SDAIA (the Saudi Authority for Data and Artificial Intelligence) has sought expert opinions on regulations governing the licensing of personal data processing audits and certification issuance, aiming to boost public trust in personal data handling.

Analysis

Licensing Conditions

The authority outlined general conditions for licensing, requiring applicants to adhere to system rules, regulations, and any official documents issued by the competent authority. Applicants must conduct audits or issue certifications independently, disclose potential conflicts of interest, and report any past complaints related to system compliance, ensuring no ongoing complaints during the application process.

Disclosure and Independence

The authority emphasised the need for applicants to disclose any violations previously identified by the competent authority. The regulations stipulated that applicants must be independent legal entities with a physical presence in Saudi Arabia, providing official contact details, including the legal name, address, and commercial registration or foreign investor license number.

Technical and Personnel Requirements

Applicants must possess the necessary technical tools and qualified personnel to perform audits or issue certifications related to personal data processing and protection, in line with system rules and methodologies set by the competent authority. Certification issuance requires accreditation from the Saudi Accreditation Center.

License Duration and Renewal

Licenses are granted for three years, with renewal applications required at least 90 working days before expiration, subject to meeting licensing conditions.

License Revocation

Licenses are revoked if the legal entity dissolves or undergoes transformation, merger, or division, as per company regulations. Revocation does not affect the validity of audit reports or certifications issued before the revocation date unless deemed invalid by the competent authority.

The end date of the consultation is January 11, 2025.

Here are the draft rules for the licensing of audits or checks of personal data processing activities and the issuance of accreditation certificates.

For the full story, click here.

For more news and content, try Lexis Middle East. Click on lexis.ae/demo to begin your free trial of Lexis® Middle East platform.

You can also explore the legal landscape by subscribing to our Weekly Newsletter.

Want to learn more about Lexis® Middle East? Visit https://www.lexis.ae/lexis-middle-east-law/.