INSITE - UAE- May 2025

SAUDI ARABIA NEW DRAFT DATA PROTECTION AMENDMENTS

Summary: Saudi Arabia is progressing its data protection regime with two key regulatory developments: proposed amendments to the Personal Data Protection Law (PDPL) Implementing Regulations and the introduction of new controls for service providers in the data sector. These complementary measures aim to enhance compliance, raise standards for support services, and improve accountability across the Kingdom’s growing data economy.

In Detail: Saudi Arabia is moving quickly toward becoming a data-driven economy, and its regulations are evolving to support this shift. In April 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) released two important draft documents for public consultation:

1. Proposed changes to the Implementing Regulations of the PDPL; and

2. New Draft Controls for businesses and professionals involved in personal data protection.

The amendments aim to clarify what companies must do when managing personal data internally. The new Controls focus on those who support the data protection sector, like consultants, trainers, and event organizers. Together, these drafts show SDAIA’s push to tighten compliance and expand oversight.

Key Changes to Implementing Regulations

The proposed changes to the Implementing Regulations include both structural updates and important content revisions. While the main principles of the PDPL remain, the draft adds clarifications, removes some parts, and updates certain procedures changes that businesses in Saudi Arabia need to review carefully.

These updates show SDAIA’s aim to better align with global data protection standards and to address practical issues that have come up since the law was first introduced.

1. Amendments to the Implementing Regulations of the PDPL

These proposed amendments clarify and refine existing requirements under the PDPL, aiming to align more closely with international standards like the EU GDPR.

Key Highlights:

• Definitions Removed: The draft deletes definitions for "Direct Marketing" and "Personal Data Breach," creating ambiguity and placing more responsibility on organizations to interpret these terms based on general legal principles. This could increase compliance risk until further guidance is issued.

  
  

• Enhanced Data Subject Rights:

  
  

  • Information must be provided in simple language for individuals with limited legal capacity (Article 4).

  • Individuals now have the right to receive their personal data in a readable, accessible format (Article 6).

  • Privacy policies must be clear and user-friendly, not just legally compliant (Article 18 Repeated).

  
  

• Consent and Marketing: Articles 28 and 29 strengthen rules around marketing communications:

  
  

  • Explicit consent is required and must be easy to withdraw.

  • Mechanisms must be in place for users to stop receiving marketing messages.

  
  

• PDPO Role Expanded (Article 32): The Personal Data Protection Officer (PDPO) now has clearly defined duties, including overseeing compliance, managing data breach responses, and coordinating with SDAIA. This aligns the role more closely with international standards and makes it more central to an organization’s governance structure.

  
  

• Operational Changes:

  
  

  • Record-Keeping (Article 33): Clearer guidance on how long records must be kept and what they should include.

  • Registration (Article 34): Entities transferring data internationally or handling data for public bodies must register with the National Register of Controllers.

  • Complaints (Articles 36–37): More efficient complaint handling procedures, including faster response timelines.

  
  

• Legal Certainty: The regulations will take effect upon publication in the Official Gazette and on SDAIA’s website.

2. New Draft Controls for Data Protection Service Providers

This second draft regulation introduces oversight for organizations that offer services related to data protection by closing a regulatory gap and extending SDAIA’s reach beyond just data controllers and processors.

Scope:

Covers entities offering:

• Data protection consultancy services

• Technical solutions (e.g., compliance tools)

• Training and certification programs

• Public awareness events (e.g., conferences and seminars)

Core Requirements:

• Mandatory Registration: All service providers must register on the National Data Governance Platform, ensuring SDAIA visibility and control.

• Disclosure Obligations: Entities must declare any past data protection violations or investigations.

Category-Specific Rules:

• Consultants: Must follow PDPL aligned practices and keep records.

• Trainers: Must use qualified personnel and get SDAIA approval.

• Tech Providers: Must demonstrate that their solutions meet PDPL standards and conduct self-assessments.

• Event Organizers: Must ensure speaker qualifications and legal content, with prior approval from SDAIA.

Enforcement and Oversight:

• SDAIA can suspend a provider’s activities if violations are found or if investigations are underway.

• A public register of approved service providers will be maintained to ensure transparency and accountability.

• SDAIA will review and update these Controls periodically based on feedback and developments.

  
  

The Controls will take effect once published in the Official Gazette, giving clear legal certainty. Organizations planning to operate as advisors, trainers, vendors, or event organizers should start reviewing the draft now and get ready to comply.

Key Links: https://www.middleeastbriefing.com/news/saudi-arabia-draft-data-protection-amendments/ 

https://istitlaa.ncc.gov.sa/en/transportation/ndmo/rulesgoverningpdplactivities/Documents/Draft%20Controls%20Governing%20Commercial,%20Professional,%20and%20Non-Profit%20Activities%20Related%20to%20Personal%20Data%20Protection.pdf

https://sdaia.gov.sa/en/SDAIA/about/Documents/ImplementingRegulation.pdf

https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/IRofPDPLAmendments/Pages/default.aspx 

OMAN ENACTS NEW LAW FOR SPECIAL ECONOMIC AND FREE ZONES

Summary: On 7 April 2025, Oman issued Royal Decree 38/2025, enacting the Law of Special Economic Zones (SEZs ) and Free Zones (FZs), published in the Official Gazette on 13 April 2025. The Law introduces a unified framework to enhance business operations in SEZs and FZs, offering key incentives such as a 10-year tax exemption (with possible extensions) and favorable customs provisions. An Explanatory Memorandum has also been released, outlining the Law's objectives and clarifying its provisions.

In Detail: The Sultanate of Oman introduced a significant legal development through Royal Decree 38/2025, establishing the new Law on Special Economic Zones and Free Zones.

Key incentives include a 10-year corporate tax exemption for eligible entities, with the possibility of further extensions for specific strategic activities. Businesses will also benefit from favorable customs rules, reinforcing Oman’s appeal as a regional investment hub.

To further ease doing business, the Law introduces a one-stop shop service that will centralize and streamline the processing of permits, approvals, and licenses.

The Law anticipates the issuance of its Executive Regulation within one year, along with additional decisions to support smooth implementation.

Previously, different laws governed FZs and the Duqm SEZs, leading to separate rules, procedures, and benefits. Royal Decree 56/2002 applied to FZs, while Duqm SEZ was regulated by Royal Decree 119/2011. These differences created inconsistencies in tax exemptions and operational processes.

Following a review of economic laws, the Sultanate of Oman issued a new Law to unify and modernize the legal framework for all SEZs and FZs. This new Law streamlines procedures, harmonizes benefits, and strengthens oversight to create a more attractive investment environment.

Its main goals include:

• Attracting local and foreign investment

• Diversifying income sources

• Creating jobs

• Supporting SMEs

• Offering consistent and enhanced incentives

• Linking tax exemptions to economic outcomes

• Regulating real estate development in the zones

The Law cancels the earlier Free Zones Law (Royal Decree 56/2002) and any conflicting legislation. Until the new regulations are issued, existing ones will continue to apply as long as they do not contradict the new Law.

Key Highlights of Law and the Explanatory Memorandum

1. Corporate Income Tax

   
   

   • Eligible businesses in SEZs and FZs get a 10-year exemption from income tax.

   • This can be extended for two more periods if the business offers high added value or supports innovation.

   • Detailed rules for eligibility will be in the upcoming Executive Regulation.

   • The exemption does not apply to banks, insurers, telecom companies, contractors, or transport businesses (road/maritime).

   
   

2. Customs

   
   

   • A customs department will be set up within each SEZ to speed up import/export processes and lower logistics costs.

   • Customs systems will be coordinated with the Royal Oman Police to ensure smooth and secure operations.

   
   

3. Customs exemptions:

   
   

   • Goods used to build and run businesses in SEZs and FZs are customs-free.

   • Exports from these zones are not taxed.

   • Goods can be temporarily brought in for repairs or manufacturing under certain conditions.

   
   

4. Real Estate

   
   

   • Land for development will be offered under usufruct rights (long-term leases).

   • Non-Omanis can buy property in these zones through freehold ownership, giving them full ownership.

   
   

5. Administration and Support

   
   

   • A one-stop shop system will manage all approvals, permits, and licenses to make doing business easier.

   • Authorities must ensure developers and businesses get the services they need to operate.

   
   

6. Existing Operators

   
   

   • Businesses already operating in FZs or Duqm SEZ will keep their current benefits until their agreements expire.

   
   

7. Next Steps

   
   

   • Companies should review the Law to understand how it affects them and what benefits may apply.

   • An Executive Regulation will be issued within one year to provide detailed guidance on implementation.

Key Links: https://www.opaz.gov.om/upload/files/decisions/Royal_Decree38_2025_Issuing_the_law_of_Special_Economic_Zones_and_Free_Zones_English.pdf

https://www.opaz.gov.om/upload/files/decisions/Explantory_Memorandum_Provisions_Special_Economic_Zones_Free_Zones_Law_English.pdf

https://taxnews.ey.com/news/2025-0998-oman-issues-law-on-special-economic-zones-and-free-zones 

DMCC INTRODUCES NEW SPV & HOLDING COMPANY LICENCES

Summary: The Dubai Multi Commodities Centre (DMCC) has launched two new licence types Special Purpose Vehicle (SPV) and Holding Company, designed to make business structuring in Dubai more efficient and cost-effective.

In Detail: The DMCC a leading free zone in the UAE, has launched new SPV and Holding Company licences, aimed at providing investors and businesses with flexible, efficient, and cost-effective legal structures. This development aligns with global demand for simplified and transparent structuring options, particularly in the context of tightening international compliance standards.

An SPV is a private legal entity created for specific non-operational purposes such as holding assets, isolating risk, or structuring investments. It is commonly used for real estate holdings, IP management, and project-based ventures. An SPV under DMCC can be incorporated as a company limited by shares or guarantee and enjoys significant regulatory exemptions, including the absence of requirements for physical premises, a company secretary, or annual general meetings.

A Holding Company, in contrast, functions as a parent entity that owns shares in other companies. It is not intended to conduct commercial operations directly but can hire employees and serve as a head office to manage group entities, investments, or regional operations.

Both structures provide efficient alternatives to traditional licences, which often impose operational and physical infrastructure requirements that are unnecessary for passive or oversight-only entities. By removing these obligations, DMCC enables more agile and cost-conscious establishment of legal entities.

DMCC’s framework further benefits from access to both local and international banking support and a globally recognised regulatory regime. With over 24,000 companies currently registered, the DMCC remains a preferred jurisdiction for international business.

Key Features of the new licenses

1. SPV Licence:

   
   

   • No requirement for physical office, AGM, or company secretary

   • Incorporated as a company limited by shares or guarantee

   • Enables asset holding, risk segregation, and investment structuring

   • Cost-efficient and compliant with international standards

   
   

2. Holding Company Licence:

• Not operational, but can act as a regional or global head office

• Permits hiring staff for group-level management

• Suitable for consolidated ownership of multiple entities

These new licences are intended to accommodate a wide range of users from private investors to multinational corporations by offering secure, flexible structures for asset holding, liability segregation, and investment management. Key Users Include:

• Multinational companies seeking centralised control and simplified governance

• Asset-holding and investment entities aiming for tax and legal efficiency

• Family offices, venture capital firms, and entrepreneurs consolidating private holdings

• Businesses shifting away from traditional offshore jurisdictions towards substance-based regimes like the UAE

Key Links: DMCC Unveils New SPV and Holding Company Licences to Enhance Business Structuring

DMCC Launches New Licences to Enhance Business Flexibility | Arabian Post

DMCC Launches New SPV and Holding Company Licences to Enhance Business Structuring - Al Tamimi & Company

DMCC unveils new SPV and Holding Company Licenses