Article 12
Duties of the controller and the processor towards the Data Protection Officer
- The Controller and the Processor shall provide all means to ensure that the Data Protection Officer performs the duties and tasks assigned to it as stipulated in Article (11) of this Decree by Law in the required manner. In particular, this shall include the following:
a. Ensure that the Data Protection Officer is appropriately and timely involved in all matters relating to the protection of Personal Data.
b. Ensure that the Data Protection Officer is provided with all the necessary resources and the necessary support to carry out the tasks assigned to it.
c. Not to terminate the Data Protection Officer services or impose any disciplinary penalty for a reason related to the performance of its duties in accordance with the provisions of this Decree by Law.
d. Ensure that the Data Protection Officer is not charged with duties which contradict its duties under this Law.
- The Data Subject may communicate directly with the Data Protection Officer about all matters relating to his/her personal data processing to enable him/her to exercise his/her rights in accordance with the provisions of this Decree by Law.
FAQs
Controllers and Processors must provide the Data Protection Officer (DPO) with the resources necessary to carry out their responsibilities. This includes access to relevant personnel, systems, and data, as well as sufficient time and budget to perform their duties effectively. They must also ensure that the DPO is involved in all matters related to the protection of personal data from the earliest stages.
No. The DPO must operate independently and cannot be dismissed or penalized for performing their duties under the PDPL. This protection ensures that the DPO can act without conflict of interest or fear of retaliation, even when advising against practices that may expose the organization to legal or regulatory risk.
Yes. Data Subjects have the right to contact the DPO regarding any issue related to the processing of their personal data and the exercise of their rights under the PDPL. The Controller or Processor must ensure that the DPO’s contact information is made publicly available and that communications from Data Subjects are responded to in a timely and appropriate manner.