PDPL Article 8 prescribes the Controller’s responsibilities when choosing and overseeing data processors (third parties or vendors that process data on behalf of the controller).
Controllers must only work with trustworthy processors, monitor their compliance, and stay accountable for any misuse of personal data.
Saudi PDPL Article 8 (1)
Choose and Monitor Processors
Subject to the provisions of this Law and the Regulations regarding the Disclosure of Personal Data, the Controller shall only select Processors providing the necessary guarantees to implement the provisions of this Law and the Regulations. The Controller shall also monitor the compliance of said Processors with the provisions of this Law and the Regulations. This shall not prejudice the Controller’s responsibilities towards the Data Subject or the Competent Authority as the case may be. The Regulations shall set out the provisions necessary in this regard, including provisions related to any subsequent contracts conducted by the Processor.
Explanation of Saudi PDPL Article 8
Data Controllers must select compliant processors and stay fully responsible.
Saudi PDPL Article 8 (1) outlines Controller obligations, including:
- The controller must only appoint processors that provide sufficient guarantees they can comply with the PDPL and its regulations.
- The controller is also required to monitor the processor’s compliance with the law.
- Even if a processor is used, the controller remains fully responsible for protecting the data, both to the data subject and to the competent authority (e.g., SDAIA).
- The Implementing Regulations will also set conditions for sub-processors (vendors that a processor may contract with).