Personal Data Protection Law

Overview

The Personal Data Protection Law (PDPL) was issued pursuant to Royal Decree No. M19/1443 (Saudi Arabia Cabinet Decision No. 98/1443 On Approving Personal Data Protection Law) and amended pursuant to Royal Decree No. M148/1444. It came into effect on 14 September 2023 with a one-year transitional period, so 14 September 2024 is the first day on which the law applies in full. Alongside the PDPL, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued Saudi Arabia Administrative Decision No. 1516/1445 On Approving the Implementing Regulation of the Personal Data Protection Law, together with further regulations and guidelines such as the Guide to the Saudi Personal Data Protection Law [1,p7] and the Guide to the Saudi Personal Data Protection Law For Controllers and Processors [2,p7]. SDAIA also launched the National Data Governance Platform (NDGP) to provide PDPL-related services. Entities acting as data controllers or processors must therefore comply with the PDPL, its Implementing Regulation and the associated guidelines, or face penalties ranging from warnings to fines of up to 5 million Saudi Riyals and imprisonment of up to two years.

Definitions

  • PDPL: Personal Data Protection Law
  • SDAIA: Saudi Data & Artificial Intelligence Authority
  • NDGP: National Data Governance Platform
  • NDMO: National Data Management Office
  • DPO: Data Protection Officer
  • RoPA: Records of Processing Activities

Practical guidance

Competent authority

SDAIA was established in 2019, followed by the National Data Management Office (NDMO) in 2020. The 2021 PDPL (Royal Decree No. M19/1443) initially designated SDAIA as the competent authority for two years, with the possibility of transferring oversight to NDMO based on the PDPL’s enforcement outcomes and the data sector’s maturity.

Currently, NDMO monitors compliance with data management regulations, standards and personal data protection policies. As NDMO is a sub-entity of, and organizationally linked to, SDAIA, it submits reports and regulatory proposals to SDAIA, which in turn issues the PDPL-related rules and guidelines. SDAIA also operates the NDGP, which provides PDPL-related services such as compliance assessment.

Data controllers and processors

The PDPL primarily regulates data controllers and processors, which can be public entities, individuals, or private legal persons. Data controllers determine the purposes and methods of processing personal data, while processors handle the data on behalf of the controllers. Controllers have greater obligations, as they are liable for data processing and shall supervise processors. This article focuses on the compliance obligations of Chinese enterprises as data controllers.

To distinguish between data controllers and processors, consider the example of the Saudi food delivery platform Hunger Station. Hunger Station uses Amazon Web Services (AWS) to store and process user data for managing orders and improving search functionality. It collects users’ names, addresses, and contact information to provide needed products and enhance services based on feedback. Hunger Station acts as the data controller, determining the purpose of data processing—providing services to users—and the means of processing, such as using user addresses and contact information for order management. In contrast, Amazon Web Services (AWS) serves as the data processor, handling personal data according to Hunger Station’s instructions.

Extraterritorial Effect of the PDPL

The PDPL applies to the processing of personal data of Saudi residents whether that processing takes place inside or outside the Kingdom. Foreign enterprises collecting personal data must therefore identify the source of the data: if the data subject is a Saudi resident, the PDPL applies regardless of the volume of data involved.

The 2021 PDPL (M19/1443) required foreign data controllers to appoint a local representative, while the 2023 amendments (Royal Decree No. M148/1444) instead allow the competent authority to designate tools and mechanisms for monitoring compliance by foreign data controllers and processors. However, the Implementing Regulations do not clarify this requirement, and no related guidelines have yet been issued.

Our Firm believes that local controllers will be the primary enforcement focus after the end of the transitional period, as indicated by the publication of the Rules Governing the National Register of Controllers Within the Kingdom [3,p7]. For foreign entities with no establishment, operations or funds in Saudi Arabia, the competent authority may find it difficult to enforce penalties. Since a foreign entity processing the data of Saudi residents necessarily engages in cross-border data transfers, the competent authority may instead regulate it by restricting such transfers. Given the gap between enactment and enforcement, enforcement measures against foreign controllers should be closely monitored.

How to comply with PDPL

Data compliance obligations for companies involve both internal management and external operations.

  • Internal management: companies shall create a sound organizational structure to enhance their management systems.
  • External operations: companies shall provide their privacy policy to data subjects and operate under the supervision of the competent authority, such as SDAIA.

 

For users: privacy policy

Before collecting and processing personal data, companies should inform data subjects of their privacy policy and make it easily accessible, either on their official website or by providing a link during registration. The policy should be available in multiple languages and updated regularly.

The privacy policy shall be drafted in compliance with the Elaboration and Developing Privacy Policy Guideline [4,p7] and include the following information:

  • Types of personal data to be collected
  • Methods and purposes of collection
  • Legal basis for data processing
  • Data sharing and disclosure
  • Geographic scope of data processing
  • Data retention period
  • Method of data destruction
  • Rights of the data subjects and how to exercise them
  • Contact information for the controller/Data Protection Officer (DPO)

When collecting data, entities shall specify the types of data to be collected, which can be categorized into the following:

  • Personal data, in electronic or physical form, such as a name, mobile number or email address. Note that personal data includes personal opinions and inferences, such as employee feedback on the work environment or a pharmacy's health predictions based on a customer's purchase history.
  • Sensitive data, which includes information revealing an individual's racial or ethnic origin, beliefs, criminal convictions, biometric data (such as fingerprints and facial recognition), genetic information, health, and parentage.
  • Pseudonymized data, which can identify the data subject when combined with additional information. For example, suppose Hunger Station keeps two databases: one with user names, and another with transaction records in which each user name is replaced by a token. The transaction data is still personal data, because linking it to the first database identifies the users. Pseudonymized data differs from anonymized data, from which all identifying information has been removed and which is not considered personal data; however, the act of anonymizing is itself regarded as processing personal data.
  • Data of a deceased individual, where it can identify his or her family members.

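The pseudonymization bullet above is the one point in this list that a security engineer can check in code. The following added example (not part of the original article, and not Hunger Station's code; the user and order records are constructed) splits a dataset into a token-keyed transaction table and a separately held lookup table, shows that joining the two restores identities (so the transaction table remains personal data), shows an aggregated form that no longer relates to an identifiable person, and shows why an unkeyed hash of a name is not a safe pseudonym:

```python
"""Pseudonymisation vs. anonymisation on constructed sample data."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (not from the original page).
USERS = [
    {"name": "Alice", "address": "Olaya St 12, Riyadh"},
    {"name": "Bilal", "address": "King Fahd Rd 4, Jeddah"},
    {"name": "Chen", "address": "Prince Sultan Rd 9, Riyadh"},
]
ORDERS = [  # (name, merchant, amount in SAR)
    ("Alice", "pharmacy", 120.0),
    ("Alice", "grocery", 45.5),
    ("Bilal", "grocery", 80.0),
    ("Chen", "pharmacy", 60.0),
    ("Chen", "restaurant", 210.0),
]


def keyed_pseudonym(key: bytes, name: str) -> str:
    """HMAC-SHA256 token: without `key` it can be neither reversed nor re-derived."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def naive_pseudonym(name: str) -> str:
    """Unkeyed SHA-256 of the name: anyone holding a list of candidate names can rebuild it."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:16]


def pseudonymise(key: bytes, users, orders):
    """Return (lookup, transactions). `lookup` maps token -> identity and is the
    'additional information' that must be stored separately under access control;
    `transactions` carries only the token."""
    lookup = {keyed_pseudonym(key, u["name"]): u for u in users}
    transactions = [
        {"pseudonym": keyed_pseudonym(key, name), "merchant": merchant, "amount": amount}
        for name, merchant, amount in orders
    ]
    return lookup, transactions


def reidentify(lookup, transactions):
    """Join the two tables. The fact that this works is why the transaction table
    is still personal data under the PDPL."""
    return [
        {**row, "name": lookup[row["pseudonym"]]["name"],
         "address": lookup[row["pseudonym"]]["address"]}
        for row in transactions
    ]


def anonymise(transactions, min_group=2):
    """Aggregate per merchant and drop the token entirely. Groups smaller than
    `min_group` are suppressed so a single person's spend cannot be read off the
    output. The result no longer relates to an identifiable individual."""
    per_merchant = defaultdict(list)
    for row in transactions:
        per_merchant[row["merchant"]].append(row["amount"])
    return {
        merchant: {"orders": len(amounts), "total": sum(amounts)}
        for merchant, amounts in per_merchant.items()
        if len(amounts) >= min_group
    }


def recover_from_candidates(tokens, candidate_names):
    """Dictionary attack by someone who sees the tokens but has no key: derive the
    unkeyed hash of every guessed name and look for matches. Returns token -> name
    or None. Succeeds against naive_pseudonym, fails against keyed_pseudonym."""
    table = {naive_pseudonym(n): n for n in candidate_names}
    return {t: table.get(t) for t in tokens}


def demo():
    key = b"\x00" * 32  # fixed constructed key for reproducibility; use secrets.token_bytes(32) in practice
    lookup, txns = pseudonymise(key, USERS, ORDERS)
    linked = reidentify(lookup, txns)           # identities restored
    aggregated = anonymise(txns)                # no token, no individual
    guesses = ["Alice", "Bilal", "Chen", "Dana"]
    broken = recover_from_candidates([naive_pseudonym(n) for n, _, _ in ORDERS], guesses)
    held = recover_from_candidates([r["pseudonym"] for r in txns], guesses)
    return linked, aggregated, broken, held


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The design point is separation: the HMAC key and the lookup table are what make re-identification possible, so they must live apart from the transaction store and be protected accordingly, and a key rotation or lookup deletion is what turns the transaction table from pseudonymized into effectively anonymized data.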
Data should be collected directly from the data subject, or from third parties such as public sources. In either case, collection, processing and storage must comply with the data minimization principle and the Minimum Personal Data Determination Guideline [5,p7].

When processing data, entities shall select and determine a suitable legal basis from those specified in PDPL, such as:

  • consent from the data subject, for example requiring the user to voluntarily click "agree to terms and conditions". Note that consent is required when processing personal data for direct marketing.
  • legitimate interests of the data controller, such as fraud detection, which require a legitimate interest assessment. Note that sensitive data may not be processed on the basis of legitimate interests.
  • contract performance, for example an online subscription service for movies and TV shows that must collect and process data to create user accounts and process payments.
  • legal obligation, such as processing employees' payroll information to fulfil tax obligations.

As for data storage, government and financial data must be stored within Saudi Arabia, while the PDPL does not specify a storage location for other personal data. Retention should follow the minimization principle, and data should be deleted once:

  • the purpose of collection has been achieved
  • the data subject exercises their right to deletion or withdraws consent
  • the data is processed unlawfully.

According to Personal Data Destruction, Anonymization, and Pseudonymisation Guideline[6,p7], data destruction shall ensure that the data is inaccessible, unrecoverable and unidentifiable, achieved through methods like data overwriting, demagnetization, secure erasure, shredding and distortion.

As for data sharing and disclosure, personal data shall not be disclosed to other parties unless the data subject's consent is obtained or there is a legal justification as specified in the Personal Data Disclosure Cases Guideline [7,p7]. For cross-border data transfers, one of the following requirements must be met:

  • adequate level of protection: the destination is on the list of countries or international organizations that offer a level of personal data protection equivalent to or greater than that in Saudi Arabia, as determined through cooperation agreements.
  • standard contractual clauses: legal agreements ensuring data protection during the transfer, concluded in accordance with the Standard Contractual Clauses For Personal Data Transfer [8,p7].
  • binding common rules: internal policies of the data controller, drafted in compliance with the Guidelines for Binding Common Rules (BCR) For Personal Data Transfer [9,p7].
  • certificate of accreditation: a certificate issued by an entity licensed by SDAIA, obtained by the recipient party rather than the data controller, used where standard contractual clauses or binding common rules are not in place.

The rights of data subjects are essential in the privacy policy. Entities must clearly outline how to exercise these rights and respond to requests within 30 days. The rights of data subjects include:

  • Right to know
  • Right to access
  • Right to request provision of personal data
  • Right to request correction
  • Right to request destruction
  • Right to withdraw consent
  • Right to file a complaint

In addition, the contact information of the entity or of its Data Protection Officer (DPO), if one has been appointed, shall be provided.

 

For compliance: registration and Records of Processing Activities

In terms of registration, data controllers within Saudi Arabia shall register on the NDGP. For foreign controllers, SDAIA is expected to issue corresponding registration guidelines, which Our Firm will monitor. Entities shall appoint a representative to complete the registration process and decide whether a DPO is needed; if so, the representative may also serve as the DPO provided the controller appoints them in that role. Currently there are no qualification requirements for the representative and no registration fee. Entities shall provide their commercial registration (CR), representative information and DPO information (if applicable) in accordance with the Rules Governing the National Register of Controllers Within the Kingdom [3,p7]. Registration is valid for five years, and renewal applications may be filed 30 days before expiration.

Records of Processing Activities (RoPA) demonstrate an entity's commitment to compliance with the PDPL. RoPA shall be maintained for the duration of the processing plus five years after it ceases, for use in compliance assessments and inspections by SDAIA. They shall be kept in writing, updated regularly and prepared in accordance with the Personal Data Processing Activities Records Guideline [10,p7].

An Impact Assessment Report shall be prepared for the processing activities specified in the Implementing Regulations. It focuses on the potential impacts and risks to data subjects arising from the nature of the activity, such as the potential for a data breach. The report shall also be in writing and updated regularly, and can be prepared through the NDGP. Even where it is not mandatory, an impact assessment is recommended, as it helps ensure that data protection risks are reduced to an acceptable level under a documented mitigation plan.

Data incidents, such as breaches or unauthorized access, shall be reported to SDAIA via the NDGP within 72 hours of the entity becoming aware of them, with timely notification to the affected data subjects. Entities should establish an incident response team to monitor for potential incidents, assess their nature and scope, classify them, report promptly, document all actions taken, and conduct a post-incident analysis.

 

Appointment of a Data Protection Officer (DPO)

Not all enterprises are required to appoint a DPO, but it is encouraged for effective data compliance.

Application: A DPO should be appointed in the following scenarios:

  • When the controller is a public authority processing personal data on a large scale; or
  • When the controller's core business involves regular and systematic monitoring of data subjects, such as collecting health data via wearable devices or analyzing customer transactions for fraud risk; or
  • When the controller’s core business includes processing sensitive data, such as insurance companies collecting health data for critical illness insurance or financial firms processing credit data for related

Qualifications: Companies set their own criteria for the DPO, who should have expertise in data protection and risk management and no history of breach of trust or unlawful conduct, in accordance with the Rules for Appointing Personal Data Protection Officer [11,p7].

A DPO can be one or more individuals, either internal employees or external experts. While the nationality requirement of the DPO is not explicitly stated, it is advisable for the DPO to be a Saudi national given the current trends in increasing Saudization.

Appointment: Companies should appoint the DPO in writing, through internal documents or a contract, and promptly file the appointment with the NDGP.

Duties: The DPO’s responsibilities can be categorized into three areas:

  • To Regulators: Serve as a contact point, implement regulatory measures, and report data incidents.
  • To Internal Teams: Monitor data compliance, make recommendations, address non-compliance issues, conduct regular training, and liaise with other departments.
  • To Data Subjects: Respond to requests and complaints.

 

Conclusion

As the transitional period ends, SDAIA continues to release guidelines periodically. Enterprises processing personal data in or from Saudi Arabia shall implement technical, administrative and organizational measures in line with the PDPL and SDAIA guidelines. This includes refining their privacy policy, maintaining records of processing activities, conducting impact assessments, and establishing a data management function.

 

Related content

Legislation

  • Saudi Arabia Royal Decree No. M19/1443 On Approving Personal Data Protection Law
  • Saudi Arabia Royal Decree No. M148/1444 On Approving Amendments to Personal Data Protection Law
  • Saudi Arabia Cabinet Decision No. 98/1443 On Approving Personal Data Protection Law
  • Saudi Arabia Administrative Decision No. 1516/1445 On the Approval of the Implementing Regulation of the Personal Data Protection Law
  • Saudi Arabia Administrative Decision No. 1517/1445 On the Approval of the Regulation on Personal Data Transfer Outside the Geographical Boundaries of the Kingdom, amended by the Regulation on Personal Data Transfer Outside the Kingdom.