

• Nature of Processing: The DPA should specify the types of personal data being processed, the purposes of processing, and the duration of processing activities.

• Security Obligations: The DPA must detail the security measures that the processor is required to implement, ensuring compliance with PDPL’s security requirements.

• Rights of Data Subjects: The contract should outline how the processor will assist the controller in fulfilling data subject rights, such as responding to access requests, correcting inaccurate data, or ensuring data erasure.

• Liabilities: The agreement must clearly define the liabilities of the processor in case of data breaches, non-compliance with PDPL, or any failure to follow the controller’s instructions.

• Audits and Inspections: The controller should have the right to conduct audits or inspections to ensure that the processor complies with PDPL and the terms of the agreement.

9.5 Joint Controllers

In some cases, two or more entities may act as joint controllers, where they jointly determine the purposes and means of processing personal data. Joint controllers share responsibility for compliance with PDPL. They must:

• Determine Responsibilities: Joint controllers must establish clear agreements on their respective roles and responsibilities concerning data protection. This includes determining who will manage data subject requests and ensure data security.

• Transparent Information: Joint controllers must inform data subjects about their shared responsibilities in a clear and transparent manner, particularly regarding how their personal data will be processed and who is accountable for ensuring compliance.

9.6 Liability and Penalties for Non-Compliance

Both data controllers and processors can be held liable for non-compliance with PDPL. Key points regarding liability include:

• Liability of Controllers: Controllers are primarily responsible for ensuring lawful data processing. If a data processor fails to comply with PDPL, the controller may still be held accountable, particularly if the breach was due to a failure to properly oversee or instruct the processor.

• Liability of Processors: While processors are generally liable for their own actions, they may also be held responsible for violations of PDPL or the processing agreement. This includes any unauthorized data processing or failure to implement adequate security measures.

• Penalties: Both controllers and processors may face significant penalties for non-compliance with PDPL. Penalties can include fines, restrictions on data processing activities, or suspension of processing operations. The severity of the penalty depends on the nature of the violation and its impact on data subjects.

9.7 Cooperation Between Controllers and Processors

Effective cooperation between data controllers and processors is essential for ensuring compliance with PDPL. Best practices for cooperation include:

• Regular Communication: Controllers and processors should maintain open channels of communication to ensure that any changes in data processing activities, security measures, or legal obligations are addressed promptly.

• Ongoing Training: Both controllers and processors should provide regular data protection training to employees involved in processing personal data. This helps ensure that staff are aware of their responsibilities under PDPL and are prepared to handle personal data appropriately.

• Compliance Audits: Controllers should conduct periodic compliance audits to assess the processor’s adherence to PDPL and the terms of the processing agreement. Any deficiencies should be addressed immediately.
Chapter 10: Data Security and Breach Notification

10.1 Introduction to Data Security under PDPL

Data security is one of the core pillars of the Personal Data Protection Law (PDPL), emphasizing the protection of personal data from unauthorized access, loss, destruction, or damage. Organizations must implement appropriate technical and organizational measures to ensure that personal data is secure at all times.

This chapter focuses on the security requirements of PDPL, the measures organizations must take to safeguard personal data, and the procedures for responding to a data breach and notifying authorities and individuals when one occurs.

10.2 Security Measures for Personal Data

Under PDPL, organizations are required to adopt a comprehensive approach to data security, which involves:

• Technical Measures: This includes the implementation of technologies such as encryption, firewalls, secure access controls, data anonymization, and regular security patching.

• Organizational Measures: Organizations must establish security policies, train employees, and conduct regular security audits to ensure compliance with PDPL. Additionally, processes for access control, incident response, and data handling must be documented and adhered to.

• Risk Management: Organizations should conduct data protection impact assessments (DPIAs) to identify risks associated with personal data processing. Based on the assessment, organizations must implement measures that mitigate identified risks, particularly for sensitive or high-risk data.

• Security by Design and Default: Organizations must embed security into their processes from the outset of any data processing activity. This principle requires the incorporation of privacy features into products and services by default, ensuring that data is secure from the start.

10.3 Access Control and Monitoring

To limit the exposure of personal data to unauthorized individuals, organizations must enforce strict access control measures. These include:

• User Access Management: Access to personal data should be granted on a need-to-know basis, with roles and privileges clearly defined. Unauthorized employees or third parties must be prevented from accessing sensitive data.

• Authentication and Authorization: Multi-factor authentication (MFA), strong password policies, and regular access reviews are essential components of a secure data access strategy.

• Monitoring and Logging: Organizations must log all access to personal data and monitor for suspicious activity. Continuous monitoring helps identify potential breaches or misuse early, allowing for rapid response.
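The three controls above can be exercised together in code. The following is an added example, not from this guide or from any PDPL tooling: a small need-to-know gate in front of a personal-data store that logs every read attempt, and a monitor that flags two kinds of suspicious activity in that log (bulk reads across many data subjects in a short window, and repeated denied access). The role-to-category mapping, the user names, the timestamps and the thresholds are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Need-to-know mapping (assumed for this demo): which data categories each
# role may read. Analysts deliberately get nothing here; they would work on
# anonymized extracts instead (see section 10.4).
ROLE_PERMISSIONS = {
    "hr_officer": {"employment", "contact"},
    "support_agent": {"contact"},
    "analyst": set(),
}


@dataclass
class AccessEvent:
    """One entry in the personal-data access log (granted or denied)."""
    ts: datetime
    user: str
    role: str
    subject_id: str
    category: str
    allowed: bool


class PersonalDataStore:
    """Per-subject records keyed by category; every read attempt is logged,
    whether or not it is allowed, so the monitor sees denials too."""

    def __init__(self, records):
        self._records = records
        self.log = []

    def read(self, user, role, subject_id, category, ts):
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        self.log.append(AccessEvent(ts, user, role, subject_id, category, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {category}")
        return self._records[subject_id][category]


def suspicious_users(log, window=timedelta(minutes=10), max_subjects=3, max_denied=2):
    """Return {user: [reasons]} for users who read more than `max_subjects`
    distinct data subjects within `window`, or were denied more than
    `max_denied` times. Thresholds are illustrative, not PDPL figures."""
    findings = defaultdict(set)
    by_user = defaultdict(list)
    for ev in sorted(log, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    for user, events in by_user.items():
        if sum(1 for e in events if not e.allowed) > max_denied:
            findings[user].add("repeated denied access")
        granted = [e for e in events if e.allowed]
        for i, start in enumerate(granted):  # sliding window over granted reads
            subjects = {e.subject_id for e in granted[i:] if e.ts - start.ts <= window}
            if len(subjects) > max_subjects:
                findings[user].add("bulk access to data subjects")
                break
    return {u: sorted(r) for u, r in findings.items()}


def run_demo():
    """Constructed scenario: one legitimate HR read, a support agent sweeping
    five customers in four minutes, and an analyst repeatedly probing a
    category outside their role."""
    t0 = datetime(2024, 9, 1, 9, 0)  # constructed timestamp
    store = PersonalDataStore({
        f"S{i}": {"contact": f"s{i}@example.test", "employment": f"grade-{i}"}
        for i in range(1, 6)
    })

    def attempt(user, role, subject, category, minutes):
        try:
            store.read(user, role, subject, category, t0 + timedelta(minutes=minutes))
        except PermissionError:
            pass  # denial is already in the log

    attempt("hr1", "hr_officer", "S1", "employment", 0)
    for i in range(1, 6):
        attempt("agent7", "support_agent", f"S{i}", "contact", i)
    for i in range(3):
        attempt("analyst2", "analyst", "S1", "contact", 10 + i)
    return store.log, suspicious_users(store.log)


if __name__ == "__main__":
    log, findings = run_demo()
    for ev in log:
        print(ev.ts.time(), ev.user, ev.subject_id, ev.category, "OK" if ev.allowed else "DENIED")
    print(findings)
```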

10.4 Data Encryption and Anonymization

PDPL encourages organizations to apply encryption and anonymization techniques to protect personal data both at rest and in transit:

• Encryption: Encryption ensures that data is unreadable to unauthorized parties unless they possess the decryption key. This is particularly important when transmitting sensitive personal data over networks or storing it in databases.

• Anonymization: In cases where personal data is no longer needed in its identifiable form, anonymization can remove personally identifiable information (PII), reducing the risk of a privacy breach.

10.5 Data Breach Definition and Types

A data breach under PDPL is any incident that results in unauthorized access, disclosure, alteration, or destruction of personal data. Common types of data breaches include:

• Confidentiality Breaches: Unauthorized disclosure of personal data, such as exposure to hackers, insiders, or accidental sharing with the wrong recipient.

• Integrity Breaches: Alteration of personal data in unauthorized ways, which can compromise the accuracy and trustworthiness of the data.

• Availability Breaches: Loss of access to personal data, whether due to accidental deletion, ransomware attacks, or system failures, which disrupts the ability to process and use data.
10.6 Breach Response and Containment

When a data breach occurs, organizations must act swiftly to contain the incident and mitigate its effects. Steps include:

• Immediate Containment: Upon identifying a breach, organizations must take immediate actions to prevent further damage, such as isolating affected systems, revoking compromised access credentials, or disabling infected networks.

• Investigation: A thorough investigation is essential to understand the root cause of the breach, assess its scope, and determine the specific personal data affected.

• Mitigation Measures: Organizations must implement measures to prevent similar breaches from occurring in the future. This can include patching vulnerabilities, improving access controls, or enhancing monitoring systems.

10.7 Data Breach Notification Requirements

PDPL mandates that organizations notify the relevant authorities and data subjects if a data breach occurs, particularly when it is likely to result in harm to data subjects. The key aspects of breach notification include:

• Notifying Authorities: Organizations must notify the Saudi data protection authority (or other relevant regulatory body) within a specified time frame (typically 72 hours) from discovering a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

• Notifying Data Subjects: If the breach poses a high risk to data subjects, organizations must inform affected individuals without undue delay. The notification should include information about the nature of the breach, the data affected, potential consequences, and steps taken to mitigate the impact.

• Contents of Notification: The notification to authorities and data subjects must include:

   o A description of the breach.

   o The categories and approximate number of individuals affected.

   o The categories and number of data records involved.

   o The likely consequences of the breach.

   o Actions taken to address and mitigate the breach’s effects.

   o Contact information for further inquiries.

Failure to notify authorities or data subjects within the required time frame can result in fines and additional sanctions under PDPL.
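The notification decision described in section 7.3 and in this section (authority notification unless the risk is unlikely, data-subject notification when the risk is high, a 72-hour window, and a fixed list of required contents) can be turned into a checklist that an incident response team runs before sending anything. The following is an added example, not code from this guide or from the data protection authority: it computes who must be notified and by when, and rejects a draft notice that lacks any of the six content items listed above. The breach record layout, the three risk levels and the sample incident are constructed for the demonstration; the 72-hour figure is the one the guide cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

# Window the guide gives for notifying the authority after discovery.
AUTHORITY_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Risk to data subjects as assessed by the response team (assumed scale)."""
    UNLIKELY = "unlikely"   # no risk to rights and freedoms expected
    LIKELY = "likely"       # some risk: notify the authority
    HIGH = "high"           # high risk: notify the authority and the data subjects


@dataclass
class BreachRecord:
    """Facts gathered during containment and investigation (field names assumed)."""
    detected_at: datetime
    risk: Risk
    description: str
    subject_categories: list
    subjects_affected: int
    record_categories: list
    records_affected: int
    consequences: str
    actions_taken: str
    contact: str


# The six content items section 10.7 requires, mapped to record fields.
REQUIRED_FIELDS = (
    "description",
    "subject_categories", "subjects_affected",
    "record_categories", "records_affected",
    "consequences",
    "actions_taken",
    "contact",
)


def notification_plan(breach: BreachRecord) -> dict:
    """Decide which notifications are due and the authority deadline."""
    return {
        "authority": breach.risk is not Risk.UNLIKELY,
        "data_subjects": breach.risk is Risk.HIGH,
        "authority_deadline": breach.detected_at + AUTHORITY_WINDOW,
    }


def build_notice(breach: BreachRecord) -> dict:
    """Draft notice containing exactly the required items."""
    return {name: getattr(breach, name) for name in REQUIRED_FIELDS}


def missing_contents(draft: dict) -> list:
    """Names of required items that are absent or empty in a draft notice."""
    return [name for name in REQUIRED_FIELDS if not draft.get(name)]


def is_overdue(plan: dict, now: datetime) -> bool:
    """True when an authority notification is due and the window has passed."""
    return plan["authority"] and now > plan["authority_deadline"]


def run_demo():
    """Constructed incident: a customer export e-mailed to the wrong recipient,
    assessed as high risk; the draft leaves the contact field blank on purpose."""
    breach = BreachRecord(
        detected_at=datetime(2024, 9, 1, 8, 0),
        risk=Risk.HIGH,
        description="Customer export e-mailed to an external wrong recipient",
        subject_categories=["customers"], subjects_affected=1200,
        record_categories=["contact details"], records_affected=1200,
        consequences="Exposure of names, e-mail addresses and phone numbers",
        actions_taken="Recipient asked to delete; export sharing disabled",
        contact="",
    )
    plan = notification_plan(breach)
    missing = missing_contents(build_notice(breach))
    overdue = is_overdue(plan, datetime(2024, 9, 4, 9, 0))   # one hour past the window
    # Contrast case: lost encrypted laptop, key not compromised, assessed as unlikely risk.
    low = notification_plan(BreachRecord(
        datetime(2024, 9, 2, 12, 0), Risk.UNLIKELY, "Encrypted laptop lost",
        ["employees"], 40, ["employment"], 40, "None expected", "Device wiped remotely",
        "dpo@example.test",
    ))
    return plan, missing, overdue, low


if __name__ == "__main__":
    plan, missing, overdue, low = run_demo()
    print("notify authority:", plan["authority"], "by", plan["authority_deadline"])
    print("notify data subjects:", plan["data_subjects"])
    print("draft missing:", missing, "| overdue:", overdue)
    print("low-risk case notifies authority:", low["authority"])
```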

10.8 Risk Assessment Post-Breach

Following a data breach, organizations should conduct a post-breach risk assessment to understand its full impact and prevent future occurrences. This assessment involves:

• Evaluating Breach Impact: Assess the damage caused by the breach, including reputational harm, loss of customer trust, and financial damage. Evaluate the personal data affected and the potential consequences for individuals whose data was exposed.

• Improvement of Security Posture: Organizations must take steps to strengthen their security measures, correct weaknesses that contributed to the breach, and ensure that future incidents are less likely to occur.

• Updating Policies and Procedures: Based on the lessons learned from the breach, organizations should update their data protection policies, breach response plans, and training programs to better address potential future risks.

10.9 Penalties for Data Breaches

PDPL imposes strict penalties for organizations that fail to protect personal data or properly handle data breaches.

These penalties can include:

• Fines: Financial penalties may be imposed based on the severity of the breach, the extent of non-compliance,

and the damage caused to data subjects.

• Suspension of Data Processing: In serious cases, authorities may order organizations to suspend data

processing activities until they comply with security requirements and breach response obligations.

• Reputational Damage: In addition to financial penalties, data breaches can cause significant reputational harm, leading to loss of customer trust, business disruption, and legal liability.
Chapter 11: Responsibilities of the Data Protection Officer (DPO)

The role of the Data Protection Officer (DPO) under the Personal Data Protection Law (PDPL) in the Kingdom of Saudi Arabia is critical to ensuring compliance with data protection regulations and safeguarding the privacy rights of individuals. The responsibilities of the DPO are outlined across various regulatory documents, and their duties span multiple areas of governance, compliance, and incident management. Below are the key responsibilities as defined by the relevant regulations:

1. Point of Contact

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3

• The DPO acts as the direct point of contact with the Competent Authority.

• They are responsible for implementing decisions and instructions from the Competent Authority regarding the application of the Law and its Regulations.

2. Support and Advice

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 1

• The DPO provides support and advice regarding all aspects of Personal Data protection.

• This includes contributing to the development of policies and internal procedures related to data protection within the Controller's organization.

3. Awareness and Training

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 2

• The DPO is involved in awareness activities, training, and transferring knowledge to personnel regarding data protection and compliance with PDPL provisions.

• They ensure that staff understand the ethical requirements for handling personal data.

4. Incident Response Plans

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 3

• The DPO contributes to reviewing response plans for Personal Data Breach incidents.

• They ensure that the breach response plans are both adequate and effective for addressing potential data breaches.

5. Periodic Reports

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 4

• The DPO is responsible for preparing periodic reports regarding the Controller's activities related to the processing of Personal Data.

• These reports include recommendations to ensure compliance with the Law and its Regulations.

6. Confidentiality and Protection

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 5

• The DPO must maintain the confidentiality of Personal Data, considering its classification and sensitivity.

• They ensure that the appropriate level of protection is provided based on regulatory requirements and the classification of the data.

7. Compliance Monitoring

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 6

• The DPO monitors laws, regulations, and instructions issued by the Competent Authority and ensures that they are implemented.

• They inform relevant departments of any amendments or changes to these laws to ensure ongoing compliance.

8. AI Ethics Collaboration

Reference: Rules for Appointing Personal Data Protection Officer, Article 8, Paragraph 7

• The DPO collaborates with individuals responsible for implementing activities related to AI ethics.

• They ensure that AI activities comply with Personal Data Protection requirements and respect the privacy of Data Subjects.

9. Impact Assessment Supervision

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (b)

• The DPO supervises impact assessment procedures related to Personal Data protection.

• They oversee audit and control reporting, document assessment results, and issue necessary recommendations to ensure data protection compliance.

10. Enabling Data Subject Rights

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (c)

• The DPO is responsible for enabling Data Subjects to exercise their rights as stipulated in the PDPL.

• This includes providing access, rectification, deletion, and other rights related to the processing of their Personal Data.

11. Breach Notification

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (d)

• In the event of a Personal Data Breach, the DPO must notify the Competent Authority.

• They ensure that such breaches are reported promptly and that the necessary procedures are followed to mitigate any risks.
12. Data Subject Requests

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (e)

• The DPO is tasked with responding to requests from Data Subjects regarding their Personal Data.

• They handle complaints filed by Data Subjects in accordance with the Law and its Regulations.

13. Record Monitoring

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (f)

• The DPO monitors and updates records related to the processing activities of the Controller.

• This includes ensuring that the records are accurate and reflect current data processing practices.

14. Violations Handling

Reference: The Implementing Regulation of the PDPL, Article 32, Paragraph 3 (g)

• The DPO handles violations related to Personal Data processing.

• They take corrective actions in response to such violations to ensure compliance with the PDPL.

Chapter 12: Required Documentation for Compliance with PDPL

In addition to the responsibilities listed above, the DPO is tasked with managing key documents that are critical for compliance with PDPL:

1. Records of Processing Activities (RoPA)

o RoPA is a key document required under PDPL and must be maintained by the DPO. It provides a detailed inventory of all data processing activities within the organization.

o Contents:

▪ Purpose of processing.

▪ Lawful basis for processing.

▪ Categories of data subjects and personal data.

▪ Risk assessments associated with each processing activity.

2. Data Protection Impact Assessment (DPIA)

o DPIAs are required for high-risk processing activities, helping to identify and minimize risks to personal data.

o Contents:

▪ Description of the data processing and its purpose.

▪ Assessment of necessity and proportionality.

▪ Evaluation of risks to data subjects.

▪ Measures to mitigate identified risks.

3. Data Breach Notification Form

o In the event of a data breach, this form is used to notify the regulatory authorities and affected data subjects.

o Contents:

▪ Nature and scope of the breach.

▪ Categories and number of data subjects affected.

▪ Mitigation steps taken by the organization.

▪ Notifications made to authorities and data subjects.

4. Third-party Data Processing Agreements (DPA)

o DPAs are essential for ensuring that third-party data processors comply with PDPL and protect the personal data they handle.

o Contents:

▪ Data processing details.

▪ Security measures to protect personal data.

▪ Processor’s obligations under PDPL.

5. Data Subject Request Forms

o These forms are used to handle data subject requests for access, rectification, or deletion of personal data.

o Contents:

▪ Data subject’s identity verification.

▪ Details of the request.

▪ Actions taken by the organization to fulfill the request.

6. Consent Management Records

o Maintain records of consent obtained from data subjects, ensuring that all personal data processing is based on valid consent where necessary.

o Contents:

▪ Data subject’s name and contact details.

▪ Specific purposes for which consent was obtained.

▪ Date of consent and any withdrawal of consent.
