2021-12-23

Personal Data Protection Law and Data Governance Policies, Regulations, and Rules

The Saudi Central Bank (SAMA) issued this circular to mandate financial institutions under its supervision to align their internal data governance policies, procedures, and gap analyses with the Personal Data Protection Law and SDAIA's regulations. Institutions must review and amend existing frameworks to comply within the statutory period, conduct a formal regulatory gap analysis, establish a remediation timeline, and secure Board of Directors approval. All compliance communications and submissions must be directed to SAMA via the designated compliance email address, ensuring centralized oversight of data protection obligations across the financial sector.

Saudi Arabia

Saudi Central Bank

Saudi Central Bank (SAMA)
Reference No.: 43045328
Date: 19/05/1443 (Hijri)
Attachments: None

Circular

To Whom It May Concern, Dear Sir/Madam,

Subject: Personal Data Protection Law and the Policies, Regulations, and Rules Issued for Data Governance.

Reference is made to the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 09/02/1443H, and to the policies, regulations, and rules issued by the Saudi Data and AI Authority (SDAIA) regarding data governance, pursuant to the powers granted under Cabinet Decision No. (292) dated 27/04/1441H. Given that the aforementioned Law and policies, regulations, and rules contribute to protecting and building trust in the Kingdom's data sector, and considering that the compliance scope of certain provisions extends to financial institutions supervised by the Central Bank, the Saudi Central Bank wishes to confirm the following:

First: Review internal approved policies and procedures, ensure their compliance with, and/or amend them to align with the following:

  • The Personal Data Protection Law issued by the aforementioned Royal Decree, within the stipulated regulatory compliance period.
  • The policies, regulations, and rules issued by the Saudi Data and AI Authority, accessible via the following electronic link: (https://sdaia.gov.sa/ndmo)

Second: Conduct a regulatory gap analysis against the aforementioned Law and policies, regulations, and rules, develop a remediation timeline, and submit it to the Board of Directors for approval.

Please respond and act accordingly from the date hereof, with confirmation that all communications regarding this matter should be directed to the Central Bank via the following email address: (CRC.Compliance@SAMA.GOV.SA)

Yours sincerely,
Fahd bin Ibrahim Al-Mushari
Deputy Governor for Supervision

Distribution Scope:

  • All financial institutions supervised and regulated by the Saudi Central Bank

P.O. Box 2992 Riyadh 11169, Kingdom of Saudi Arabia Tel: +966 11 463 3000