KSA’s Personal Data Protection Law (PDPL)

Saudi Arabia has published its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) regulates the collection, processing, disclosure, and retention of personal data by organizations.

The PDPL sets out comprehensive requirements covering processing principles, data subjects' rights, controllers' obligations when processing individuals' personal data, and cross-border data transfers, and it provides penalties for noncompliance.

The PDPL states that it does not prejudice any right or better protection guaranteed to the data subject under any other law or international convention to which Saudi Arabia is a party.

A draft version of the Executive Regulations was also released on 10 March 2022 by the Saudi data protection regulatory authority, the Saudi Data & Artificial Intelligence Authority (SDAIA), in collaboration with the National Data Management Office (NDMO).

It was originally intended that the PDPL would be enforced on March 23, 2022. However, SDAIA submitted proposed amendments to the PDPL for public consultation between November 2022 and December 2022. The Saudi Council of Ministers amended the PDPL on March 21, 2023. As per the timeline within the amended version, the PDPL will officially come into force on 14 September 2023, and organizations will have until 13 September 2024 to comply.

To find out who has to comply with this law, what rights data subjects have, and who is responsible for enforcing it, read on.

Who is required to comply with the law?

Based on the type of data and the jurisdiction of the organization, the new law applies as follows:

a. Material scope
Individuals residing in Saudi Arabia are covered by the PDPL for the processing of their personal and sensitive data. Personal data of deceased individuals are also covered by the PDPL if it can be used to identify them or a member of their family. Processing of personal data for domestic purposes is excluded.

b. Territorial scope
The PDPL applies to all public and private organisations that process personal data of Saudi Arabian citizens in any way, including foreign organisations that process such data.

c. Organisations' obligations under the PDPL
Controlling authorities (data controllers) are required to ensure that personal data are accurate, complete, and relevant before processing them. Controllers must also comply with the data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.).

Organisations must comply with the following critical obligations under the PDPL:

Requirements for Consent

In accordance with the PDPL, organisations may not process personal data without the consent of the owner (the data subject), except in the cases outlined in the Draft Regulation.
Consent cannot be made a prerequisite for the data controller offering a service or benefit, unless that service or benefit is specifically related to the processing activity for which consent is obtained. Data subjects may withdraw their consent to the processing of personal data at any time.

According to the PDPL, consent is not required in the following scenarios:

• Contacting the data subject is impossible or impractical and the processing would achieve a clear benefit;
• It is required by law or by an agreement to which the data subject is a party;
• If the controller is a public entity and the processing is necessary for security or judicial purposes;
• When the controller collects data for scientific, research, or statistical purposes in accordance with the law;
• The processing is necessary to protect the legitimate interests of the controller or another party, provided that the rights of data subjects are not prejudiced; this basis does not apply to sensitive personal data.

Requirements for Privacy Notifications/Privacy Policies

In order to comply with the PDPL, organizations must establish a personal data privacy policy that data subjects can review before their data is collected. This policy describes the purpose of collection, the content of the data to be collected, the method by which it will be collected, how the data will be stored, how it will be processed, how it will be destroyed, and how the data subject will exercise their rights.

Before collecting personal data directly from data subjects, organizations must inform them of the following elements:

• The justification for collecting their personal data;
• Whether providing all or some of their personal data is mandatory or optional, and the fact that their data will not later be processed in a manner inconsistent with the stated purpose or otherwise than as specified in the PDPL;
• When necessary, the identity of the person collecting the personal data and the address at which they can be contacted;
• The organisation(s) to whom the personal data will be disclosed, their capacity, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom;
• The effects and risks of not collecting the personal data;
• The rights of data subjects; and
• Other elements determined by the regulations according to the nature of the activity performed by the organization.

Requirements for security

PDPL requires organizations to implement the necessary organizational, administrative, and technical measures to ensure the preservation of personal data, including when it is transferred, in accordance with the provisions and controls specified in the Draft Regulations.

Requirements for data breaches

PDPL requires organizations to notify the regulatory authority within 72 hours of discovering a data breach. Furthermore, the data controller must provide the regulatory authority with a detailed analysis of the breach and what steps are being taken to ensure such an incident does not repeat.

In addition, the data controller must notify the data subjects promptly if the breach poses a significant risk to their personal data. The controller must also provide the contact details of the relevant data protection officer (DPO) so that data subjects can learn more about what data has been compromised.

Requirements for Data Protection Officers

As part of the PDPL, organizations must appoint a person (or persons) to be responsible for implementing its provisions.

Data protection impact assessment

In accordance with the PDPL, organisations are required to assess the consequences of processing personal data for any product or service they provide to the public.

Record of processing activities

The PDPL requires organizations to keep records of their processing activities for a period determined by the Draft Regulation, which should include at least the following information:

• Organization's contact information;
• Purpose of processing personal data;
• Data subject categories;
• Parties to whom personal data has been (or will be) disclosed;
• Whether personal data has been (or will be) transferred outside Saudi Arabia or disclosed to a third party outside Saudi Arabia; and
• The period for which the personal data is expected to be stored.

Requirements for vendor assessment and third-party processing

Under the PDPL, organizations must select a processing party (processor) that is capable of enforcing the provisions of the PDPL and must continuously verify that the processor complies with the controller's instructions in all matters pertaining to the protection of personal data.

Requirements for cross-border data transfer

The PDPL allows transfers outside of Saudi Arabia but requires the recipient country to have regulations that ensure appropriate protection of personal data and a supervisory authority that imposes appropriate procedures and measures on controllers to protect personal data. SDAIA will set evaluation criteria for these purposes, while Article 28 of the PDPL stipulates that any of the following can be used as a basis for a transfer:

• The protection of a specific individual's life or health, or the preservation of the public interest, public health, or public safety;
• Performing an obligation under an international agreement to which the Kingdom of Saudi Arabia is a party;
• The performance of an obligation of the data subject, in accordance with the Draft Regulations.

Previously, cross-border transfer was allowed only in extreme cases and under certain conditions, such as when it was vital to the life of the data subject outside Saudi Arabia, or to their vital interests, or to prevent, examine or treat infection. Further, SDAIA was required to approve transfers on a case-by-case basis.

Rights of data subjects

According to the PDPL, all data subjects are guaranteed certain rights, as is the case with most other data protection regulations worldwide. The rights that apply once an individual's data has been collected are known as data subject rights. Different data protection laws guarantee different types of data subject rights. A few of the ones guaranteed by the PDPL are as follows:

Information / right to know

A data subject has the right to know the contact information of the data controller, the purpose of the data collection, the collection methods, and whether the collected data will be shared or sold.

Right to request correction

Any incomplete, inaccurate, or outdated data collected on a data subject may be corrected.

Right to request destruction

There is a right for data subjects to request that their data be destroyed. Reasons can vary from the user rescinding their consent to the data no longer serving the intended purpose.

Right to limitation/restriction of processing

In special cases and for a limited period of time, data subjects have the right to limit or refuse the organization's processing of their personal data. While this right is not explicitly stated in the PDPL, the regulatory authority has released a set of FAQs explaining it.

Right to data portability

A data subject can request their personal data to be transferred to another controller in a legible and clear format.

All data subjects must be appropriately informed about these rights, and the data controller must establish dedicated channels through which data subjects can exercise them. The data controller must fulfil all data subject requests within 30 days, and all requests must be recorded.

The regulatory authority

The Saudi Data & Artificial Intelligence Authority (SDAIA) will be responsible for enforcing the PDPL within Saudi borders. As well as imposing penalties on organizations in violation of the PDPL, the SDAIA is also expected to advise organizations on internal data transfers and keep track of requests for data subject rights.

The Saudi Data & Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation for only the first two years. In 2024, the National Data Management Office (NDMO) will take over the supervision.

Non-compliance penalties

Under the PDPL, organisations or individuals can be sanctioned for disclosing or publishing sensitive personal data. Penalties include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000).

Other violations of the PDPL are punishable by a warning notice or by a fine not exceeding SAR 5 million ($1.3 million). If the offender repeats the offense, the court may double the fine.

How an organization can operationalize the law

• The PDPL will require organisations to adjust their status within one year of its effective date.
• Classify sensitive personal data and personal data inventories;
• Determine whether a Saudi Arabian representative needs to be appointed;
• Saudi Arabian citizens must register themselves;
• Transparent formal policies and privacy notices should be provided regarding how personal data is being processed;
• Establish formal policies and procedures for data collection (consent framework, etc.) and processing, and update privacy policies as needed;
• Implement robust notification mechanisms for data breaches;
• Meet strict cross-border requirements under the PDPL by mapping their processes and discovering cross-border data flows;
• Implement a comprehensive framework for data subject requests;
• Produce records of processing activities (ROPA) reports for compliance by scanning and tracking data processing activity;
• Protect their processing activities with technical and organizational security measures;
• Assess personal information protection impact, vendor risk, and other risks.

Reach out to ISSS UK:

Write to us at subramaniam@isss.org.uk for your compliance requirements and for CDPO training.