Investing In... 2026

SAUDI ARABIA Law and Practice Contributed by: Zain Satardien, Chadi Hourani and Hayel Hourani, Hourani & Partners

Appointment of Data Protection Officers (DPOs)

A DPO is mandatory for entities that:

• regularly monitor data subjects or process sensitive data as a core activity; and
• handle personal data on a large scale (eg, public entities).

DPOs, either internal or external, must be equipped with the resources and independence to fulfil their role, and their responsibilities include ensuring compliance, conducting awareness programmes, and liaising with the SDAIA.

Penalties for Non-Compliance

Non-compliance with the PDPL could result in significant penalties.

finding, controllers must generally implement appropriate safeguards, such as SDAIA-approved Standard Contractual Clauses, Binding Common Rules or other recognised mechanisms, and carry out a risk assessment, particularly where transfers involve sensitive data or occur on a continuous or large-scale basis. Limited exemptions remain available, for example where the transfer is necessary to provide a service or benefit to the data subject or forms part of central group operations, but these are interpreted narrowly and do not displace the overarching obligation to ensure that data is treated in a manner consistent with the PDPL once transferred outside the Kingdom.
