Date: 2025-05-02
SDAIA has released draft amendments to the Implementing Regulations of the Personal Data Protection Law. These proposed changes are now open for public consultation, inviting stakeholders and the general public...
Key amendments and/or additions, grouped by subject, include the following:
Definitions and Terminology
Competent Authority's Platform. Added as
an electronic platform for support services and enforcement tools
(Article 1).
Direct Marketing. Removed the definition. The
removal of the definition may necessitate clearer guidelines on
what constitutes direct marketing activities, potentially leading
to ambiguity for organizations striving to comply with the
regulations. Consequently, companies might need to reassess their
marketing strategies to ensure they are not inadvertently engaging
in activities that could be interpreted as direct marketing without
explicit regulatory guidance. We anticipate that SDAIA will address
this issue in the final version of the amendments.
Personal Data Breach. Removed the definition
and edited related texts throughout the regulation. Similar to the
removal of the Direct Marketing definition, companies will need to
closely review the edited texts to understand their obligations in
the event of a data breach. The absence of a clear definition may
require them to adopt broader or more cautious approaches to
incident management. Concurrently, companies may rely on the
Personal Data Breach Incidents Procedural Guide for further
clarity. While the guide provides clear instructions on handling
data breach incidents, it does not specify what constitutes a data
breach. Therefore, we also anticipate that SDAIA will address this
issue in the final version of the amendments.
Controller's Obligations
Information Provision. Amended to ensure
information is provided in simplified language when the data
subject lacks full or partial legal capacity (Article 4).
Data Subject Rights. Edited to clarify the
right to request a copy of personal data in a readable format
(Article 6). This amendment enhances the rights of data subjects by
ensuring they can request and receive their personal data in an
easily understandable format. Companies will need to ensure their
systems and processes can provide personal data in a readable
format, which may require technical adjustments and additional
resources.
Privacy Policy Requirements. Added a new
article (Article 18 Repeated) specifying that the privacy policy
must be clear and comprehensible (Article 18).
Consent for Marketing
Advertising and Awareness Materials: Amended
to specify conditions for obtaining consent, including
documentation and the ability to withdraw consent easily (Article
28).
Direct Marketing: Clarified requirements for
obtaining consent and providing mechanisms for halting marketing
materials (Article 29).
Personal Data Protection Officer (PDPO)
Appointment and Responsibilities: Amended to
include detailed responsibilities of the PDPO, such as monitoring
implementation, acting as a contact point, and handling data
breaches (Article 32). In alignment with the Rules for Appointing
Data Protection Officer issued by SDAIA, the detailed
responsibilities outlined in this amended version provide clearer
guidance on the role of the PDPO. This ensures that companies
appoint individuals capable of fulfilling these duties. The PDPO
will have specific responsibilities, including monitoring
compliance, acting as a contact point with the Competent Authority,
and overseeing data protection impact assessments. These procedures
increase accountability and ensure a higher standard of data
protection within companies.
Record Keeping
Processing Activities: Amended to specify the
duration for keeping records and ensuring their accuracy. Removed
some paragraphs and rearranged others (Article 33).
National Register of Controllers
Registration Requirements: Added conditions
for mandatory registration in the National Register of Controllers,
including public entities, primary data processors, and those
transferring data outside KSA (Article 34).
Complaint Handling
Submission and Processing: Amended to
streamline the complaint submission process and ensure timely
responses. Removed and renumbered some paragraphs (Articles 36 and
37).
Enforcement
Effective Date: Amended to specify that the
regulation comes into force upon publication in the official
gazette and on the Competent Authority's website (Article
38).
Public consultation period
Start Date: 27 April 2025
End Date: 27 May 2025
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.