On September 24, 2021, the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia was published in the government's Official Gazette. Saudi Arabia's Personal Data Protection Law will go into effect on March 17, 2023. It is the first data protection law of its kind to be passed in the Kingdom of Saudi Arabia, and it regulates the processing of personal data. Some principles of the PDPL are similar to those of other international data protection regulations, but the law also includes many unique requirements, such as data transfer and localization requirements.
The initial version of the PDPL introduced strict compliance regulations for data controllers. On November 20, 2022, an amended version of the PDPL was published, which contains significant changes that are largely more business-friendly, including reduced data localization requirements and the introduction of a form of legitimate interests as a legal basis for processing. This article takes into account the requirements of the latest version of the amended PDPL draft.
What is Saudi Arabia’s Personal Data Protection Law (PDPL)?
The PDPL is the first data protection law of its kind to be passed in the Kingdom of Saudi Arabia. It regulates the processing of personal data of Saudi Arabia residents, who are called data subjects.
The PDPL will regulate any kind of processing of personal data of Saudi Arabia residents, including collecting, using, storing, managing, sharing, or updating personal data.
The principal aim of the PDPL is to require private and public entities, called data controllers, to have a legal basis for the processing of personal data, and to ensure that these entities process personal data fairly, lawfully, and securely. Companies and organizations must protect personal data from loss, damage, or destruction.
For the first two years, the Saudi Data & Artificial Intelligence Authority (SDAIA) will be responsible for the implementation of the law. After two years, as the data protection landscape develops, the National Data Management Authority (NDMO) will become the supervisory authority.
The SDAIA, in consultation with various government entities, is required to issue the regulations prior to the law taking effect in March 2022.
The initial version of the PDPL required data controllers outside Saudi Arabia that process personal data of Saudi Arabia residents to appoint a representative in Saudi Arabia to fulfill their obligations under the law and to pay a related fee. Article 31 of the amended draft removed the specific provisions requiring data controllers to register with the competent authority and requiring organizations outside the Kingdom to appoint a local representative. However, the competent authority may still impose these requirements in specific cases for monitoring compliance.
The competent authority is expected to educate personnel of private and public entities regarding rights and obligations of the law. Data controllers are also required to hold workshops and train personnel on the law's concepts and principles.
Who does the PDPL apply to?
The Law applies to all personal data processing undertaken in Saudi Arabia. This means that all entities, private companies, public organizations, and their affiliates that process the personal data of Saudi residents are subject to the law. In addition, the law also applies to entities operating outside Saudi Arabia that process the personal data of Saudi residents.
Personal data processing of deceased persons is also within the scope of the law if such processing could identify that person or his or her family.
Information used for household or personal purposes is excluded from the law.
Data Subjects' Rights under the PDPL
Residents of the Kingdom of Saudi Arabia, called data subjects, are given a number of data rights under the PDPL:
- Right to be informed. Any entity that processes the personal data of data subjects must inform them about the legal basis for collecting their personal data, its purpose, and how their data is processed.
- Right to access. Data subjects have the right to access their personal data, and the right to receive a copy of their personal data in an easily readable format and free of charge.
- Right to correction. Data subjects have the right to request entities to correct, update, or complete personal data about them. The entities must correct the data within a reasonable time.
- Right to deletion. Data subjects have the right to request the deletion of personal data if the entities no longer need it.
The Principles of Data Processing in the PDPL
Both private and public entities, called data controllers, must respect the following key principles of data processing in the PDPL:
Under the PDPL, data controllers must have a legal basis to process the personal data of data subjects. Data controllers must balance their own needs against the rights and freedoms of data subjects. However, the law does not indicate how this balancing should be done in practice, so the application of this legal basis remains unclear.
The purpose of collecting personal data must be directly related to the services the data controller provides to the data subjects. The methods for collecting personal data must be direct, clear, secure, and free from deception.
Personal data collection must be appropriate and limited to what is necessary to provide the data controller's services or goods. If the collected data is no longer necessary, data controllers must stop collecting the data and delete it immediately.
Data subjects should have options to accept and to reject cookies. Do not drop cookies BEFORE they have given Cookie Consent.
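The "no cookies before consent" rule above is simple to state but easy to violate in practice, because analytics and advertising tags typically set their cookies the moment they load. The following added example (not code from the original article or from any consent vendor) shows one way to enforce it in the browser client: every cookie write is tagged with a category, only strictly necessary cookies are written before a consent decision, and everything else is deferred and then either flushed or discarded according to the categories the data subject actually opted in to. The category names, cookie names and values are constructed for illustration; the `browserCookieWriter` helper is a hypothetical adapter for a real page.

```javascript
// Added example, not from the original article: a consent gate that refuses to
// set non-essential cookies until the data subject has opted in to that category.

const CATEGORIES = ["necessary", "analytics", "marketing"]; // constructed categories

function createConsentGate(writeCookie) {
  // Opt-in default: only strictly necessary cookies may be written before consent.
  const consent = { necessary: true, analytics: false, marketing: false };
  let pending = []; // non-essential writes deferred until a consent decision

  function setCookie(name, value, category, options = {}) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (consent[category]) {
      writeCookie(name, value, options);
      return "set";
    }
    pending.push({ name, value, category, options });
    return "deferred";
  }

  function updateConsent(choices) {
    // "necessary" cannot be rejected; any category not explicitly accepted stays rejected.
    for (const c of CATEGORIES) {
      if (c !== "necessary") consent[c] = choices[c] === true;
    }
    let flushed = 0;
    let dropped = 0;
    for (const p of pending) {
      if (consent[p.category]) {
        writeCookie(p.name, p.value, p.options);
        flushed += 1;
      } else {
        dropped += 1; // rejected category: the deferred write is discarded, not retried
      }
    }
    pending = [];
    return { flushed, dropped, consent: { ...consent } };
  }

  return { setCookie, updateConsent, getConsent: () => ({ ...consent }) };
}

// Hypothetical adapter for a real browser page. Not invoked in the demo below,
// because Node has no `document`; defaults to Secure and SameSite=Lax.
function browserCookieWriter(name, value, options = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  if (options.maxAge !== undefined) s += `; Max-Age=${options.maxAge}`;
  s += `; Path=${options.path || "/"}; SameSite=${options.sameSite || "Lax"}`;
  if (options.secure !== false) s += "; Secure";
  document.cookie = s;
}

// Demo with a recording writer so the behaviour is visible outside a browser.
// Cookie names and values here are constructed sample data.
function demo() {
  const written = [];
  const gate = createConsentGate((name, value) => {
    written.push(`${name}=${value}`);
  });
  const results = [
    gate.setCookie("session_id", "abc123", "necessary"), // "set": allowed pre-consent
    gate.setCookie("_ga", "GA1.2.555", "analytics"),      // "deferred"
    gate.setCookie("ad_id", "xyz", "marketing"),          // "deferred"
  ];
  const decision = gate.updateConsent({ analytics: true }); // marketing not accepted
  return { results, written, decision };
}
```

In a real page the tag-loading code would call `gate.setCookie` instead of touching `document.cookie` directly, and the consent banner would call `gate.updateConsent` with the user's choices; the gate then becomes the single place where "was consent given for this category?" is decided, which is also the place to log for audit.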
Consent for processing personal data is not necessary when:
- processing benefits data subjects and they cannot be contacted;
- processing is required by law or by an agreement to which an individual is a party; or
- the data controller is a public entity and such processing is required for security purposes.
Data controllers must take appropriate technical and organizational measures to ensure the security of personal data, including when it is transferred to third parties.
Data controllers should not disclose personal data under any circumstances if:
- it will be a threat to national security and reputation;
- it affects the Kingdom of Saudi Arabia's relationship with other countries;
- it prevents the detection of a crime or affects any criminal proceedings;
- it endangers the safety of individuals;
- it violates the privacy of individuals;
- it could breach legal or professional obligations or procedures;
- it could disclose confidential information.
The personal data could be disclosed only in these cases:
- when the data subject consents to it;
- when the personal data is already publicly available;
- when it is an obligation to fulfill legal requirements;
- when it is in the vital interest of data subjects; or
- when disclosing will not lead to the identification of individuals.
The PDPL allows the processing of non-sensitive personal data for marketing purposes if it is collected directly from individuals and with their consent. Opt-out consent is enough in this case, rather than opt-in consent. That is, individuals must take specific action to reject the collection of non-sensitive personal data for marketing purposes. If individuals take no action, data controllers may collect non-sensitive personal data for marketing purposes by default.
International data transfers
The initial PDPL version allowed data transfer outside the Kingdom only in exceptional cases and imposed strict data localization which required the Competent Authority's approval to transfer personal data from the Kingdom of Saudi Arabia. The law also allowed possible imprisonment for non-compliance with transfer restrictions.
The amended draft of the legislation introduced the concept of adequacy, allowing personal data to be transferred to a recipient in a jurisdiction that ensures adequate protection of personal data and the rights of individuals. Additional grounds for transferring personal data were introduced, notably, if the transfer is carried out in the performance of an obligation of the data subject, which is similar to contractual necessity under the GDPR. Together with the updated data transfer, the amended draft excludes possible imprisonment for non-compliance with transfer restrictions.
To sum up, international data transfer should meet the following conditions:
- It must not harm national security or the Kingdom’s vital interests.
- The data must be protected to prevent its leakage or disclosure.
- The transfer is limited to the minimum amount of data required.
- The transfer is approved by the competent authority, as determined by the regulation;
- The recipient country or entity provides an adequate level of protection for personal data, or
- The transfer is carried out in the performance of an obligation of the data subject.
Record of processing activities
Data controllers must record data processing activities and keep the records for a specified time. This requirement differs from other privacy laws of this kind, such as the GDPR or CCPA. These records must be provided to the authorities when requested. The records should include the following data:
- the contact details;
- the purpose for processing that personal data;
- the categories of individuals;
- any third party to whom data has been, or will be, disclosed;
- the duration during which the data is retained.
The PDPL requires data controllers to choose third parties for data processing that comply with the PDPL, and to continuously verify that such third parties comply with its requirements for the protection of personal data.
Data breach notification
When a data controller discovers that personal data has been breached, i.e. leaked, damaged, or hacked, it must immediately notify the competent authority.
Regarding notification of the affected individual, the updated version of the law introduced a risk threshold for breach notifications. If a data breach could cause harm to a data subject, he must be notified immediately. If a data breach is not detrimental to the rights and interests of a data subject, the notification is not obligatory. However, the breach notification provisions still lack a specific time period and further details on notification requirements.
Penalties for breaching the PDPL
The disclosure of sensitive personal data in violation of the provisions of the law could lead to a maximum penalty of two years imprisonment and a fine of up to SAR 3 million (USD 800K), or either of these penalties.
The violation of the provisions of the law of international data transfer could lead to maximum imprisonment of one year and a fine of up to SAR 1 million (USD 267K), or one of these two penalties.
The violations of all the other provisions could result in issuing a warning or a fine up to SAR 5 million (USD 1.3 million). The imposed fine may be doubled for repeated violations, but not exceeding SAR 10 million.
The investigation and prosecution of the violations will be performed by the Public Prosecution Office.
Frequently Asked Questions
Does GDPR apply to Saudi Arabia?
The General Data Protection Regulation (GDPR), the EU's data privacy law, applies to an entity in the Kingdom of Saudi Arabia if that entity collects or processes the personal data of EU residents and citizens. Check the GDPR compliance checklist to be GDPR compliant.