
Job Description

Data Protection Officer



at Tamara, Riyadh, Saudi Arabia

Role Overview:

The Data Protection Officer (DPO) is responsible for developing, implementing, and managing the organization’s data protection strategy to ensure full compliance with the Saudi Personal Data Protection Law (PDPL) and other applicable data protection regulations. The DPO serves as the primary point of contact for all data privacy and protection matters, ensuring that personal data is processed legally, securely, and ethically throughout the organization.

About Tamara
Tamara is the leading shopping and payments platform in Saudi Arabia and the GCC region, with a mission to empower people in their daily lives and revolutionize how they shop, pay, and bank. The company was founded by serial entrepreneur Abdulmajeed Alsukhan along with his partners Turki Bin Zarah and Abdulmohsen Al Babtain. Tamara operates out of its headquarters in Riyadh, Saudi Arabia, and has offices in the UAE, Egypt, Germany, and Vietnam. Our large, dedicated team of professionals continues to grow as we expand our reach and impact.
Serving millions of users and partnering with thousands of merchants, Tamara collaborates with leading global and regional brands such as SHEIN, Jarir, noon, IKEA, H&M, and Farfetch, as well as local small and medium businesses. The company is backed by SNB Capital and Sanabil Investments, a wholly-owned company by the Public Investment Fund (PIF), Checkout.com, Coatue, Shorooq Partners, and Endeavor Catalyst, among others.

Key Responsibilities:



- Develop and Implement Data Protection Policies:
Establish and maintain comprehensive data protection policies, procedures, and guidelines in alignment with the Saudi PDPL and international best practices. Ensure all data processing activities comply with PDPL and integrate data protection principles into all organizational processes. Create a data governance framework that includes policies for data retention, data deletion, and data archiving, aligned with PDPL.
- Monitor Compliance with PDPL and Other Regulations:
Conduct regular reviews and audits of data processing activities to ensure compliance with PDPL. Identify, assess, and mitigate potential compliance gaps and collaborate with relevant stakeholders to implement corrective measures. Maintain documentation to demonstrate compliance with PDPL requirements, including data processing activities, risk assessments, and decisions related to data protection.
- Manage Data Protection Impact Assessments (DPIAs):
Oversee and advise on Data Protection Impact Assessments (DPIAs) for any processing activities that could pose a high risk to data subjects' rights and freedoms. Ensure that DPIAs are carried out in accordance with PDPL and that any identified risks are mitigated effectively.
- Handle Data Subject Requests and Complaints:
Manage and respond to data subject access requests (DSARs), including requests for access, correction, deletion, or restriction of processing of personal data in compliance with PDPL. Develop and implement efficient procedures to handle data subject requests within the timeframes specified by PDPL. Address complaints related to data protection from internal and external parties, ensuring swift resolution in compliance with PDPL.
- Manage Data Breach Response:
Establish and maintain a data breach response plan compliant with PDPL requirements. Lead the investigation and resolution of data breaches, including the notification of the Saudi Data and Artificial Intelligence Authority (SDAIA) and affected data subjects as required by PDPL. Ensure thorough documentation of all breaches and corrective actions taken, meeting PDPL's notification and reporting obligations.
- Serve as Point of Contact with Regulatory Authorities:
Act as the primary liaison between the organization and the Saudi Data and Artificial Intelligence Authority (SDAIA) or other relevant regulatory bodies. Coordinate and prepare responses to inquiries, audits, and investigations from regulatory authorities. Maintain a positive and cooperative relationship with regulators, providing necessary documentation and information promptly.
- Provide Training and Awareness:
Develop and deliver comprehensive training programs to educate employees about their responsibilities under PDPL and the organization’s data protection policies. Conduct regular awareness sessions and workshops to foster a culture of data protection and privacy compliance within the organization.
- Advise on Data Protection Strategy and Governance:
Provide strategic advice to senior management on data protection matters, including risk management, data security, and regulatory compliance. Work closely with IT, Legal, HR, and other departments to integrate data protection into all organizational functions. Develop and implement a roadmap for ongoing data protection improvements, aligned with business objectives and PDPL requirements.
- Maintain Records of Processing Activities (RoPA):
Ensure the creation and maintenance of comprehensive records of all data processing activities conducted by the organization, in line with PDPL. Ensure these records are accurate, up to date, and readily available for inspection by regulatory authorities.
- Stay Up to Date with Legal Developments:
Monitor and interpret changes in PDPL and other data protection regulations to provide proactive advice to the organization. Update internal policies and procedures as necessary to reflect new regulatory requirements or best practices.
- Develop and Oversee Consent Management Processes:
Implement robust processes to obtain, manage, and document consent from data subjects in compliance with PDPL. Ensure clear and transparent communication about the purposes for data collection and processing, and manage consent withdrawal efficiently.
- Ensure Compliance with Data Localization Requirements:
Ensure that all personal data collected or processed is stored in compliance with PDPL’s data localization requirements, ensuring data is stored within Saudi Arabia unless specific conditions allow otherwise. Work with IT and data teams to ensure technical and organizational measures are in place for secure data localization.
- Implement Data Minimization and Purpose Limitation Principles:
Ensure that only the necessary amount of personal data is collected and processed for specified purposes, in compliance with PDPL. Regularly review data processing activities to ensure adherence to data minimization and purpose limitation principles.
- Develop Privacy Notices and Transparency Measures:
Draft and maintain privacy notices that comply with PDPL, ensuring they are clear, transparent, and easily accessible to data subjects. Ensure that privacy notices are regularly reviewed and updated as necessary to reflect changes in data processing activities or legal requirements.

Qualifications and Skills:



- Extensive knowledge of the Saudi Personal Data Protection Law (PDPL) and other relevant data protection laws and regulations.
- Proven experience in a similar role, preferably in a regulated industry such as finance, healthcare, or telecommunications.
- Strong understanding of data protection principles, data security measures, and privacy risk management.
- Excellent communication, negotiation, and stakeholder management skills.
- Experience in managing data breaches, incident response, and regulatory engagement.
- Relevant certifications such as CIPP/E, CIPM, CIPT, or other recognized data protection qualifications are preferred.
- Fluency in both Arabic and English is highly desirable for effective communication with local authorities and stakeholders.

Key Focus Areas for Compliance with Saudi PDPL:



- Data Minimization and Purpose Limitation: Ensure only necessary data is collected and processed

Job Details

- Job Location: Riyadh, Saudi Arabia
- Company Industry: Other Business Support Services
- Company Type: Unspecified
- Employment Type: Unspecified
- Monthly Salary Range: Unspecified
- Number of Vacancies: Unspecified
