The Kingdom of Saudi Arabia has enforced its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals' personal data privacy and regulate organizations' collection, processing, disclosure, or retention of personal data. The Saudi Data & Artificial Intelligence Authority (SDAIA) is the primary regulatory body that will enforce PDPL in KSA for the first two years, following which a transfer to the National Data Management Office will be considered.
The PDPL provides comprehensive requirements related to processing principles, data subjects' rights, organizations' obligations while processing the personal data of individuals, and cross-border data transfer mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.
The PDPL was originally set to be enforced on March 23, 2022. However, SDAIA submitted proposed amendments to the PDPL for public consultation from 20th November 2022 till 20th December 2022. On March 21st, 2023, the Saudi Council of Ministers passed amendments to the PDPL.
On 7th September 2023, SDAIA published the Implementing Regulations to the PDPL and the Personal Data Transfers Regulations. The Implementing Regulations and the Regulations on Personal Data Transfers provide details on the general obligations and principles highlighted in the PDPL. The regulations and the PDPL then came into force on 14 September 2023. However, organizations that process personal data have been provided with a one-year grace period to modify their practices and comply with the new legislative requirements. The grace period will effectively end on 14 September 2024.
Additionally, the SDAIA issued several supplementing regulations in August 2024 including:
So, who needs to comply with this law? What rights do data subjects have? Who enforces this new law? To learn the answers to these questions, and more that will help your compliance efforts, read on below:
1. Who Needs to Comply with PDPL
Here’s how the new law applies to organizations based on their jurisdiction as well as the kind of data involved:
a. Material Scope
The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia. The PDPL also covers the deceased’s personal data if it would lead to identifying the deceased or one of his/her family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its application scope.
b. Territorial Scope
The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organization processes personal data related to individuals residing in Saudi Arabia, then the PDPL will also apply.
2. Obligations for Organizations Under PDPL
The PDPL provides several obligations for the controlling authorities (data controllers). The Implementing Regulations and the Personal Data Transfer Regulations have expanded upon these. Before processing personal data, the data controllers (organizations) are required to ensure the personal data's accuracy, completeness, and relevancy. The controlling authorities must also fulfill data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.). The PDPL provides a 12-month grace period to allow organizations to become compliant after the effective date, i.e., 14 September 2023.
Following are the critical obligations under the PDPL that organizations must fulfill to stay compliant:
a. Consent Requirements
The PDPL requires that organizations not process personal data without the consent of its owner except for the cases stipulated under the Implementing Regulations. Organizations must obtain consent that is given freely, and independent consent must be obtained for each purpose of processing.
Data subjects may withdraw their consent to the processing of personal data at any time, and consent must not be a prerequisite for the data controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
The PDPL provides that consent is not required in the following scenarios:
- If the processing would achieve a clear benefit and it is impossible or impractical to contact the data subject;
- If it is required by law or prior agreement to which the data subject is a party;
- If the controller is a public entity and the processing is required for security or judicial purposes;
- If the controller is collecting data for scientific, research, or statistical purposes while having taken the necessary steps stipulated within the law;
- Processing is necessary for the legitimate interests of the controller or other party, provided that the rights of data subjects are not prejudiced. However, this does not apply in the case of sensitive personal data.
b. Privacy Policy Requirements
The PDPL requires that organizations adopt a personal data privacy policy and make it available to data subjects to review before collecting their data. This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of its owner in relation to it, and how these rights will be exercised.
Organizations must – in the case of collecting personal data directly from data subjects – use adequate means to inform data subjects of the following elements before starting to collect their data:
- The valid legal or practical justification for collecting their personal data;
- The purpose of collecting their personal data, and whether collecting all or some of it is mandatory or optional, and informing them also that their data will not be processed later in a manner inconsistent with the purpose of its collection or in cases other than those stipulated in the PDPL;
- The identity of the person collecting the personal data and the address of their reference when necessary, unless the collection is for security purposes;
- The organization(s) to which the personal data will be disclosed, its/their capacity, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom;
- Possible effects and dangers of not completing the personal data collection procedure;
- Data subject rights; and
- Any other elements the regulations specify according to the nature of the activity practiced by the organization.
c. Security Requirements
The PDPL requires organizations to take the necessary organizational, administrative, and technical measures and means to preserve personal data, including when it is transferred, per the provisions and controls specified by the Implementing Regulations and Personal Data Transfer Regulations.
d. Data Breach Requirements
The PDPL and accompanying Regulations require that organizations notify the regulatory authority no later than 72 hours after first becoming aware of a data breach. Furthermore, the data controller must provide the regulatory authority with a detailed analysis of the breach and what steps are being taken to ensure such an incident is not repeated.
Additionally, if the data breach puts the data subjects' personal data at significant risk, the data controller must inform them promptly. The controller must also communicate the contact details of the relevant DPO the data subjects can contact to know more about the compromised data.
e. Data Protection Officer Requirement
To guarantee adherence to the Personal Data Protection Law, the SDAIA has established The Rules for Appointing Personal Data Protection Officer (DPO). Organizations that engage in processing activities including regular and systematic surveillance of individuals, handling sensitive personal data, or processing personal data on a large scale as part of their core operations, are required to appoint a DPO.
- To determine if processing is occurring on a large scale, variables including the number of people impacted, the volume and type of data, the geographic scope, and the categories of data subjects involved, are taken into account.
- Regular and systematic monitoring includes activities like tracking via cookies, collecting health data through wearables, and using behavioral analytics technologies for risk assessments.
The DPO's primary duties include developing internal policies for data protection, assessing data breach response plans, training personnel, advising on data protection policies, and ensuring compliance with the PDPL. Appointing a DPO is necessary when personal data is central to delivering services, not for internal tasks like HR managing employee data. This ensures compliance with data protection laws and safeguards individual privacy.
The Rules for Appointing a DPO provide the following guidance:
- The designated DPO must be academically qualified, have expertise in protecting personal data, and understand risk management procedures, including dealing with data breaches.
- A DPO can be an executive, external contractor or an internal employee.
- DPO appointment and contact information must be recorded, made available to the public, and submitted via the National Data Governance Platform to the SDAIA.
- In order to enable the DPO to carry out their duties without interference, controllers should give them the tools, independence, and training they need.
- The DPO's position within the organization should be connected to the Data Management Office or a related division.
When organizations engage a data processor, they are required to evaluate whether the processor needs to appoint a DPO under the SDAIA rules. If the processor must appoint a DPO, the controller must verify with the processor whether a DPO has been assigned and, if not, make the necessary request.
f. Data Protection Impact Assessment
The PDPL mandates organizations to conduct an assessment of the consequences of processing personal data for any product or service provided to the public according to the nature of their processing activities. The Implementing Regulations go further by providing the minimum informational requirements for DPIAs.
g. Record of Processing Activities
Under the PDPL, organizations must keep records of their processing activities during the processing period and for an additional five years from the respective dates when the processing activities are completed. The records should include a minimum of the following data:
- Contact details of the organization;
- The purpose of processing personal data;
- A description of the categories of data subjects;
- Any party to which personal data has been (or will be) disclosed;
- Whether personal data has been (or will be) transferred outside Saudi Arabia or disclosed to a party outside Saudi Arabia; and
- The period of time that it is expected the personal data will be kept.
h. Vendor Assessment/Third-Party Processing Requirements
The PDPL provides that organizations – when choosing the processing party – must choose an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must constantly verify such entity's compliance with its instructions in all matters relating to the protection of personal data.
i. Cross Border Data Transfer Requirements
The PDPL allows transfers outside of KSA but requires the recipient country to have regulations that ensure appropriate protection of personal data and to have a supervisory entity that imposes appropriate procedures and measures on controllers to protect personal data. The Personal Data Transfer Regulations state that, subject to exemptions, the SDAIA will evaluate countries, international organizations, and specific sectors to enable the transfer of personal data of KSA residents outside KSA, and has set the evaluation criteria. Article 29 of the PDPL outlines the conditions under which personal data can be transferred or disclosed outside the Kingdom:
- Purposes for Data Transfer or Disclosure: Personal data may be transferred outside the Kingdom to fulfill specific purposes, including:
  - Performing an obligation under an international agreement to which the Kingdom is a party.
  - Serving the interests of the Kingdom.
  - Fulfilling an obligation to which the data subject is a party.
  - Meeting other purposes outlined in the Regulations.
- Conditions for Transfer or Disclosure: The law sets stringent conditions for such transfers to ensure data security and protection:
  - The transfer must not harm national security or the Kingdom's vital interests.
  - An adequate level of data protection must be in place outside the Kingdom, equivalent to the level guaranteed by domestic law. This must be verified by an assessment conducted by the SDAIA, in coordination with relevant authorities.
  - The amount of data transferred should be limited to the minimum necessary to achieve the intended purpose.
- Exceptions to Conditions: In emergencies, such as situations necessary to preserve the life or vital interests of the data subject or for the prevention, examination, or treatment of disease, the conditions outlined above may not apply.
Under Article 2 of the Revised Transfer Regulations, personal data may be transferred or disclosed to entities outside the Kingdom for additional purposes beyond those explicitly mentioned in Article 29 of the Law. These purposes include:
- Facilitating necessary operations for central data processing to enable the controller to efficiently manage its activities.
- Allowing for the provision of a service or benefit directly to the data subject.
- Supporting scientific research and studies, which may require access to personal data.
The SDAIA employs the following factors to assess whether a suitable degree of personal data protection, comparable to that ensured by the Kingdom, is in place:
- The existence of regulations that protect personal data and the rights of data subjects, including compensation for damages from rights violations.
- A regulatory authority must be in place to enforce data protection laws.
- Willingness of the supervisory authority to cooperate with the Kingdom’s competent authority.
- Foreign regulations must not conflict with the Kingdom’s data protection laws or other applicable statutory provisions.
- Compliance with international treaties or agreements that mandate the transfer of personal data.
- Consideration of rules governing further transfers of personal data.
Maintaining a list of these adequate nations or organizations is the responsibility of the SDAIA. The list will be posted on its official website and examined every four years, or more frequently as needed. The SDAIA reserves the right to amend the list if a country or organization no longer meets these standards, and may suspend data transfers to non-compliant entities as needed. The same standards apply to cities, special economic zones, and global trade centers.
In circumstances where the adequate level of protection is absent and the exceptions provided under PDPL do not apply, organizations can transfer personal data abroad by implementing appropriate safeguards. These include:
- Standard Contractual Clauses: Pre-defined legal agreements ensuring data protection in compliance with PDPL.
- Binding Common Rules: Internal rules within a group of multinational entities that align with the PDPL.
- Certificate of Accreditation: Approval from a licensed entity, confirming adherence to data protection standards under PDPL.
Appropriate safeguards must ensure compliance with the PDPL, protect data subjects' rights, including the right to file a complaint with SDAIA and allow them to seek compensation for any violations of the rights prescribed under PDPL.
Transfer of data outside the kingdom shall be subject to appropriate safeguards in the following cases:
- To implement agreements or serve national interests, standard provisions must be included in agreements.
- For transfers that are limited in scope or duration, standard contractual clauses or approval certificates are required, provided the data is not sensitive.
- Transfers necessary for internal operations within a multinational group require binding common rules or standard contractual clauses, or the entities to which data is transferred must hold an approval certificate.
- Transfers to provide direct services or benefits are allowed if they align with the data subject's expectations and involve a certified entity, with non-sensitive data.
- Transfers necessary for research should be minimal and comply with standard clauses or be made to certified entities, with non-sensitive data.
The SDAIA may review the adequacy of the appropriate safeguards specified for each exemption and amend these safeguards every two years or as needed.
The exemptions where data transfer outside the Kingdom is allowed under the appropriate safeguards are not applicable if:
- The controller fails to implement the appropriate safeguards.
- The SDAIA finds the safeguards inadequate for a specific case.
The Data Transfer Regulations mandate that organizations conduct a risk assessment before transferring or disclosing personal data to entities outside the Kingdom in specific situations, such as when appropriate safeguards are relied upon or when transferring sensitive data on a continuous or widespread basis. The risk assessment should include the following:
- Justification for the data transfer, ensuring it aligns with legal requirements under PDPL.
- Details of the transfer's nature, including data processing activities and geographical scope.
- Evaluation of the safeguards implemented to ensure that they meet the data protection standards set by the PDPL.
- Measures to ensure the transfer is limited to the minimum data necessary, unless an exemption applies.
- Assessment of possible material or moral effects on data subjects and the likelihood of these risks occurring.
- Controls and measures to prevent or mitigate risks to personal data subjects.
j. National Register of Controllers
In line with the PDPL, Saudi Arabia has introduced the Rules Governing the National Register of Controllers Within the Kingdom, managed by the SDAIA. This register plays a vital role in ensuring data protection compliance across the Kingdom by monitoring entities that process personal data and verifying their adherence to the PDPL. The guidelines mandate registration for the following:
- Public or private entities for which processing personal data is a core part of their business operations, or which handle sensitive data, are required to register.
- Individuals who process personal data for purposes beyond personal or family use must also register.
To complete the registration on the National Data Governance Platform, every organization or individual must designate a representative. This representative is responsible for managing all registration formalities, including providing the entity's contact details and assessing the DPO appointment requirement as prescribed under the PDPL. Upon registration, entities receive a certificate valid for five years. This certificate is available for public verification and must be renewed to maintain compliance.
The National Data Governance Platform offers several essential services to help entities stay compliant:
- Report any personal data breaches within 72 hours.
- Conduct a privacy impact assessment.
- Receive guidance on understanding and navigating the PDPL’s requirements.
- Conduct compliance assessments to ensure all standards and requirements are being met.
3. Data Subject Rights
Like most other data protection regulations globally, the PDPL ensures that all data subjects are guaranteed certain rights, known as data subject rights. The Implementing Regulations further expand upon these rights. These rights ensure that all users retain control over their data once it has been collected. Different data protection laws offer different kinds of data subject rights. The ones guaranteed by the PDPL include the following:
a. Right to Be Informed
Data subjects have the right to know about the data controller's contact details, the exact reason the data is being collected, the methods being used for data collection, and whether this collected data will be shared or sold.
b. Right to Access
Data subjects have the right to access their personal data.
c. Right to Request Correction
Data subjects have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.
d. Right to Request Destruction
Data subjects have the right to request the destruction of data collected on them. The reasons can range from the user rescinding their consent for data collection to the data no longer serving the purpose for which it was collected.
e. Right to Limit/Restriction of Processing
Data subjects have the right to limit or refuse the processing of their personal information by the organization for special cases and for a limited period of time. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that provide details of this right.
f. Right to Data Portability
The data subjects can obtain their personal data in a legible and clear format and request their personal data to be transferred to another controller.
The data controller must ensure that all data subjects are appropriately informed about these rights and establish dedicated channels for data subjects to exercise these rights. The data controller must fulfill these requests within 30 days and record all data subject requests received. The 30-day requirement is shorter than the three-month requirement laid out by the GDPR; thus, multinational organizations must act accordingly.
4. Regulatory Authority
SDAIA will be the primary body responsible for enforcing the PDPL within Saudi borders. More than just levying penalties on organizations found violating the PDPL, the SDAIA is also expected to advise organizations in internal data transfers and keep track of data subject rights requests received by organizations, among other responsibilities.
However, SDAIA will supervise the implementation of the new legislation for only the first two years. A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2025.
5. Penalties for Non-Compliance
The PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can, therefore, be sanctioned.
For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.
6. How an Organization Can Operationalize PDPL
Organizations will be required to adjust their status per the provisions of the PDPL within a period not exceeding one year from the date that it becomes effective. To do so, organizations should:
- Catalog their data inventories and classify sensitive personal data and personal data;
- Assess whether they need to appoint a representative in Saudi Arabia;
- Assess whether they comply with the evaluation criteria of the SDAIA under the Personal Data Transfer Regulations;
- Register themselves within Saudi Arabia;
- Disclose how personal data is being processed through transparent formal policies and privacy notices;
- Develop formal policies and procedures for data collection (consent framework etc.) and processing, and update privacy policies as needed;
- Have robust data breach notification mechanisms in place;
- Map their processes and discover cross-border data flows from Saudi Arabia to other countries, and fulfill strict cross-border requirements under the PDPL and the Personal Data Transfer Regulations;
- Have a comprehensive data subject requests framework in place;
- Develop the capability to scan and track data processing activity and produce ROPA reports for compliance;
- Have technical and organizational security measures in place to protect their processing activities; and
- Conduct personal information protection impact assessments, vendor assessments, and other risk assessments.
7. How Securiti Can Help
Global privacy regulations encourage organizations to be responsible custodians of their consumers' data and automate privacy and security operations. Organizations need to incorporate robotic automation to keep up with the current digital landscape to operationalize compliance.
While several organizations offer software that helps companies comply with global privacy regulations, these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PDPL and its accompanying regulations and other privacy and security regulations worldwide.
See how it works. Request a demo today.