saudi-pdpl.com

Article 19

The Controller shall implement all the necessary organizational, administrative and technical measures to protect Personal Data, including during the Transfer of Personal Data, in accordance with the provisions and controls set out in the Regulations.

FAQs

Controllers may share your personal data with a Processor or sub-processor only under specific conditions, as mandated by Article 19 and the Implementing Regulations. This includes: 

  • A formal Data Processing Agreement (DPA) must be in place. 
  • The Processor and any sub-processor must provide sufficient guarantees to comply with PDPL requirements for personal data protection. 
  • A Processor must obtain prior written approval from the Controller before engaging any sub-processor. 
  • The Controller remains legally responsible for all data processing, even when conducted by third parties.

The Data Processing Agreement between Controller and Processor must clearly define: 

  • The purpose and scope of the data processing 
  • Categories of personal data subject to processing 
  • Duration of the processing engagement 
  • Technical and organizational security measures to be implemented 
  • Obligation for breach notification, including timelines and reporting procedures 
  • A clause requiring Controller approval before engaging any sub-processor, who must also adhere to the same DPA terms

If the Processor or sub-processor mishandles your data in violation of the PDPL or the DPA, then:

  • The Controller remains fully responsible and accountable for any breach or misuse. 
  • The Controller must take corrective action, such as terminating the Processor’s contract or seeking legal remedies. 
  • The Controller may face regulatory penalties from SDAIA for failing to effectively supervise or enforce compliance by its Processors. 