Compliance Checklists

KSA SDAIA Implementing Regulations

Article 3: Data Subject Rights (General)

Audit Query: Does the organization act on data subject requests within 30 days? If extensions are used, is the subject notified with reasons, and is the extension capped at 30 additional days?

Required Evidence: Data subject request log; copies of extension notifications; documented procedures for identity verification of requesters.

Article 4: Right to be Informed

Audit Query: Before collection, are individuals informed of the controller's identity, purpose of processing, retention period, and how to exercise rights or withdraw consent?

Required Evidence: Internal and external privacy notices; data collection forms (digital/paper) showing mandatory disclosures.

Article 5: Right of Access to Personal Data

Audit Query: Does the organization provide a copy of personal data in a readable, clear, and commonly used electronic format without adversely affecting others' intellectual property?

Required Evidence: Access request fulfillment procedures; sample exported data files provided to subjects.

Article 6: Right to Request Access to Personal Data

Article 7: Right to Request Correction of Personal Data

Audit Query: Is processing restricted while data accuracy is being verified? Are third parties who previously received the data notified once it is corrected?

Required Evidence: Data correction workflow; logs of notifications sent to third-party recipients; records showing that processing of the affected data was restricted during verification.

Article 8: Right to Request Destruction of Personal Data

Audit Query: Is data destroyed upon request, when no longer necessary, or when consent is withdrawn (if consent was the sole legal basis)?

Required Evidence: Data destruction certificates; backup purge logs; notifications to third parties requesting they also destroy the data.

Article 9: Anonymization

Audit Query: For anonymized data, has an assessment been conducted to ensure re-identification is impossible? Is the effectiveness of anonymization techniques regularly evaluated?

Required Evidence: Anonymization impact assessment; technical documentation of anonymization methods used; effectiveness review records.

Article 10: Means of Communication

Article 11: Consent

Audit Query: Is consent obtained freely and documented for future verification? Is explicit consent obtained for sensitive data, credit data, or automated decisions?

Required Evidence: Consent management platform logs; signed consent forms; separate consent records for distinct processing purposes.

Article 12: Consent Withdrawal

Audit Query: Is the procedure for withdrawing consent as easy as the procedure for giving it? Does the organization cease processing immediately upon withdrawal?

Required Evidence: Opt-out mechanism (e.g., "unsubscribe" links); withdrawal procedure documentation; logs showing cessation of processing.

Article 13: Legal Guardian

Article 14: Processing to Serve the Actual Interest of the Data Subject

Article 15: Collecting Data from Third Parties

Article 16: Processing for Legitimate Interest

Audit Query: For non-public entities, has a documented assessment (balancing test) been performed to ensure the controller's interest does not override the subject's rights?

Required Evidence: Legitimate Interest Assessment (LIA) reports; documented risk mitigation measures for identified harms.

Article 17: Processor Selection

Audit Query: Do contracts with processors include the purpose, categories of data, and duration of processing? Does the processor notify the controller of breaches without undue delay?

Required Evidence: Signed Data Processing Agreements (DPAs); vendor due diligence reports; processor breach notification logs.

Article 18: Processing Data for a Purpose Other Than the One for Which It Was Collected

Article 19: Data Minimization

Audit Query: Does the organization limit collection to the minimum data necessary for the specified purpose? Is this verified through data mapping?

Required Evidence: Data mapping documents; Record of Processing Activities (RoPA); data inventory showing necessity for each field.

Article 20: Disclosure of Personal Data

Article 21: Controls for Processing Personal Data for Public Interest Purposes

Article 22: Correction of Personal Data

Article 23: Information Security

Audit Query: Has the organization implemented technical and administrative measures to limit breach risks, following National Cybersecurity Authority (NCA) standards or best practices?

Required Evidence: Cybersecurity policy; risk assessment reports; evidence of encryption, access controls, and security monitoring.

Article 24: Notification of Personal Data Breach

Audit Query: Is the Competent Authority notified within 72 hours of a breach that potentially causes harm? Are data subjects notified if the breach conflicts with their rights?

Required Evidence: Incident response plan; breach notification templates; logs of reported incidents and corrective actions taken.

Article 25: Impact Assessment

Audit Query: Is a written assessment conducted for processing sensitive data, large-scale processing of those lacking legal capacity, or new technologies?

Required Evidence: Data Protection Impact Assessment (DPIA) reports; evidence of mitigating measures for identified high-severity risks.

Article 26: Processing Health Data

Audit Query: Are there specific organizational and technical controls to prevent unauthorized access or misuse of health data?

Required Evidence: Segregation of duties matrix for sensitive data access; internal policies aligned with Health Council requirements.

Article 27: Processing Credit Data

Audit Query: Are there specific organizational and technical controls to prevent unauthorized access or misuse of credit data?

Required Evidence: Segregation of duties matrix for sensitive data access; internal policies aligned with Saudi Central Bank requirements.

Article 28: Processing Data for Advertising or Awareness Purposes

Audit Query: Is consent obtained before sending marketing material (where no prior interaction exists)? Is there a free, simple mechanism to halt such materials?

Required Evidence: Marketing consent logs; halt-reception (opt-out) mechanism evidence; logs of halted communications.

Article 29: Direct Marketing

Article 30: Collection and Processing of Data for Scientific, Research, or Statistical Purposes

Article 31: Photographing or Copying Official Documents that Reveal the Identity of Data Subjects

Article 32: Data Protection Officer (DPO)

Audit Query: Is a DPO appointed for public entities with large-scale processing or organizations whose core activities involve sensitive data or systematic monitoring?

Required Evidence: DPO appointment letter; DPO job description; evidence of DPO's involvement in impact assessments and breach notifications.

Article 33: Records of Personal Data Processing Activities (RoPA)

Audit Query: Is a record of processing activities maintained for the duration of processing and for five years thereafter? Does it include purposes, categories, and retention periods?

Required Evidence: Comprehensive RoPA document; retention schedules; records of disclosures and transfers outside the Kingdom.