A preliminary assessment of the level of compliance with the Personal Data Protection Law

The Personal Data Protection Law, issued by Royal Decree No. M/19 on 9/2/1443 AH, came into effect on Thursday, 28/2/1445 AH, corresponding to September 14, 2023.

This law applies to all entities, including government institutions, the private sector, non-profit organizations, and external providers.

It serves as a legal framework aimed at protecting individuals’ privacy by regulating how personal information is collected, used, and stored. The law ensures individuals’ rights to control their data, such as the right of access, among others.

1. Are periodic assessments conducted to ensure your entity’s compliance with the law?

2. Has a record been created for how personal data is processed according to the requirements of Article 31 of the law?

3. Are personal data transferred, stored, or processed outside the geographical boundaries of the Kingdom of Saudi Arabia?

4. When obtaining consent for processing personal data for marketing purposes from the data subject, is this done according to Article 26 of the law?

5. If there is credit data processing, have the controls mentioned in Article 24 of the law been applied?

6. If there is health data processing, have the controls mentioned in Article 23 of the law been applied, including restricting access to health data to the smallest number of employees possible?

7. Do you, as a controlling entity, have a documented procedure or its equivalent to notify the relevant authority in case of a leak, damage, or unauthorized access to personal data?

8. Do you, as a controlling entity, disclose personal data according to one of the guarantees stipulated in Articles 15 and 16 of the law?

9. Do you, as a controlling entity, have procedures and policies for selecting a processing entity for personal data that ensure the chosen processor complies with the law’s provisions and regulations and provides the necessary guarantees for their implementation?

10. Can data subjects withdraw their consent to the processing of their personal data at any time?

11. Is there evidence or proof that the data subjects have consented to the processing of their personal data by you?

12. Is there a procedure that enables the data subject to submit a request concerning their rights as stipulated in Article 4 of the law?

13. Have personal data been collected for specific, explicit, and lawful purposes that do not conflict with any existing law?