# Africa and Middle East Privacy Packs

## South Africa — POPIA (Act 4 of 2013)

Pack ID: za-popia | Framework: POPIA | Regulator: Information Regulator
Controls: 8 (4 critical, 3 high, 1 medium)
Law: Protection of Personal Information Act (fully enforced from July 1, 2021)
### POPIA-01: Information Officer Designation

Severity: Critical

Designate an Information Officer (IO) and register their details with the Information Regulator.

Legal Reference: POPIA Section 17; Information Regulator Guidelines on IO Designation

The head of the organization is the IO. Register the IO's contact details with the Regulator and publish them on the website. IO responsibilities: encouraging compliance, dealing with requests, cooperating with the Regulator, and ensuring compliance audits are carried out. Deputy IOs may be designated.

| Check | Description |
|---|---|
| POPIA-01-C1 | Information Officer designated and registered with Regulator |
| POPIA-01-C2 | IO contact details published on website |
| POPIA-01-C3 | Deputy IOs designated if needed |
### POPIA-02: Lawfulness of Processing (Section 10)

Severity: Critical

Process personal information lawfully and only when one of the specified conditions is met.

Legal Reference: POPIA Sections 10-11

Process only if one of the following applies: the data subject consents; processing is necessary for a contract; it is required to comply with a legal obligation; it protects a legitimate interest; it is necessary for a public law duty; it is performed by a public body; or the information is already public. Consent must be voluntary, specific, informed, and unambiguous.

| Check | Description |
|---|---|
| POPIA-02-C1 | Processing basis documented per processing activity |
| POPIA-02-C2 | Consent obtained (voluntary, specific, informed, unambiguous) |
### POPIA-03: Purpose Specification and Retention

Severity: High

Limit processing to specified purposes and delete or deidentify records once the purpose is achieved.

Legal Reference: POPIA Sections 14, 18-19

Do not process for incompatible purposes. Retain records no longer than necessary, and destroy or deidentify them once retention is no longer authorized. Keep a record of each destruction. Records may be retained for historical, statistical, or research purposes only with safeguards in place.

| Check | Description |
|---|---|
| POPIA-03-C1 | Purpose compatibility assessed for each processing |
| POPIA-03-C2 | Retention periods defined and documented |
| POPIA-03-C3 | Deletion/deidentification records maintained |
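The retention requirement in POPIA-03 is the part of this pack that maps most directly onto a mechanical job: for each record, decide whether it stays, is deleted, or is deidentified, and write every destruction or deidentification to a register (POPIA-03-C3). The Python below is an added illustration of that job and is not part of the `ges` pack or its tooling. The retention periods, purposes, and records are constructed assumptions; the deidentification step drops direct identifiers and replaces the record key with a salted digest whose salt is discarded after the run. A purpose with no defined retention period is treated as an error rather than silently retained, since an undefined period is itself a POPIA-03-C2 finding.

```python
"""Retention enforcement with a destruction register.
Added illustration, not the pack's own tooling. The schedule, records,
salt and dates below are constructed for the example."""
import hashlib
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Purpose -> days personal information may be kept after the purpose is
# achieved. None means: keep for research/statistics, but only deidentified.
# These periods are illustrative assumptions, not values taken from POPIA.
RETENTION_SCHEDULE: dict[str, Optional[int]] = {
    "customer_contract": 5 * 365,
    "marketing_campaign": 365,
    "usage_research": None,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    purpose_achieved_on: date
    name: Optional[str]
    email: Optional[str]
    amount: float  # non-identifying payload that may be kept for statistics


@dataclass(frozen=True)
class DestructionEntry:
    """One line of the destruction/deidentification register (POPIA-03-C3)."""
    record_id: str
    purpose: str
    action: str  # "deleted" or "deidentified"
    performed_on: date


def deidentify(rec: Record, salt: bytes) -> Record:
    """Strip direct identifiers and replace the key with a salted digest.
    Discard the salt after the run so the digest cannot be linked back
    to the original record_id."""
    token = hashlib.sha256(salt + rec.record_id.encode()).hexdigest()[:16]
    return replace(rec, record_id=f"anon-{token}", name=None, email=None)


def is_identified(rec: Record) -> bool:
    return rec.name is not None or rec.email is not None


def enforce_retention(records: list[Record], today: date,
                      schedule: dict[str, Optional[int]],
                      salt: bytes) -> tuple[list[Record], list[DestructionEntry]]:
    """Return (records to keep, register entries) for one enforcement run."""
    kept: list[Record] = []
    register: list[DestructionEntry] = []
    for rec in records:
        if rec.purpose not in schedule:
            raise ValueError(f"no retention period defined for purpose {rec.purpose!r}")
        days = schedule[rec.purpose]
        if days is None:
            # Research/statistical retention: allowed, but only in deidentified form.
            if is_identified(rec):
                kept.append(deidentify(rec, salt))
                register.append(DestructionEntry(rec.record_id, rec.purpose, "deidentified", today))
            else:
                kept.append(rec)
        elif today > rec.purpose_achieved_on + timedelta(days=days):
            # Retention period has run out: destroy and record the destruction.
            register.append(DestructionEntry(rec.record_id, rec.purpose, "deleted", today))
        else:
            kept.append(rec)
    return kept, register


# Constructed sample data (names and addresses are invented).
SAMPLE_RECORDS = [
    Record("r1", "customer_contract", date(2016, 3, 1), "T. Ndlovu", "t@example.org", 120.0),
    Record("r2", "customer_contract", date(2023, 6, 1), "A. Khan", "a@example.org", 80.0),
    Record("r3", "marketing_campaign", date(2024, 1, 15), "B. Smith", "b@example.org", 0.0),
    Record("r4", "usage_research", date(2022, 9, 9), "C. Dube", "c@example.org", 42.0),
]


def run_demo(today: date = date(2025, 4, 1)):
    """Run the enforcement over the constructed records as of a fixed date."""
    return enforce_retention(SAMPLE_RECORDS, today, RETENTION_SCHEDULE,
                             salt=b"constructed-run-salt")


if __name__ == "__main__":
    kept, register = run_demo()
    for entry in register:
        print(f"{entry.performed_on} {entry.action:<13} {entry.record_id} ({entry.purpose})")
    print(f"{len(kept)} records retained")
```

As of the constructed run date, the two expired records (r1, r3) are deleted, the research record is kept only in deidentified form, and all three actions land in the register; the current contract record is kept unchanged.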
### POPIA-04: Further Processing Limitation

Severity: Medium

Ensure that any further processing is compatible with the purpose for which the information was originally collected.

Legal Reference: POPIA Section 15

Further processing is compatible if it is connected to the original purpose, the data subject has consented, the data was made public, it is necessary for legal compliance, or it protects legitimate interests. Conduct compatibility assessments that consider the purpose, the nature of the information, the consequences, and any contractual rights.

| Check | Description |
|---|---|
| POPIA-04-C1 | Compatibility assessment conducted for further processing |
| POPIA-04-C2 | Further processing register maintained |
### POPIA-05: Information Quality (Section 16)

Severity: Medium

Take reasonably practicable steps to ensure that personal information is complete, accurate, and not misleading.

Legal Reference: POPIA Section 16

Check data quality at collection and again before use. Verify against reliable sources. Provide correction mechanisms for data subjects. Document the data quality control processes.

| Check | Description |
|---|---|
| POPIA-05-C1 | Data quality verification procedures implemented |
| POPIA-05-C2 | Correction mechanism available for data subjects |
### POPIA-06: Security Safeguards (Section 19)

Severity: Critical

Implement appropriate, reasonable technical and organizational security measures.

Legal Reference: POPIA Section 19; Information Regulator Security Guidance

Identify all foreseeable internal and external risks, establish safeguards against them, and regularly verify that the safeguards are effective. Safeguards must address loss of, damage to, and unauthorized access to or destruction of personal information, and include access controls, encryption, firewalls, and physical controls.

| Check | Description |
|---|---|
| POPIA-06-C1 | Risk assessment conducted for identified risks |
| POPIA-06-C2 | Safeguards implemented and regularly verified |
| POPIA-06-C3 | Encryption and access controls in place |
### POPIA-07: Data Subject Rights (Sections 23-25)

Severity: High

Implement the data subject rights: notification, access, correction, objection, and destruction.

Legal Reference: POPIA Sections 23-25

Data subjects have the right to be notified when their personal information (PI) is collected, to establish whether their PI is held, to request correction or destruction, and to object to processing on reasonable grounds. Respond within a reasonable time (generally 30 days). No fee may be charged for the initial request.

| Check | Description |
|---|---|
| POPIA-07-C1 | All POPIA data subject rights implemented |
| POPIA-07-C2 | Requests responded to within reasonable time |
| POPIA-07-C3 | Request documentation maintained |
### POPIA-08: Compromise Notification (Section 22)

Severity: Critical

Notify the Information Regulator and affected data subjects of security compromises.

Legal Reference: POPIA Section 22; Information Regulator Breach Notification Regulations

Where there are reasonable grounds to believe that PI has been accessed or acquired by an unauthorized person, notify (1) the Regulator and (2) the affected data subjects, unless an exception applies. The notification must include the possible identity of the unauthorized person, the date of the compromise, the PI compromised, the possible harm, and the steps taken in response. Maintain a compromise register.

| Check | Description |
|---|---|
| POPIA-08-C1 | Regulator notification procedure for compromises |
| POPIA-08-C2 | Individual notification with required details |
| POPIA-08-C3 | Compromise register maintained |
## UAE — PDPL (Federal Decree-Law No. 45 of 2021)

Pack ID: ae-pdpl | Framework: PDPL-UAE | Regulator: UAE Data Office
Controls: 6 (3 critical, 3 high)
Law: Federal Decree-Law No. 45 of 2021; Implementing Regulation: Cabinet Decision No. 93 of 2021
### PDPL-UAE-01: Data Protection Officer (UAE)

Severity: High

Appoint a DPO where processing involves systematic monitoring or large-scale sensitive data.

Legal Reference: PDPL Articles 10-11; Cabinet Decision No. 93/2021

A DPO must be appointed when processing involves large-scale sensitive data or systematic monitoring on a large scale, or when the UAE Data Office so specifies. The DPO advises on compliance, cooperates with the Data Office, and acts as the contact point. Publish the DPO's contact details and ensure the DPO's independence.

| Check | Description |
|---|---|
| PDPL-UAE-01-C1 | DPO appointed where required |
| PDPL-UAE-01-C2 | DPO contact details published |
| PDPL-UAE-01-C3 | DPO independence ensured |
### PDPL-UAE-02: Consent and Legal Basis (UAE)

Severity: Critical

Obtain clear, unambiguous consent or identify an alternative legal basis.

Legal Reference: PDPL Articles 4-5, 7-9

Consent must be clear and unambiguous. Alternative bases: contract, legal obligation, vital interests, public interest, or legitimate interests (assessed against the data subject's rights). Sensitive personal data (health, biometric, racial, religious, criminal) requires explicit consent unless an exception applies.

| Check | Description |
|---|---|
| PDPL-UAE-02-C1 | Clear, unambiguous consent obtained per purpose |
| PDPL-UAE-02-C2 | Explicit consent for sensitive data |
| PDPL-UAE-02-C3 | Legal basis documented per processing activity |
### PDPL-UAE-03: Privacy Notice and Transparency

Severity: High

Provide clear privacy notices at collection containing all PDPL-required information.

Legal Reference: PDPL Article 6

The notice must include: controller identity and contact details, DPO contact details, processing purposes, legal basis, data categories, recipients, cross-border transfers, retention, data subject rights, and complaint mechanisms. Use clear language (Arabic and/or English) and provide the notice at or before collection.

| Check | Description |
|---|---|
| PDPL-UAE-03-C1 | Privacy notice includes all PDPL-required items |
| PDPL-UAE-03-C2 | Notice provided at or before collection |
| PDPL-UAE-03-C3 | Notice in appropriate language(s) |
### PDPL-UAE-04: Personal Data Protection Impact Assessment

Severity: High

Conduct DPIAs for processing that may pose a high risk to data subjects.

Legal Reference: PDPL Articles 20-21; Cabinet Decision No. 93/2021

Carry out the assessment before any processing likely to result in high risk, particularly where new technologies are used. It must include a systematic description of the processing, a necessity and proportionality assessment, identification of the risks, and the mitigation measures. Consult the DPO, and submit the assessment to the UAE Data Office when requested.

| Check | Description |
|---|---|
| PDPL-UAE-04-C1 | DPIA criteria for high-risk processing established |
| PDPL-UAE-04-C2 | DPIAs conducted with required documentation |
| PDPL-UAE-04-C3 | Results submitted to UAE Data Office when required |
### PDPL-UAE-05: Cross-Border Data Transfer (UAE)

Severity: Critical

Ensure that personal data transferred outside the UAE receives adequate protection.

Legal Reference: PDPL Articles 22-25; Cabinet Decision No. 93/2021

Transfer only when the destination provides adequate protection (Data Office adequacy decision), appropriate safeguards are in place (SCCs, BCRs), or an exception applies (explicit consent, contract, public interest). Assess the destination's legal framework and use only approved mechanisms. Note: the DIFC and ADGM Free Zones have their own data protection regimes.

| Check | Description |
|---|---|
| PDPL-UAE-05-C1 | Adequacy assessment conducted per destination country |
| PDPL-UAE-05-C2 | SCCs or BCRs for non-adequate transfers |
| PDPL-UAE-05-C3 | Free Zone (DIFC/ADGM) rules assessed if applicable |
### PDPL-UAE-06: Breach Notification and Security (UAE)

Severity: Critical

Implement security measures and notify the UAE Data Office of breaches.

Legal Reference: PDPL Articles 15, 33-34; Cabinet Decision No. 93/2021

Implement appropriate technical and organizational measures. Notify the Data Office as soon as possible, within the specified timeframe; where the breach presents a high risk, also notify the affected individuals without undue delay. The notification must include the nature of the breach, the data categories affected, the number of individuals affected, the measures taken, and contact details. Maintain a breach register.

| Check | Description |
|---|---|
| PDPL-UAE-06-C1 | Security measures documented and implemented |
| PDPL-UAE-06-C2 | UAE Data Office notification procedure established |
| PDPL-UAE-06-C3 | Individual notification for high-risk breaches |
## Saudi Arabia — PDPL (Royal Decree M/19, amended M/148/2023)

Pack ID: sa-pdpl | Framework: PDPL-SA | Regulator: NDMO (National Data Management Office / SDAIA)
Controls: 6 (3 critical, 3 high)
Law: Personal Data Protection Law (fully in effect September 14, 2023)
### PDPL-SA-01: Consent and Legal Basis

Severity: Critical

Obtain valid consent or identify an alternative legal basis for processing.

Legal Reference: PDPL Articles 5-6, 9; Amending Law M/148/2023

Consent must be specific, informed, and unambiguous, indicating the data subject's clear will. Alternative bases: contract, legal obligation, vital interests, public task, or legitimate interests (assessed against the data subject's rights). Sensitive data (health, genetic, racial, ethnic, religious, biometric, criminal) requires explicit consent unless an exception applies. Document all consent.

| Check | Description |
|---|---|
| PDPL-SA-01-C1 | Specific, informed, unambiguous consent obtained |
| PDPL-SA-01-C2 | Explicit consent for sensitive data |
| PDPL-SA-01-C3 | Legal basis documented per processing activity |
### PDPL-SA-02: Privacy Notice (Arabic Language)

Severity: High

Provide clear privacy notices in Arabic containing all PDPL-required disclosures.

Legal Reference: PDPL Article 8; Amending Law M/148/2023

The notice must include: controller identity and contact details, processing purposes, legal basis, data categories, recipients, retention, cross-border transfers, data subject rights (amendment, withdrawal, destruction), and complaint mechanisms. Write it in clear Arabic and provide it before or at collection.

| Check | Description |
|---|---|
| PDPL-SA-02-C1 | Privacy notice in Arabic with all required items |
| PDPL-SA-02-C2 | Notice provided before/at collection |
### PDPL-SA-03: Data Subject Rights

Severity: High

Implement data subject rights, including access, correction, destruction, and objection.

Legal Reference: PDPL Articles 16-18; Amending Law M/148/2023

Data subjects have the right to be informed, to access their personal data, to correct or update inaccurate data, to have data processed in violation of the law destroyed, to withdraw consent, and to lodge a complaint. Respond within a reasonable period and make the rights exercisable through accessible means (website, app).

| Check | Description |
|---|---|
| PDPL-SA-03-C1 | All PDPL rights implemented and accessible |
| PDPL-SA-03-C2 | Requests processed within reasonable period |
### PDPL-SA-04: Data Localization and Cross-Border Transfer

Severity: Critical

Comply with Saudi data localization requirements and cross-border transfer regulations.

Legal Reference: PDPL Article 29; Amending Law M/148/2023; NDMO Transfer Regulations

Process personal data within Saudi Arabia. Transfer abroad only when the destination provides adequate protection (per NDMO assessment), appropriate safeguards are in place (SCCs or BCRs approved by NDMO), or an exception applies (explicit consent, contract, public interest). Obtain NDMO approval where required.

| Check | Description |
|---|---|
| PDPL-SA-04-C1 | Data localization requirement assessed and implemented |
| PDPL-SA-04-C2 | NDMO adequacy assessment for destination countries |
| PDPL-SA-04-C3 | SCCs/BCRs approved by NDMO for non-adequate transfers |
| PDPL-SA-04-C4 | Transfer register maintained |
### PDPL-SA-05: Security Measures and Breach Notification

Severity: Critical

Implement security safeguards and notify NDMO and affected individuals of breaches.

Legal Reference: PDPL Articles 20, 30; Amending Law M/148/2023; NDMO Breach Regulations

Implement appropriate technical and organizational measures. Notify NDMO within 72 hours of becoming aware of a breach (immediately if it presents a high risk); where the risk is high, also notify the affected individuals without undue delay. The notification must include the nature of the breach, the data categories affected, the number of individuals affected, the consequences, and the measures taken. Maintain a breach register.

| Check | Description |
|---|---|
| PDPL-SA-05-C1 | Security measures documented and risk-assessed |
| PDPL-SA-05-C2 | NDMO notification within 72 hours |
| PDPL-SA-05-C3 | Individual notification for high-risk breaches |
| PDPL-SA-05-C4 | Breach register maintained |
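POPIA-08 earlier on this page and PDPL-SA-05 above both call for a register of compromises that shows who has been notified, by when, and with which required details. The two differ in the fields a notification must carry and in whether the pack states a fixed period: PDPL-SA-05 gives 72 hours from awareness (immediately for high risk) and individual notification only for high-risk breaches, while POPIA-08 names no hour count and requires data-subject notification for every compromise unless an exception applies. The Python below is an added illustration of a register that tracks both sets of rules; it is not the pack's own tooling, and the framework definitions, field names, and incident records are constructed from the control text.

```python
"""Compromise/breach register with notification-deadline tracking.
Added illustration, not the pack's own tooling. Required fields and
deadlines follow the POPIA-08 and PDPL-SA-05 control text; every event
below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Framework:
    name: str
    regulator: str
    required_fields: tuple[str, ...]
    regulator_deadline_hours: Optional[int]  # None: the pack states no fixed hour count
    immediate_if_high_risk: bool             # deadline collapses to the time of awareness
    subjects_rule: str                       # "always" or "high_risk"


POPIA = Framework(
    name="POPIA", regulator="Information Regulator",
    required_fields=("unauthorized_party", "compromise_date", "pi_compromised",
                     "possible_harm", "steps_taken"),
    regulator_deadline_hours=None, immediate_if_high_risk=False, subjects_rule="always",
)

PDPL_SA = Framework(
    name="PDPL-SA", regulator="NDMO",
    required_fields=("nature", "data_categories", "affected_count", "consequences", "measures"),
    regulator_deadline_hours=72, immediate_if_high_risk=True, subjects_rule="high_risk",
)


@dataclass
class CompromiseEvent:
    event_id: str
    aware_at: datetime            # when the organization became aware (timezone-aware)
    high_risk: bool
    details: dict = field(default_factory=dict)  # notification content keyed by field name
    regulator_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None


def missing_fields(event: CompromiseEvent, fw: Framework) -> list[str]:
    """Required notification items that are absent or empty for this framework."""
    return [f for f in fw.required_fields if event.details.get(f) in (None, "", [])]


def regulator_deadline(event: CompromiseEvent, fw: Framework) -> Optional[datetime]:
    """Latest time the regulator must be notified; None when the pack gives no fixed period."""
    if fw.immediate_if_high_risk and event.high_risk:
        return event.aware_at
    if fw.regulator_deadline_hours is None:
        return None
    return event.aware_at + timedelta(hours=fw.regulator_deadline_hours)


def regulator_overdue(event: CompromiseEvent, fw: Framework, now: datetime) -> bool:
    """True when a fixed deadline has passed and no notification is recorded."""
    deadline = regulator_deadline(event, fw)
    if deadline is None or event.regulator_notified_at is not None:
        return False
    return now > deadline


def subjects_notification_required(event: CompromiseEvent, fw: Framework) -> bool:
    return fw.subjects_rule == "always" or event.high_risk


def register_row(event: CompromiseEvent, fw: Framework, now: datetime) -> dict:
    """One row of the compromise/breach register (POPIA-08-C3, PDPL-SA-05-C4)."""
    deadline = regulator_deadline(event, fw)
    return {
        "event_id": event.event_id,
        "framework": fw.name,
        "regulator": fw.regulator,
        "aware_at": event.aware_at.isoformat(),
        "regulator_deadline": deadline.isoformat() if deadline else "no fixed period in pack",
        "regulator_notified": event.regulator_notified_at is not None,
        "regulator_overdue": regulator_overdue(event, fw, now),
        "subjects_required": subjects_notification_required(event, fw),
        "subjects_notified": event.subjects_notified_at is not None,
        "missing_fields": missing_fields(event, fw),
    }


UTC = timezone.utc
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=UTC)  # constructed "current time" for the run

# Constructed events; the PDPL-SA field names are used for the details.
EVENT_A = CompromiseEvent(  # high risk, aware three hours ago, consequences not yet written up
    "INC-A", datetime(2025, 3, 10, 9, 0, tzinfo=UTC), high_risk=True,
    details={"nature": "unauthorized access to customer portal",
             "data_categories": ["name", "email", "ID number"],
             "affected_count": 1200, "measures": "sessions revoked, passwords reset"},
)
EVENT_B = CompromiseEvent(  # low risk, NDMO notified 46 hours after awareness
    "INC-B", datetime(2025, 3, 1, 12, 0, tzinfo=UTC), high_risk=False,
    details={"nature": "misdirected e-mail", "data_categories": ["name"],
             "affected_count": 3, "consequences": "minimal", "measures": "recall requested"},
    regulator_notified_at=datetime(2025, 3, 3, 10, 0, tzinfo=UTC),
)
EVENT_C = CompromiseEvent(  # low risk, aware 96 hours ago, nobody notified yet
    "INC-C", datetime(2025, 3, 6, 12, 0, tzinfo=UTC), high_risk=False,
    details={"nature": "lost unencrypted laptop", "data_categories": ["name", "address"],
             "affected_count": 40, "consequences": "possible identity misuse",
             "measures": "device remotely wiped"},
)

if __name__ == "__main__":
    for ev in (EVENT_A, EVENT_B, EVENT_C):
        row = register_row(ev, PDPL_SA, NOW)
        print(f"{row['event_id']}: overdue={row['regulator_overdue']} "
              f"subjects_required={row['subjects_required']} missing={row['missing_fields']}")
```

Under PDPL-SA, INC-A is already overdue because a high-risk breach collapses the 72-hour window to the moment of awareness, and its notification is not yet complete (consequences missing); INC-B was notified inside 72 hours and is not overdue; INC-C has passed its 72-hour deadline with no notification recorded. Running the same events against POPIA yields no fixed deadline but flags all five POPIA fields as missing, which is the point of keeping the required-field list per framework.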
### PDPL-SA-06: NDMO Registration and Compliance

Severity: High

Register with NDMO as required and comply with its oversight obligations.

Legal Reference: PDPL Article 40; Amending Law M/148/2023; NDMO National Data Governance Interim Regulations

Register with NDMO where required and appoint a DPO to liaise with it. Maintain processing records, cooperate with NDMO audits, implement NDMO guidelines, and submit annual compliance reports if required. Government entities must also comply with the National Data Governance policies.

| Check | Description |
|---|---|
| PDPL-SA-06-C1 | NDMO registration completed where required |
| PDPL-SA-06-C2 | Processing records maintained for NDMO oversight |
| PDPL-SA-06-C3 | NDMO guidelines and policies implemented |
## Exercise: Middle East Data Localization Comparison

Both Saudi Arabia and the UAE impose data transfer requirements, but the two regimes differ significantly.

| Question | Saudi Arabia (PDPL) | UAE (PDPL) |
|---|---|---|
| Is data localization mandatory? | ? | ? |
| What must you do before transferring abroad? | ? | ? |
| Who approves transfer mechanisms? | ? | ? |
| Do Free Zones have separate rules? | ? | ? |
### Answers

- Saudi: Yes, data must be processed in Saudi Arabia by default. Transfers only with NDMO-approved safeguards.
- UAE: No blanket localization, but an adequacy assessment is required. SCCs or BCRs for non-adequate countries.
- Saudi: NDMO (under SDAIA) approves SCCs/BCRs and assesses adequacy.
- UAE: The UAE Data Office regulates the mainland. The DIFC and ADGM Free Zones have their own separate data protection laws (DIFC DPL, ADGM DPR).
## Exercise: South Africa POPIA Compliance Checklist

If your organization operates in South Africa, use this checklist:

- [ ] Information Officer designated and registered with the Information Regulator
- [ ] IO contact details on your website
- [ ] Processing conditions documented (Sections 10-11 lawful basis per activity)
- [ ] Purpose compatibility assessed for all processing
- [ ] Retention schedule defined with deletion/deidentification procedures
- [ ] Security safeguards risk assessment conducted
- [ ] Access controls, encryption, and firewalls implemented
- [ ] Data subject rights process (notification, access, correction, objection)
- [ ] Compromise/breach notification procedure for Section 22
- [ ] Compromise register maintained
- [ ] Operator (processor) contracts executed
- [ ] Cross-border transfer safeguards documented
- [ ] Direct marketing controls in place (Sections 69-70)

Run `ges policy install za-popia` to install the POPIA pack and track each control.