The Kingdom of Saudi Arabia has recently taken a significant step in safeguarding the privacy of individuals' personal data by introducing its groundbreaking legislation, the Personal Data Protection Law (PDPL). This law is a monumental milestone in the nation's commitment to ensuring data privacy and governing the practices of organizations regarding the collection, processing, disclosure, and retention of personal data. This law came into effect on 14th September 2023.
The PDPL encompasses many provisions, outlining processing principles, delineating data subjects' rights, specifying organizations' obligations in handling individuals' personal data, and establishing mechanisms for cross-border data transfers. Importantly, it also sets forth penalties for non-compliance, underlining the seriousness with which the Kingdom takes data protection.
A notable aspect of the PDPL is its commitment to not infringe upon any existing provisions that grant data subjects rights or offer superior protection under other laws or international conventions ratified by Saudi Arabia.
Who Must Adhere to the Legislation?
The PDPL governs organizational compliance based on two key dimensions: the nature of data and geographical jurisdiction.
Scope of Data
The PDPL pertains to the handling of personal data and sensitive personal data concerning individuals residing within Saudi Arabia. Furthermore, it extends its purview to encompass the personal data of deceased individuals as long as such data can potentially identify the deceased person or one of their immediate family members. It's important to note that the PDPL does not cover personal data processing for domestic purposes, which falls outside its application.
The PDPL applies to public and private organizations that process personal data associated with individuals residing in Saudi Arabia, employing any means to do so. Moreover, even foreign organizations processing personal data linked to individuals within Saudi Arabia's borders are subject to the PDPL's provisions and requirements.
Organizational Obligations under the PDPL
The Personal Data Protection Law (PDPL) imposes a range of crucial obligations on controlling authorities (data controllers) to ensure compliance:
Under the PDPL, organizations must obtain the owner's consent before processing personal data, except when specified in the Draft Regulation. Individuals have the right to withdraw their consent at any time, and organizations cannot make consent a mandatory condition for providing a service or benefit unless it directly pertains to the processing activity for which permission was initially given.
Furthermore, the PDPL outlines scenarios where consent is not obligatory:
When data processing offers a clear benefit and it is impractical to contact the data subject
When processing is mandated by law or a prior agreement in which the data subject is involved
If the controller is a public entity, and processing is necessary for security or judicial purposes
In cases of data collection for scientific, research, or statistical purposes, provided that all legal requirements are met
When processing serves the legitimate interests of the controller or another party, as long as it does not infringe upon the data subjects' rights. This exemption does not apply to sensitive personal data
Organizations must also maintain a privacy policy covering their processing of personal data. This policy must include:
Collection Purpose: Explain why data is being collected.
Data Details: Specify what personal information will be gathered.
Collection Method: Describe how the data will be collected.
Storage: Detail where and how the data will be stored.
Processing: Clarify how the data will be used.
Destruction: Explain how data will be disposed of when no longer needed.
Owner's Rights: Outline the rights individuals have concerning their data.
Exercising Rights: Explain how individuals can exercise these rights.
Data Subject Rights Simplified
The PDPL grants data subjects essential rights to maintain control over their personal data:
Right to Information
You have the right to know who's collecting your data, why they're doing it, how they're collecting it, and whether they'll share or sell it.
Right to Correct Data
You can request corrections if your data is incomplete, inaccurate, or out of date.
Right to Delete Data
You can ask for your data to be deleted, either because you no longer want the organization to hold it or because the organization no longer needs it.
Right to Limit Processing
While not explicitly mentioned in the PDPL, you can restrict how organizations use your data for specific situations and periods. The regulatory authority's FAQs offer more details.
Right to Data Portability
You can get your data in an understandable format and transfer it to another controller.
These rights empower you to control your personal information, ensuring that organizations handle it responsibly and transparently.
The Saudi Data & Artificial Intelligence Authority (SDAIA) is the leading authority responsible for ensuring organizations follow the PDPL in Saudi Arabia. Their job isn't just about punishing rule-breakers; they also help organizations move data internally and monitor people's requests about their data rights.
But here's the twist: the SDAIA will only oversee this for the first two years. In 2024, oversight may pass to the National Data Management Office (NDMO).
Penalties for Non-compliance
Disclosing or publishing sensitive personal data:
Imprisonment of up to 2 years
Fine not exceeding SAR 3 million ($800,000)
Violations of other PDPL provisions:
Warning notice or
Fine not exceeding SAR 5 million ($1.3 million)
The fine can be doubled upon repeated offenses
Operationalizing the PDPL
Organizations need to:
Bring their status into compliance within one year of the law's effective date.
Catalog and classify data inventories (sensitive personal data, personal data).
Evaluate the need for a representative in Saudi Arabia.
Register in Saudi Arabia.
Disclose data processing through formal policies and privacy notices.
Develop data collection and processing policies, including consent frameworks.
Establish data breach notification mechanisms.
Map processes and identify cross-border data flows, adhering to PDPL cross-border requirements.
Implement a framework for data subject requests.
Implement data tracking and reporting for compliance.
Employ technical and organizational security measures for data protection.
Conduct personal information protection impact, vendor, and risk assessments.
The introduction of the Personal Data Protection Law (PDPL) in Saudi Arabia marks a significant stride toward safeguarding personal data privacy and data subject rights. With clear guidelines, obligations, and penalties for non-compliance, organizations must swiftly adapt to ensure lawful data processing practices. The transition period offers organizations ample time to operationalize the law, focusing on transparency, security, and comprehensive data protection measures.
As the Saudi Data & Artificial Intelligence Authority (SDAIA) oversees enforcement initially, followed by a potential shift to the National Data Management Office (NDMO), the PDPL sets a robust foundation for responsible data management in the digital age.