The terms and phrases used herein shall have the meanings ascribed to them in Article (1) of the Personal Data Protection Law issued by Royal Decree No. M/19 dated 9/2/1443 AH and its amendments, Article (1) of the Implementing Regulation of the Personal Data Protection Law, and Article (1) of the Regulation on Personal Data Transfer Outside the Kingdom. The following terms and phrases, wherever mentioned, shall have the meanings assigned thereto, unless the context requires otherwise:
1. Activities Related to Personal Data Protection: Any activity specified in paragraph (1) of Article (2) of these Controls.
2. Controls: Controls Governing Activities Related to Personal Data Protection.
3. Competent Authority: The Saudi Data & AI Authority (SDAIA).
4. Supervising Entity: Any government entity legally authorized to oversee specific activity(ies) and responsible for issuing licenses or permits for engaging in commercial, professional, or non-profit activities.
5. Licensee: A natural or legal person engaged in activities related to personal data protection under a license issued by the Supervising Entity.
6. Permit Holder: A natural or legal person engaged in activities related to personal data protection under a permit issued by the Supervising Entity, including registration with the Supervising Entity.
7. National Data Governance Platform: An electronic platform affiliated with the Competent Authority aimed at providing services to support the implementation of the provisions of the Law and Regulations.
1. These Controls shall apply to the entities subject to the provisions of Paragraph (1) of Article (33) of the Personal Data Protection Law, including consultancy services in Personal Data Protection, technical solutions and services for compliance with the provisions of the Law, technical and vocational training in Personal Data Protection, and the organization of conferences, workshops, and seminars related to Personal Data Protection or the Law, its Implementing Regulations, or documents issued thereunder.
2. The scope of these Controls shall include commercial, professional, and non-profit activities related to Personal Data Protection, regardless of their nature or the means by which they are conducted.
3. The application of these Controls shall not prejudice any legal provision set forth in another law or any regulatory requirement issued by the Supervising Entity.
4. The application of these Controls shall not prejudice any conditions or requirements issued by the Competent Authority for licensing entities engaged in the issuance of accreditation certificates in Personal Data Protection or for licensing entities conducting audits and inspections of Personal Data Processing activities.
The Licensee and the Permit Holder shall not engage in any commercial, professional, or non-profit activities related to Personal Data Protection before fulfilling the requirements set forth in these Controls, including the following:
1. Registration on the National Data Governance Platform, provided that the registration application includes the submission of the documents and records required by the Competent Authority, as well as the licensing or permitting information issued by the Supervising Entity, including a clear statement of the nature of the activity and the services or products provided thereunder.
2. Acknowledgment of compliance with the Law, Regulations, documents issued thereunder, and the provisions of these Controls, as well as the submission of relevant data and documents upon request by the Competent Authority, in accordance with the mechanisms determined thereby.
3. Disclosure of any prior complaints arising from the application of the Law and Regulations, and confirmation that no complaints are pending at the time of submitting the registration application referenced in Paragraph (1) of this Article.
4. Disclosure of any prior violations of the Law or Regulations that were previously recorded against the Licensee or the Permit Holder by the Competent Authority.
5. Any additional requirement deemed necessary by the Competent Authority for engaging in Activities Related to Personal Data Protection.
The Competent Authority shall take the necessary measures to verify compliance with the requirements set forth in this Article, in addition to ensuring that no ongoing investigative procedures exist regarding suspected violations of the Law or Regulations by the Licensee or the Permit Holder.
1. The Licensee shall not provide consultancy services that contravene the provisions of the Law, Regulations, or any documents issued thereunder.
2. The Licensee shall maintain approved documentation outlining the organizational, administrative, and technical measures, as well as the practices followed when processing Personal Data, including the security measures adopted to ensure the protection of Personal Data.
3. The Licensee shall comply with any requirements issued pursuant to the Law and Regulations, as well as any binding instructions issued by the Competent Authority regarding compliance with the provisions of the Law and Regulations.
The requirements set forth in this Article shall apply to consultancy activities, whether conducted on a professional or commercial basis.
1. The training provider shall possess the qualifications and expertise relevant to Personal Data Protection.
2. The training provider shall submit supporting documentation and references used in preparing the training program, as well as any relevant information related to sponsorship and marketing, if applicable.
3. The content of the training program shall not contravene the provisions of the Law, Regulations, or any documents issued thereunder.
4. The training content shall not include any interpretation or construction of the provisions of the Law, its Implementing Regulations, or the enforcement directives of the Competent Authority.
5. The Competent Authority shall approve the training program, and an application for approval shall be submitted at least ninety (90) days before the scheduled date of the training program.
The requirements set forth in this Article shall apply to training activities related to Personal Data Protection, whether provided by a natural or legal person, without prejudice to any applicable legal provisions or relevant regulatory requirements.
1. An acknowledgment that the provided services and the associated technical solutions comply with the provisions of the Law and its Regulations and do not involve any violations thereof.
2. The Permit Holder shall possess the necessary technical tools to support the processing and protection of Personal Data in accordance with the Law and Regulations. Additionally, these activities must be undertaken by legally and technically qualified personnel with a minimum of five (5) years of experience in Personal Data Protection regulations, technical safeguards, and best practices.
3. The Permit Holder shall maintain approved documentation outlining the organizational, administrative, and technical measures, as well as the practices followed when processing Personal Data, including the security measures adopted to ensure the protection of Personal Data.
4. The Permit Holder shall conduct a self-assessment to evaluate compliance with the Law and provide a copy of the assessment results to the Competent Authority.
1. Speakers shall possess the qualifications and expertise relevant to Personal Data Protection.
2. The content presented shall not contravene the provisions of the Law, Regulations, or any documents issued thereunder.
3. The content presented shall not include any interpretation or construction of the provisions of the Law, its Implementing Regulations, or the enforcement directives of the Competent Authority.
4. The Competent Authority shall approve the conference, workshop, or seminar, and an application for approval shall be submitted at least ninety (90) days before the scheduled date of the event.
5. Supporting documents and records shall be submitted when applying for the approval referenced in Paragraph (4) of this Article, including information related to sponsorship, marketing, and the participating parties.
1. The Competent Authority may temporarily suspend the Licensee or Permit Holder from engaging in any of the activities specified herein if there are ongoing proceedings related to suspected violations of the Law, Regulations, or these Controls.
2. The Competent Authority may suspend the Licensee or Permit Holder from engaging in any of the activities specified herein if, after undertaking the necessary legal procedures, it is determined that a violation of the Law, Regulations, or these Controls has occurred.
All activities specified in these Controls shall be recorded in a National Register maintained by the Competent Authority.
These Controls shall be periodically reviewed in accordance with developments and changes related to the practice of relevant activities.
These Controls, or any amendments or updates thereto, shall enter into force from the date of their publication in the Official Gazette.
Last update: 20 April 2025