The Saudi Arabia Personal Data Protection Law (PDPL) was created to protect the privacy of individuals and businesses in the Kingdom of Saudi Arabia (KSA). The law applies to any entity operating in Saudi Arabia and holds data controllers and data processors responsible for protecting the personal data of individuals and businesses.
What is the Saudi Arabia Personal Data Protection Law?
The PDPL is the first-ever comprehensive data protection law in the KSA. The Saudi Arabia Personal Data Protection Law (PDPL) aims to protect individuals’ personal data privacy and regulate organizations’ collection, processing, disclosure, or retention of personal data.
The PDPL provides comprehensive requirements related to processing principles, data subjects’ rights, organizations’ obligations while processing the personal data of individuals, and cross-border data transfers mechanisms and lays out penalties for organizations in case of non-compliance with the PDPL.
Who Must Comply
The regulations encompass all ‘Public’ and ‘Private’ entities, along with their associates, engaged in processing the ‘Personal Data’ of Saudi Arabian residents, including deceased individuals, for the provision of services or goods. Notably, the law extends its reach beyond the borders of the Kingdom of Saudi Arabia to establishments outside the country handling data of Saudi citizens.
Importantly, ‘Article 3’ explicitly clarifies that the PDPL doesn’t supersede any preceding laws that confer rights or enhanced protection to data subjects. Moreover, the law respects existing international treaties or agreements involving Saudi Arabia. It’s crucial to highlight that the PDPL does not apply to individuals collecting data for personal or family use.
PDPL Executive Regulations
KSA PDPL executive regulations cover a wide range of data protection initiatives, including:
- Regulatory Authority: Any government authority or any entity that has independent public personality and has, in accordance with its powers and responsibilities, regulatory or oversight duties and responsibilities over a certain sector or activity in the Kingdom.
- Direct Marketing: Communication, by any means, with a person or a group of persons, aiming to send marketing, advertising, or awareness-raising material to such person or group.
- Practical Need: Actual need for processing personal data, with fairness and integrity and without conflicting with the rights and expectations of the Personal Data Subject.
- Personal Data Breach: Any act in any manner that leads to illegal disclosure of Personal Data, whether it is intentional or not.
- Risks and Impact: The possibility that Personal Data Subjects may suffer damage due to the processing of their Personal Data and the impact of such risk.
- Anonymization: Removing any direct or indirect characteristics from the Personal Data that may make the Personal Data Subject specifically identified.
- Transfer of Personal Data to outside the Kingdom: Sending or sharing Personal Data, by any means, to or with an entity outside the Kingdom, in order to process such Personal Data fully or partially, for specific purposes based on legal justification or Practical Need.
- Implied Consent: Consent that is not given Explicitly by the Data Subject or the authorized person, but given implicitly through the person’s actions and the facts and circumstances of the situation
How Does Saudi Arabia’s PDPL Identify Consent
Saudi Arabia’s data protection law identifies consent as acquired before or during processing, characterized by being “clear and unambiguous.” Explicit consent involves express, specific, and freely given approval by the Data Subject. The PDPL allows obtaining consent through various means, such as written or electronic forms, application settings, verbal consent, or Implied Consent if permitted.
Processing PDPL Data
The PDPL only applies to data controllers and processors who are established in the Kingdom of Saudi Arabia or who process the personal data of individuals in the KSA. However, the law also applies to data controllers and processors operating outside the country if they process the data of individuals in the KSA.
The PDPL sets some critical principles that data controllers and processors must adhere to, including:
- Data controllers and processors must obtain consent from an individual before collecting, using, transferring, or storing personal data.
- Explicit consent is needed to process sensitive data for marketing and advertising purposes.
- Personal data must be collected and used for legitimate purposes only.
- Data controllers and processors must ensure that personal data is accurate, relevant, and up-to-date.
- Personal data must be kept secure and not disclosed to any third party without the individual’s written consent.
- Data controllers and processors must delete any personal data that is no longer needed.
- Data controllers and processors must provide individuals with information about how their data is being used.
- Controllers may not use personal communications (including post and email) to send advertising or informational materials to a Personal Data Subject without their prior consent.
- Controllers must provide clear opt-out mechanisms.
PDPL Consumer Rights
Article 4 of the proposed amendments to the PDPL created actionable data rights for Saudi Arabian citizens (data subjects), including but not limited to the right to access, right to correct, and right to delete. Additionally, the PDPL doesn’t allow the processing data to change without the consumer’s consent. But similar to the GDPR, consumers may also withdraw consent (without exceptions).
- Right to Be Informed: consumers need to be informed of the legal basis and purpose for using personal data.
- Right to Access: Consumers can request their information and have the right to know how the data is collected, stored, processed, and shared.
- Right to Correct: Consumers can request updates and corrections from the controller. However, the controller must also notify all parties that have received the information to correct, complete or update the personal data.
- Right to Destruction: Consumers can request deletion, with exceptions, for example, if the data is necessary for a legal purpose and only retained for a certain period. In addition, controllers may retain Personal Data after the Collection purpose no longer exists if they remove identifying factors from the Personal Data.
- Right to Obtain: Consumers have the right to obtain their personal data in a clear and concise format, including the right to request data transfer.
Record of Processing Activities: Under Saudi Arabia privacy laws organizations must keep record of the personal data processing activities, so that the documented records are available whenever requested by the Authority. The records should contain the purpose of processing, a description of categories of Data Subjects, contact details of the organization, and the expected period for which Personal Data will be retained.
Privacy Risk Assessments
Under the PDPL organizations must conduct a privacy risk assessment for processing of all personal data for any product or service provided to consumers.
The PDPL requires organizations to put in place appropriate safeguards to protect personal data from unauthorized access, disclosure, and use. In addition, the law sets out strict data breach notification requirements that organizations must comply with in the event of a data breach.
The PDPL requires that organizations notify the regulatory authority within three days of the breach. Additionally, organizations must provide a full beach analysis and show steps towards future accountability.
Saudi Arabia PDPL Data Transfers Requirements
Transfers of personal information in and out of Saudi Arabia under the PDPL are as follows:
- Data transfers are permitted to a third party subject to legal or corporate data protection rules similar to the PDPL.
- Certain types of transfer are exempt from the conditions, such as when an individual has consented to the transfer or where the transfer is necessary to fulfill an agreement.
- Data disclosures and transfers are limited to the minimum personal data required.
- Data transfers must preserve the interest, health, safety, or protect the life or health of a specific person;
- Data transfers must not adversely affect the national security or vital interests of the Kingdom of Saudi Arabia.
KSA PDPL Enforcement
According to PDPL Article 20(1), controllers must report data security breaches to the relevant authority. Executive regulations will detail conditions for notifying data subjects. If the breach poses significant harm, Article 20(2) mandates prompt notification to affected individuals. Penalties for sensitive data disclosure can include imprisonment for up to two years and/or a fine up to SAR 3 million.
Violating data transfer rules (Article 29) may lead to imprisonment for one year and/or a fine up to SAR 1 million. Other PDPL violations may result in a warning or fines not exceeding SAR 5 million.
Achieve PDPL Compliance with BigID
Ultimately, the PDPL is designed to help protect the privacy of individuals in the Kingdom of Saudi Arabia, and to ensure that businesses who process personal data are held accountable for how they use it. If you’re collecting, using, transferring, or storing personal data in Saudi Arabia, then it’s important to ensure that you comply with the PDPL.
With BigID, companies can avoid penalties and get ahead of PDPL compliance challenges:
- Discover data: Identify personal data and classify sensitive data.
- Contextualize data: Correlate relationships between data by bringing context to personal data and sensitive data.
- Label and tag data for legal purposes: Ensure data is being processed in agreement with privacy regulations.
- Document record of processing activities: Manage a Record of Processing Activities (RoPA)a to assess data assets, protection, breach status, location, PIA, data sharing and transfers.
- Detect out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
- Automate data rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
- Manage data risk: Discover, classify, and map data to apply controls for breach risk reduction and fulfill privacy impact assessments (PIA).
- Minimize duplicate or sensitive data: Enable data minimization with duplicate identification and apply retention rules based on a legal purpose.
- Report on whose data they have: Enable correction workflows and validate whether sensitive data is being captured.
Any organization processing the personal data of Saudi Arabia residents should ensure they’re in compliance with PDPL and pay close attention to any updates released from regulators over the next few months.