
Overview of Saudi’s Personal Data Protection Law

Introduction

Saudi Arabia's first comprehensive data protection law, the Personal Data Protection Law (the “PDPL”), aims to protect the privacy of individuals’ personal data and to regulate the collection, processing, disclosure, and retention of personal data by organizations. The PDPL sets out comprehensive requirements covering processing principles, data subjects’ rights, organizations’ obligations when processing individuals’ personal data, and cross-border data transfer mechanisms, and it lays out penalties for organizations that fail to comply. Executive regulations (the “Regulations”) will be issued to supplement the procedural provisions of the PDPL.

One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party. The PDPL will go into effect on March 23, 2022.

The Saudi Data & Artificial Intelligence Authority (the regulatory authority) will supervise the implementation of the new legislation for the first two years, after which a transfer of supervision to the National Data Management Office (NDMO) will be considered.

Who Needs to Comply with the PDPL (Application Scope of the PDPL)

  • Territorial Application Scope: The PDPL applies to any processing of personal data relating to individuals that takes place in Saudi Arabia by any means, whether carried out by public or private organizations. It also applies to foreign organizations that process the personal data of individuals residing in Saudi Arabia.
  • Material Application Scope: The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia.

The PDPL defines personal data as “any data – of whatever source or form – that would lead to the identification of the individual specifically, or make it possible to identify an individual directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit”.

Sensitive personal data means “any personal data that includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual or one of them is unknown”. The PDPL provides separate definitions for genetic, health, and credit data.

The PDPL also covers the deceased’s personal data, if it would lead to identifying the deceased or one of his/her family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its application scope.

Obligations for Organizations Under the PDPL

The PDPL imposes several obligations on controlling authorities (data controllers). Before processing personal data, data controllers (organizations) are required to ensure the accuracy, completeness, and relevance of that data. Controlling authorities are also required to comply with the data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.).

The following are the key obligations under the PDPL that organizations must fulfil to stay compliant:

1. Registration Requirements

Organizations that are subject to PDPL are required to register on an electronic portal that will form a national record of controlling authorities. Organizations will also have to pay annual registration fees that will be decided in due course.

Organizations that operate outside Saudi Arabia and process the personal data of Saudi residents must appoint a representative in Saudi Arabia that the regulatory authority can resort to regarding compliance with the applicable laws. Please note that the ‘appointment of representative’ requirement will be delayed for a period of up to five years from the effective date of the PDPL.

2. Consent Requirements

The PDPL requires that organizations must not process personal data without the consent of its owner except for the cases stipulated under the Regulations (yet to be issued). These Regulations will set out the conditions of consent, the cases in which the consent must be in writing, and the terms and conditions related to obtaining the consent of the legal guardian if the data subject is incompetent or incapacitated.

Data subjects may withdraw their consent to the processing of personal data at any time and consent must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).

The PDPL provides that consent is not required in the following scenarios:

  • If the processing would achieve a clear benefit and it is impossible or impractical to contact the data subject;
  • If it is required by law or prior agreement to which the data subject is a party; or
  • If the controller is a public entity and the processing is required for security or judicial purposes.

3. Privacy Policy and Privacy Notice Requirements

The PDPL requires organizations to adopt a personal data privacy policy and make it available to data subjects for review before collecting their data. This policy must state the purpose of collecting the personal data, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of the data subject in relation to it, and how those rights can be exercised.

Organizations must – when collecting personal data directly from data subjects – use adequate means to inform data subjects of the following elements before starting to collect their data:

  1. The valid legal or practical justification for collecting his/her personal data;
  2. The purpose of collecting his/her personal data, and whether collecting all or some of it is mandatory or optional, and informing him/her also that his/her data will not be processed later in a manner inconsistent with the purpose of its collection or in cases other than those stipulated in the PDPL;
  3. The identity of the person collecting the personal data and the address of his/her reference when necessary, unless the collection is for security purposes;
  4. The organization(s) to which the personal data will be disclosed, its/their capacity, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom;
  5. Possible effects and dangers of not completing the personal data collection procedure;
  6. Data subject rights; and
  7. Other elements determined by the Regulations according to the nature of the activity practiced by the organization.

4. Data Protection Impact Assessment Obligation

The PDPL mandates organizations to conduct an assessment of the consequences of processing personal data for any product or service provided to the public according to the nature of their processing activities. The Regulations will set forth the relevant requirements for such assessments.

5. Security Requirements

The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to ensure the preservation of personal data, including when it is transferred, in accordance with the provisions and controls specified by the Regulations (yet to be issued).

6. Record of Processing Activities Requirement

Under the PDPL, organizations are also required to keep records of their processing activities for a period determined by the Regulations. At a minimum, the records must include the following:

  1. Contact details of the organization;
  2. The purpose of processing personal data;
  3. A description of the categories of data subjects;
  4. Any party to which personal data has been (or will be) disclosed;
  5. Whether personal data has been (or will be) transferred outside Saudi Arabia or disclosed to a party outside Saudi Arabia; and
  6. The period of time expected for keeping personal data.

7. Data Breach Notification Requirements

The PDPL requires that organizations must notify the regulatory authority as soon as they become aware of the occurrence of leakage or damage of personal data or the occurrence of illegal access. The Regulations will specify the circumstances in which the organization must notify the data subjects in the event of a leakage or damage to their personal data or illegal access. If the occurrence of any of the above would cause serious harm to their data or themselves, the organization must immediately notify data subjects.

The breach notification provisions provided under the PDPL are stricter than many international laws with requirements to notify “immediately” rather than within a specified period.

8. Data Protection Officer Requirement

The PDPL provides that organizations are required to appoint a person (or several persons) to be responsible for implementing the provisions of the PDPL.

9. Vendors Assessments Obligation

The PDPL provides that organizations – when choosing the processing party – must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and Regulations, and must constantly verify such entity’s compliance with its instructions in all matters relating to the protection of personal data.

10. Marketing Requirements

The PDPL provides that personal data may not be used for marketing purposes without the consent of the recipient or use of opt-out mechanisms.

11. Cross Border Data Transfers Requirements

The PDPL has a stringent approach to data transfer outside of Saudi Arabia. The PDPL provides that except in cases of extreme necessity relating to a threat to the life of the data subject or his/her vital interests or to prevent, examine and treat an infection, organizations may not transfer personal data outside Saudi Arabia or disclose it to a party outside Saudi Arabia unless the transfer is required to comply with an agreement to which Saudi Arabia is party, or to serve Saudi interests, or for other purposes set out in the Regulations, provided that the following conditions are met:

  1. The data transfer must not prejudice national security or Saudi’s vital interests;
  2. The transferring organization must provide adequate guarantees for protecting the personal data that will be transferred or disclosed and maintain its confidentiality so that the data protection standards are not less than the standards stipulated in the PDPL and Regulations;
  3. The transfer must be restricted to the minimum personal data that is necessary for its purpose; and
  4. The regulatory authority must approve the transfer.

The PDPL also provides that the regulatory authority may exempt an organization, on a case-by-case basis, from any of the above conditions except (1), if the regulatory authority, either itself or in cooperation with other bodies, assesses that the personal data will have an acceptable level of protection outside Saudi Arabia and that the data is not sensitive personal data. The Regulations will provide more details on how organizations can obtain approval from the regulatory authority for cross-border data transfers.

12. Separate Requirements for Processing Credit and Health Data

The PDPL provides separate requirements for processing credit and health data. Organizations must process such data in a manner that guarantees the confidentiality of data subjects and protects their rights, including implementing access controls that restrict access to the individuals for whom it is necessary. The Regulations will provide further details on this type of processing.

Data Subject Rights Under the PDPL

The PDPL provides the following rights to data subjects:

Right to Information

Under the PDPL, data subjects have the right to information that includes informing data subjects of the legal or practical justification for collecting their personal data, the purpose of that collection, and that their data should not be processed in a manner inconsistent with the purpose of its collection.

Right to Object

Data subjects have the right to object to the processing of their personal data or to withdraw their consent to it. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that describes it.

Right to Correction

Where data subjects discover their personal information is incorrect or incomplete, they have the right to request an organization to correct or complete their personal data.

Right to Deletion

Data subjects have the right to request the destruction of data no longer needed or collected in an illegal manner.

Right to Limit/Restriction of Processing

Data subjects have the right to limit or refuse the processing of their personal data by the organization in special cases and for a limited period of time. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that describes it.

Right to Access

Data subjects have the right to access their personal data from the organization and obtain a copy of it in a clear and readable format, in conformity with the content of the records, at no cost.

The PDPL provides that organizations may set periods for exercising the right of access, in line with what the regulatory authority deems a reasonable period, and further sets out circumstances in which the organization may restrict this right.

Organizations must respond to data subject requests within the time period determined by the Regulations. Data subjects may lodge complaints arising from breaches of the PDPL and the Regulations with the regulatory authority. To meet these requirements, organizations must have a robust data subject request framework in place.

Non-Compliance Penalties Under the PDPL

The PDPL provides that the penalty for disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million. Violating the data transfer requirements may result in imprisonment for up to one year and/or a fine not exceeding SAR 1 million. For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million. The court may double the fine for repeat offenses.

How an Organization Can Operationalize PDPL Compliance

Organizations will be required to bring themselves into compliance with the provisions of the PDPL within one year from the date it becomes effective.

Organizations should take the following steps:

  • Catalog their data inventories and classify sensitive personal data and personal data;
  • Assess whether they need to appoint the representative in Saudi Arabia;
  • Register themselves within Saudi Arabia;
  • Disclose how personal data is being processed through transparent formal policies and privacy notices;
  • Develop formal policies and procedures for data collection (consent framework etc.) and processing, and update privacy policies as needed;
  • Have robust data breach notification mechanisms in place;
  • Map their processes, discover cross-border data flows from Saudi Arabia to other countries, and fulfil the strict cross-border requirements under the PDPL;
  • Have a comprehensive data subject requests framework in place;
  • Develop the capability to scan and track data processing activity and produce records of processing activities (ROPA) reports for compliance;
  • Have technical and organizational security measures in place to protect their processing activities; and
  • Conduct personal information protection impact assessments, vendors assessments, and other risk assessments.

How Securiti Can Help

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.

Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PDPL as well as other privacy and security regulations all over the world. See how it works. Request a demo today.
