The Rules Governing the National Register of Controllers Within the Kingdom

Add Comment ؟

Required field
You can add your visuals to the project with no more than 5000 characters,1000 Characters left
user can hide his name by uncheck Visible in comments in profile Section,

Required field Wrong verification code

Add comment

Comments

(Blank)

Purpose
Agencies
Effect
Subjects

Article 1: Definitions

Add Comment

1.  For the purposes of these Rules, the terms and phrases used herein shall have the meanings ascribed to them in Article 1 of the Personal Data Protection Law Issued by Royal Decree No. (M/19) dated 9/2/1443 AH, amended by Royal Decree No. (M/148) dated 5/9/1444 AH and Article 1 of the Implementing Regulation of the Law, unless expressly defined within the body of these Rules.
2.  The following terms and phrases -wherever used in these rules- shall have the meanings assigned to them, unless the context requires otherwise:
Rules: The Rules Governing the National Register of Controllers.
Competent Authority: Saudi Data & AI Authority (SDAIA).
The Platform: National Data Governance Platform.
National Register: A way to monitor and follow up on Controllers, as well as assist them in raising their level of compliance with the Law and the Regulations. Additionally, the National Register provides services related to personal data protection procedures.
Personal Data Protection Officer: Any natural person designated by the Controller to serve as the Personal Data Protection Officer. This officer shall be responsible for personal data protection, ensuring adherence to the Law and the Regulations within the Controller. The officer shall also monitor and supervise relevant procedures within the Controller and receive requests related to personal data in accordance with the Law and the Regulations.
Delegate: A designated delegate authorized to act on behalf of the Controller for the purposes of completing registration procedures on the Platform.

Comments.

Add Comment

Article 2: Scope and Objective

Add Comment

These Rules shall be applicable to Controllers that are subject to the application scope of the Personal Data Protection Law and are mandated to register on the Platform in any of the following instances:
1.  If the Controller is a public entity.
2.  If the Controller’s main activity is based on personal data processing and collection.
3.  If the Controller collects and processes sensitive personal data, and the processing is likely to entail a high risk to the rights and freedoms of the personal data subjects, e.g., criminal data, genetic data, or an individual’s racial or ethnic origin.
This aims to establish a unified national register that facilitates enhanced compliance by Controllers with the provisions of the Personal Data Protection Law and the Regulations.

Comments.

Add Comment

Article 3: Registration Procedures

Add Comment

1.  Public Entity: The public controller shall complete the registration form provided by the Competent Authority and designate a delegate authorized to act on its behalf during the registration process. The designated delegate shall complete all required fields within the registration form, assess the need for appointing a Personal Data Protection Officer for the entity, and issue the entity's registration certificate.
2.  Private Entity: The private controller shall complete the registration process on the Platform. The registration can be initiated by the owner, partner, or a designated delegate authorized to act on behalf of the entity. The designated delegate shall complete all required fields within the registration form, verify registration eligibility, assess the need for appointing a Personal Data Protection Officer for the entity, and issue the entity's registration certificate.
3.  Individuals: Individuals may register on the Platform by completing the required registration procedures, which include completing all required fields within the registration form, verifying eligibility for registration, and issuing the registration certificate.

Comments.

Add Comment

Article 4: Controller Delegate Appointment

Add Comment

1. Public Entity: A delegate shall be appointed through the registration form sent by the Competent Authority.
2. Private Entity: A delegate shall be appointed by the entity's owner or partner.

Comments.

Add Comment

Article 5: Delegate Replacement

Add Comment

1. The public controller shall be responsible for maintaining the accuracy of the designated delegate's information. This includes updating the delegate's information as necessary and facilitating communication with the Competent Authority should the entity want to change the delegate.
2. The private controller shall be responsible for maintaining the accuracy of the designated delegate's information. This includes updating the delegate's information on the Platform as necessary.

Comments.

Add Comment

Article 6: Controller Delegate Obligations

Add Comment

On the Platform, the Controller’s delegate shall comply with the following:

1.  Complete the registration procedures on the entity's behalf.
2.  Complete the following data fields:
- The Personal Data Protection Officer in the cases stipulated in the Law and the Regulations and the Rules for Appointing the Personal Data Protection Officer.
- The entity’s Chief Data Officer, if any.
3.  Review the results for the compliance and the provided services assessment.
4.  Use the Platform Services in case no Personal Data Protection Officer is appointed, in accordance with the conditions stipulated in the Law, the Regulations, and the Rules Governing Appointment.
5.Update the Controller's data regularly to maintain its validity and accuracy.

Comments.

Add Comment

Article 7: Profile Data

Add Comment

The profile shall be completed following the completion of the following data fields:
1. The public and private controller delegate shall be responsible for completing all required fields on the Platform, including:
- Controller Data: Entity logo, official email and contact number, and headquarters.
- Delegate Data: Official email and contact number.
2. Individuals must complete all required fields on the Platform, including official email and contact number.

Comments.

Add Comment

Article 8: Registration Certificate Issuance

Add Comment

The registration certificate shall be issued as soon as the registration process is completed. The certificate shall include the following information:
1.  Registration Serial Number.
2.  Entity/Individual Name.
3.  Entity Logo.
4.  Entity Address.
5.  Official Email of the Entity/Individual.
6.  Official Contact Number of the Entity/Individual.
7.  The Date of Issue and End Date.
8.  QR code.
The Competent Authority shall notify the Controller of the impending expiration of their registration certificate no less than thirty (30) days prior to the expiry date. Following the expiration of the registration certificate, the Controller may continue to access Platform Services for a grace period of up to five (5) days. However, access to services beyond this grace period shall be contingent upon the Controller submitting a renewal request.

Comments.

Add Comment

Article 9: Making Registration Certificate Available to the Public

Add Comment

The Competent Authority shall implement mechanisms to facilitate the verification of Controllers' registration. This verification process is intended to enhance trust and confidence in the services provided. The registration certificate for each Controller shall be publicly accessible within the National Register for Personal Data Protection.

Comments.