Article 19
The Controller shall implement all the necessary organizational, administrative and technical measures to protect Personal Data, including during the Transfer of Personal Data, in accordance with the provisions and controls set out in the Regulations.
FAQs
Controllers may share your personal data with a Processor or sub-processor only under specific conditions, as mandated by Article 19 and the Implementing Regulations. These include:
- A formal Data Processing Agreement (DPA) must be in place.
- The Processor and any sub-processor must provide sufficient guarantees to comply with PDPL requirements for personal data protection.
- A Processor must obtain prior written approval from the Controller before engaging any sub-processor.
- The Controller remains legally responsible for all data processing, even when conducted by third parties.
The Data Processing Agreement between Controller and Processor must clearly define:
- The purpose and scope of the data processing
- Categories of personal data subject to processing
- Duration of the processing engagement
- Technical and organizational security measures to be implemented
- Obligation for breach notification, including timelines and reporting procedures
- A clause requiring Controller approval before engaging any sub-processor, who must also adhere to the same DPA terms
If the Processor or sub-processor mishandles your data in violation of the PDPL or the DPA, then:
- The Controller remains fully responsible and accountable for any breach or misuse.
- The Controller must take corrective action, such as terminating the Processor’s contract or seeking legal remedies.
- The Controller may face regulatory penalties from SDAIA for failing to effectively supervise or enforce compliance by its Processors.