Saudi Arabia's first-ever comprehensive data protection law, the Personal Data Protection Law (the “PDPL”), aims to protect the privacy of individuals’ personal data and to regulate the collection, processing, disclosure, and retention of personal data by organizations. The PDPL sets out comprehensive requirements covering processing principles, data subjects’ rights, organizations’ obligations when processing the personal data of individuals, and cross-border data transfer mechanisms, and lays out penalties for organizations that fail to comply with the PDPL. Executive regulations (the “Regulations”) will be issued to supplement the procedural provisions of the PDPL.
One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party. The PDPL will go into effect on March 23, 2022.
The Saudi Data & Artificial Intelligence Authority (regulatory authority) will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO) will be considered.
The PDPL defines personal data as “any data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify an individual directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit”.
Sensitive personal data, by contrast, means “any personal data that includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown”. The PDPL provides separate definitions for genetic, health, and credit data.
The PDPL also covers the deceased’s personal data, if it would lead to identifying the deceased or one of his/her family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its application scope.
The PDPL imposes several obligations on controlling authorities (data controllers). Before processing personal data, data controllers (organizations) are required to ensure the accuracy, completeness, and relevancy of the personal data. Controlling authorities are also required to satisfy the data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.).
The following are the key obligations under the PDPL that organizations must fulfil to stay compliant:
Organizations that are subject to PDPL are required to register on an electronic portal that will form a national record of controlling authorities. Organizations will also have to pay annual registration fees that will be decided in due course.
Organizations that operate outside Saudi Arabia and process the personal data of Saudi residents must appoint a representative in Saudi Arabia that the regulatory authority can resort to regarding compliance with the applicable laws. Please note that the ‘appointment of representative’ requirement will be delayed for a period of up to five years from the effective date of the PDPL.
The PDPL requires that organizations must not process personal data without the consent of its owner except for the cases stipulated under the Regulations (yet to be issued). These Regulations will set out the conditions of consent, the cases in which the consent must be in writing, and the terms and conditions related to obtaining the consent of the legal guardian if the data subject is incompetent or incapacitated.
Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
The PDPL provides that the consent is not required in the following scenarios:
Organizations must – in the case of collecting personal data directly from data subjects – use adequate means to inform data subjects of the following elements before starting to collect their data:
The PDPL mandates organizations to conduct an assessment of the consequences of processing personal data for any product or service provided to the public according to the nature of their processing activities. The Regulations will set forth the relevant requirements for such assessments.
The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, in accordance with the provisions and controls specified by the Regulations (yet to be issued).
Under the PDPL, organizations are also required to keep records of their processing activities and for a period determined by the Regulations. The records should include a minimum of the following data:
The PDPL requires that organizations must notify the regulatory authority as soon as they become aware of the occurrence of leakage or damage of personal data or the occurrence of illegal access. The Regulations will specify the circumstances in which the organization must notify the data subjects in the event of a leakage or damage to their personal data or illegal access. If the occurrence of any of the above would cause serious harm to their data or themselves, the organization must immediately notify data subjects.
The breach notification provisions provided under the PDPL are stricter than many international laws with requirements to notify “immediately” rather than within a specified period.
The PDPL provides that organizations are required to appoint a person (or several persons) to be responsible for implementing the provisions of the PDPL.
The PDPL provides that organizations – when choosing the processing party – must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and the Regulations, and must constantly verify that entity’s compliance with its instructions in all matters relating to the protection of personal data.
The PDPL provides that personal data may not be used for marketing purposes without the consent of the recipient or use of opt-out mechanisms.
The PDPL has a stringent approach to data transfer outside of Saudi Arabia. The PDPL provides that except in cases of extreme necessity relating to a threat to the life of the data subject or his/her vital interests or to prevent, examine and treat an infection, organizations may not transfer personal data outside Saudi Arabia or disclose it to a party outside Saudi Arabia unless the transfer is required to comply with an agreement to which Saudi Arabia is party, or to serve Saudi interests, or for other purposes set out in the Regulations, provided that the following conditions are met:
The PDPL also provides that the regulatory authority may excuse an organization, on a case-by-case basis, from compliance with any of the above conditions except (1), if the regulatory authority, itself or in cooperation with other bodies, assesses that the personal data will have an acceptable level of protection outside Saudi Arabia and that such data is not sensitive personal data. The Regulations will provide more details on how organizations can obtain approval from the regulatory authority for cross-border data transfers.
The PDPL provides separate requirements for processing credit and health data. The PDPL requires that organizations process such personal data in a manner that guarantees the confidentiality of data subjects and protects their rights, including the implementation of access controls that restrict access to individuals for whom access is necessary. The Regulations will provide further details regarding this type of processing.
The PDPL provides the following rights to data subjects:
Organizations must respond to requests from data subjects within the time period determined by the Regulations. Data subjects can bring any complaints arising from breaches of the PDPL and the Regulations to the regulatory authority. Given this requirement, organizations must have a robust data subject request framework in place.
The PDPL provides that the penalty for disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million. For violating the data transfer requirements, there may be imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000. For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5,000,000. The court may double the penalty of the fine in case of repetition of offenses.
Organizations will be required to bring themselves into compliance with the provisions of the PDPL within a period not exceeding one year from the date on which it becomes effective.
To do so, organizations must follow these steps:
Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PDPL as well as other privacy and security regulations all over the world. See how it works. Request a demo today.