The Saudi Arabia Personal Data Protection Law (PDPL) was created to protect the privacy of individuals and businesses in the Kingdom of Saudi Arabia (KSA). The law applies to any entity operating in Saudi Arabia and holds data controllers and data processors responsible for protecting the personal data of individuals and businesses.
What Is Saudi Arabia’s PDPL?
The PDPL is the first-ever comprehensive data protection law in the KSA. It aims to protect individuals’ personal data privacy and to regulate how organizations collect, process, disclose, or retain personal data.
The PDPL provides comprehensive requirements related to processing principles, data subjects’ rights, organizations’ obligations while processing the personal data of individuals, and cross-border data transfers mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.
Since its passing in 2016, the General Data Protection Regulation (GDPR) has influenced much of the subsequent legislation on data privacy, protection, and governance. When comparing the PDPL and the GDPR, the core of both laws is similar; however, several key differences between the two should be noted.
The KSA data protection law does not provide as much information about how data subjects can enforce their rights. Additionally, the PDPL imposes stricter restrictions on organizations that want to transfer personal data out of Saudi Arabia. Other differences include the registration obligations for data controllers and the PDPL’s greater emphasis on consent as a precondition for lawful data processing.
More clarity on the requirements of the PDPL is expected to be added through the release of the Executive Regulations. The draft of these regulations was made available for public review on March 10, 2022, and the final version is expected to be published prior to the law’s effective date in 2023.
PDPL Executive Regulations
The KSA PDPL executive regulations define a wide range of data protection terms, including:
- Regulatory Authority: Any government authority or any entity that has independent public personality and has, in accordance with its powers and responsibilities, regulatory or oversight duties and responsibilities over a certain sector or activity in the Kingdom.
- Direct Marketing: Communication, by any means, with a person or a group of persons, aiming to send marketing, advertising, or awareness-raising material to such person or group.
- Practical Need: Actual need for processing personal data, with fairness and integrity and without conflicting with the rights and expectations of the Personal Data Subject.
- Personal Data Breach: Any act in any manner that leads to illegal disclosure of Personal Data, whether it is intentional or not.
- Risks and Impact: The possibility that Personal Data Subjects may suffer damage due to the processing of their Personal Data and the impact of such risk.
- Anonymization: Removing any direct or indirect characteristics from the Personal Data that may make the Personal Data Subject specifically identified.
- Transfer of Personal Data to outside the Kingdom: Sending or sharing Personal Data, by any means, to or with an entity outside the Kingdom, in order to process such Personal Data fully or partially, for specific purposes based on legal justification or Practical Need.
- Implied Consent: Consent that is not given explicitly by the Data Subject or the authorized person, but given implicitly through the person’s actions and the facts and circumstances of the situation.
Processing PDPL Data
The PDPL applies to data controllers and processors that are established in the Kingdom of Saudi Arabia or that process the personal data of individuals in the KSA. In other words, controllers and processors operating outside the country are also covered if they process the data of individuals in the KSA.
The PDPL sets some critical principles that data controllers and processors must adhere to, including:
- Data controllers and processors must obtain consent from an individual before collecting, using, transferring, or storing personal data.
- Explicit consent is needed to process sensitive data for marketing and advertising purposes.
- Personal data must be collected and used for legitimate purposes only.
- Data controllers and processors must ensure that personal data is accurate, relevant, and up-to-date.
- Personal data must be kept secure and not disclosed to any third party without the individual’s written consent.
- Data controllers and processors must delete any personal data that is no longer needed.
- Data controllers and processors must provide individuals with information about how their data is being used.
- Controllers may not use personal communications (including post and email) to send advertising or informational materials to a Personal Data Subject without their prior consent.
- Controllers must provide clear opt-out mechanisms.
KSA Data Subject Rights
Article 4 of the proposed amendments to the PDPL created actionable data rights for Saudi Arabian citizens (data subjects), including but not limited to the right to access, the right to correct, and the right to delete. Additionally, the PDPL does not allow the processing of data to change without the consumer’s consent. Similar to the GDPR, consumers may also withdraw consent (without exceptions).
- Right to Be Informed: Consumers need to be informed of the legal basis and purpose for using personal data.
- Right to Access: Consumers can request their information and have the right to know how the data is collected, stored, processed, and shared.
- Right to Correct: Consumers can request updates and corrections from the controller. However, the controller must also notify all parties that have received the information to correct, complete or update the personal data.
- Right to Destruction: Consumers can request deletion, with exceptions, for example, if the data is necessary for a legal purpose and only retained for a certain period. In addition, controllers may retain Personal Data after the Collection purpose no longer exists if they remove identifying factors from the Personal Data.
- Right to Obtain: Consumers have the right to obtain their personal data in a clear and concise format, including the right to request data transfer.
Record of Processing Activities
Under the PDPL, organizations must keep records of their personal data processing activities, so that the documented records are available whenever requested by the Authority. The records should contain the following information at a minimum:
- The purpose of the processing
- A description of the categories of Data Subjects
- The contact details of the organization
- Any other entity to which Personal Data has been or will be disclosed
- Whether the Personal Data has been or will be transferred or disclosed outside of the KSA
- The expected period for which Personal Data shall be retained
Privacy Risk Assessments
Under the PDPL, organizations must conduct a privacy risk assessment for the processing of all personal data for any product or service provided to consumers.
The PDPL requires organizations to put in place appropriate safeguards to protect personal data from unauthorized access, disclosure, and use. In addition, the law sets out strict data breach notification requirements that organizations must comply with in the event of a data breach.
The PDPL requires that organizations notify the regulatory authority within three days of the breach. Additionally, organizations must provide a full breach analysis and show the steps taken towards future accountability.
If an organization becomes aware of a breach that is capable of causing harm to an individual, that person must be notified in accordance with PDPL notification requirements.
Data Transfer & Sharing
Transfers of personal information in and out of Saudi Arabia under the PDPL are subject to the following conditions:
- Data transfers are permitted to a third party that is subject to legal or corporate data protection rules similar to the PDPL.
- Certain types of transfer are exempt from the conditions, such as when an individual has consented to the transfer or where the transfer is necessary to fulfill an agreement.
- Data disclosures and transfers are limited to the minimum personal data required.
- Data transfers must preserve the interest, health, or safety of a specific person, or protect that person’s life or health.
- Data transfers must not adversely affect the national security or vital interests of the Kingdom of Saudi Arabia.
KSA PDPL Enforcement
According to Article 20(1) of the PDPL, controllers are obliged to notify the relevant authority if they become aware of a data security breach. The executive regulations will specify the conditions under which controllers must inform data subjects of a breach of their personal data.
However, if the breach is likely to cause significant harm to the individual or their personal data, the controller must promptly notify them of the breach, as outlined in Article 20(2) of the PDPL. KSA PDPL executive regulations enforce penalties for disclosure or publication of sensitive personal data that can include imprisonment for up to two years and/or a fine not exceeding SAR 3 million.
Violations of the data transfer provision in Article 29 of the PDPL may result in imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000. For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5,000,000.
Achieve PDPL Compliance with BigID
Ultimately, the PDPL is designed to help protect the privacy of individuals in the Kingdom of Saudi Arabia, and to ensure that businesses who process personal data are held accountable for how they use it. If you’re collecting, using, transferring, or storing personal data in Saudi Arabia, then it’s important to ensure that you comply with the PDPL.
With BigID, companies can avoid penalties and get ahead of PDPL compliance challenges:
- Discover data: Identify personal data and classify sensitive data.
- Contextualize data: Correlate relationships between data by bringing context to personal data and sensitive data.
- Label and tag data for legal purposes: Ensure data is being processed in agreement with privacy regulations.
- Document record of processing activities: Manage a Record of Processing Activities (RoPA) to assess data assets, protection, breach status, location, PIA, data sharing, and transfers.
- Detect out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
- Automate data rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
- Manage data risk: Discover, classify, and map data to apply controls for breach risk reduction and fulfill privacy impact assessments (PIA).
- Minimize duplicate or sensitive data: Enable data minimization with duplicate identification and apply retention rules based on a legal purpose.
- Report on whose data they have: Enable correction workflows and validate whether sensitive data is being captured.
Any organization processing the personal data of Saudi Arabia residents should ensure it is in compliance with the PDPL and pay close attention to any updates released by regulators over the next few months.
See how BigID can help you ensure your organization’s compliance with PDPL.