Frequently Asked Questions (FAQs) For the Registration Services

• Registration Eligibility
  • Are there any registration fees? keyboard_arrow_down

    There are currently no fees for registration.
    

  • How is the mandatory registration of an entity on the National Data Governance Platform determined? keyboard_arrow_down

    Entities with various activities must register on the National Data Governance Platform if any of the cases set forth in Article (2) of the Rules Governing the National Register of Controllers within the Kingdom are met. The registration cases mentioned in the rules are:

    • Paragraph (1): If the controller is a public entity.
    • Paragraph (2): If the controller's main activity is based on personal data processing.
      • It is intended that the entity processes personal data during its main activity.
    • Paragraph (3): If the controller processes sensitive data.
      
  • How is the obligation to appoint a DPO on the National Data Governance Platform determined? keyboard_arrow_down

    Entities are required to appoint a DPO if any of the cases set forth in Article (5) of the Rules for Appointing Personal Data Protection Officer apply; as the appointment cases mentioned in the rules are:

    • Paragraph (1): If the controller is a public entity that provides services involving the large-scale processing of personal data.
    • Paragraph (2): If the core activities of an entity involve processing operations that, by their nature, require regular or systematic monitoring of individuals whose personal data is being processed.
    • Paragraph (3): If the entity’s core activities involve processing sensitive data.
      
  • What are the consequences of not registering on the National Data Governance Platform? keyboard_arrow_down

    Controllers that are obligated to register on the National Data Governance Platform, if any of the cases set forth in Article (2) of the Rules Governing the National Register of Controllers within the Kingdom are met. Failure to register shall be considered a violation of the provisions of PDPL and its implementing regulations, and the penalties stipulated in Article (36) of the Law shall apply.
    

  • What is meant by a controller? keyboard_arrow_down

    A controller means: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
    

  • What is meant by a public entity? keyboard_arrow_down

    A public entity means: Any ministry, department, public institution or public authority, any independent public entity in the Kingdom, or any affiliated entity therewith.
    

  • What is meant by processing? keyboard_arrow_down

    Processing means: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
    

  • What is meant by sensitive data? keyboard_arrow_down

    Sensitive data means: Any Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.
    

  • What is meant by the Artificial Intelligence Ethics Assessment? keyboard_arrow_down

    AI Ethics Assessment is a tool designed to enable entities to conduct a comprehensive and systematic analysis of the extent of their compliance with ethical standards in the development and application of artificial intelligence technologies. The process begins by identifying and evaluating all potential risks and the severity of their impact. The tool also includes questions in each principle of ethics to assess the level of ethical commitment of the artificial intelligence model.
    

  • What is meant by the assessment of the obligation to appoint a Personal Data Protection Officer (DPO)? keyboard_arrow_down

    It is an assessment that determines whether a controller is obligated to appoint a DPO if any of the cases outlined in Article (5) of the Rules for Appointing Personal Data Protection Officer apply.
    

• Registration Procedures
  • Government organizations
    • What are the procedures for registering a government entity on the National Data Governance Platform? keyboard_arrow_down
      • The government entity must send an official letter to SDAIA requesting registration include the representative’s information: Full name, National ID number, and Email address.
      • SDAIA staff will then create an account for the entity and its representative, a text message will be sent to the representative confirming the appointment.
      • The representative must then log into the platform and complete the required registration steps until the issuance of the Certificate of Registration in the National Register for Personal Data Protection.
        
  • Non-Profit Entities
    • What are the procedures for registering a non-profit entity on the National Data Governance Platform? keyboard_arrow_down

      The Chairman of the Board of Directors, as registered with the National Center for Non-Profit Sector, may complete the registration process directly through the platform or appoint a representative.
      

  • Private organizations
    • How is a private entity with multiple branches inside the Kingdom registered? Is each branch registered separately, or is it sufficient to register the main branch? keyboard_arrow_down

      Each company must be registered separately in the National Data Governance Platform if it has a different unique national number.
      

    • What are the procedures for registering a private entity within the Kingdom on the National Data Governance Platform? keyboard_arrow_down
      • If the private entity is (a company), the authorized person must appoint a representative of the entity using the 'Delegation Management' of the Saudi Business Center, specifying the service provider (Saudi Data and Artificial Intelligence Authority), and selecting the required service(Representing and registration on the National Data Governance Platform and completion of procedures); to complete the registration procedures until the issuance of the Certificate of Registration in the National Register for Personal Data Protection.

      • If the private entity is (a sole proprietorship), the owner may complete the registration process directly through the platform or appoint a representative using the 'Delegation Management'.
        
• Entity Representative
  • Are there specific criteria for appointing a representative? keyboard_arrow_down

    The Saudi Data & Al Authority (SDAIA) does not require any criteria regarding the entity’s representative, and it is subject to the discretion of the controller entity.
    

  • Can the representative also be the DPO? keyboard_arrow_down

    Yes, the representative may continue serving as the DPO on the platform if officially appointed by the entity.
    

  • Can the representative of a private entity be located outside the Kingdom? keyboard_arrow_down

    The platform currently allows only representatives within the Kingdom.
    

  • How an entity’s representative is be reappointed? keyboard_arrow_down
    • Government Entity: The representative is reappointed through an official letter addressed to SDAIA or by contacting the official email: (INFO@NDMO.GOV.SA).
    • Private Entities: The representative is reappointed by an authorized person using the 'Delegation Management' of the Saudi Business Center, specifying the start and end dates of the authorization.
    • Non-Profit Entity: The representative is reappointed by the Chairman of the Board of Directors via the National Data Governance Platform.
      
  • How is an entity’s representative appointed? keyboard_arrow_down
    • Government Entity: Its representative is appointed by a letter addressed from the government entity to SDAIA.
    • Private Entities: Its representative is appointed by an authorized person using the 'Delegation Management' of the Saudi Business Center, specifying the start and end dates of the authorization.
    • Non-Profit Entity: Its representative is appointed by the Chairman of the Board of Directors via the National Data Governance Platform.
      
  • What are the obligations of the entity’s representative? keyboard_arrow_down

    When using the platform, the representative must:

    1. Complete the entity’s registration process.
    2. Fill out the Personal Data Protection Officer’s information if the controller obligated to appoint a DPO, as per Article (32) of the Implementing Regulations of PDPL.
    3. Fill out the Chief Data Officer’s information (for government entity, if applicable).
    4. Fill out the AI Officer’s information (for private entity, if applicable).
    5. View the services provided.
    6. Use the personal data protection services when the entity is not obligated to appoint a DPO, as per Article (32) of the Implementing Regulations of PDPL.
    7. Continuously update the controller’s information to ensure it remains current.
       
  • Who is the Entity’s Representative? keyboard_arrow_down

    Any natural person designated by the Controller entity for the purposes of completing the registration procedures on the Platform.
    

• Personal Data Protection Officer (DPO)
  • Can a DPO be appointed from outside the Kingdom? keyboard_arrow_down

    Currently, the platform allows the appointment of a DPO within the Kingdom only for government, private, and non-profit entities within the Kingdom. However, as part of ongoing service improvements, the platform aims to enable the appointment of (a DPO outside the Kingdom in the future).
    

  • Can more than one DPO be appointed on the platform? keyboard_arrow_down

    Yes, by using the User Management Service.
    

  • What information is required to appoint a DPO on the platform? keyboard_arrow_down

    The entity’s representative must record the identity number, date of birth, email address, and official contact number during the registration process.
    

  • Who is the Personal Data Protection Officer (DPO)? keyboard_arrow_down

    One or more natural persons appointed by Controller to be responsible for monitoring the implementation of the provisions of the Law and its Implementing Regulations, overseeing Procedures applicable by Controller, and receiving requests relate to Personal Data in accordance with provisions of the PDPL and its Implementing Regulations.
    

• Authorization of Private Entity Representative Inside the Kingdom
  • Are establishments required to appoint a representative on its behalf via the 'Delegation Management'? keyboard_arrow_down

    No. The establishment owner may access the National Data Governance Platform and complete the registration procedures, and an appointment can be made through the 'Delegation Management' to complete the procedures.
    

  • What is the procedure for authorizing a representative for a private entity? keyboard_arrow_down

    There are two ways to authorize a representative in the 'Delegation Management' at the Saudi Business Center:

    1. The authorized person of the company logs into the 'Delegation Management' and directly appoints a representative.
    2. The representative logs into the 'Delegation Management' and submits a delegation request based on a letter from the company.
       
  • Who is the authorized person in a private entity? keyboard_arrow_down

    Any individual with authority over the entity’s commercial register. This authority enables them to delegate a representative via the 'Delegation Management'. The authorized person may vary depending on the legal structure of the company.
    

• Artificial Intelligence Officer
  • Can an entity receive more than one badge? And an accreditation certificate? keyboard_arrow_down

    An entity may receive multiple badges based on its products. However, only one accreditation certificate may be issued per entity, and it is granted after receiving at least one badge.
    

  • Can the entity’s representative also be the AI Officer? keyboard_arrow_down

    Yes. The entity’s representative may serve as the AI Officer on the platform if appointed by the entity.
    

  • Is there a specific validity period for the accreditation certificate? keyboard_arrow_down

    Yes, the validity period is one year.
    

  • Is there a specific validity period for the digital badges for AI Ethics? keyboard_arrow_down

    Yes, the validity period is one year.
    

  • What are AI ethics badges? keyboard_arrow_down

    AI ethics digital badges are optional badges awarded to an AI product after it advances and registers on the platform. These badges aim to encourage entities to enhance their adoption of AI ethics in their products.
    

  • What are the badge levels? keyboard_arrow_down
    • Level 1: Aware.
    • Level 2: Adoptive.
    • Level 3: Confirmative.
    • Level 4: Assured.
    • Level 5: Visionary.
      
  • What are the obligations of the AI Officer? keyboard_arrow_down

    The AI Officer is required to use the AI Ethics Evaluation service.
    

  • What is the AI Service Provider Accreditation Certificate? keyboard_arrow_down

    It is a certificate issued when the entity obtains at least one badge.
    

  • What is the target audience for obtaining these badges? keyboard_arrow_down

    Any entity or individual involved in developing AI systems.
    

  • Who is the AI Officer? keyboard_arrow_down

    Any natural or legal person that applies or uses AI systems to achieve certain goals.
    

• Difficulties in Registration
  • How can the representative access their profile to complete the official contact number and email address? keyboard_arrow_down
    • The entity’s representative logs into the platform.
    • The dashboard appears.
    • Select the private entity whose data will be modified.
    • A page appears showing the entity's data.
    • Click on the three dots shown at the top of the page.
    • Select “Edit Profile”.
    • The representative fills in the fields and ensures that the contact number entered starts with (05********).
    • Enter the verification code.
      
  • The commercial registration is not appearing when appointing the representative in the Saudi Business Center? keyboard_arrow_down

    Confirm that there is authority over the commercial register. If authority exists and the CR still does not appear, contact the specialists at the Saudi Business Center for support.
    

  • The private entity delegated in the National Data Governance Platform was not retrieved? keyboard_arrow_down
    1. Ensure the delegation request status is “Approved.”
    2. Ensure the delegation period is currently valid.
       
  • We tried updating the entity’s information, but it was not reflected in the registration certificate, or I did not receive a verification code on my mobile? keyboard_arrow_down

    Ensure that the representative has completed the fields for the official contact number and official email. Afterward, the entity’s information can be updated.
    

• Registration Certificate
  • Are certificate details updated automatically after editing entity information? keyboard_arrow_down

    Yes, the certificate details are updated automatically once the entity’s data is modified.
    

  • Do the entity and representative details appear on the registration certificate? keyboard_arrow_down

    Only the entity’s details appear on the certificate.
    

  • How can the registration certificate be verified? keyboard_arrow_down

    The certificate can be verified by searching using the entity name or registration number through the National Register for Personal Data Protection tool available on the platform.
    

  • Is the registration certificate publicly accessible? keyboard_arrow_down

    Yes, it is publicly accessible and includes:

    • Is the registration certificate publicly accessible?
    • Yes, it is publicly accessible and includes:
    • Entity name and logo
    • Official email address of the entity
    • Official contact number of the entity
    • Main address
    • Date of issue
    • Expiry date (excluding government entity and private entity within the Kingdom)
    • Commercial registration status for private entity within the Kingdom
      
• Platform Services
  • How to contact support? keyboard_arrow_down

    For suggestions or technical issues, please submit a request via the Contact Us section.
    

  • What services are offered on the platform? keyboard_arrow_down

    SDAIA provides a range of services to personal data processing entities, benefiting individuals, government, and private entities across all sectors. These services are accessible via the Electronic Services section of the platform.