Regulatory Alerts2023-09-18
Compliance with the Updated Personal Data Protection System and its Implementing Regulations
The Saudi Central Bank mandates all supervised financial institutions to fully implement the updated Personal Data Protection System and its implementing regulations, which took effect on 14 September 2023. Institutions must review and align their internal policies and procedures within one year, submit a semi-annual compliance assessment via email starting in 2024, and cooperate with the Bank’s supervisory inspection visits. This directive establishes a centralized communication channel at CRC.Compliance@SAMA.GOV.SA to ensure ongoing regulatory oversight and standardized data governance across the financial sector.
Saudi Central Bank
Reference No.: 45015218 Date: 1445/03/04 (Hijri) Attachments: None
Circular
To: Peace, mercy, and blessings of God be upon you,
Subject: Emphasizing Compliance with the Updated Personal Data Protection System and its Implementing Regulations.
In continuation of the Central Bank's instructions conveyed via Circular No. (43045328) dated 19/05/1443H, regarding compliance with the Personal Data Protection System and the policies, controls, and rules issued for data governance, and referring to the gracious Royal Order No. (M/148) dated 05/09/1444H approving the amendments to the Personal Data Protection System, issued by Royal Decree No. (M/19) dated 09/02/1443H, and to its implementing regulations issued by the competent authority.
Therefore, and considering that the provisions of the aforementioned System and its implementing regulations took effect on 29/02/1445H corresponding to 14/09/2023G; the Central Bank emphasizes that financial institutions comply with the following:
First: Implement the updated Personal Data Protection System pursuant to Royal Decree No. (M/148) dated 05/09/1444H, and its implementing regulations issued by the competent authority, review related internal policies and procedures, and ensure their amendment to align with the System and its implementing regulations within a period of (one) year from the aforementioned effective date.
Second: Provide the Central Bank with the compliance status using the assessment form to be shared via email before 28/09/2023G, and submit it semi-annually in mid-January and July of each year, starting from 2024G, via the following email: (CRC.Compliance@SAMA.GOV.SA).
Third: The Central Bank serves as the communication channel for financial institutions regarding the implementation of the aforementioned System and its implementing regulations, via the email mentioned above.
For information and action as of its date. Please note that, in light of its supervisory and regulatory role, the Central Bank will conduct inspection visits to financial institutions to ensure compliance with the aforementioned System and its implementing regulations.
Yours sincerely, Committees
(Signature) Yazed bin Ahmed Al-Sheikh Deputy Governor for Supervision
Distribution Scope: All financial institutions subject to the supervision and regulation of the Central Bank