Web Content Viewer

Government Entities Registration

Government Entities Registration

The Saudi Data & AI Authority (SDAIA) supervises the application of the provisions and regulations of PDPL issued by Royal Decree No. (M/19) dated 09/02/1443 AH, and amended by Royal Decree No. (M/148) dated 05/09/1444 AH, and follows up on the commitment of entities to get registered in the Platform to build a unified national register and provide services related to data management, governance and personal data protection. Also, this service allows registrars to make an assessment determining the extent to which the entity is obliged to appoint one or more DPO in accordance with the standards set by PDPL Implementing Regulations, and thereafter the registration certificate is issued.

Requirements

The government entity fills out the registration form sent by the Saudi Data & AI Authority (SDAIA), and accordingly, an account for the entity will be created by SDAIA, and a notification will be sent to the delegate to access the Platform and complete the registration procedures. You can also communicate via e-mail (Info@ndmo.gov.sa) if the account for the entity was not created.
In case you have inquiries or technical issues to complete the registration process on the Platform, please submit the request via contact us option.

  • Login to the National Data Governance Platform
  • Select government entity registration
  • Click on Start Service
  • The entity’s delegate signs up through the national single sign-on “Nafath”
  • Complete the entity profile information
  • Evaluate the necessity of appointment of DPO through specific standards
  • Issuing a registration certificate on the Platform

Rules and guidelines

Introduction

Pursuant to Article (30), paragraph 4, of the Personal Data Protection Law Issued by Royal Decree No.(M/19)dated 9/2/1443 AH, amended by Royal Decree No.(M/148)dated 5/9/1444 AH, which provides: "The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:...(C) Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a National Register of Controllers for this purpose". In accordance with Article (34) of the Implementing Regulation of the Law, which mandates that the Competent Authority shall issue the rules for registration in the National Register of Controllers, these Rules are hereby established. The purpose of these Rules is to inform and monitor Controllers within the Kingdom of the scope of their obligation to register on the National Data Governance Platform. Separate registration rules for Controllers located outside the Kingdom will be issued by the Competent Authority.

Article 1: Definitions

For the purposes of these Rules, the terms and phrases used herein shall have the meanings ascribed to them in Article (1) of the Personal Data Protection Law Issued by Royal Decree No. (M/19) dated 9/2/1443 AH and its amendments, and Article (1) of the Implementing Regulation of the Law, unless expressly defined within the body of these Rules. The following terms and phrases, wherever mentioned, shall have the meanings assigned thereto, unless the context requires otherwise:

  1. Rules: The Rules Governing the National Register of Controllers within the Kingdom.
  2. Competent Authority: Saudi Data & AI Authority (SDAIA).
  3. The Platform: National Data Governance Platform.
  4. National Register: A register that includes public, private, and individuals Controllers within the Kingdom who process personal data, with the aim of monitoring and following up on Controllers and assisting them in raising the level of compliance with the provisions of the law and regulations, in addition to provide services related to the protection of personal data.
  5. Representative: Any natural person designated by the Controller for the purposes of completing the registration procedures on the Platform.
  6. Individual: Any natural person who processes personal data for purposes exceeding personal or family use.

Article 2: Scope and Objective

These Rules shall be applicable to Controllers subject to the application scope of the Personal Data Protection Law and are mandated to register on the Platform in any of the following instances:

  1. If the Controller is a public entity.
  2. If the Controller’s main activity is based on personal data processing.
  3. If the controller processes sensitive data.
  4. If the individual processes personal data for purposes exceeding personal or family use.

This aims to build a national register for public and private Controllers and individuals who process personal data within the Kingdom, in addition to monitoring and following up on Controllers, assisting them in raising their level of commitment to implementing the provisions of the law and regulations and providing services related to personal data protection by registering on the Platform.

Article 3: Controller Delegate Appointment

  1. Public Entity: A representative shall be appointed through the registration form sent by the Competent Authority.
  2. Private Entity: A representative shall be appointed through the Platform by the authorized person.
  3. Individuals: Individuals are their own representatives and are not allowed to designate other people.

Article 4: Registration Procedures

  1. The representative must complete the registration process on the Platform when one of the conditions stipulated in Article (2) of these rules is met. The representative should also determine the need to appoint a Personal Data Protection Officer in accordance with the conditions stipulated in Article (32) of the executive regulations of the Personal Data Protection Law and the rules for appointing a Personal Data Protection Officer.
  2. Individuals must complete the registration process on the Platform when one of the conditions stipulated in Article (2) of these rules is met.

Article 5: Profile Data

  1. The Controller representative shall be responsible for completing all required fields on the Platform, including:
    A. Controller Entity Data: Entity logo, official email and contact number, and headquarters.
    B. Representative Data: Official email and contacts number.
  2. Individuals must complete all required fields on the Platform, including official email and contact number.

Article 6: Circumstances for Appointing a Personal Data Protection Officer

The Controller shall appoint one or more individuals to be responsible for the protection of personal data in accordance with the cases stipulated in Article (32) of the Executive Regulations of the Personal Data Protection Law and the rules for appointing a Personal Data Protection Officer.

Article 7: Information of the Personal Data Protection Officer

  1. If a Personal Data Protection Officer is appointed in accordance with Article (6) of these rules, the representative shall fill in the Personal Data Protection Officer's information on the Platform to create the Controller’s account.
  2. If the Personal Data Protection Officer is an employee of the Controller or an external contractor, the representative must provide the following information:
    A.National ID/residency number for data retrieval purposes.
    B.Date of birth for verification of the entered national ID/residency number.
    C.Official contact information (phone number, e-mail).
  3. If the Personal Data Protection Officer is a contractor located outside the Kingdom, the representative must provide the following information:
    A.First and last name.
    B.Official email.
    C.Official contact number.
  4. The representative may appoint themselves as the Personal Data Protection Officer if they are appointed by the Controller.

Article 8: Obligations

  1. When using the platform, the representative is committed to all of the following:
    Complete the entity’s registration.
    A.Fill in the data of the Personal Data Protection Officer in accordance with Article (7) of these rules.
    B.Fill in the information of the entity’s Chief Data (if any).
    C.View the results of the compliance assessment and the services provided.
    D.Use the Platform services, if a Personal data protection officer has not been appointed in accordance with Article (6) of these rules.
    E.Update the controller’s data on regular basis to ensure it is up-to-date.
  2. When using the platform, individuals are committed to all of the following
    A.Complete the registration process.
    B.Use Platform services.
    C.Update data regularly to ensure it is up-to-date.
  3. The Personal Data Protection Officer - if appointed - is obligated to use the Platform services stipulated in Article (12) of these Rules.

Article 9: Representative Replacement

  1. The public Controller must communicate with the Competent Authority if it wishes to replace the representative, using the official means of communication available on the Platform.
  2. If the private Controller wishes to replace the representative, they should use the form available on the Platform.

Article 10: Registration Certificate Issuance

  1. The registration certificate shall be issued as soon as the registration process, stipulated in Article (4 (of these rules, is completed. The certificate shall include the following information:
    A.Registration Serial Number.
    B.Entity/Individual Name.
    C.Entity Logo.
    D.Entity Address.
    E.Official Email of the Entity/Individual.
    F.Official Contact Number of the Entity/Individual.
    G.The Date of Issue and End Date.
    H.QR code.
  2. The certificate will be valid for (5) years as maximum.
  3. The Competent Authority shall notify the Controller of the impending expiration of their registration certificate no less than thirty (30) days prior to the expiry date. Following the expiration of the certificate, the Controller may continue to access Platform Services for a grace period of up to five (5) days. However, access to services beyond this grace period shall be contingent upon the Controller submitting a renewal request.

Article 11: Making Registration Certificate Available to the Public

The Competent Authority allows the public to verify the registration of Controllers in the national registry by reviewing the registration certificate and verifying its authenticity, without imposing any requirements. This measure is taken to protect personal data and enhance confidence in the services provided.

Article 12: Services Provided on the Platform

The Platform offers a range of e-services aimed at protecting data as national assets and safeguarding the rights of individuals from illegal violations. These services include:

  1. Personal Data Breach Notification Service: This service enables Controllers to notify a personal data breach incident to the Competent Authority immediately after its occurrence, within a period not exceeding (72) hours of becoming aware of the incident, this reporting is necessary if the incident would harm the personal data or the data subject or if it conflicts with their rights or interests, as outlined in Article (24) of the Executive Regulations of the Personal Data Protection Law.
  2. Privacy Impact Assessment Service: This tool analyzes the impact of processing personal data on the products and services provided. It helps determine the scope and objectives of the processing, identify regulatory justifications, and assess the risks associated with processing personal data.
  3. Legal Support Service: This service provides support and guidance to assist public entities in understanding the Personal Data Protection Law and its regulations. This includes interpreting stipulated provisions and requirements as well as offering guidance on relevant manuals and regulations, thereby contributing to ensuring effective application and achieving desired goals.
  4. Compliance Assessment Service: This service involves periodically evaluating compliance with specific standards and requirements to monitor the level of commitment and ensure the effectiveness of actions taken to implement laws, regulations, and policies. It also helps identify incorrect practices to address them and improves business practices and procedures.

Article 13: Review and Amendment

The Competent Authority reviews these rules whenever necessary and may make any amendments or updates to such rules.

Article 14: Enforcement

These rules will be effective from the date of publication on the official website of the Competent Authority.

Attachment: Registration Form

Required Fields
 Entered by Public Controller
Entity Name in Arabic
Entity Name in English
Entity's Unified Number (Optional)
Representative Name in Arabic
Representative National ID



The registration service in the National Data Governance Platform aims to build a unified national register, for implementation of the requirements of PDPL and its Implementing Regulations, to ensure effective control over entities' compliance with relevant regulatory requirements.

Any entity that collects and processes the personal data of individuals, either citizens or residents of the Kingdom of Saudi Arabia, in accordance with Article (2) of the Registration Rules

Registration is mandatory in the following cases:

  1. If the controller is a public entity.
  2. If the controller's primary activity involves processing of personal data.
  3. If the controller processes sensitive data.
  4. If an individual’s personal data processing for purposes that go beyond personal or family use.

As stipulated in Article (2) of Registration Rules.


Government Entity delegate

The Entity’s delegate: the one who represents the entity with the following obligations:

  • Complete the entity's registration procedures in the National Data Governance Platform.
  • Appointment or reappointment of a DPO, when needed.
  • View the assessments and services provided in the National Data Governance Platform.

Needed Data to be registered:

  • ID number.
  • Date of birth.
  • Contact information (Mobile Number, email).

Government entities fill out the registration forms sent by the Saudi Authority for Data and Artificial (SDAIA) and then the account will be created for the entity's delegate by the SDAIA then a notification will be sent to them. Accordingly, the delegate will complete the registration process, which includes signing in through the National Single Sign-On (Nafath), completing the entity’s profile information, assessing whether assigning a personal data protection officer to the entity is mandatory, and issuing the registration certificate.

The steps can also be viewed in a simplified manner by clicking on Government Entities Registration

DPO is responsible for the entity’s commitment to implement the provisions of PDPL and Regulations without prejudice to the obligations stipulated in the Implementing Regulations of PDPL, and the entity shall appoint one or more persons to undertake the roles of DPO.

Needed Data to be registered:

  • ID number.
  • Date of birth.
  • Contact information (Mobile Number, email).

Click here for an assessment to identify whether or not the appointment of a DPO is mandatory.

The DPO shall comply with each of the following:

  • Following up on the entity's commitment to PDPL and its Implementing Regulations.
  • Identifying the personal data processing activities carried out by the entity in the National Data Governance Platform and evaluating them through the services provided.
  • Notifying the Competent Authority of data breach, damage, or illegal access.
  • Conducting assessments to measure the entity's compliance and making the privacy impact assessment.

The public can use the search service in the National Register for Personal Data Protection after entering the entity's name or registration number. This is required to verify the entity's registration in the national data governance Platform to raise the level of the trust in their provided services.

No registration fee

SDAIA provides several services to the providers of the personal data processing activities which serve individuals, government and private entities in various sectors.

Click here to view the list of e-services

You can contact us via e-mail Registration@ndmo.gov.sa

If you have any technical issues or suggestions please submit a request via contact us option

Back