With reference to the instructions of the Central Bank communicated through Circular No. (4304528) dated 19/05/1443H regarding compliance with the Personal Data Protection System and the policies, controls, and regulations issued for data governance, and in reference to the Royal Decree No. (M/148) dated 05/09/1444H which includes the approval of amendments to the Personal Data Protection System issued by Royal Decree No. (M/20) dated 02/09/1443H, and to its executive regulations issued by the competent authority.

Based on the aforementioned circumstances and given that the provisions of the aforementioned system and its executive regulations have come into force on 29/02/1445 corresponding to 14/09/2023, the Central Bank emphasizes that financial institutions must adhere to the following:

First:  Implement the updated Personal Data Protection System in accordance with Royal Decree No. (M/148) dated 09/05/1444 AH, and its executive regulations issued by the relevant authority. Review related internal policies and procedures to ensure they are amended to comply with the system and its executive regulations within a period of one year from the effective date mentioned above.

Second:  Provide the Central Bank with a compliance status using the evaluation form that will be shared via email before the date 28/09/2023. This should be submitted semi-annually in mid-January and mid-July of each year, starting from 2024, via the following email: (CRC.Compliance@SAMA.GOV.SA).

Third: The Central Bank will serve as the communication channel for financial institutions regarding the implementation of the aforementioned system and its executive regulations, using the email mentioned above. 

For your information and to act accordingly from this date. Please note that the Central Bank, as part of its supervisory and regulatory role, will conduct inspection visits to financial institutions to ensure the implementation of the aforementioned system and its executive regulations.