Registration of Private Entities

The Saudi Data & AI Authority (SDAIA) is responsible for overseeing the implementation of the Personal Data Protection Law, issued by Royal Decree No. (M/19) dated 09/02/1443 AH, and its amendments. SDAIA also ensures controllers' compliance by building a unified national register for controllers who process personal data within the Kingdom, including public and private entities, non-profits, and individuals. Registration on the platform is determined according to the cases stipulated in Article (2) of the Rules Governing the National Register of Controllers within the Kingdom, which can be viewed here.

Requirements

  • Account on Absher
  • Active commercial registration
  • Delegate a representative of the entity using the authorization service at the Saudi Business Center.

If you encounter any technical issues or have inquiries regarding the registration procedures on the Platform, please submit a request via the Contact Us option.

  • The authorized person should log in to the Saudi Business Center Platform (https://business.sa/).
  • Select “Business Platform”.
  • Sign in using the National Single Sign-On (Nafath).
  • Under Electronic Services navigate to “Inquiries and general services” and choose “Saudi Business Center”.
  • Click on Delegations service.
  • Create a new Delegation and complete the necessary steps.
  • Select the Commercial Register for the entity.
  • Select (Saudi Data and Artificial Intelligence Authority “SDAIA”) as a service provider.
  • Select the name of service (representing and registering on National Data Governance Platform and completing procedures).


To register on the National Data Governance Platform, the representative needs to follow these steps:

  • Select Private Entity Registration.
  • Click on Start Service.
  • Sign in as a representative through the National Single Sign-On (Nafath).
  • Under control entities, choose private entity.
  • Click on “Import Delegation”.
  • Choose the private entity for which you want to complete registration procedures.
  • Evaluate eligibility for registration according to the cases stipulated in Article (2) of the Rules Governing the National Register of Controllers within the Kingdom.
  • Complete entity profile information.
  • Assess whether appointing a DPO is mandatory, according to the cases stipulated in Article (32) of the Implementing Regulations of the Personal Data Protection Law.
  • Evaluate eligibility for registration in Artificial Intelligence Ethics.
  • Issue a certificate for the national register for personal data protection.


The owner of an Establishment can log into the platform and complete the registration steps directly if they do not wish to delegate a representative through the Saudi Business Center.

Rules and Guidelines

Introduction

Pursuant to Article (30), paragraph 4, of the Personal Data Protection Law Issued by Royal Decree No. (M/19) dated 9/2/1443 AH, amended by Royal Decree No. (M/148) dated 5/9/1444 AH, which provides: "The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may: ... (C) Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a National Register of Controllers for this purpose". In accordance with Article (34) of the Implementing Regulation of the Law, which mandates that the Competent Authority shall issue the rules for registration in the National Register of Controllers, these Rules are hereby established. The purpose of these Rules is to inform and monitor Controllers within the Kingdom of the scope of their obligation to register on the National Data Governance Platform. Separate registration rules for Controllers located outside the Kingdom will be issued by the Competent Authority.

Article 1: Definitions

For the purposes of these Rules, the terms and phrases used herein shall have the meanings ascribed to them in Article (1) of the Personal Data Protection Law Issued by Royal Decree No. (M/19) dated 9/2/1443 AH and its amendments, and Article (1) of the Implementing Regulation of the Law, unless expressly defined within the body of these Rules. The following terms and phrases, wherever mentioned, shall have the meanings assigned thereto, unless the context requires otherwise:

  1. Rules: The Rules Governing the National Register of Controllers within the Kingdom.
  2. Competent Authority: Saudi Data & AI Authority (SDAIA).
  3. The Platform: National Data Governance Platform.
  4. National Register: A register that includes public, private, and individual Controllers within the Kingdom who process personal data, with the aim of monitoring and following up on Controllers and assisting them in raising the level of compliance with the provisions of the law and regulations, in addition to providing services related to the protection of personal data.
  5. Representative: Any natural person designated by the Controller for the purposes of completing the registration procedures on the Platform.
  6. Individual: Any natural person who processes personal data for purposes exceeding personal or family use.

Article 2: Scope and Objective

These Rules shall be applicable to Controllers subject to the application scope of the Personal Data Protection Law and are mandated to register on the Platform in any of the following instances:

  1. If the Controller is a public entity.
  2. If the Controller’s main activity is based on personal data processing.
  3. If the controller processes sensitive data.
  4. If the individual processes personal data for purposes exceeding personal or family use.

This aims to build a national register for public and private Controllers and individuals who process personal data within the Kingdom, in addition to monitoring and following up on Controllers, assisting them in raising their level of commitment to implementing the provisions of the law and regulations and providing services related to personal data protection by registering on the Platform.

Article 3: Controller Delegate Appointment

  1. Public Entity: A representative shall be appointed through the registration form sent by the Competent Authority.
  2. Private Entity: A representative shall be appointed through the Platform by the authorized person.
  3. Individuals: Individuals are their own representatives and are not allowed to designate other people.

Article 4: Registration Procedures

  1. The representative must complete the registration process on the Platform when one of the conditions stipulated in Article (2) of these rules is met. The representative should also determine the need to appoint a Personal Data Protection Officer in accordance with the conditions stipulated in Article (32) of the executive regulations of the Personal Data Protection Law and the rules for appointing a Personal Data Protection Officer.
  2. Individuals must complete the registration process on the Platform when one of the conditions stipulated in Article (2) of these rules is met.

Article 5: Profile Data

  1. The Controller representative shall be responsible for completing all required fields on the Platform, including:
    A. Controller Entity Data: Entity logo, official email and contact number, and headquarters.
    B. Representative Data: Official email and contact number.
  2. Individuals must complete all required fields on the Platform, including official email and contact number.

Article 6: Circumstances for Appointing a Personal Data Protection Officer

The Controller shall appoint one or more individuals to be responsible for the protection of personal data in accordance with the cases stipulated in Article (32) of the Executive Regulations of the Personal Data Protection Law and the rules for appointing a Personal Data Protection Officer.

Article 7: Information of the Personal Data Protection Officer

  1. If a Personal Data Protection Officer is appointed in accordance with Article (6) of these rules, the representative shall fill in the Personal Data Protection Officer's information on the Platform to create the Controller’s account.
  2. If the Personal Data Protection Officer is an employee of the Controller or an external contractor, the representative must provide the following information:
    A. National ID/residency number for data retrieval purposes.
    B. Date of birth for verification of the entered national ID/residency number.
    C. Official contact information (phone number, e-mail).
  3. If the Personal Data Protection Officer is a contractor located outside the Kingdom, the representative must provide the following information:
    A. First and last name.
    B. Official email.
    C. Official contact number.
  4. The representative may appoint themselves as the Personal Data Protection Officer if they are appointed by the Controller.

Article 8: Obligations

  1. When using the platform, the representative is committed to all of the following:
    Complete the entity’s registration.
    A. Fill in the data of the Personal Data Protection Officer in accordance with Article (7) of these rules.
    B. Fill in the information of the entity’s Chief Data (if any).
    C. View the results of the compliance assessment and the services provided.
    D. Use the Platform services, if a Personal Data Protection Officer has not been appointed in accordance with Article (6) of these rules.
    E. Update the controller’s data on a regular basis to ensure it is up-to-date.
  2. When using the platform, individuals are committed to all of the following:
    A. Complete the registration process.
    B. Use Platform services.
    C. Update data regularly to ensure it is up-to-date.
  3. The Personal Data Protection Officer - if appointed - is obligated to use the Platform services stipulated in Article (12) of these Rules.

Article 9: Representative Replacement

  1. The public Controller must communicate with the Competent Authority if it wishes to replace the representative, using the official means of communication available on the Platform.
  2. If the private Controller wishes to replace the representative, they should use the form available on the Platform.

Article 10: Registration Certificate Issuance

  1. The registration certificate shall be issued as soon as the registration process stipulated in Article (4) of these rules is completed. The certificate shall include the following information:
    A. Registration Serial Number.
    B. Entity/Individual Name.
    C. Entity Logo.
    D. Entity Address.
    E. Official Email of the Entity/Individual.
    F. Official Contact Number of the Entity/Individual.
    G. The Date of Issue and End Date.
    H. QR code.
  2. The certificate will be valid for a maximum of (5) years.
  3. The Competent Authority shall notify the Controller of the impending expiration of their registration certificate no less than thirty (30) days prior to the expiry date. Following the expiration of the certificate, the Controller may continue to access Platform Services for a grace period of up to five (5) days. However, access to services beyond this grace period shall be contingent upon the Controller submitting a renewal request.

Article 11: Making Registration Certificate Available to the Public

The Competent Authority allows the public to verify the registration of Controllers in the national registry by reviewing the registration certificate and verifying its authenticity, without imposing any requirements. This measure is taken to protect personal data and enhance confidence in the services provided.

Article 12: Services Provided on the Platform

The Platform offers a range of e-services aimed at protecting data as national assets and safeguarding the rights of individuals from illegal violations. These services include:

  1. Personal Data Breach Notification Service: This service enables Controllers to notify the Competent Authority of a personal data breach incident immediately after its occurrence, within a period not exceeding (72) hours of becoming aware of the incident. This reporting is necessary if the incident would harm the personal data or the data subject or if it conflicts with their rights or interests, as outlined in Article (24) of the Executive Regulations of the Personal Data Protection Law.
  2. Privacy Impact Assessment Service: This tool analyzes the impact of processing personal data on the products and services provided. It helps determine the scope and objectives of the processing, identify regulatory justifications, and assess the risks associated with processing personal data.
  3. Legal Support Service: This service provides support and guidance to assist public entities in understanding the Personal Data Protection Law and its regulations. This includes interpreting stipulated provisions and requirements as well as offering guidance on relevant manuals and regulations, thereby contributing to ensuring effective application and achieving desired goals.
  4. Compliance Assessment Service: This service involves periodically evaluating compliance with specific standards and requirements to monitor the level of commitment and ensure the effectiveness of actions taken to implement laws, regulations, and policies. It also helps identify incorrect practices to address them and improves business practices and procedures.

Article 13: Review and Amendment

The Competent Authority reviews these rules whenever necessary and may make any amendments or updates to such rules.

Article 14: Enforcement

These rules will be effective from the date of publication on the official website of the Competent Authority.

Attachment: Registration Form

Required Fields (Entered by Public Controller)

  • Entity Name in Arabic
  • Entity Name in English
  • Entity's Unified Number (Optional)
  • Representative Name in Arabic
  • Representative National ID



The registration aims to build a national register of controllers, including public entities, private entities, and individuals that process personal data related to individuals residing in the Kingdom, and to support them by providing services related to the protection of personal data and ensuring their compliance with the law and its implementing regulations.

Any controller that collects and processes the personal data of individuals who are citizens or residents of the Kingdom of Saudi Arabia.

Any public entity, natural person or private legal person that specifies the purposes and manner of processing personal data, whether the data is processed by that controller or by the Processor.

Registration is mandatory in the following situations:
1. If the Controller processes sensitive data.
2. If the Controller’s main activity is based on processing personal data.

As stipulated in Article (2) of the Rules Governing the National Register of Controllers within the Kingdom, which can be viewed here.


1. The authorized person should log in to the Saudi Business Center Platform (https://business.sa/).
2. Select “Business Platform”.
3. Sign in using the National Single Sign-On (Nafath).
4. Under Electronic Services navigate to “Inquiries and general services” and choose “Saudi Business Center”.
5. Click on Delegations Services.
6. Create a new Delegation and complete the necessary steps.
7. Select the Commercial Register for the entity.
8. Select (Saudi Data and Artificial Intelligence Authority “SDAIA”) as a service provider.
9. Select the name of service (representing and registering on National Data Governance Platform and completing procedures).

An entity delegate who was appointed in the Authorization System of the Saudi Business Center.

1. Sign in through the National Single Sign-On (Nafath).
2. Evaluate the eligibility for registration.
3. Complete entity profile information.
4. Assess the necessity of appointing a DPO.
5. Evaluate the eligibility for registration in Artificial Intelligence Ethics.
6. Issue a certificate for the national register for personal data protection.

To easily view the steps, click on Registration of Private Entities

Any natural person appointed by a government or private controller, or a non-profit, to complete entity registration procedures on the Platform. When using the Platform, the representative must comply with the following:
  • Complete entity registration procedures.
  • Fill out the details of the DPO as stipulated in Article (7) of the Rules Governing the National Register of Controllers within the Kingdom.
  • Fill out the details of the AI System Owner (if any).
  • View the assessment results and services provided on the Platform.
  • Update the controller’s data on a regular basis to ensure it is up-to-date.

Any natural or legal person that applies or uses AI systems to achieve certain goals.

The Saudi Data & AI Authority (SDAIA) does not require any criteria regarding the entity’s representative, and it is subject to the discretion of the controller.

  • Entity's official e-mail
  • Entity's official contact number
  • Primary address
  • Headquarters
  • Entity logo

The DPO is one or more natural persons appointed by the Controller to be responsible for monitoring the implementation of the provisions of the Law and its Implementing Regulations, overseeing the procedures applied by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Implementing Regulations.

Required data to be registered:

  • ID number.
  • Date of birth.
  • Official contact information (mobile number and official e-mail).

Click here for an assessment to determine whether the appointment of a personal data protection officer is mandatory.

The services are used by the personal data protection officer (DPO) or the entity’s representative if the Controller entity is not obligated to appoint a personal data protection officer, according to the cases stipulated in Article (32) of the Implementing Regulations of PDPL.

Currently there is no registration fee.

The Controller shall be notified thirty (30) days prior to the expiration date of the registration certificate. The certificate may be renewed after that.

Another certificate with the previous registration number is issued with a new issue date.

The public can use the search service in the National Registry for Personal Data Protection by entering the entity’s name or registration number.

The registration certificate is available to the public and includes the following information:
  • Registration serial number.
  • Entity name.
  • Entity logo.
  • Entity official e-mail.
  • Entity official contact number.
  • Primary address.
  • Issue and expiration date.
  • QR code.

The Platform provides a service for updating previously entered official information.

The Saudi Data & AI Authority (SDAIA) provides several services to the Controllers.

Click here to view the available e-services


If you have any suggestions or technical issues, please submit a request via the Contact Us option.

Level 1: Aware.
Level 2: Adoptive.
Level 3: Confirmative.
Level 4: Assured.
Level 5: Visionary.

Any entity or individual involved in developing AI systems.

Yes, the validity period is 1 year.

AI ethics digital badges are optional badges awarded to an AI product after it advances and registers on the platform. These badges aim to encourage entities to enhance their adoption of AI ethics in their products.

Any entity or individual involved in developing AI systems.

AI Ethics Assessment is a tool designed to enable entities to conduct a comprehensive and systematic analysis of the extent of their compliance with ethical standards in the development and application of artificial intelligence technologies. The process begins by identifying and evaluating all potential risks and the severity of their impact. The tool also includes questions in each principle of ethics to assess the level of ethical commitment of the artificial intelligence model.
