Reference is made to the Personal Data Protection Law, issued by Royal Decree No. (M/19) dated 09/02/1443 AH*, and to the policies, controls and rules issued by the Saudi Data and Artificial Intelligence Authority and the National Data Management Office regarding data governance, based on the powers granted to the same under Cabinet Resolution No. (292) dated 27/04/1441 AH. Given that the Law, policies, controls and rules referred to above contribute to protecting and building confidence in the data sector in KSA, and that some of the above shall be implemented by the financial institutions supervised by the Central Bank, the Central Bank would like to emphasize the following:

I: Review the approved internal policies and procedures and ensure their compatibility and/or amendment in accordance with the following:

• Personal Data Protection Law issued by the Royal Decree * referred to above, within the legally specified period for commitment.
• Policies, controls and rules issued by the Saudi Data and Artificial Intelligence Authority, which can be accessed via the following electronic link: (sdaia.gov.sa/ndmo).

II: Evaluate the organizational gaps (Gap Analysis) with the Law, policies, controls and rules referred to above and develop a time plan to correct and present them to the Board of Directors for approval.

Pursuant to Circular No. (44043873) dated 24/05/1444 AH; based on the powers assigned to the Central Bank of Saudi Arabia under the relevant laws and regulations; and given what has been observed that there are some practices that require individual customers to disclose some of their personal data before providing the service or product without it being necessary, whether directly or through a third party, the Central Bank affirms that all financial institutions shall fully adhere to the protection of customers’ personal data in accordance with the regulations and instructions referred to above and the Central Bank’s instructions in this regard; review the procedures related to the practices of disclosing customers’ personal data and take the necessary measures to preserve them; develop the necessary procedures and controls to ensure its security, integrity, and use for the purposes for which it was collected; and provide the Central Bank with a report explaining the measures taken in this regard

Communication in this regard with the Central Bank shall be via the following e-mail: (CRC.Compliance@SAMA.GOV.SA).

*This Law was amended by Royal Decree No. M/148 dated 05/09/1444 AH.