The Personal Data Protection Law (PDPL) is Saudi Arabia’s first comprehensive data protection law. It was published in the Official Gazette in September 2021 and came into effect on March 17, 2023. This law governs all aspects of the processing of the personal data of individuals residing in the country. Organizations will have until Sept. 13, 2024, to comply with the new law.

On March 10, 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) and the National Data Management Office (NDMO) jointly released draft Executive Regulations complementing the PDPL. The regulation’s final version is expected to be released before Sept. 13, 2024.


You can find a comprehensive summary of the PDPL and its implementing rules below:

The PDPL governs the collection, use, storage, sharing, transfer, and updates pertaining to personal data, regardless of the methods of processing used. Foreign organizations that process Saudi personal data are also subject to the PDPL.

The PDPL defines personal data as any information that specifically identifies a person or could lead to their identification. Examples include names, email addresses, driver’s license numbers, phone numbers, and social security numbers.

Under the new legislation, data controllers (organizations) are obligated to ensure the accuracy, completeness, and relevance of personal data before processing it. They must adhere to various data protection principles, including:

  1. Obtaining the consent of the data owner before processing their personal data.
  2. Creating and sharing with data subjects a personal data privacy policy. The policy should outline the purpose, content, collection method, storage, processing, destruction, and owner’s rights, and the process for exercising these rights.
  3. Implementing appropriate organizational, administrative, and technical measures to safeguard personal data, including during its transfer, in accordance with the regulations and controls outlined in the Executive Regulations.

Data Breach

In the event of a data breach, data controllers must promptly notify the SDAIA within 72 hours of becoming aware of the breach. They are also required to provide a comprehensive analysis of the breach to the regulatory authority, as well as the measures being implemented to prevent similar incidents in the future.

Data Processing Records

Organizations must maintain records of their processing activities, as specified by the Executive Regulations, for a determined period. The draft version of the Executive Regulations sets a retention period of five years after the processing activities end or until the purpose for collecting the personal data ends, whichever is longer. These records should include essential information such as the organization’s contact details, the purpose of the personal data processing, the categories of data subjects, the recipients of the personal data, the expected retention period of the personal data, and whether the data has been transferred outside of Saudi Arabia.

Data Transfers

The PDPL has expanded the grounds for international data transfers. Previously, transfers outside Saudi Arabia were only allowed in specific cases such as protecting the life or vital interests of the data subject, addressing diseases, fulfilling obligations under agreements involving Saudi Arabia, or serving the interests of the country. Now, transfers are permitted for additional purposes specified in the regulations, including obligations of the data subject.

The conditions for transfers, such as minimum necessary data and protection of national security and vital interests, remain the same. The requirement for approval from the competent authority, however, has been removed. Instead, there is a new requirement for an appropriate level of data protection in the destination country. Further details and procedures regarding data transfer provisions, including potential exemptions, will be outlined in the final Executive Regulations.

Penalties/Sanctions

The PDPL establishes penalties for the disclosure or publication of sensitive personal data, including imprisonment for up to two years and/or a fine of up to SAR 3 million ($800,000 USD). Both organizations and individuals can be subject to sanctions. Violations of other PDPL provisions carry penalties that include a warning notice or a fine not exceeding SAR 5 million ($1.3 million USD). In cases of repeated offenses, the court has the authority to double the fine.

Final Thoughts

The PDPL in Saudi Arabia is a significant new law impacting personal data and privacy rights. By adhering to the law, organizations subject to the PDPL can help ensure compliance with the requirements for doing business in Saudi Arabia.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.