Saudi Arabia: Adopted insurance market code of conduct regulation including data localisation requirement

On 30 August 2008, the Saudi Arabian Monetary Agency (SAMA) adopted the Insurance Market Code of Conduct Regulation. The regulation mandates that companies must ensure the protection of customer personal data by adhering to specific conditions. These include the requirement that data must be obtained and used solely for defined and lawful purposes, stored within the Kingdom, kept secure and up to date, and made available to the customer upon written request. The code of conduct for the insurance market stipulates that customer data must be stored and maintained exclusively within the Kingdom of Saudi Arabia, except for the companies' auditors, actuaries, reinsurers, and co-insurers. This encompasses the safeguarding of original hard copies or electronic versions, which must be updated on a regular basis and retained for a minimum of 10 years. Furthermore, data must not be disclosed to third parties without prior authorisation from SAMA. Furthermore, companies are obliged to conclude data confidentiality agreements with third parties prior to the commencement of any business relationship.