Data Privacy Officer
Jiddah, Makkah, Saudi Arabia · Full Time
- Experience: Any
- Salary: —
- Openings: 1
- Posted: 4 hours ago
- Work mode: In office
- Eligibility: Professionals with experience in privacy compliance, data protection operations, governance, or related legal/compliance roles who can work onsite in Jiddah and coordinate across internal functions and external partners.
- Resume: Required to apply
Job description
Role overview
The Data Privacy Officer serves as the day-to-day lead for carrying out personal data protection obligations. This position keeps privacy compliance records in order and works closely with business teams, IT, cybersecurity, legal, procurement, and external vendors to ensure that data processing, subject requests, privacy assessments, breach handling, disclosures, processor activities, and cross-border transfers are properly controlled and documented.
Key responsibilities
Manage the full lifecycle of data subject requests, including access, copy, correction, update, completion, deletion, and consent withdrawal. Confirm the identity of requesters, record both written and verbal requests, and ensure responses, refusals, extensions, and their reasons are properly logged and completed within the required timeframes. Oversee approved channels for these requests, such as email, SMS, national address, electronic portals, or other lawful communication methods.
Draft and maintain privacy notices that clearly explain the controller’s identity, contact information, processing purposes, legal grounds, retention periods, individual rights, consent withdrawal, and whether providing data is mandatory or optional. Manage consent collection and evidence so that it is voluntary, specific, documented, and separated by purpose where needed. Support withdrawal handling and make sure processing stops when consent is the only lawful basis. Also help control direct marketing and advertising activities by maintaining opt-out mechanisms, identifying the sender, preserving consent records, and ensuring marketing stops immediately after withdrawal.
Build, update, and retain written records of processing activities. These records must cover controller information, DPO details where relevant, purposes, categories of personal data and data subjects, retention periods, disclosure recipients, transfers outside the Kingdom, and security controls. Make these records available for internal review, audit, management reporting, or authority requests.
Carry out and document privacy impact assessments for sensitive data, linked datasets, high-volume or repeated processing, monitoring, new technologies, automated decision-making, and any activity that could create serious privacy harm. Review purpose, legal basis, data sources, recipients, geographic scope, proportionality, harm likelihood, harm severity, and mitigation controls. Reassess high-risk processing when needed and support legitimate interest assessments by checking necessity, balancing interests, reasonable expectations, and the exclusion of sensitive data.
Maintain the personal data inventory and work with business and system owners on classification activities. Apply classification using impact, sensitivity, data type, business purpose, and regulatory needs. Track related controls such as protective marking, access, use, storage, sharing, retention, disposal, archiving, and declassification. Escalate uncertain or high-risk classification decisions to the Chief Data Privacy Officer.
Review incoming data sharing requests from internal and external parties. Validate the purpose, legal basis, minimization, classification, authorization, data type, preprocessing, safeguards, duration, frequency, termination, and liability needs. Prepare data sharing agreements or privacy schedules and route them for approval before any information is shared. Keep evidence of requests, decisions, agreements, controls, and implementation.
Maintain the register of personal data transfers and disclosures outside the Kingdom. Perform transfer risk assessments when required, including evaluation of purpose, legal basis, transfer type, geography, safeguards, minimization, possible material or moral impact, and mitigation steps. Confirm that approved safeguards such as standard contractual clauses, binding common rules, accreditation/certification, or other authority-approved safeguards are in place. Watch for changes in safeguards, sub-processors, countries, transfer purpose, or regulatory conditions, and escalate issues that require pause or remediation.
Review privacy questionnaires, due diligence materials, and contractual privacy clauses for processors and third parties. Make sure processor agreements address purpose, personal data categories, processing duration, breach notification duties, foreign regulatory exposure, mandatory disclosures, sub-processors, and data return or destruction requirements. Track approvals, objections, assurance reviews, remediation actions, and periodic compliance checks.
Work with cybersecurity and incident response teams to determine whether a security incident is a personal data breach. Prepare breach analyses covering the date and time, circumstances, categories of data, number of impacted data subjects, type of personal data, risk level, actions taken, future mitigation, and contact details. Support notifications to the competent authority within the required period where applicable, and draft clear data subject notices when a breach may affect rights, interests, or well-being. Keep breach reports, corrective actions, evidence, and lessons learned.
Maintain retention and destruction procedures for operational records, archived data, and backups where relevant. Coordinate destruction requests and send notifications to parties who previously received the data when required. Ensure data remains accurate, complete, and timely, and that corrections are documented and communicated to relevant recipients. Track proof of disposal and escalate any gaps in secure destruction or retention compliance.
Run privacy awareness activities, retain attendance and communication records, conduct regular compliance checks, and prepare dashboards for the Chief Data Privacy Officer. Keep audit-ready evidence for policies, procedures, assessments, rights requests, breaches, transfers, processors, sharing activities, and corrective actions. Follow up remediation plans and report overdue risk items.
Required deliverables
The role owns the following outputs: data subject rights register and request evidence; privacy notice register and consent/withdrawal evidence; records of processing activities register; privacy impact assessments and legitimate interest assessments; personal data inventory and classification evidence; data sharing request register and data sharing agreements; cross-border transfer register and transfer risk assessments; processor due diligence records, contract review evidence, and sub-processor approval records; personal data breach notification packs and corrective action evidence; retention, destruction, correction, and data quality records; and a privacy compliance dashboard plus awareness records.
Employment details
This is a full-time onsite position based in Jiddah, Makkah, Saudi Arabia.