The Kingdom of Saudi Arabia (“Saudi Arabia” or the “Kingdom”) has enacted the Personal Data Protection Law (“PDPL”), the country’s first comprehensive data protection law. The PDPL was scheduled to become effective on March 23, 2022, but full implementation was recently delayed until March 17, 2023, a welcome development for those subject to the law, since preparing for it will take time and effort. Entities subject to the law (“controllers,” in the law’s parlance) will have one year from the date it comes into effect to comply.
The law is generally similar to the European General Data Protection Regulation (“GDPR”), with some notable exceptions – specifically, the rules around data transfers and data localization, legal bases for processing, and penalties for noncompliance.
Below, we describe some of the key elements of the law as currently written that companies should be aware of as they prepare for the law’s implementation.
In its current form, the PDPL has a broad scope. It applies to any processing of personal data, by any means, by companies or public entities, where the processing
- takes place in Saudi Arabia; or
- concerns the personal data of residents of the Kingdom and is carried out by entities located outside the Kingdom.
“Personal data” is defined in the PDPL as any information through which an individual may be directly or indirectly identified, including name, social security number, contact numbers, addresses, bank account and credit card details, and pictures.
“Sensitive personal data” is defined as any personal data that includes a reference to an individual’s ethnic or tribal origin, religious, intellectual, or political belief, membership in civil associations or institutions, as well as criminal and security data, genetic data, credit data, health data, location data, and data that indicates that one or both parents of an individual are unknown.
Key Principles and Obligations
Entities subject to the PDPL are required to register on an electronic portal that will form a national register of controllers. Organizations that operate outside the Kingdom and process the personal data of Saudi residents will be required to appoint a representative in Saudi Arabia whom the regulatory authority can contact regarding compliance with applicable laws.
The PDPL prohibits entities from processing personal data without the consent of the data subject, except in circumstances to be stipulated in yet-to-be-issued regulations. The law itself identifies only a few circumstances in which consent is not required, including where the processing would achieve a clear benefit for the data subject and it is impossible or impractical to contact the data subject.
Controllers are required to choose service providers (“processors”) that provide guarantees that they will implement the provisions of the PDPL, and controllers must verify their processors’ compliance with the controller’s instructions.
The methods and means of collecting personal data must be appropriate to the circumstances of the data subject, and the personal data collected must be appropriate and limited to the minimum necessary to achieve the purpose of its collection.
Controllers may not process personal data without taking sufficient steps to verify the data’s accuracy, completeness, timeliness, and relevance to the purpose for which it was collected.
Data Protection Impact Assessment
Controllers must evaluate the consequences of processing personal data for any product or service provided to the public, taking into account the nature of the processing activity.
Data Transfers and Localization
Except in cases of extreme necessity relating to a threat to the life or vital interests of the data subject, or to prevent, examine, or treat an infection, a controller may not transfer personal data outside the Kingdom or disclose it to a party outside the Kingdom unless the transfer is required (i) to comply with an agreement to which the Kingdom is a party, (ii) to serve the interests of the Kingdom, or (iii) for other purposes to be set out in the regulations.
Even if a transfer falls under one of these criteria, it remains subject to additional conditions, including approval by the regulatory authority.
Data Subject Rights
The PDPL provides for the following data subject rights:
- the right to be informed;
- the right to access personal data;
- the right to correct, complete, and/or update personal data;
- the right to request erasure of personal data;
- the right to not have personal data processed, or the purpose of processing of the personal data changed, without consent;
- the right to withdraw consent at any time; and
- the right to make any complaints arising from breaches of the PDPL and executive regulations to the competent authority.
Security and Incident Response Measures
Controllers are required to take the necessary organizational, administrative, and technical measures to protect personal data, including while it is being transferred. Controllers must also notify the regulatory authority as soon as they become aware of any leakage of, damage to, or unlawful access to personal data.
The penalty for the disclosure or publication of sensitive data may include imprisonment for up to two years and/or a fine not exceeding SAR 3,000,000 (approximately US $800,000). Violations of the data transfer requirements may be punished with imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000 (approximately US $266,600). All other violations of the PDPL may be punished with a warning or a fine not exceeding SAR 5,000,000 (approximately US $1,333,000), which may be doubled in the event of a repeat violation.
Entities potentially subject to the PDPL should watch for the executive regulations, which will provide additional guidance on the PDPL’s practical application.
Companies operating in the Kingdom, or processing the data of individuals in the Kingdom, should also begin reviewing their processing activities, and should consult legal counsel as they consider the changes that will be required to comply with the PDPL.