
PDPL Addendum

Last updated: 7 May 2025

This PDPL Addendum ("Addendum") supplements the BankSearch Data Processing Agreement ("DPA") and applies when BankSearch, acting as a Processor, processes Personal Data on behalf of the Customer that is subject to the Kingdom of Saudi Arabia Personal Data Protection Law (Royal Decree M/19 of 2021, as amended) ("PDPL").

How it works: This Addendum applies only where the Customer qualifies as a Controller under the PDPL. If the PDPL does not apply to the relevant Processing, this Addendum remains dormant and the existing DPA, including UK GDPR provisions, shall govern such Processing exclusively.

A1. Priority & Interpretation

If any provision of this Addendum conflicts with the DPA, this Addendum prevails for PDPL-regulated Processing. Capitalised terms have the meaning given in the DPA unless defined here.

“PDPL” means the Kingdom of Saudi Arabia Personal Data Protection Law, issued under Royal Decree M/19 of 9/2/1443H (corresponding to 16 September 2021), together with its Implementing Regulations, as amended from time to time.

“PDPL Personal Data” means Personal Data subject to the Saudi PDPL, as determined by the Customer’s assessment of applicable law.

A2. Additional Processor Obligations

A2.1 24 Hour Breach Notice. BankSearch shall notify the Customer within 24 hours of confirming any Personal Data Breach affecting PDPL Personal Data. Such notification shall include, where available, a description of the nature of the breach, affected data, and remediation steps.

A2.2 Log Retention. Activity logs relating to PDPL Personal Data will be retained for five (5) years (in accordance with PDPL Implementing Regs §23(2)).

A2.3 Localisation. BankSearch will store PDPL Personal Data exclusively on infrastructure located within the Kingdom of Saudi Arabia, or the United Kingdom where such hosting is explicitly approved by the Customer. No other jurisdictions will be used unless permitted under A4.

A2.4 Data Minimisation. BankSearch will not retain or process PDPL Personal Data beyond the scope necessary for providing the Services, in accordance with the principle of data minimisation set out in PDPL Article 10.

A3. Data Subject Rights

BankSearch shall assist the Customer, as Controller, in responding to data subject requests under the PDPL, including the right to destruction, within the 30-day statutory period (extendable once by a further 30 days), in accordance with PDPL Articles 4–9 and Implementing Regs §14, and strictly in accordance with the Customer’s documented instructions.

A4. International Transfers

PDPL Personal Data is hosted in the United Kingdom by default. It will not be transferred to any other country unless:

(a) the Customer has provided documented approval; and

(b) a legally valid transfer mechanism is implemented, such as the SDAIA Standard Contract, a Transfer Impact Assessment, or any other safeguard approved by SDAIA or any successor authority, in accordance with Article 29 of the Saudi Personal Data Protection Law (PDPL) and applicable guidance issued by SDAIA.

A5. Appointment of Data Protection Officer (PDPO)

BankSearch confirms it has appointed a Data Protection Officer reachable at privacy@banksearch-consultancy.com for PDPL compliance matters. The DPO shall serve as the primary point of contact for all PDPL-related matters.

A6. Cooperation with Competent Authority

BankSearch shall cooperate with the Saudi Data & AI Authority (SDAIA) or any successor authority in accordance with PDPL Art 31. BankSearch shall not initiate direct contact with SDAIA regarding Customer-controlled PDPL Personal Data unless legally required to do so and shall notify the Customer in advance where permitted by law.

A7. Governing Law

For PDPL matters, this Addendum shall be governed by the laws of the Kingdom of Saudi Arabia; for all other matters the governing law clause in the DPA applies.

A8. Changes to This Addendum

We may revise this PDPL Addendum to the Data Processing Agreement from time to time. Material changes take effect 15 days after posting here and we may notify users by email or in-app message.

Signatures

By executing the DPA or otherwise accepting its terms (including via digital acceptance or account creation), the parties agree that this PDPL Addendum is incorporated by reference and forms part of the DPA for all Processing of PDPL Personal Data.