The Terms and Phrases set forth in these Rules shall bear the meanings assigned to them in Article (1) of the Personal Data Protection Law issued pursuant to Royal Decree No. (M/19), dated 9/2/1443 AH, and its amendments, as well as Article (1) of the Implementing Regulation of the Law and the Regulation on Personal Data Transfer Outside the Kingdom. Unless the context requires otherwise, the following terms and expressions, wherever mentioned in these Rules, shall have the meanings expressed herein.
1. The Rules: The rules governing the issuing of accreditation certificates.
2. The Licensee: The entity authorized by the Competent Authority to engage in the activity of issuing accreditation certificates to applicants.
3. Applicant: A Controller or Processor—operating either within or outside the Kingdom—that submits an application for an accreditation certificate to a licensee.
4. Accreditation Certificates: Certificates issued by the Licensee to the Applicant, confirming that the practices and procedures followed by the Applicant in processing personal data comply with the provisions of the Law, the Regulations, and the requirements provided for in these Rules.
5. Evaluation Report: A report prepared by the Licensee that includes the results of the evaluation of the practices and procedures followed by the Applicant in processing personal data pursuant to the provisions of the Law and the Regulations.
6. Competent Authority Platform: An electronic platform affiliated with the Competent Authority that aims to provide services that support the application of the provisions of the Law and regulations.
The Rules shall apply to entities subject to the provisions of the Personal Data Protection Law that submit an application for accreditation certificates to the Licensee. The objectives of these Rules are to:
1. Enhance the performance of entities subject to the Law in aspects related to practices and procedures for personal data protection.
2. Build trust among data subjects in the practices and procedures adopted by Controllers and Processors when handling personal data.
1. The Applicant's practices and procedures for personal data processing activities shall comply with the provisions of the Law and the Regulations.
This shall be determined by an evaluation conducted by the Licensee as per the instructions issued by the Competent Authority.
2. The Applicant shall disclose any prior complaints filed against them pursuant to the application of the provisions of the Law and the Regulations and shall certify that no complaints are currently pending at the time of submitting the accreditation application.
3. The Applicant shall disclose any violations of the provisions of the Law previously identified by the Competent Authority.
The Competent Authority is entitled to undertake all necessary measures to verify compliance with the requirements provided for in this Article and shall ensure that no ongoing evidence-gathering proceedings exist regarding any alleged violations of the provisions of the Law by the Applicant.
1. The technical tools necessary to perform personal data processing and protection activities in compliance with the provisions of the Law and the Regulations. These activities shall be carried out by personnel who are legally and technically qualified, with a minimum of five (5) years of professional experience in such fields.
2. Duly approved documentation detailing the organizational, administrative, and technical measures, procedures, and practices followed when processing personal data, including the measures to ensure the security of personal data.
3. Requirements prescribed by the Licensee, aligned with the provisions of the Law and the Regulations, in addition to any requirements issued by the Competent Authority regarding the compliance with the provisions of the Law and the Regulations.
1. The Applicant shall verify the list of Licensees published on the Competent Authority's platform.
2. A copy of the supporting documents demonstrating compliance with the requirements provided for in Articles (3) and (4) of these Rules shall be submitted.
3. The Applicant shall fulfill any additional requirements related to the application submission process, including approved methods and channels, as determined by the Competent Authority in accordance with the provisions of the Law and the Regulations.
1. The Licensee shall evaluate the application in accordance with the requirements provided for in Articles (3) and (4) of these Rules. The application shall be reviewed, and the evaluation report issued within a maximum of ninety (90) business days from the date of receipt. The Applicant shall be notified of the evaluation result, which shall be presented in documented form along with its justifications.
2. If the application is rejected, the Applicant may submit a subsequent application upon addressing the issues that led to the rejection of their prior application.
3. Upon approval of the application, the Licensee shall issue the accreditation certificate and provide the Applicant with a copy of the report detailing the evaluation results.
The accreditation certificate shall include, at a minimum, the following technical elements:
1. The accreditation certificate number.
2. Information about the entity to which the accreditation certificate is issued, including its contact details.
3. The date of issuance of the accreditation certificate and the duration of its validity.
4. Information about the Licensee authorized to issue the accreditation certificate, including its contact details.
The Competent Authority has the right to require additional elements for the issuance of the accreditation certificate.
1. The entity that received the accreditation certificate shall ensure the continuous training and development of personnel involved in personal data processing, in accordance with the provisions of the Law and the Regulations. The entity shall also support its personnel in obtaining relevant professional certifications to enhance their competencies.
2. The entity that received the accreditation certificate shall notify the Licensee if it becomes unable to comply with any provisions of the Law, the Regulations, or the requirements set forth in Articles (3) and (4) of these Rules. Upon such notification, the Licensee shall reassess the entity's eligibility to retain the accreditation certificate.
3. If the accreditation certificate is issued to an entity located outside the Kingdom, the entity shall notify the Licensee of any changes in the regulatory requirements or practices within its jurisdiction that conflict with the requirements set forth in Articles (3) and (4) of these Rules.
4. The Licensee shall conduct audits and assessments at least once annually, or as deemed necessary, to ensure that the entity holding the accreditation certificate or practices within its jurisdiction that conflict with the requirements set forth in Articles (3) and (4) of these Rules.
5. The Competent Authority may instruct the Licensee to reassess the validity of the accreditation certificate if the entity holding the accreditation certificate is found to be in violation of any provisions of the Law, the Regulations, or the requirements set forth in Articles (3) and (4) of these Rules.
6. A Processor located outside the Kingdom and holding an accreditation certificate under these Rules shall cooperate fully with the Competent Authority and the Licensee regarding any requests under the Personal Data Protection Law, its Implementing Regulations, and these Rules.
The accreditation certificate shall be issued by the Licensee for a duration of two (2) years, starting from the date of issuance.
The entity holding the accreditation certificate may submit a renewal application to the Licensee no less than thirty (30) business days prior to its expiration date. Renewal shall be approved upon verification of compliance with the requirements set forth in Articles (3) and (4) of these Rules. The duration of the renewed accreditation certificate shall be equivalent to its original duration of validity.
1. The Licensee may revoke the accreditation certificate in any of the following circumstances:
Employees of the Licensee shall disclose any actual or potential conflict of interest with the Applicant.
The Competent Authority and the Licensee shall publish on their official websites a list of entities that have received accreditation certificates, including the duration of validity for each certificate and the official contact details of the certified entities.
The Competent Authority may, when deemed necessary, review these Rules and make any amendments or updates thereto.
These Rules, along with any amendments or updates made thereto, shall enter into force on the date of their publication on the official website of the Competent Authority.
Last update: 09 December 2024