{"id":106820,"date":"2025-05-22T13:17:59","date_gmt":"2025-05-22T13:17:59","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=106820"},"modified":"2025-08-27T09:43:52","modified_gmt":"2025-08-27T09:43:52","slug":"saudi-arabia-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/saudi-arabia-data-protection-cybersecurity\/","title":{"rendered":"Saudi Arabia: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-106820","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-saudi-arabia"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">DROUA AL-AMAL<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2024\/04\/\u0630\u0648\u0631\u0629-01-2.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">DROUA AL-AMAL<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2024\/04\/\u0630\u0648\u0631\u0629-01-2.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Saudi Arabia<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory 
framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Personal Data Protection Law of KSA (PDPL) was issued pursuant to Royal Decree No. (M\/19) dated 09\/02\/1443 AH, corresponding to September 16, 2021, and was amended pursuant to Royal Decree No. (M\/148) dated 05\/09\/1444 AH, corresponding to March 27, 2023.<\/p>\n<p>The PDPL has been in force since September 14, 2023, with a grace period of one year which ended on September 14, 2024. The Saudi Data &amp; Artificial Intelligence Authority (SDAIA) is the competent authority to implement and enforce the PDPL.<\/p>\n<p>The Implementing Regulation of the PDPL and the Regulation on Personal Data Transfer outside the Kingdom have also been issued. In addition, SDAIA has issued various other guidelines with respect to data privacy, such as the Personal Data Disclosure Guidelines, the Personal Data Processing Activities Records Guidelines, the Standard Contractual Clauses for cross-border personal data transfer, and The Rules Governing the National Register of Controllers.<\/p>\n<p>The Anti-Cyber Crime Law 2007, issued by Royal Decree No. M\/17 on 8 Rabi&#8217; I 1428H (March 26, 2007), criminalizes invasion of privacy and the illegal and unauthorized use, access and modification of data, including but not limited to spying on or illegally intercepting or receiving data transmitted through an information network or a computer; it also criminalizes unlawful access to computers with the motive of blackmailing or threatening any person.<\/p>\n<p>The Kingdom has also established a national cyber security authority by Royal Decree No. 6801 of October 31, 2017, as amended by Royal Decree No. 
7053 of September 9, 2021.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Saudi Data and Artificial Intelligence Authority (SDAIA) opened a public consultation in April 2025 on proposed amendments to the Implementing Regulations of the Personal Data Protection Law (PDPL). The proposed amendments concern the following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Amendments to the personal data breach definition<\/li>\n<li>Amendments to the privacy notice requisites<\/li>\n<li>Amendments with respect to direct marketing and data protection officers, and with respect to the record of processing activities and registration with the regulator.<\/li>\n<\/ul>\n<p>In addition, consultation with respect to complaint handling is also being sought.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As per Article 34 of the Implementing Regulations of the PDPL, SDAIA (the competent authority) has issued The Rules Governing the National Register of Controllers (the Register) within the Kingdom. Controllers falling within the following categories are under an obligation to register in \u201cthe Register\u201d:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The Controller is a public entity<\/li>\n<li>The Controller\u2019s main activity is based on personal data processing<\/li>\n<li>The Controller processes Personal Data<\/li>\n<li>When an individual processes personal data for purposes other than personal and family use.<\/li>\n<\/ul>\n<p>Failing to register will amount to a violation of the Personal Data Protection Law and its Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? 
What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Personal Data:<\/p>\n<p>Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.<\/p>\n<p>Sensitive Data:<\/p>\n<p>Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health.<\/p>\n<p>Data Subject:<\/p>\n<p>The individual to whom the Personal Data relate.<\/p>\n<p>Controller:<\/p>\n<p>Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.<\/p>\n<p>Processor:<\/p>\n<p>Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.<\/p>\n<p>Processing:<\/p>\n<p>Any operation carried out on Personal Data by any means, whether manual\u00a0 or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.<\/p>\n<p>Collection:<\/p>\n<p>The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the 
Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.<\/p>\n<p>Personal Data Breach:<\/p>\n<p>Any incident that leads to the Disclosure, Destruction, or unauthorized access to Personal Data, whether intentional or accidental, and by any means, whether automated or manual.<\/p>\n<p>Explicit Consent:<\/p>\n<p>Direct and explicit consent given by the Data Subject in any form that clearly indicates the Data Subject&#8217;s acceptance of the Processing of their Personal Data in a manner that cannot be interpreted otherwise, and whose obtention can be proven.<\/p>\n<p>Health Data:<\/p>\n<p>Any Personal Data related to an individual&#8217;s health condition, whether their physical, mental or psychological conditions, or related to Health Services received by that individual.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? 
Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Controller\/processor shall process personal data while considering the following principles:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The consent of the data subject is mandatory except in cases where an exception has been given.<\/li>\n<li>The purpose for which personal data is to be collected shall be directly related to the Controller\u2019s purposes.<\/li>\n<li>The purpose for which personal data is collected must not contravene any legal provision.<\/li>\n<li>The means and methods used for the processing of personal data must be clear and secure, and shall not involve any deception, misleading or extortion.<\/li>\n<li>The means and methods used for the processing of personal data must not be against any existing legal provisions.<\/li>\n<li>The personal data collected must be appropriate, that is, it must be limited to the minimum needed for the purpose for which it was collected.<\/li>\n<li>The personal data collected must not be retained any longer than it is needed.<\/li>\n<li>The controller may not process the personal data without taking sufficient steps to verify the accuracy, completeness and timeliness of the Personal Data and its relevance to the purpose for which it was collected.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? 
For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Consent of the data subject is mandatory for every processing of personal data except where an exemption is provided in the law. Furthermore, the controller\/processor has to obtain consent if the purpose of the processing is to be changed.<\/p>\n<p>The data subject\u2019s consent has to be explicit in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When the processing involves sensitive data<\/li>\n<li>When the processing of credit data is carried out.<\/li>\n<li>When the decisions are made solely based on automated processing of Personal Data.<\/li>\n<\/ul>\n<p>The following are the circumstances in which the controller\/processor is permitted to process personal data without obtaining consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When the processing of the personal data is in the interest of the data subject but it is impossible or difficult to contact or reach the data subject.<\/li>\n<li>When the processing is mandatory under another law.<\/li>\n<li>When the processing is necessary for the execution of an agreement to which the data subject is already a party.<\/li>\n<li>When the controller is a public entity and the processing of the personal data of the data subjects is necessary for:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>Security purposes<\/li>\n<li>Judicial purposes.<\/li>\n<\/ol>\n<\/li>\n<li>When the processing is necessary for the Controller\u2019s legitimate interest, the controller can process personal data without the consent of the data subject if it does not prejudice the rights and interests of the data subjects. 
It is also important that such processing does not involve sensitive personal data.<\/li>\n<\/ul>\n<p>CONTENT &amp; ADMINISTRATION OF CONSENT:<\/p>\n<p>The Controller shall obtain the consent for the processing of the personal data as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>In an appropriate form or by appropriate means<\/li>\n<li>Consent can be written or verbal, or can be obtained by any electronic method.<\/li>\n<\/ul>\n<p>When obtaining consent through an appropriate form and means, the following conditions are to be met:<\/p>\n<ol style=\"padding-left: 0\" type=\"i\">\n<li>The consent obtained must be given freely by the data subject and consent shall not be obtained through misleading methods.<\/li>\n<li>The data subject must be informed of the purpose for which data is to be processed; the purpose must be disclosed to the data subject at the time of obtaining consent or beforehand. The purpose for which personal data is to be processed must be clear and specific.<\/li>\n<li>The data subject giving the consent must have the legal capacity to give the consent.<\/li>\n<li>The consent obtained must be documented for future verification purposes; the documentation may be done by:\n<ul style=\"padding-left: 5\">\n<li>Keeping records that include the consent of the data subjects with respect to the processing<\/li>\n<li>The records must contain the consent along with the time when consent was taken and also the method through which consent was obtained.<\/li>\n<\/ul>\n<\/li>\n<li>Independent consent must be obtained for each processing operation.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In respect of sensitive personal data, the PDPL provides:<\/p>\n<ul style=\"padding-left: 0\">\n<li>No sensitive personal data can be processed without obtaining the data subject\u2019s consent.<\/li>\n<li>Even when the controller can receive personal data from a source other than the data subject for a legitimate purpose, the controller is barred from obtaining sensitive personal data from any source other than the data subject.<\/li>\n<li>No sensitive data can be processed for marketing purposes.<\/li>\n<li>Processing for scientific, research or statistical purposes is allowed without consent; however, in the case of sensitive personal data, processing for these purposes is not allowed without consent.<\/li>\n<\/ul>\n<p>When processing Health Data, the Controller is to adopt and implement the controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank and the Council of Health Insurance, which specify the responsibilities of the employees of entities involved in Health Data Processing, such as health care providers, health insurance companies, health insurance claims management companies and those contracted by them to carry out the processing of Health Data. The Controller also has to document all stages of Health Data Processing.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? 
If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL excludes from its scope an individual\u2019s processing of personal data when the processing is carried out for family and personal use and does not go beyond it.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Controller has to prepare a risk assessment in written and documented form. The assessment shall set out the potential impacts and risks that personal data processing may have on the data subject. 
The Controller shall provide a copy of the impact assessment to any processor acting on its behalf in relation to the relevant processing.<\/p>\n<p>If the assessment shows that processing operations will harm the privacy of data subjects, then the Controller shall address the reasons for that and re-conduct the assessment.<\/p>\n<p>An impact assessment is to be conducted in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When sensitive personal data is being processed<\/li>\n<li>When personal data from two different sources is being collected, compared or linked.<\/li>\n<li>When the Controller processes, on a continuous and large scale, personal data of data subjects who fully or partially lack legal capacity, or when the processing is of such a nature that it requires continuous monitoring of data subjects.<\/li>\n<li>When the controller is using new technologies for the processing of the personal data<\/li>\n<li>When the controller bases its decisions solely on automated processing of the personal data.<\/li>\n<li>When the Controller is providing a product or service that involves processing of personal data that is likely to cause harm to the privacy of data subjects.<\/li>\n<\/ul>\n<p>The impact assessment document must comprise the following:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Purpose for which personal data is to be processed and legal basis of the processing.<\/li>\n<li>The nature of the processing<\/li>\n<li>Types of personal data to be processed<\/li>\n<li>Sources of the personal data<\/li>\n<li>Entities with whom personal data is to be shared.<\/li>\n<li>Scope of the processing (type of personal data and geographical scope of processing)<\/li>\n<li>Context of the processing which identifies the relationship between the data subjects, controller and the processors.<\/li>\n<li>Necessity and proportionality of the measures which are to be taken to enable the Controller and Processors to process the minimal Personal Data 
necessary to achieve the purpose of processing.<\/li>\n<li>Impact of processing such as likelihood of any negative impact on data subjects<\/li>\n<li>Proposed measures that needed to be adopted to prevent or limit the risks.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific codes of practice issued for now.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The controller is required to maintain the record of the processing activities during the period of the processing and also for 5 years after the completion of the personal data processing activity. 
The term of 5 years shall start from the date of completion of the personal data processing activity.<\/p>\n<p>The record of processing activities must include the following:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Name &amp; contact details of the controller<\/li>\n<li>Where applicable, the information of the data protection officer<\/li>\n<li>Purpose for which personal data is being processed or to be processed.<\/li>\n<li>Details of the categories of personal data being processed and the categories of data subject.<\/li>\n<li>Where possible, the retention period of each category of personal data<\/li>\n<li>Categories of the recipients with whom the personal data is to be shared<\/li>\n<li>Descriptions of personal data which is to be transferred outside the Kingdom<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL stipulates the circumstances in which a controller is allowed to retain the personal data processed by it and when it has to be deleted.<\/p>\n<p>The Controller has to delete the personal data without undue delay once it is no longer needed for the purpose for which it was collected, or the purpose for which it was collected ceases to exist. After deletion, it must be ensured that the destroyed data does not contain anything which may lead to the identification of the data subject.<\/p>\n<p>There are circumstances in which the personal data can be retained even after the purpose for which it was collected ceases to exist. 
Such circumstances are as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When the law provides a legal basis for retaining the personal data for a specific period even after the purpose for which the personal data was processed has ceased to exist. The controller shall destroy the personal data once the specific time period lapses or when the purpose of the collection is satisfied, whichever is later.<\/li>\n<li>When the personal data collected is relevant to any judicial proceedings before any judicial authority and its retention is required for the purpose of those proceedings; in that case the personal data shall be retained and will be destroyed once the judicial proceedings are concluded.<\/li>\n<\/ul>\n<p>Personal Data Disposal:<\/p>\n<p>The Controller shall dispose of the personal data when:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The personal data is no longer required.<\/li>\n<li>The data subject requests the destruction of the personal data.<\/li>\n<li>The data subject withdraws its consent and the consent was the sole legal basis for the processing.<\/li>\n<li>The Controller becomes aware that the personal data processing is in violation of law.<\/li>\n<\/ul>\n<p>While disposing of personal data being processed, the following conditions are to be met by the Controllers:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The controller shall adopt appropriate measures to notify any other parties with whom the controller has shared the personal data of such destruction, and shall request them to destroy the personal data.<\/li>\n<li>The controller has to take appropriate measures to notify the individuals with whom it has shared the personal data about the decision to destroy personal data and shall request them to destroy personal data in their possession as well.<\/li>\n<li>The Controller shall destroy all copies of personal data it holds, including any backups in the system, and any other copy in its 
system.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no such requirement in the PDPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Controller needs to appoint a data protection officer if it is a public entity that provides services involving large-scale personal data processing. 
If a controller\u2019s primary activities involve processing operations requiring continuous and regular monitoring of individuals on a large scale, then such controller shall also need to appoint a data protection officer.<\/p>\n<p>The Controller shall also appoint a data protection officer if it is involved in the processing of sensitive personal data.<\/p>\n<p>The data protection officer may be an official, an employee or an external contractor of the controller.<\/p>\n<p>Responsibilities of the data protection officer:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Monitoring the implementation of the provisions of the law and regulations<\/li>\n<li>Monitoring the procedures adopted by the controller<\/li>\n<li>Receiving and handling the requests of the data subjects with respect to the personal data<\/li>\n<li>Acting as the direct point of contact between the controller and the competent authority and implementing its decisions and regulations.<\/li>\n<li>Supervising the impact assessment, audit reports and evaluation with respect to data protection controls, documenting the assessment results and issuing necessary recommendations accordingly<\/li>\n<li>Facilitating data subjects in the exercise of their rights.<\/li>\n<li>Notifying the competent authority with respect to breach incidents.<\/li>\n<li>Handling and responding to data subjects\u2019 requests<\/li>\n<li>Overseeing the records of personal data processing activities of the Controller<\/li>\n<li>Managing the Controller\u2019s violations and acting accordingly to correct the wrongdoings.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no such specific requirement in the PDPL. However, the PDPL does require the implementation of organizational and administrative measures to protect personal data. This implies employee training as part of the organizational measures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL stipulates that appropriate measures shall be taken to provide data subjects with information prior to the processing of their personal data. 
There are two situations in which data is collected: directly from the data subject, and from an individual other than the data subject.<\/p>\n<p>The following information is to be communicated to data subjects prior to the processing:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Legal basis for processing<\/li>\n<li>The purpose of collection; the controller shall specify the personal data whose collection is mandatory and the personal data whose collection is optional.<\/li>\n<li>Unless the personal data is collected for security purposes, the identity of the person collecting the personal data and the address of its representative, if necessary.<\/li>\n<li>The entities with which personal data will be shared.<\/li>\n<li>The potential consequences and risks that may result from not collecting the personal data.<\/li>\n<\/ul>\n<p>When the personal data is collected directly from the data subject, the following information is to be provided to data subjects:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Controller\u2019s identity, its contact details, details of any other channel\/means of communication with data subjects for personal data protection processing.<\/li>\n<li>Where applicable, contact details of the data protection officer.<\/li>\n<li>Legal basis for processing.<\/li>\n<li>Specific, clear and explicit purpose for collecting and processing personal data.<\/li>\n<li>The time period for which personal data is to be retained and, if that is not possible, the estimated time period for which personal data may be retained.<\/li>\n<li>Information with respect to rights of data subjects.<\/li>\n<li>Information with respect to withdrawal of consent by the data subject.<\/li>\n<li>Whether processing of personal data is mandatory or optional.<\/li>\n<\/ul>\n<p>When the personal data is collected from an individual other than the data subject, the controller is under an obligation to communicate the above-mentioned information to the data subject within 30 days. 
Along with the above-mentioned information, the data subject shall also be informed of the categories of personal data processed and the source from which it was obtained.<\/p>\n<p>The PDPL also provides some exceptions under which the aforementioned information need not be given to the data subject:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The information is already available to the data subject.<\/li>\n<li>The implementation of this (to inform data subject) is not possible or requires disproportionate effort.<\/li>\n<li>The data is being obtained in accordance with law.<\/li>\n<li>The controller is a public entity and collection of personal data is for security purpose, judicial requirements or to achieve public interest.<\/li>\n<li>Personal data is subject to professional confidentiality provisions established by law.<\/li>\n<\/ul>\n<p>Also, in case of additional processing of personal data for a purpose other than that for which it was collected, the controller needs to provide the additional necessary information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers and processors are defined at Q No.4<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies.
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The National Data Management Office (NDMO) has issued, as part of National Data Governance Policies, Children and Incompetents\u2019 Data Protection Policy (the Policy) which provides that controllers should not make automated decisions based on a child\u2019s or incapacitated person\u2019s Personal Data Processing and must not use it for direct marketing.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>For the purpose of sending awareness-raising material and advertising, the controller has to follow these steps:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The controller has to obtain consent from the data subject.<\/li>\n<li>The controller must provide a mechanism that would allow the data subject to opt out of receiving marketing materials.
Such mechanism must be easy, straightforward, and at least as easy as the procedures for giving consent to receive them.<\/li>\n<li>While sending the marketing materials, the identification of the entity sending the marketing material shall be clearly stated without any anonymization.<\/li>\n<li>Where a data subject shall withdraw its consent, the controller shall immediately cease the process of sending related marketing materials without undue delay.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL doesn\u2019t address the sale of the personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. 
How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Telecommunication and Information Technology Act (the Act) governs the telecommunication sector within the Kingdom.<\/p>\n<p>It has defined telecommunications as \u201cany transmission or reception, between persons or things, of signs, written messages, images, sounds, or information of any kind via wired or wireless systems.\u201d<\/p>\n<p>The Act was promulgated to create an environment in the Kingdom suitable for technical innovation, entrepreneurship, research and development in the Telecommunication &amp; IT Sector. The law aims to support the innovation and development of developing sub-sectors and new technologies and also to encourage new telecommunications and information technology services.<\/p>\n<p>While supporting the emerging IT, telecommunication and entrepreneur sectors, the law also safeguards the public interest by protecting the end users of the above-mentioned sectors through the provision of IT and Telecommunication services of appropriate quality. Furthermore, the Act also serves to protect users of services against harmful content, and strives to maintain the confidentiality of communications.<\/p>\n<p>The Bye Laws of the Act further protect the confidentiality of users\u2019 communications and also protect the personal information of users.
For the protection of users\u2019 information, the law is in line with the personal data protection law: the information must be collected for a specific, clear purpose, must be accurate and up to date, and users\u2019 information and communications must be protected by means and methods proportionate to their sensitivity.<\/p>\n<p>Some of the important definitions from the Telecommunication bye laws are as follows:<\/p>\n<p>Mobile Telephony Service:<\/p>\n<p>A wireless communication service that enables telecommunications between portable wireless devices, including:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Fixed telephone devices.<\/li>\n<li>Fixed wireless devices.<\/li>\n<li>Space stations.<\/li>\n<li>Other portable wireless devices.<\/li>\n<\/ol>\n<p>Person:<\/p>\n<p>A natural or legal person, including any governmental authority or shareholding company, or a limited or joint liability company, or other types of companies and individual establishments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition.
How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is included within the definition of sensitive personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The SDAIA issued its AI Ethics Principles (Version 1.0) in September, 2023, to regulate the activities related to AI in the Kingdom. The Saudi Authority for Intellectual Property (SAIP) has also issued amendments to its previous intellectual property legislation, which would also regulate the intellectual property rights to be created for AI creations.<\/p>\n<p>The Saudi Data and AI Authority also issued the AI Adaptation Framework in September 2024. SDAIA offers this document as a guiding framework that provides a comprehensive roadmap for the adoption of AI in all sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted?
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL and the Regulation on Personal Data Transfer outside the Kingdom provide for the procedure and manner in which personal data may be transferred outside the Kingdom.<\/p>\n<ul style=\"padding-left: 0\">\n<li>A Controller is allowed to transfer or disclose personal data outside the jurisdiction if it transfers it in accordance with the law and regulations. While transferring, the controller must ensure that such transfer doesn\u2019t impact national security or vital interests of the kingdom or violate any other laws of the kingdom.<\/li>\n<li>The Controller has to minimize and limit the data transfer outside the jurisdiction to the extent that serves the purpose for which the personal data is to be transferred.<\/li>\n<li>There is an adequate level of protection for personal data outside the kingdom which must be at least equivalent to the level of protection guaranteed by the law.<\/li>\n<li>When transferring or disclosing personal data outside the kingdom the Controller must ensure that the privacy of the data subjects is not harmed and also that it doesn\u2019t impact the level of the protection guaranteed for personal data under the law and its regulations.
For this purpose, the controller has to ensure that the transfer or disclosure of the personal data doesn\u2019t compromise the following:<\/li>\n<\/ul>\n<ol style=\"padding-left: 5\">\n<li>The data subject\u2019s ability to exercise their rights<\/li>\n<li>The data subject\u2019s ability to withdraw their consent for the processing.<\/li>\n<li>Controller\u2019s ability to comply with the requirements of notifying the personal data breach.<\/li>\n<li>Controller\u2019s ability to comply with provisions, controls, and procedures for disclosing of the personal data.<\/li>\n<li>Controller\u2019s ability to comply with the provisions and controls for destroying personal data.<\/li>\n<li>Controller\u2019s ability to take necessary organizational and technical measures.<\/li>\n<\/ol>\n<p>The competent authority shall evaluate the level of protection of the personal data provided in the recipient jurisdiction. The competent authority shall submit the results of the assessment (including its recommendations) of the level of protection for Personal Data outside the kingdom and shall also give its recommendation to whether an adequacy decision must be issued or not or an international agreement must be concluded. The competent authority shall review the assessment after every 4 years if it is necessary. 
The competent authority shall propose to the Prime Minister the termination, amendment, or suspension of any decision taken regarding the level of protection outside the kingdom.<\/p>\n<p>Where no adequate level of protection is available outside the kingdom where personal data has to be transferred, it must be ensured that the regulatory requirements in the country or the international organization do not bring any prejudice to the privacy of the data subject or hinders the enforcement of the appropriate safeguards.<\/p>\n<p>The appropriate safeguards may constitute any of the following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Binding Common Rules<\/li>\n<li>Standard Contractual Clauses<\/li>\n<li>Certificate of compliance with the PDPL and its regulations in the kingdom, together with the enforceable commitments of applicability of the appropriate safeguards, must be given by the Controller or Processor in the third country.<\/li>\n<li>Binding Codes of Conduct.<\/li>\n<\/ul>\n<p>EXEMPTIONS:<\/p>\n<p>In the absence of adequate level of protection for the personal data and in absence of any of the appropriate safeguards, the transfer of personal data outside the Kingdom or disclosure to a party outside the Kingdom is permitted in any of the following circumstances;<\/p>\n<ol style=\"padding-left: 0\">\n<li>When the transfer of personal data outside the kingdom is necessary for the performance of an Agreement.<\/li>\n<li>When the controller is a public entity and the transfer of personal data outside the kingdom is necessary for the safeguards of the kingdom\u2019s national security or for the public interest.<\/li>\n<li>When the controller is a public entity and the transfer of personal data outside the kingdom is necessary for the investigation or detection of crimes, or such transfer is necessary for the prosecution of perpetrators, or when the transfer is necessary for the execution of penal sanctions.<\/li>\n<li>When the transfer of personal data outside the 
kingdom is necessary for the protection of vital interests of the data subjects.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul style=\"padding-left: 0\">\n<li>The PDPL requires the Controller to take the necessary organizational, administrative , and technical measures to ensure the security of the personal data and the privacy of the data subjects.<\/li>\n<li>The Controller has to implement necessary technical and security measures to limit the security risks related to Personal Data Breach.<\/li>\n<li>The Controller has to comply with the relevant controls, standards issued by the National Cyber Security Authority or other recognized best practices of cyber security if the Controller does not fall within the domain of National Cyber Security Authority.<\/li>\n<li>The Controller while hiring a processor has to conclude an agreement with the processor wherein the Controller has to take guarantee from the processor that it would take appropriate measures to protect the security of the personal data.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Personal data breach has been defined as \u201cany incident that leads to the Disclosure, Destruction, or unauthorized access to Personal Data, whether intentional or accidental, and by any means, whether automated or manual.\u201d<\/p>\n<p>Notification to the Authority (SDAIA):<\/p>\n<p>The Controller, upon becoming aware of any data breach incident that would potentially cause harm to the personal data or data subject\u2019s rights, shall notify the SDAIA of any such breach incident within 72 hours of the breach. Where the Controller fails to notify the SDAIA within the stipulated time period, it shall do so as soon as possible and shall also justify the delay in reporting the data breach incident.<\/p>\n<p>The notification to the authority (SDAIA) must include the following information:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Complete detail of the incident of personal data breach, including the time, date and circumstances of the breach and the time when the Controller became aware of the breach.<\/li>\n<li>Categories of affected personal data<\/li>\n<li>Approximate number of data subjects affected by the breach.<\/li>\n<li>The types of personal data which became the target of the breach incident.<\/li>\n<li>Description of the actual or potential risks and impact of such breach incident on personal data and data subjects.<\/li>\n<li>Details of the measures taken by the Controller to prevent or limit and mitigate the impact of the actual or potential risks faced by personal data or data subjects along with the details of any future measures that will be taken to
avoid the recurrence of the breach.<\/li>\n<li>A statement underlining the fact that the data subject has been intimated of his\/her personal data breach.<\/li>\n<li>The contact details of the Controller or data protection office or any other relevant official who is having information with regard to the data breach.<\/li>\n<\/ol>\n<p>The controller shall keep the record of the report submitted to the authority with respect to the incident of data breach and shall document the corrective measures it has taken in this regard.<\/p>\n<p>Notification to the data subject:<\/p>\n<p>If an incident of personal data breach may cause damage to the personal data of the data subject or may conflict with their rights or interests, then the Controller is under obligation to notify the data subject of such breach incident without undue delay. The notification furnished must be in a simple and clear language and must constitute the following information:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Description of personal data breach<\/li>\n<li>Description of potential risks arising from the personal data breach, and the measures taken to prevent or limit those risks and limit their impact.<\/li>\n<li>Name and contact details of the controller or data protection officer ( if appointed) and any other available means of communication.<\/li>\n<li>the controller has to provide data subject with such recommendations or advice that may assist the data subject in taking measures to avoid the identified risk or limit their impact.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPL confers the following rights on data subjects, which are exercisable through a submission\/request made by the data subject to the data controller. The request has to be acted on within 30 days, although this time period can be extended:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Right to be informed<\/li>\n<li>Right of access to personal data<\/li>\n<li>Right to request Access to personal data<\/li>\n<li>Right to Request Correction of personal data<\/li>\n<li>Right to request Destruction of Personal Data<\/li>\n<\/ul>\n<p>Right to be Informed:<\/p>\n<p>A &#8211; If the personal data is collected directly from the data subject, the controller has to inform the data subject about the following details, before or at the time of the collection of the personal data:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Controller\u2019s identity, contact details, and any other means of communication established by the Controller for the purpose of communication of the data subject with the controller.<\/li>\n<li>Where a data protection officer is appointed, its contact details.<\/li>\n<li>The legal basis for which personal data is being collected.<\/li>\n<li>The clear and specific purpose for which personal data is to be collected.<\/li>\n<li>Retention period of personal data.<\/li>\n<li>Data subject\u2019s rights awareness<\/li>\n<li>Information with respect to the withdrawal of consent by the data subject.<\/li>\n<li>Information with regard to the nature of the processing, whether mandatory or optional.<\/li>\n<\/ul>\n<p>The condition of informing the data subject with respect to the processing would not be applicable if the data subject is aware of all the information which is usually intimated
to him\/her through the information notice, or if the provision of such information of processing will conflict with any other existing law in the kingdom.<\/p>\n<p>B &#8211; When Data is obtained from any other person than data subject:<\/p>\n<p>When the personal data of a data subject is obtained directly from any individual other than the data subject itself, the controller is under an obligation to provide the data subject with the set of information described in part A within a period of 30 days. In addition to the information stipulated in Part A, the data subject shall be informed of the categories of the personal data processed and the source from which the controller obtained it.<\/p>\n<p>However, these conditions do not apply in the following circumstances:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The information is already available to the data subject.<\/li>\n<li>The execution of the process is impossible or requires disproportionate effort.<\/li>\n<li>The controller obtained the data in accordance with law.<\/li>\n<li>The controller is a public entity and the collection of the personal data is to fulfill a judicial requirement, for security purposes or to protect any public interest.<\/li>\n<li>The personal data is subject to professional confidentiality provisions established by law.<\/li>\n<\/ul>\n<p>C &#8211; CONTINUOUS AND LARGE-SCALE PERSONAL DATA PROCESSING of data subject lacking legal capacity;<\/p>\n<p>When a controller is involved in a business which requires continuous and large-scale processing of personal data;<\/p>\n<ul style=\"padding-left: 0\">\n<li>of individuals that lack legal capacity fully or partially; or<\/li>\n<li>the controller monitors data subjects continuously; or<\/li>\n<li>the controller adopts new technologies; or<\/li>\n<li>the controller makes automated decisions based on personal data;<\/li>\n<\/ul>\n<p>The information so provided shall be in an appropriate language as stipulated in this Article when the controller has
knowledge that the data subject fully or partially lacks legal capacity.<\/p>\n<p>then the controller shall take necessary measures to inform the data subject about the details of the information provided as in section A. The controller, while communicating such information, has to furnish the following additional information to the data subject:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Means and methods of collecting and processing Sensitive Data, where applicable.<\/li>\n<li>Means and procedures taken to protect personal data.<\/li>\n<li>Information with respect to any decisions that will be made based solely on automated processing of personal data.<\/li>\n<\/ol>\n<p>When a controller starts additional processing of personal data for a purpose other than the one for which it was initially collected, it shall provide the data subject with the necessary information, before the additional processing, as provided in the law and described in Section A herein.<\/p>\n<p>RIGHT OF ACCESS TO PERSONAL DATA:<\/p>\n<p>A data subject can exercise his\/her right to access the personal data in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The exercise of the right to access by a data subject will not have a negative impact on the rights of others.<\/li>\n<li>Access to personal data can be provided when a request to access has been made or when the controller has already provided a channel which enables the data subject to directly access their personal data without the need to make a request.<\/li>\n<\/ul>\n<p>Also, while enabling data subjects to access their personal data, the controller must ensure that it does not involve disclosing personal data that identifies another individual.<\/p>\n<p>RIGHT TO REQUEST ACCESS TO PERSONAL DATA:<\/p>\n<p>The law confers on a data subject the right to request a copy of their personal data in a readable and clear format; however, the following conditions are to be
considered while exercising this right:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The exercise of this right to request access to personal data by a data subject should not negatively impact the rights of others.<\/li>\n<li>The personal data must be provided to the data subject in a commonly used electronic format and the data subject may request a printed hard copy if feasible.<\/li>\n<li>While granting the data subject access to his\/her personal data, the controller has to ensure that it does not involve disclosing personal data that identifies another individual.<\/li>\n<\/ul>\n<p>RIGHT TO REQUEST CORRECTION OF PERSONAL DATA:<\/p>\n<p>If a data subject contests the accuracy of the personal data processed by the controller, the data subject shall have the right to restrict the controller from processing the personal data for the time period during which the controller verifies the accuracy of the personal data. However, such restriction will not be implemented if providing such data contravenes provisions of the PDPL.<\/p>\n<p>The controller may ask the data subject to provide the supporting documents or evidence needed to verify, update, correct, or complete the personal data.
The controller shall destroy such documents or evidence once the verification process is completed.<\/p>\n<p>After correction of the personal data, the Controller shall, without delay, notify the other parties with whom the personal data has previously been shared of such correction.<\/p>\n<p>RIGHT TO REQUEST DESTRUCTION OF PERSONAL DATA:<\/p>\n<p>Controller shall destroy personal data in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When such deletion is requested by the data subject.<\/li>\n<li>When the personal data is no longer necessary for the purpose it was collected;<\/li>\n<li>When the data subject withdraws its consent and it was the sole legal basis for processing.<\/li>\n<li>When the Controller became aware of the fact that the personal data was processed in a manner that violates the law.<\/li>\n<\/ul>\n<p>The data controller shall destroy the personal data in the following manner:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When a controller has to destroy personal data or when the data subject requests the destruction of the personal data, the controller shall take appropriate action to notify other parties with whom the personal data concerned has been shared by the Controller.<\/li>\n<li>The controller shall take appropriate measures to notify the individuals to whom the personal data has been disclosed by any means and to request its destruction.<\/li>\n<li>The controller has to destroy all copies of the personal data it has, whether in its control system or backups.<\/li>\n<\/ul>\n<p>The PDPL has set out certain exceptions where the controller can retain the data after completion of the purpose, such as when the data subject is not identifiable through such data, or there is a legal basis for the retention of the personal data even after the purpose for which it was collected ceases to exist.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block
filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The individual can file a complaint before the competent authority within 90 days after he\/she became aware of the violation of the PDPL. The competent authority shall assess the complaint and shall decide whether to accept a complaint or not.<\/p>\n<p>The PDPL, while protecting the rights of data subjects, also affords individuals who have suffered damage due to a violation of the PDPL and its regulations the opportunity to apply to a competent court for proportionate compensation for the material or moral damage.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law?
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Any individual that suffers damage as a result of a violation of the PDPL and its regulations may apply to a competent court for proportionate compensation for the moral or material damage.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority to enforce the PDPL. SDAIA has the authority to inspect the violations mentioned in the PDPL and the Regulations. The SDAIA has the power to confiscate any tools involved or used in committing the violation. The auditing entities shall be issued licenses by the SDAIA.
In addition, the SDAIA has the authority to receive complaints from data subjects and to take the necessary measures regarding the complaints submitted to it.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The following penalties are provided in connection with violations of the PDPL:<\/p>\n<table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"312\">Disclosure or publishing of Sensitive Personal Data in violation of PDPL<\/td>\n<td width=\"312\">Imprisonment not exceeding 2 years and\/or a fine not exceeding SAR 3,000,000<\/td>\n<\/tr>\n<tr>\n<td width=\"312\">Any other violation of the PDPL Law<\/td>\n<td width=\"312\">Fine not exceeding SAR 5,000,000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The fine may be doubled if the violation is repeated; however, the fine will not exceed twice the amount of the maximum limit of the fine.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such guidelines are published with respect to the calculation of the fines.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li
class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The data subject can file a complaint with the competent authority; however, the PDPL is silent on the filing of appeals by controllers against the decisions of the competent authority.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As less than one year has passed since the implementation of the PDPL, SDAIA, being the competent authority, is likely to adopt awareness and facilitation mechanisms to help enforce the PDPL, such as issuing guidelines and templates.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? 
If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Communications, Space and Technology Commission (CST) has established a comprehensive Cybersecurity Regulatory Framework (CRF) aimed at enhancing the cybersecurity development of the Information and Communications Technology (ICT) sector. This framework primarily applies to organizations that are licensed or registered with CST, as well as those under its regulatory oversight within the ICT sector in the Kingdom of Saudi Arabia.<\/p>\n<p>The CRF divides service providers (SPs) into Critical National Infrastructure (CNI) and Non-Critical National Infrastructure.<\/p>\n<p>The service providers categorized as CNI will have to comply with the Essential Cyber Security Controls (ECC) issued by the National Cybersecurity Authority (NCA). The NCA shall oversee compliance by the SPs classified as CNI; these SPs shall submit a compliance report to CST, and a copy of it will be submitted to NCA. 
In case of any cybersecurity incident, the SPs classified as CNI will have to report to NCA and must notify the CST.<\/p>\n<p>The service providers categorized as Non-Critical National Infrastructure have to implement the following cybersecurity risk management measures:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Develop and apply a suitable cybersecurity risk assessment process to identify, analyze, and evaluate risks in order to safeguard information assets.<\/li>\n<li>Implement an effective risk treatment and monitoring strategy to address identified cybersecurity risks and regularly track the progress of mitigation efforts.<\/li>\n<\/ol>\n<p>As per SAMA\u2019s Cyber Security Framework, the member organizations, as defined in the law, have to conduct Cyber Risk Identification and Cyber security Risk Identification.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CRF, along with the ECC, requires the service providers to provide the NCA with compliance and cybersecurity incident reports and to notify the CST.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybersecurity Regulatory Framework by SAMA requires member organizations to establish a cybersecurity governance structure, for which a cyber security committee needs to be constituted. This committee must comprise a Compliance Officer and a Chief Information Security Officer.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The specific laws include the following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Cyber Security Regulatory Framework by the CST (Communications, Space and Technology Commission)<\/li>\n<li>Essential Cybersecurity Controls (ECC) by the National Cybersecurity Authority (NCA)<\/li>\n<li>Cybersecurity Framework by SAMA<\/li>\n<li>Anti-Cyber Crime Law (issued by Royal Decree No. M\/17 on 8 Rabi&#8217;I 1428H (March 26, 2007))<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Local laws are being legislated independently.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? 
If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cyber Regulatory Framework (CRF) defines a cyber incident as \u201cA breach of a system\u2019s security policy in order to affect its integrity or availability and\/or the unauthorized attempted access to a system of systems.\u201d<\/p>\n<p>The CRF also obliges SPs classified as CNI to immediately report to the NCA and notify the CST.<\/p>\n<p>SAMA\u2019s Cyber Security Framework requires the member organizations to develop a Cyber Security Incident Management System, the objective of which is the handling and identification of Cyber Security Incidents in order to reduce the potential business impact on the member organizations.<\/p>\n<p>The member organizations must immediately inform SAMA\u2019s IT Risk Supervision Department of the occurrence or identification of any incident classified as medium or high.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cyber security laws are enforced by a combination of regulatory authorities, which includes the Communications, Space and Technology Commission, the entity responsible for regulating the sector of communications, space, and technology in the Kingdom of Saudi Arabia, and the National Cyber Security Authority. 
The Saudi Arabian Monetary Authority, for its part, enforces its Cyber Security Framework.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>CST has the authority to introduce controls for the CNI SPs with respect to self-assessment, field inspections, compliance workshops, and proactive and incident-triggered audits. It can also monitor Non-CNI SPs with respect to self-assessment, field inspections, compliance workshops, and proactive and incident-triggered audits.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The applicable cybersecurity laws primarily provide guidelines, but do not prescribe specific penalties for non-compliance. 
However, the Anti-Cyber Crime Law prescribes a maximum imprisonment of 10 years and a fine of 5 million for terrorism-related cyber crimes and for unlawful access to websites; otherwise, the fine ranges from SAR 500,000 to SAR 5 million.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Not Applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Saudi Arabia, the Bureau of Investigation and Public Prosecution is the competent authority responsible for investigating and prosecuting cybercrimes under the Anti-Cyber Crime Law (ACCL), following the procedure laid down in the Criminal Law.<\/p>\n<p>The case is prosecuted before a competent criminal court, the decision of which is appealable before the Court of Appeals. However, once an appeal is filed against the decision of a court of original jurisdiction or, as stipulated in the Criminal Law, a \u201cCircuit Court\u201d, the appeal is first referred to the circuit court which decided the case initially. The circuit court will either uphold the decision it has already rendered, or it will make amendments to the judgment. 
If the circuit court makes any amendments, it will forward the judgment to the Court of Appeals, and the judgment will still be appealable.<\/p>\n<p>The decision of the appellate court is appealable before the Supreme Court. The decision of the appellate court is not final unless it is upheld by the Supreme Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No public information is available.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">9665<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/106820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=106820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}