Implementing Regulation of PDPL Article 36 establishes that audits of personal data processing activities must be conducted to verify compliance with the PDPL and identify any control gaps. Such audits must be conducted independently and professionally, and SDAIA (the Competent Authority) will issue licensing rules for entities offering these audit services. SDAIA will also coordinate with the Digital Government Authority (DGA) for audits involving government-related service providers.
Audits must be independent, professional, and licensed by SDAIA.
Implementing Regulation of PDPL Article 36 (1)
Purpose of Audit
The purpose of audit and checking is to ensure that the entity is properly protecting Personal Data through auditing and checking of carried out Personal Data Processing activities, and related controls and procedures, and identifying any gaps in compliance with the Law and its Regulations.
Implementing Regulation of PDPL Article 36 (2)
Conduct Standards
When carrying out audit or checking of Personal Data Processing activities, entities shall adhere to the following:
a) Provide the services independently according to professional standards.
b) Develop the necessary administrative and organizational procedures and controls to ensure the accuracy and integrity of their output.
Implementing Regulation of PDPL Article 36 (3)
Licensing Rules
The Competent Authority shall issue the rules for licensing entities that undertake auditing or checking of Personal Data Processing activities in accordance with paragraph (3) of Article 33 of the Law. The Competent Authority shall also coordinate with the Digital Government Authority regarding licensing for entities providing services on behalf of government entities.
Explanation of Implementing Regulation of PDPL Article 36
Compliance verification:
Implementing Regulation of PDPL Article 36 (1) says that audits aim to ensure that personal data is handled in compliance with the PDPL by examining processing operations and controls and identifying gaps.
Professional execution:
Implementing Regulation of PDPL Article 36 (2) says that audits must be independent and follow established professional standards, with procedures in place to ensure the accuracy and reliability of audit results.
Authorized audit providers:
Implementing Regulation of PDPL Article 36 (3) says that SDAIA will issue rules to license audit service providers and will coordinate with the DGA for government-related services.