Personal Data Protection Law (Saudi Arabia)

Requirement

Article 17.1: Choosing the processor

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

The Controller shall ensure that any Processor chosen provides sufficient guarantees to protect Personal Data, and that the agreement with the Processor includes the following:

Purpose of the Processing.
Categories of Personal Data being processed.
Duration of the Processing.
Processor's commitment to notify the Controller in case of a Personal Data Breach, in accordance with the provisions of the Law, this Regulation, and without undue delay.
Clarification of whether the Processor is subject to Regulations in other countries and the impact on their compliance with the Law and its Regulations.
Not requiring the Data Subject's prior consent for mandatory Disclosure of Personal Data under the applicable laws in the Kingdom, provided that the Processor notifies the Controller of such Disclosure.
Identifying any subcontractors contracted by the Processor, or any other party to whom Personal Data will be disclosed.

Fulfill this requirement by completing the tasks below ->

This requirement is part of the framework:

Personal Data Protection Law (Saudi Arabia)

Other requirements of the framework

Article 17.1: Choosing the processor

Best practices

How to implement:

Article 17.1: Choosing the processor

This policy on

Article 17.1: Choosing the processor

provides a set concrete tasks you can complete to secure this topic. Follow these best practices to ensure compliance and strengthen your overall security posture.

The Controller shall ensure that any Processor chosen provides sufficient guarantees to protect Personal Data, and that the agreement with the Processor includes the following:

Purpose of the Processing.
Categories of Personal Data being processed.
Duration of the Processing.
Processor's commitment to notify the Controller in case of a Personal Data Breach, in accordance with the provisions of the Law, this Regulation, and without undue delay.
Clarification of whether the Processor is subject to Regulations in other countries and the impact on their compliance with the Law and its Regulations.
Not requiring the Data Subject's prior consent for mandatory Disclosure of Personal Data under the applicable laws in the Kingdom, provided that the Processor notifies the Controller of such Disclosure.
Identifying any subcontractors contracted by the Processor, or any other party to whom Personal Data will be disclosed.

Read below what concrete actions you can take to improve this ->

Frameworks that include requirements for this topic:

No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to

Article 17.1: Choosing the processor

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

No other tasks found.

Complete these tasks in Cyberday ISMS ->

How to comply with this requirement

In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.

Here's a list of tasks that help you comply with the requirement

Article 17.1: Choosing the processor

of the framework

Personal Data Protection Law (Saudi Arabia)

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

Reporting personal data breaches to authorities / data subjects

Critical

High

Normal

Low

Incident management

Data breach management

Reporting personal data breaches to authorities / data subjects

This task helps you comply with the following requirements

33. Notification of a personal data breach to the supervisory authority GDPR

34. Communication of a personal data breach to the data subject GDPR

6.1.3: Contact with authorities ISO 27001

16.1.5: Response to information security incidents ISO 27001

RS.CO-2: Incident reporting NIST

Data processing partner listing and owner assignment

Critical

High

Normal

Low

Partner management

Agreements and monitoring

Data processing partner listing and owner assignment

This task helps you comply with the following requirements

26. Joint controllers GDPR

28. Data processor GDPR

44. General principle for transfers GDPR

8.1.1: Inventory of assets ISO 27001

13.2.2: Agreements on information transfer ISO 27001

Documentation of partner contract status

Critical

High

Normal

Low

Partner management

Agreements and monitoring

Documentation of partner contract status

This task helps you comply with the following requirements

28. Data processor GDPR

15.1.3: Information and communication technology supply chain ISO 27001

A.7.2.6: Contracts with PII processors ISO 27701

HAL-16.1: Hankintojen turvallisuus - sopimukset Julkri

TSU-04: Henkilötietojen käsittelijä Julkri

Inventory and documentation of data processing agreements

Critical

High

Normal

Low

Privacy

Data transfer and disclosure

Inventory and documentation of data processing agreements

This task helps you comply with the following requirements

28. Data processor GDPR

13.2.2: Agreements on information transfer ISO 27001

15.1.2: Addressing security within supplier agreements ISO 27001

A.8.2.4: Infringing instruction ISO 27701

5.14: Information transfer ISO 27001

Defining and documenting retention times for data sets

Critical

High

Normal

Low

Privacy

Processing principles and accountability

Defining and documenting retention times for data sets

This task helps you comply with the following requirements

5. Principles relating to processing of personal data GDPR

18.1.3: Protection of records ISO 27001

21 §: Tietoaineistojen säilytystarpeen määrittäminen TiHL

PR.IP-6: Data destruction NIST

A.7.4.2: Limit processing ISO 27701

Evaluation of data processing agreement for important data processors

Critical

High

Normal

Low

Partner management

Agreements and monitoring

Evaluation of data processing agreement for important data processors

This task helps you comply with the following requirements

28. Data processor GDPR

15.1.2: Addressing security within supplier agreements ISO 27001

TSU-04.1: Henkilötietojen käsittelijä - Sopimukset Julkri

5.20: Addressing information security within supplier agreements ISO 27001

P6.5: Notification of unauthorized disclosure of personal information from third parties SOC 2

Complete these tasks in Cyberday ISMS ->

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way‍

Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.

Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.

Do it once - we automatically apply it to all current and future frameworks.

Start free trial