The terms and phrases used herein shall have the meanings ascribed to them in Article 1 of the Personal Data Protection Law issued pursuant to Royal Decree No. M/19 dated 9/2/1443 AH (as amended), Article 1 of the Implementing Regulations of the Personal Data Protection Law, and Article 1 of the Regulation on Personal Data Transfer Outside the Kingdom. The following terms and phrases, wherever mentioned, shall have the meanings assigned thereto unless the context requires otherwise:
1. Rules: The rules governing the licensing of audits or checks of personal data processing activities and the issuance of accreditation certificates to controllers and processors.
2. License: A document issued by the Competent Authority granting a Licensee the power to conduct audits or checks or issue accreditation certificates.
3. Applicant: The entity that submits a license application to the Competent Authority to conduct audits or checks of personal data processing activities or issue accreditation certificates to controllers and processors.
4. License Type: The license to issue accreditation certificates to controllers and processors or the license to conduct audits or checks of personal data processing activities.
5. Licensee: The entity empowered by the Competent Authority to conduct audits or checks or issue accreditation certificates, pursuant to the Competent Authority's decision on the submitted license applications and in accordance with the requirements specified in these Rules.
6. Accreditation Certificate: A certificate issued by the Licensee to a controller or processor attesting that the personal data processing practices and procedures followed by the controller or processor comply with the provisions of the Law, regulations, and requirements stipulated in the Rules Governing the Issuance of Accreditation Certificates.
7. Audits or Checks: The activities undertaken by the Licensee to verify that an entity's personal data processing activities are conducted in a compliant manner. This involves auditing and checking the entity's personal data processing activities and related controls and procedures, as well as identifying any gaps in the application of the Law and regulations.
8. Audit or Checks Report: A report prepared by a Licensee to conduct audits or checks, outlining the findings of the audit or check of the personal data processing activities subject to the audit or check in light of the provisions of the Law and regulations.
9. Assessment Report: A report prepared by the Licensee to issue accreditation certificates detailing the findings of its assessment of the practices and procedures followed in personal data processing in light of the provisions of the Law and regulations.
10. Competent Authority's Platform: An electronic platform affiliated with the Competent Authority that aims to provide services that support the application of the provisions of the Law and regulations.
These Rules shall apply to entities that submit license applications to the Competent Authority to conduct audits or checks of personal data processing activities or to issue accreditation certificates, as stipulated in Paragraphs (2) and (3) of Article 33 of the Law, and Articles 35 and 36 of the Law's Implementing Regulation.
These Rules aim to:
1. Define the licensing procedure followed by the Competent Authority for entities issuing accreditation certificates or conducting audits or checks.
2. Approve reliable entities to provide audits or checks or issue accreditation certificates in accordance with the provisions of the Law and regulations and in line with the documents issued by the Competent Authority regarding compliance with the provisions of the Law and regulations.
3. Promote transparency in the application of the provisions of the Law through the adoption and publication of procedures related to licensing entities to undertake the activities specified in the Law.
The Applicant shall meet the following requirements:
1. Compliance with the provisions of the Law, regulations, and any other regulatory documents issued by the Competent Authority.
2. Conducting audits or checks or issuing accreditation certificates in accordance with the methodology specified by the Competent Authority and following the documents related to compliance with the provisions of the Law and regulations as specified.
3. Providing these services independently and disclosing any potential conflicts of interest that may arise when conducting business under the license with controllers or processors.
4. Disclosing any previous complaints filed against the Applicant related to the application of the provisions of the Law and regulations and confirming that there are no ongoing complaints at the time of submitting the application.
5. Disclosing any violations arising from the application of the provisions of the Law and regulations that have been previously identified by the Competent Authority in relation to the applicant.
1. The Applicant shall be a legal entity independent of any other entity under the Kingdom’s regulations and shall have an establishment in the Kingdom.
2. The means of communication adopted for the Licensee shall include the entity’s legal name, the address of its establishment, and the commercial registration or foreign investor license number.
3. The Applicant shall have the technical tools and qualified personnel to conduct audits or checks or issue accreditation certificates related to personal data processing activities and protection in accordance with the provisions of the Law, regulations, and methodology determined by the Competent Authority.
4. Obtaining accreditation for granting certificates from the Saudi Accreditation Center if the license application is related to issuing accreditation certificates.
5. Preparing a plan and procedures for the periodic review of the activity of entities that have been issued accreditation certificates, if the license application is related to accreditation certificates.
6. Any other requirements determined by the Competent Authority, in accordance with the provisions of the Law, regulations, and any document issued by the Competent Authority regarding the application of the provisions of the Law and regulations.
A license application shall be submitted by the Applicant in accordance with the procedures specified by the Competent Authority. The application shall include the following details:
1. The license application form and the type of license requested.
2. The entity's articles of association, commercial registration, address, and official contact details.
3. A copy of the supporting documents for the requirements specified in Articles 3 and 4 of these Rules.
4. Any other requirements specified by the Competent Authority, in accordance with the provisions of the Law and regulations, and consistent with the standards of compliance with the provisions of the Law and regulations.
1. The Competent Authority shall evaluate the license application in accordance with the requirements and conditions set forth in Articles 3 and 4 of these Rules. The application shall be reviewed, and a decision shall be issued within a maximum period of ninety (90) business days from the date of its receipt. The Applicant shall be notified of the decision in writing and with reasons.
2. In the event of rejection of the application, the Applicant may re-submit the application after addressing the reasons for rejection.
3. In the event of acceptance of the application, the Competent Authority shall determine the duration of the license in accordance with the provisions of Article 8 of these Rules.
The fees for services provided by the Competent Authority to the Licensee shall be determined through the Competent Authority’s Platform or any other means deemed appropriate by the Competent Authority.
The Competent Authority shall grant the license for a period of three (3) years commencing from the date the license decision is issued.
Licensees shall submit a renewal application to the Competent Authority at least ninety (90) business days prior to the expiration date. Renewal shall be approved upon verification of the fulfillment of the license requirements and conditions stipulated in Articles 3 and 4. The term of the renewed license shall be the same as the initial term or as determined by the Competent Authority.
1. The Competent Authority may revoke the license or temporarily suspend the licensee’s activities in the following cases:
a. Failure of the Licensee to comply with the requirements stipulated in Articles 3 and 4 of these Rules, or violation of the provisions of the Law and regulations or any binding instructions issued by the Competent Authority in this regard.
b. Termination of the accreditation stipulated in Paragraph (4) of Article 4 of these Rules if the License Type is a license to issue accreditation certificates.
c. Failure of the licensee to address violations or any written directives issued by the Competent Authority.
d. If it is proven that the Licensee has provided false information or failed to disclose any information that it was required to disclose for the purposes of obtaining a license.
e. Any other reasons deemed appropriate by the Competent Authority.
2. The Competent Authority shall notify the entity whose license has been revoked or temporarily suspended of the reasons for such revocation or suspension.
3. The entity may appeal the revocation or temporary suspension of the license within a period not exceeding (30) business days from the date of notification of the decision or may amend its situation and submit proof of such amendment if the revocation or suspension of the license was based on any of the provisions of Paragraph (1) of this Article.
4. The revocation or temporary suspension of the license shall not affect the validity of audit or check reports or accreditation certificates issued by the Licensee prior to the date of revocation or suspension unless the Competent Authority finds that such work is unsound or incorrect.
1. The license issued pursuant to these Rules shall be canceled in any of the following cases:
a. Termination of the legal entity of the company in accordance with the Companies Law.
b. Transformation, merger, or division of the company in accordance with the Companies Law.
2. The cancellation of the license shall not affect the validity of audit or check reports or accreditation certificates issued by the licensee prior to the date of cancellation unless the Competent Authority finds that such activities were unsound or incorrect.
1. An entity that has obtained a license to conduct audits or checks pursuant to these Rules shall not subcontract any of the work it undertakes pursuant to the license to any other party except with the prior approval of the Competent Authority.
2. An entity that has obtained a license to issue accreditation certificates pursuant to these Rules shall not subcontract any of the work it undertakes pursuant to the license to any other party except with the prior approval of the Competent Authority.
3. The subcontracting by a licensee of any of the work it undertakes pursuant to the license shall not relieve it of its obligations under these Rules or its liability to the Competent Authority.
1. The licensee shall continuously train and develop its personnel involved in personal data protection in accordance with the provisions of the Law and regulations and support them in obtaining professional certifications in this field to ensure the enhancement of their competence.
2. The licensee shall follow up on any regulations, instructions, or similar publications related to personal data protection issued by the Competent Authority.
3. The licensee shall conduct a semi-annual assessment of the administrative, technical, organizational, and operational measures and procedures for audit or check activities or the issuance of accreditation certificates to ensure the continued availability of the conditions and requirements of the license specified in Articles 3 and 4 of these Rules.
4. The licensee shall maintain the confidentiality of the findings of audit or check activities or the issuance of accreditation certificates related to the assessed entities and shall not publish, share, or disclose its contents without the approval of the Competent Authority.
5. The licensee shall disclose any material change after obtaining the license that may result in a conflict of interest with any controller or processor when performing its duties under the license.
1. An entity licensed to issue accreditation certificates shall be obligated to submit reports to the Competent Authority, upon request, related to the issuance of accreditation certificates, including the fees for providing such services.
2. The Licensee shall maintain complete, up-to-date, and auditable documentation, including the following:
a. All accreditation applications received from controllers and processors.
b. All assessments of accreditation applications.
c. All issued accreditation certificates, including details of the entity to which the certificate was issued, the date of issuance, the expiration date, and all related documents.
d. All decisions, justifications, and supporting evidence related to the withdrawal or renewal of accreditation certificates.
e. Details of all relevant Licensee personnel who participate in assessing the suitability of a controller or processor for accreditation or who make decisions regarding the issuance, withdrawal, or renewal of accreditation certificates.
3. The Licensee shall submit periodic reports to the Competent Authority on entities that have been granted, withdrawn, or renewed accreditation certificates, stating the reasons for taking any such action.
The Competent Authority shall publish on its platform a list of entities licensed to conduct audits or checks and entities licensed to issue accreditation certificates, including the validity periods of the licenses and the official contact information for each Licensee.
The Competent Authority may, when necessary, review these Rules and make any amendments or updates thereto.
These Rules, or any amendments or updates thereto, shall enter into force from the date of their publication on the official website of the Competent Authority.
Last update: 09 December 2024