
Personal Data Protection Law

Article 1

For the purpose of implementing this Law, the following terms shall have the meanings assigned thereto, unless the context requires otherwise:

Law: The Personal Data Protection Law.

Regulations: The Implementing Regulations of the Law.

Competent Authority: The authority to be determined by a resolution of the Council of Ministers.

Personal Data: Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.

Processing: Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.

Collection: The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.

Destruction: Any action taken on Personal Data that makes it unreadable and irretrievable, or impossible to identify the related Data Subject.

Disclosure: Enabling any person - other than the Controller or the Processor, as the case may be - to access, collect or use personal data by any means and for any purpose.

Transfer: The transfer of Personal Data from one place to another for Processing.

Publishing: Transmitting or making available any Personal Data using any written, audio or visual means.

Sensitive Data: Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.

Genetic Data: Any Personal Data related to the hereditary or acquired characteristics of a natural person that uniquely identifies the physiological or health characteristics of that person, and derived from biological sample analysis of that person, such as DNA or any other testing that leads to generating Genetic Data.

Health Data: Any Personal Data related to an individual's health condition, whether their physical, mental or psychological conditions, or related to Health Services received by that individual.

Health Services: Services related to the health of an individual, including preventive, curative, rehabilitative and hospitalizing services, as well as the provision of medications.

Credit Data: Any Personal Data related to an individual's request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including any data relating to that individual’s ability to obtain and repay debts, and the credit history of that person.

Data Subject: The individual to whom the Personal Data relate.

Public Entity: Any ministry, department, public institution or public authority, any independent public entity in the Kingdom, or any affiliated entity therewith.

Controller: Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.

Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.

Article 2

The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.

The scope of applying the Law excludes the individual's Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph.

Article 3

The provisions and procedures stated in this Law shall not prejudice any provision that grants a right to the Data Subject or confers better protection to Personal Data pursuant to any other law or an international agreement to which the Kingdom is a party.

Article 4

Data Subject shall have the following rights pursuant to this Law and as set out in the Regulations:

1- The right to be informed about the legal basis and the purpose of the Collection of their Personal Data.

2- The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.

3- The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations.

4- The right to request correcting, completing, or updating their Personal Data held by the Controller.

5- The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law.

Article 5

Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject. The Regulations shall set out the conditions of the consent, the cases in which the consent must be explicit, and the terms and conditions related to obtaining the consent of the legal guardian if the Data Subject fully or partially lacks legal capacity.

In all cases, Data Subject may withdraw the consent mentioned in Paragraph (1) of this Article at any time; the Regulations determines the necessary controls for such case.

Article 6

In the following cases, Processing of Personal Data shall not be subject to the consent referred to in Paragraph (1) of Article (5) herein:

If the Processing serves actual interests of the Data Subject, but communicating with the Data Subject is impossible or difficult.

If the Processing is pursuant to another law or in implementation of a previous agreement to which the Data Subject is a party.

If the Controller is a Public Entity and the Processing is required for security purposes or to satisfy judicial requirements.

If the Processing is necessary for the purpose of legitimate interest of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed. Related provisions and controls are set out in the Regulations.

Article 7

The consent referred to in paragraph (1) of Article (5) of this Law may not form a condition of providing a service or a benefit, unless such service or benefit is directly related to the Processing of Personal Data for which the consent is given.

Article 8

Subject to the provisions of this Law and the Regulations regarding the Disclosure of Personal Data, the Controller shall only select Processors providing the necessary guarantees to implement the provisions of this Law and the Regulations. The Controller shall also monitor the compliance of said Processors with the provisions of this Law and the Regulations. This shall not prejudice the Controller’s responsibilities towards the Data Subject or the Competent Authority as the case may be. The Regulations shall set out the provisions necessary in this regard, including provisions related to any subsequent contracts conducted by the Processor.

Article 9

The Controller may set timeframes for exercising the right to access Personal Data stated in Paragraph (2) of Article (4) herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:

If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth in the Regulations.

If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.

The Controller shall prevent the Data Subject from accessing Personal Data in any of the situations stated in Paragraphs (1, 2, 3, 4, 5) and (6) of Article (16) herein.

Article 10

The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other than the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:

The Data Subject gives their consent in accordance with the provisions of this Law.

Personal Data is publicly available or was collected from a publicly available source.

The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.

Complying with this may harm the Data Subject or affect their vital interests.

Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.

Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.

Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.

Article 11

The purpose for which Personal Data is collected shall be directly related to the Controller’s purposes, and shall not contravene any legal provisions.

The methods and means of Personal Data Collection shall not conflict with any legal provisions, shall be appropriate for the circumstances of the Data Subject, shall be direct, clear and secure, and shall not involve any deception, misleading or extortion.

The content of the Personal Data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the Collection. Content that may lead to specifically identifying Data Subject once the purpose of Collection is achieved shall be avoided. The Regulations shall set out the necessary controls in this regard.

If the Personal Data collected is no longer necessary for the purpose for which it has been collected, the Controller shall, without undue delay, cease their Collection and destroy previously collected Personal Data.

Article 12

The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, storage and Destruction, and information about the Data Subject rights and how to exercise such rights.

Article 13

When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of the following upon Collection:

The legal basis for collecting their Personal Data.

The purpose of the Collection, and shall specify the Personal Data whose Collection is mandatory and the Personal Data whose Collection is optional. The Data Subject shall be informed that the Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose or in cases other than those stated in Article (10) of this Law.

Unless the Collection is for security purposes, the identity of the person collecting the Personal Data and the address of its representative, if necessary.

The entities to which the Personal Data will be disclosed, the capacity of such entities, and whether the Personal Data will be transferred, disclosed or processed outside the Kingdom.

The potential consequences and risks that may result from not collecting the Personal Data.

The rights of the Data Subject pursuant to Article (4) herein.

Such other elements as set out in the Regulations based on the nature of the activity done by the Controller.

Article 14

The Controller may not process Personal Data without taking sufficient steps to verify the Personal Data accuracy, completeness, timeliness and relevance to the purpose for which it is collected in accordance with the provisions of the Law.

Article 15

The Controller may not Disclose Personal Data except in the following situations:

Data Subject consents to the Disclosure in accordance with the provisions of the Law.

Personal Data has been collected from a publicly available source.

The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, to fulfill judicial requirements.

The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.

The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.

The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.

The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (6) of this Article.

Article 16

The Controller shall not disclose Personal Data in the situations stated in Paragraphs (1, 2, 5) and (6) of Article (15) if the Disclosure:

Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.

Affects the Kingdom’s relations with any other state.

Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.

Compromises the safety of an individual.

Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.

Conflicts with the interests of a person that fully or partially lacks legal capacity.

Violates legally established professional obligations.

Involves a violation of an obligation, procedure, or judicial decision.

Exposes the identity of a confidential source of information in a manner detrimental to the public interest.

Article 17

If Personal Data is corrected, completed or updated, the Controller shall notify such amendment to all the other entities to which such Personal Data has been transferred and make the amendment available to such entities.

The Regulations shall set out the timeframes for correction and updating of Personal Data, types of correction, and the procedures required to avoid the consequences of Processing incorrect, inaccurate or outdated Personal Data.

Article 18

The Controller shall, without undue delay, Destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.

In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:

If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever is longer.

If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.

Article 19

The Controller shall implement all the necessary organizational, administrative and technical measures to protect Personal Data, including during the Transfer of Personal Data, in accordance with the provisions and controls set out in the Regulations.

Article 20

The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.

The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.

Article 21

The Controller shall respond to the requests of the Data Subject pertaining to their rights under this Law within such period and in such method as set out in the Regulations.

Article 22

The Controller shall conduct an impact assessment of Personal Data Processing in relation to any product or service, based on the nature of the activity carried out by the Controller, in accordance with the relevant provisions of the Regulations.

Article 23

Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Health Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law. Such additional controls and procedures shall include the following:

Restricting the right to access Health Data, including medical files, to the minimum number of employees or workers and only to the extent necessary to provide the required Health Services.

Restricting Health Data Processing procedures and operations to the minimum extent possible of employees and workers as necessary to provide Health Services or offer health insurance programs.

Article 24

Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Credit Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law and the Credit Information Law. Such controls and procedures shall include the following:

Implementing appropriate measures to verify that the Data Subject has given their explicit consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the provisions of this Law and the Credit Information Law.

Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.

Article 25

With the exception of the awareness-raising materials sent by Public Entities, Controller may not use personal means of communication, including the post and email, of the Data Subject to send advertising or awareness-raising materials, unless:

Obtaining the prior consent of the targeted recipient for such materials.

The sender of the material shall provide a clear mechanism, as set out in the Regulations, that enables the targeted recipient to request stopping receiving such materials if they desire so.

The Regulations shall set out the provisions concerning the aforementioned advertising and awareness-raising materials, as well as the conditions and situations concerning the consent of the recipient to receive aforementioned materials.

Article 26

With the exception of Sensitive Data, Personal Data may be processed for marketing purposes, if it is collected directly from the Data Subject and their consent is given in accordance with the provisions of Law; the Regulations shall set out the controls in such regard.

Article 27

Personal data may be collected or processed for scientific, research, or statistical purposes without the consent of the Data Subject in the following situations:

If it does not specifically identify the Data Subject.

If evidence of the Data Subject’s identity will be destroyed during the Processing and prior to Disclosure of such data to any other entity, if it is not Sensitive Data.

If the collection or processing of personal data for these purposes is required by another law or in implementation of a previous agreement to which the Data Subject is a party.

The Regulations shall set out the controls required by the provisions of this Article.

Article 28

It is not permissible to copy official documents where Data Subjects are identifiable, except where it is required by law, or when a competent public authority requests copying such documents pursuant to the Regulations.

Article 29

Subject to the provisions of Paragraph (2) of this Article, a Controller may Transfer Personal Data outside the Kingdom or disclose it to a party outside the Kingdom, in order to achieve any of the following purposes:

If this is relating to performing an obligation under an agreement, to which the Kingdom is a party.

If it is to serve the interests of the Kingdom.

If this is to the performance of an obligation to which the Data Subject is a party.

If this is to fulfill other purposes as set out in the Regulations.

The conditions that must be met when there is a Transfer or Disclosure of Personal Data, according to what is stated in Paragraph (1) of this Article, are as follows:

The Transfer or Disclosure shall not cause any prejudice to national security or the vital interests of the Kingdom.

There is an adequate level of protection for Personal Data outside the Kingdom. Such level of protection shall be at least equivalent to the level of protection guaranteed by the Law and Regulations, according to the results of an assessment conducted by the Competent Authority in coordination with whomever it deems appropriate from the other relevant authorities.

The Transfer or Disclosure shall be limited to the minimum amount of Personal Data needed.

Paragraph (2) of this Article shall not apply to cases of extreme necessity to preserve the life or vital interests of the Data Subject or to prevent, examine or treat disease.

The Regulations shall set out the provisions, criteria and procedures related to implementing this Article, including applicable exceptions for Controllers regarding conditions referred to in Subparagraphs (b) and (c) of Paragraph (2) of this Article, as well as controls and procedures for such exemptions.

Article 30

Without prejudice to the provisions of this Law and the powers of the Saudi Central Bank pursuant to applicable legal provisions, the Competent Authority shall be the entity in charge of overseeing the implementation of this Law and the Regulations.

The Regulations shall identify the situations where the Controller shall appoint one or more persons as personal data protection officer(s), and shall set the responsibilities of any such person in accordance with the provisions of this Law.

The Controller shall cooperate with the Competent Authority in performing its duties to supervise the implementation of the provisions of this Law and the Regulations, and shall take such steps as necessary in connection with the related matters referred to the Controller by the Competent Authority.

The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:

Request the necessary documents or information from the Controller to ensure its compliance with the provisions of the Law and Regulations.

Request the cooperation of any other party for the purposes of support in accomplishing supervisory duties and enforcement of the provisions of the Law and Regulations.

Specify the appropriate tools and mechanisms for monitoring Controllers’ compliance with the provisions of the Law and the Regulations, including maintaining a national register of Controllers for this purpose.

Provide services related to Personal Data protection through the national register referred to in Subparagraph (c) of this Paragraph or through any other means deemed appropriate. The Competent Authority may collect a fee for the Personal Data protection services it may provide.

The Competent Authority may, at its discretion, delegate to other authorities the accomplishment of some of its duties that are related to supervision or enforcement of the provisions of the Law and Regulations.

Article 31

Without prejudice to Article (18) herein, the Controller shall maintain records, for such a period as required under the Regulations, of the Personal Data Processing activities, based on the nature of the activity carried out by the Controller. Such records are to be available whenever requested by the Competent Authority. The records shall contain the following information at a minimum:

Contact details of the Controller.

The purpose of the Personal Data Processing.

Description of the categories of Personal Data Subjects.

Any other entity to which Personal Data has been, or will be, disclosed.

Whether the Personal Data has been or will be transferred outside the Kingdom or disclosed to an entity outside the Kingdom.

The expected period for which Personal Data shall be retained.

Article 32

Repealed.

Article 33

The Competent Authority shall set the requirements for practicing commercial, professional or non-profit activities related to Personal Data protection in the Kingdom, in coordination with the competent authorities, and without prejudice to the other requirements set by those authorities in their domain of competence.

The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.

The Competent Authority may grant licenses to entities that conduct audits or checks of Personal Data Processing activities related to the Controller’s activity, in accordance with the provisions stipulated in the Regulations. The Competent Authority shall set the conditions and criteria to grant such licenses, and the rules regulating them.

The Competent Authority shall specify the appropriate tools and mechanisms to monitor compliance of Controllers and Processors outside the Kingdom with regard to their obligations as stated in the Law and the Regulations when Processing personal data related to individuals residing in the Kingdom by any means, and shall define procedures to enforce the provisions of the Law and the Regulations outside the Kingdom.

Article 34

A Data Subject may submit to the Competent Authority any complaint that may arise out of the implementation of this Law and the
