Learn about Saudi Arabia's Personal Data Protection Law (PDPL)
In 2023, Saudi Arabia implemented a comprehensive Personal Data Protection Law aimed at safeguarding individuals' personal information. The law establishes guidelines for the collection, processing, and storage of data, grants individuals control over their data, and imposes penalties for non-compliance, ensuring enhanced privacy and data security.
Saudi Arabia has enacted its first comprehensive data protection law. The Personal Data Protection Law (PDPL) seeks to secure the privacy of individuals' personal data and to regulate the acquisition, processing, disclosure, and retention of such data by organisations.
The PDPL lays out extensive requirements pertaining to processing principles, data subjects' rights, organisations' obligations when processing personal data of individuals, cross-border data transfer mechanisms, and penalties for non-compliance.
One of the most notable characteristics of the PDPL is that it does not interfere with any provision that grants a data subject a right or specifies a higher level of protection in any other law or international convention to which Saudi Arabia is a party.
In addition, the SDAIA, in collaboration with the National Data Management Office (NDMO), issued a draft version of the Executive Regulations on 10 March 2022.
The PDPL was initially scheduled to go into effect on March 23, 2022. However, the SDAIA has submitted proposed amendments to the PDPL for public comment between November 20 and December 20, 2022. The Saudi Council of Ministers approved amendments to the PDPL on March 21, 2023. According to the revised version's timeline, PDPL will go into effect on 14 September 2023, and organisations will have until 13 September 2024 to conform.
Therefore, who must comply with this law? What rights do subjects of data have? Who administers this new law? To learn more about these queries and many others to enhance your compliance efforts, continue reading:
1. Who is Required to Comply with the Law?
The following describes how the new law applies to organisations based on their jurisdiction and the type of data involved:
a. Material Scope
The PDPL applies to the processing of personal and sensitive personal data pertaining to Saudi Arabian residents. The PDPL also applies to the deceased's personal information if it could be used to identify the deceased or a family member. The PDPL does not apply to the processing of personal information for domestic purposes.
b. Territorial Scope
The PDPL applies to any organisation, public or private, that processes personal data pertaining to individuals in Saudi Arabia. If a foreign organisation processes the personal information of Saudi Arabian citizens, the PDPL will also apply.
2. Responsibilities of Organisations In accordance with that Specific Statute
The PDPL imposes a number of responsibilities on controlling authorities (data administrators). Before processing personal data, data administrators (organisations) must ensure the data's accuracy, completeness, and relevance. The controlling authorities must also adhere to the data protection principles (limited collection, limited use, data security, accountability, limited retention, etc.).
The following are the essential PDPL obligations that organisations must fulfil to remain compliant:
a. Consent Requirements
The PDPL stipulates that organisations may not process personal data without the consent of the data's proprietor, with the exception of the circumstances outlined in the Draft Regulation.
Data subjects may revoke their consent to the processing of personal data at any time, and consent should not be required for the data controller to provide a service or benefit (unless the service or benefit is directly related to the processing activity for which consent is obtained).
The PDPL exempts the following scenarios from requiring consent:
- If the processing would accomplish a clear benefit and contacting the data subject is impossible or impracticable;
- If it is mandated by law or a prior agreement to which the data subject is a party;
- If the controller is a public entity and the processing is necessary for security or judicial purposes;
- If the controller is collecting data for scientific, research, or statistical purposes and has taken the required legal measures;
- The processing is necessary to protect the legitimate interests of the controller or a third party, as long as the rights of the data subjects are not compromised. This, however, does not apply to sensitive personal data.
Before initiating the collection of a data subject's personal information, organisations that collect the data directly from the data subject are required to inform the data subject of the following:
- The legitimate legal or practical basis for collecting their personal information;
- The purpose of collecting their personal data and whether collecting all or a portion of it is mandatory or voluntary, as well as informing them that their data will not be processed in a manner inconsistent with the purpose of its collection or in circumstances not specified in the PDPL;
- The identity of the person collecting the personal information and, when necessary, the address of their reference, unless the collection is for security purposes;
The organisation(s), its/their capacity, and whether the personal data will be transferred, disclosed, or processed outside the United Kingdom;
- Effects and risks of failing to complete the personal data collection procedure;
Subject data privileges; and
- Other elements are determined by the character of the organization's activity, as specified by the regulations.
c. Security Prerequisites
The PDPL requires organisations to adopt the organisational, administrative, and technical measures and means necessary to ensure the protection of personal data, including when it is transferred, in accordance with the provisions and controls outlined in the Draft Regulations.
d. Data Breach Requirements
The PDPL stipulates that organisations must notify the regulatory authority within 72 hours of discovering a data breach. In addition, the data controller must provide the regulatory authority with a comprehensive analysis of the violation and the measures being taken to prevent a recurrence.
In addition, if the data intrusion poses a substantial danger to the personal information of the data subjects, the data controller must promptly notify them. The controller must also provide the contact information of the DPO the data subjects can contact to learn more about the compromised data.
e. Data Protection Officer Requirement
The PDPL stipulates that organisations must appoint an individual (or multiple people) to be responsible for implementing its provisions.
f. Data Protection Impact Evaluation
According to the nature of their processing activities, the PDPL requires organisations to conduct an assessment of the consequences of processing personal data for any product or service offered to the public.
g. Processing Activity Record
Under the PDPL, organisations are required to maintain records of their processing activities for the duration specified in the Draft Regulation. The records should contain at least the following information:
- Contact information for the company;
- The reason for processing personal information;
- A description of the data subject categories;
- Any recipient to whom personal information has been (or will be) disclosed;
- Whether personal information has been (or will be) transferred or disclosed outside Saudi Arabia; and
- The anticipated length of time that the personal data will be stored.
h. Vendor Evaluation/Third Party Processing Demands
The PDPL stipulates that, when selecting the processing party, organisations must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must continuously verify such entity's compliance with their instructions in all matters pertaining to the protection of personal data.
i. Cross border data transmission Requirements
The PDPL permits transfers outside of Saudi Arabia, but stipulates that the recipient country must have regulations that guarantee the appropriate protection of personal data and a supervisory entity that requires controllers to implement appropriate procedures and mechanisms to protect personal data. To this end, SDAIA will establish evaluation criteria. In addition, Article 28 of the PDPL specifies that any of the following may serve as a transfer basis:
Preservation of the public interest, public health, public safety, or protection of the life or health of a specific individual or individuals; Performance of an obligation under an international agreement to which the Kingdom of Saudi Arabia is a party; or Performance of an obligation of the data subject under the Draft Regulations.
Previously, cross-border transmission was only permitted in exceptional circumstances and under certain conditions, such as in cases of extreme necessity to protect the life or vital interests of the data subject outside of Saudi Arabia, or to prevent, investigate, or treat an infection. In addition, SDAIA was compelled to approve each transfer individually.
3. Rights of Data Subjects
As with the majority of other global data protection regulations, the PDPL ensures that all data subjects have certain rights. These rights, also known as data subject rights, guarantee that all users retain control over their collected data. Different data protection regulations provide a variety of rights for data subjects. Among those protected by the PDPL are the following:
Right to Know/Information - Data subjects have the right to know the contact information of the data controller, the precise reason the data is being collected, the methods being used to collect the data, and whether or not the collected data will be shared or sold.
Right to Request Correction - Data subjects have the right to request correction of any incomplete, inaccurate, or outdated data collected on them.
Data subjects have the right to request the eradication of data collected on them. The reasons can range from the user revoking their consent for data acquisition to the data no longer fulfilling its intended purpose.
Right to Limit/Restrict Processing - Data subjects have the right to limit or refuse the processing of their personal data by the organisation in limited circumstances and for a limited duration. This privilege is not expressly granted by the PDPL; however, the regulatory authority has published a set of Frequently Asked Questions (FAQs) that describe it.
Right to Data Portability: Data subjects have the right to obtain their personal data in a comprehensible and machine-readable format and to request the transmission of their personal data to another controller.
The data controller must ensure that all data subjects are adequately informed of these rights and establish channels for data subjects to exercise them. The data controller must respond to these requests within 30 days and document all requests received from data subjects.
4. Regulatory Agency
Within Saudi Arabia, the Saudi Data & Artificial Intelligence Authority (SDAIA) will be primarily responsible for enforcing the PDPL. In addition to penalising organisations found to have violated the PDPL, the SDAIA is also tasked with advising organisations on internal data transfers and keeping track of data subject rights petitions received by organisations.
Nevertheless, the Saudi Data & Artificial Intelligence Authority (SDAIA) will only oversee the implementation of the new law for the first two years. Consideration will be given to transferring supervision to the National Data Management Office (NDMO) in 2024.
5. Consequences for Non-Compliance:
The PDPL stipulates that the penalty for disclosing or publishing sensitive personal data may be up to two years in prison and/or a fine of up to SAR 3 million ($800,000); therefore, both organisations and individuals can be punished.
For violations of other PDPL provisions, the maximum penalty is a warning letter or a fine of up to SAR 5 million ($1.3 million). In cases of repeated offences, the court may decide to double the sanction.
How an Organisation Can Implement the Regulation
Organisations will be compelled to modify their status in accordance with the PDPL provisions within one year of the law's effective date.
- Catalog their data inventories and classify sensitive personal data and personal data;
- Determine if it is necessary to appoint a representative in Saudi Arabia;
- Registering in Saudi Arabia;
- Disclosing how personal data is processed through formal policies and privacy notices that are transparent.
- Create formal policies and procedures for data acquisition (consent framework, etc.) and processing, and revise privacy policies as necessary;
- Have comprehensive notification mechanisms in place for data breaches;
- Map their processes, identify cross-border data flows from Saudi Arabia to other countries, and comply with the PDPL's stringent cross-border requirements;
- Have a comprehensive framework for data subject requests in place;
- Develop the capability to scan and trace data processing activity and generate ROPA compliance reports;
- Have in place technical and organisational safeguards to secure their processing activities; and
- Conduct impact assessments on personal information protection, vendor assessments, and other risk assessments.
How can Decube help?
Decube is one of the unified platform which is designed to efficiently manage Governance, PrivacyOps, Catalog and Observability. Not only you will be able to classify the data assets but also monitor for any incidents around that. We can help you stay compliant, schedule a demo here.