Competent authority
SDAIA was established in 2019, followed by the National Data Management Office (NDMO) in 2020. The 2021 PDPL (Royal Decree No. M19/1443) initially designated SDAIA as the competent authority for two years, with the possibility of transferring oversight to NDMO based on the PDPL’s enforcement outcomes and the data sector’s maturity.
Currently, NDMO monitors compliance with data management regulations, standards, and personal data protection policies. As NDMO is a sub-entity of, and organizationally linked to, SDAIA, NDMO submits reports and regulatory proposals to SDAIA, which issues PDPL-related rules and guidelines. In addition, SDAIA launched the NDGP to provide PDPL-related services, such as compliance assessment.
Data controllers and processors
The PDPL primarily regulates data controllers and processors, which can be public entities, individuals, or private legal persons. Data controllers determine the purposes and methods of processing personal data, while processors handle the data on behalf of the controllers. Controllers have greater obligations, as they are liable for data processing and shall supervise processors. This article focuses on the compliance obligations of Chinese enterprises as data controllers.
To distinguish between data controllers and processors, consider the example of the Saudi food delivery platform Hunger Station. Hunger Station uses Amazon Web Services (AWS) to store and process user data for managing orders and improving search functionality. It collects users’ names, addresses, and contact information to deliver the products ordered and to enhance its services based on feedback. Hunger Station acts as the data controller: it determines the purpose of processing (providing services to users) and the means of processing (for example, using user addresses and contact information for order management). In contrast, AWS serves as the data processor, handling personal data only according to Hunger Station’s instructions.
Extraterritorial Effect of the PDPL
The PDPL applies to processing activities carried out within Saudi Arabia and to processing of Saudi residents’ personal data that takes place outside the country. Foreign enterprises collecting personal data shall therefore identify the source of the data. If the data subject is a Saudi resident, the PDPL applies regardless of the volume of data involved.
The 2021 PDPL (M19/1443) required foreign data controllers to appoint a local representative, while the revised 2023 PDPL (M98/2023) instead allows the competent authority to designate tools and mechanisms for monitoring compliance by foreign data controllers and processors. However, the Implementing Regulations lack clarity on this requirement, and related guidelines have not yet been issued.
Our Firm believes that local controllers will be the primary focus after the end of the transitional period, as indicated by the publication of the Rules Governing the National Register of Controllers Within the Kingdom [3,p7]. For foreign entities that have no established entity, operations, or funds within Saudi Arabia, the competent authority may face practical difficulties in enforcing penalties. Since a foreign entity processing the data of Saudi residents necessarily engages in cross-border data transfers, the competent authority may instead regulate such entities by restricting those transfers. Given the possible gap between enactment and enforcement, enforcement measures against foreign controllers shall be closely monitored.
How to comply with PDPL
Data compliance obligations for companies involve both internal management and external operations.
For users: privacy policy
Before collecting and processing personal data, companies should inform data subjects of their privacy policy and make it easily accessible, either on their official website or via a link presented during registration. The policy should be available in multiple languages and updated regularly.
The privacy policy shall be prepared in compliance with the Elaboration and Developing Privacy Policy Guideline [4,p7] and include the following information:
When collecting data, entities shall specify the types of data to be collected, which can be categorized into the following:
Data may be collected directly from the data subject or from third parties, such as public sources. In either case, the collection, processing and storage of the data shall comply with the data minimization principle and the Minimum Personal Data Determination Guideline [5,p7].
When processing data, entities shall select and determine a suitable legal basis from those specified in PDPL, such as:
When it comes to data storage, government and financial data shall be stored within Saudi Arabia, while the PDPL does not specify a storage location for other personal data. Data retention shall follow the minimization principle, and data should be deleted once:
According to the Personal Data Destruction, Anonymization, and Pseudonymisation Guideline [6,p7], data destruction shall render the data inaccessible, unrecoverable and unidentifiable, using methods such as data overwriting, demagnetization, secure erasure, shredding and distortion.
As for data sharing and disclosure, personal data shall not be disclosed to other parties unless the data subject’s consent is obtained or there is a legal justification as specified in the Personal Data Disclosure Cases Guideline [7,p7]. For cross-border data transfers, one of the following requirements shall be fulfilled:
The rights of data subjects are an essential part of the privacy policy. Entities must clearly explain how these rights can be exercised and respond to requests within 30 days. The rights of data subjects include:
In addition, the contact information of the entity or of its Data Protection Officer (DPO), if applicable, shall be provided.
For compliance: Registration and Record of Processing Activities
In terms of registration, data controllers within Saudi Arabia shall register on the NDGP. For foreign controllers, SDAIA will issue corresponding registration guidelines, which Our Firm will monitor. Entities shall appoint a representative to complete the registration process and decide whether a DPO is needed; the representative may also serve as the DPO if appointed to that role by the controller. Currently there are no qualification requirements for the representative, and no registration fee is charged. Entities shall provide their commercial registration (CR), representative information and DPO information (if applicable) in accordance with the Rules Governing the National Register of Controllers Within the Kingdom [3,p7]. Registration is valid for five years, and renewal applications may be submitted 30 days before expiration.
A Record of Processing Activities (RoPA) demonstrates the entity’s commitment to compliance with the PDPL. It shall be maintained for the duration of the data processing and for five years after processing ceases, so that it is available for compliance assessments and inspections by SDAIA. The RoPA shall be kept in writing, updated regularly and prepared in accordance with the Personal Data Processing Activities Records Guideline [10,p7].
An Impact Assessment Report shall be prepared for the processing activities specified in the Implementing Regulations. It focuses on the potential impacts and risks to data subjects arising from the nature of the activity, such as the risk of a data breach. The report shall also be kept in writing and updated regularly, and it can be prepared through the NDGP. An Impact Assessment Report is recommended even where not mandatory, as it helps ensure that data protection risks are reduced to an acceptable level under a documented mitigation plan.
Data incidents, such as breaches or unauthorized access, shall be reported to SDAIA via the NDGP within 72 hours, with timely notification of the affected data subjects. Entities should establish an incident response team to monitor for potential incidents, assess their nature and scope, classify them, report promptly, document all actions taken, and conduct a post-incident analysis.
Appointment of a Data Protection Officer (DPO)
Not all enterprises are required to appoint a DPO, but it is encouraged for effective data compliance.
Application: A DPO should be appointed in the following scenarios:
Qualifications: Companies determine the qualifications required of their DPO, who should have expertise in data protection and risk management and no history of breach of trust or illegal conduct, in accordance with the Rules for Appointing Personal Data Protection Officer [11,p7].
A DPO may be one or more individuals, either internal employees or external experts. Although no nationality requirement for the DPO is explicitly stated, it is advisable to appoint a Saudi national given the current trend toward increasing Saudization.
Appointment: Companies should appoint the DPO in writing, through internal documents or contracts, and promptly file with the NDGP.
Duties: The DPO’s responsibilities can be categorized into three areas:
As the transitional period ends, SDAIA is periodically releasing guidelines. Enterprises processing personal data in or from Saudi Arabia shall implement technical, administrative, and organizational measures in line with the PDPL and SDAIA guidelines. This includes enhancing their privacy policy, maintaining records of processing activities, conducting impact assessments, and establishing a data management function.
Legislation
Regulations
Websites