Personal Data Protection Law (PDPL) in Saudi Arabia (Royal Decree M/19 dated 16 September 2021)
Introduction to the PDPL
For the first time, the Personal Data Protection Law (PDPL) shall be implemented in Saudi Arabia, following the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA).
The Kingdom of Saudi Arabia has issued the “Personal Data Protection Law” or PDPL, which regulates the collection, storage, sharing, and processing of personal data for individuals residing in the Kingdom of Saudi Arabia.
The Personal Data Protection Law aims to protect the privacy of individuals, regulate data exchange, and ensure the privacy of personal data by regulating the collection, processing, disclosure, and retention of personal data. Companies shall not be able to process personal data unless they have a legal basis to do so. Obtaining the consent of the personal data owners is the primary requirement that companies will need to meet in order to process personal data.
“Implementation of the new Personal Data Protection Law (PDPL)”
The ‘Personal Data Protection Law’ was issued on September 16, 2021, following the approval of the Council of Ministers in the Kingdom of Saudi Arabia, and it was published on September 24, 2022. The law contains several conditions for processing personal data, along with a series of rights granted to ‘data subjects’. The law includes a detailed framework regarding data processing standards and the responsibilities of relevant entities when processing personal data. Additionally, it outlines penalties for companies or public entities operating within the Kingdom of Saudi Arabia in case of non-compliance.
The law states that it shall be effective 720 days after its publication in the Official Gazette (Article 43 of the law), which means on September 14, 2023. The law has given data controllers one year to comply with its provisions.
The Saudi Data and Artificial Intelligence Authority (SDAIA) oversees the implementation of the Personal Data Protection Law during the initial two years. Subsequently, the ‘National Data Management Office’ shall supervise its implementation.
Key Compliance Measures in the Personal Data Protection Law in Saudi Arabia:
• It is mandatory to define and document the privacy policies and procedures of the data controller (the entity collecting data and determining the purpose of processing personal data), have them endorsed by the chief responsible officer within the entity, and disseminate them to all relevant parties for implementation.
• Notices must be prepared for the data controller’s privacy policies and procedures, specifying explicitly, clearly, and unequivocally the purposes for which personal data is collected and processed. (Personal data is any information that identifies an individual specifically, or makes it possible to identify him directly or indirectly, including name, personal identification number, addresses, contact numbers, license numbers, registers, personal property, bank account and credit card numbers, still or moving images of the individual, and other similar data.)
• All possible options for the data subject shall be specified, and explicit or implicit consent shall be obtained regarding the collection, use, or disclosure of their data to any other party.
• The collection of personal data shall be limited to the minimum necessary to achieve the specific purposes outlined in the privacy notice.
• Processing of personal data shall be restricted to the specified purposes in the privacy notice for which the data subject provided explicit or implicit consent, and it shall be retained only as long as necessary for the specified purposes or as required by the Kingdom’s regulations, policies, or systems, ensuring its secure disposal to prevent leakage, loss, misappropriation, misuse, or unauthorized access.
• Means for data subjects to access, review, update, and correct their personal data shall be specified and provided.
• Disclosure of personal data to external parties (i.e., transferring personal data from one place to another for processing) shall be limited to the purposes specified in the privacy notice, for which the data subject provided explicit or implicit consent.
• Personal data shall be protected against leakage (that is, disclosure of any personal data by any readable, audible, or visible means), tampering, loss, misappropriation, misuse, alteration, or unauthorized access.
• Personal data shall be kept accurate, complete, and directly relevant to the specified purposes outlined in the privacy notice.
• Compliance with privacy policies and procedures shall be monitored by a data controller, and any inquiries, complaints, or disputes related to privacy shall be addressed.
The Rights of Individuals:
1. Data subjects have the right to be informed about the purpose of processing their personal data, the necessity of such processing, the content of the data to be processed, the method of collection, storage means, and disclosure recipients.
2. Data subjects have the right to access their personal data held by the entity and obtain a clear, readable, and consistent copy of it, without charge.
3. Data subjects have the right to request the correction of any of their personal data that they deem inaccurate, incomplete, or incorrect.
4. Data subjects have the right to request the destruction of their personal data that is no longer needed or was collected in an irregular manner.
5. Data subjects have the right to request the restriction of processing their personal data for specific cases and for a limited period.
6. Data subjects have the right to object to the processing of their personal data or revoke their consent for the processing.
Key Obligations for Business Owners under the Personal Data Protection System in Saudi Arabia:
• Displaying a privacy notice to visitors to inform them that cookies are used to collect their data, and obtaining their consent (implicit or explicit) for processing it.
• Appointing an individual responsible for data privacy protection.
• Implementing information security measures.
• Responding to data subjects’ requests regarding their personal data.
• Directly notifying any breaches of personal data.
• Protecting personal data when transferring it abroad.
• Managing contracts with processors and sub-processors (a processor being the company or entity processing personal data on behalf of and for the benefit of the controller).
Penalties in the event of non-compliance with the law
Failure to comply with the Personal Data Protection Law, or any breach of its provisions, can have serious consequences for many parties. According to the regulations and pursuant to Decision No. 35:
• “A penalty of imprisonment for up to two years or a maximum fine of 3 million Saudi Riyals shall be imposed on anyone who discloses sensitive data or publishes it in violation of the provisions of the law with the intent to harm the data owner or to achieve personal benefit.”
• In matters not explicitly addressed in Article 35 of the law, without prejudice to any stricter penalty stipulated in another regulation, a warning or a fine not exceeding 5 million Riyals shall be imposed on any entity that violates the provisions of the law or regulations. The fine shall be doubled in case of repeated violations.
• Anyone who contravenes the provisions of Article 29 of the law, which stipulates that “the transfer of personal data outside the Kingdom or disclosure to entities outside the Kingdom is not permissible except in compliance with an agreement where the Kingdom is a party, or to serve the interests of the Kingdom, or for other purposes as determined by the regulations,” shall be punished by imprisonment for a period not exceeding one year or a fine not exceeding 1 million Riyals, or both.
Conditions and Controls for the Transfer of Personal Data Outside the Kingdom of Saudi Arabia:
1. The transfer or disclosure shall not compromise national security or vital interests of the Kingdom.
2. Providing sufficient guarantees to preserve the personal data to be transferred or disclosed and its confidentiality, ensuring that the standards for data protection are not less than those specified in the law and regulations.
3. Limiting the transfer or disclosure to the minimum necessary personal data required.
4. Obtaining approval from the competent authority (as determined by a decision of the Council of Ministers) for the transfer or disclosure according to what the regulations specify.
5. Except for the condition stated in paragraph (1) of this article, the competent authority may, on a case-by-case basis, exempt the controller from complying with any of the aforementioned conditions, if it is determined, solely or in conjunction with other authorities, that the personal data will have an acceptable level of protection outside the Kingdom and if such data are not sensitive.
Can the data processor send marketing or awareness materials?
No. The data processor is not permitted to use personal means of communication, such as sending informative emails or marketing text messages, to reach the data subject except under the following conditions:
• Obtaining consent from the targeted recipient to send these materials.
• Providing a clear mechanism by the sender that enables the targeted recipient to express their desire to opt-out from receiving such materials.
Exceptions to this include awareness materials sent by public entities.