Saudi Arabia Personal Data Protection Law - An Overview

Saudi Arabia Personal Data Protection Law (PDPL): An Overview

The Kingdom of Saudi Arabia (KSA) has implemented a robust data protection law called the Personal Data Protection Law (PDPL) with the aim of safeguarding the rights of individuals residing within the kingdom. In this article, we will delve into the details of Saudi Arabia’s data protection law, addressing any concerns you may have and providing guidance on ensuring compliance.

Whenever a new regulation is on the horizon, people often consider it a burden for their businesses. In recent years we have seen many new regulations introduced, each requiring changes to be implemented. Now Saudi Arabia’s Personal Data Protection Law has been added to the list.

It should not be considered a pain for businesses. These regulations have a clear intention: protecting the personal data of individuals, not making things hard for businesses.

In fact, Saudi Arabia’s PDPL can be seen as a significant stride towards transforming the country into a thriving digital economy in line with the Saudi Vision 2030. It may seem hard to comply with these regulations, but the early adopters will gain the customer’s trust, which will eventually give them a competitive advantage in the market.

Now, let’s dig deeper into Saudi Arabia’s latest data protection regulation.

Understanding Saudi Arabia’s PDPL – Introduction

The Personal Data Protection Law (PDPL) of Saudi Arabia was officially enacted on March 17, 2023, following two years of discussions leading up to its implementation. The PDPL was first published on September 24, 2021, with a planned effective date of March 23, 2022, 180 days after publication.

Subsequently, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation in late 2022, which led to several amendments being introduced to the PDPL. The amended version of the law came into effect on March 17, 2023.

However, organizations have been granted a grace period of one year, concluding on September 14, 2024, to ensure compliance with the PDPL requirements.

Key Terms Associated with PDPL

PDPL has set clear definitions for different terms associated with the law to make understanding a lot easier. Here are some of the important terms associated with the law:

  • Personal data: As per PDPL, personal data can be defined as any information which could lead to identifying an individual. This could include direct or indirect information associated with the individual.
    For example: Name, Address, Email, Mobile Number, Images, etc.
  • Data subject: The person whose data is being collected and processed is known as the data subject. PDPL grants some rights to data subjects to protect their personal data. We will discuss more about the data subject’s rights in the later part of this article.

    Furthermore, the law extends its protection to the personal data of deceased individuals, specifically safeguarding their information if it has the potential to identify the deceased individual or their family members.
  • Data controllers: Data controllers can be an individual, a group, or an organization that controls the personal data of the data subjects. The data controller decides why and how the data should be processed.
  • Processing party: An entity (an individual or a group) that handles personal data on behalf of a data controller is known as the processing party. The data controller decides what data should be collected and the purpose and means of its processing, while the processing party carries out that processing for the data controller.

Data controllers give instructions to the processing party on handling the personal data of the data subjects, and the processing party acts on the requirements set by the data controller.

What are The Rights of Data Subjects Under PDPL?

The PDPL grants several rights to data subjects in terms of processing their personal data. These rights include:

  • The right to be informed about the lawful grounds for processing personal data. This also grants users the right to know what data is collected, how it is processed, and the purpose it was collected for.
  • Secondly, there is the right to access the data. Under this right, users can access their personal data at any time and can request it in a readable format free of charge.
  • Thirdly, the right to rectify incorrect information. Data subjects have the right to request rectifying their personal information collected by the companies. Businesses should also ensure that the personal data stored is accurate and up-to-date. Any data shared or transferred should also be updated with the latest information.
  • Finally, the right to ask for the deletion of personal data. The data subjects can request the erasure of personal data collected by the organization at any time of their choice. Also, once the original purpose of the data collection has been accomplished, the data should no longer be stored.

These are the four major rights of a data subject under PDPL. There are some other rights related to the above rights, such as the right to object to the processing of personal data. It is worth noting that the PDPL may not explicitly mention the right to object to processing, but it is recommended to offer users the option to restrict the processing of their personal data. Other prominent privacy laws, such as the GDPR, do include this right.

Confusion often arises between the right to deletion and the right to restrict processing. The right to deletion allows users to request the deletion of their personal data entirely. On the other hand, the right to restrict processing means users can request to stop the active processing while retaining the stored data.

For instance, a user may choose to opt out of receiving email newsletters, exercising their right to restrict processing while retaining their data in the system.

What are The Major Principles of PDPL?


1. Accountability

Data Controllers must be accountable for the lawful processing of personal data. It is important to document privacy policies and data processing procedures, which should be approved by the head of the entity or their designated representative. These policies should be circulated to all relevant parties.

2. Transparency

Data Controllers are required to create a Privacy Notice that clearly explains their privacy policies and procedures. The notice should be written in clear and easily understandable language, detailing the purposes for which personal data will be collected. Also, the privacy policy should be accessible to the data subjects before they consent.

3. Choice and Consent

Data Subjects should be informed of the purpose for collecting their personally identifiable data, and their explicit or implicit consent should be obtained prior to the collection, use, and disclosure of personal data. Data controllers should take specific consent from the data subjects at each data entry point.

4. Limiting Data Collection

Data Controllers should limit the collection of personal data to the minimum necessary to fulfill the purposes specified in the Privacy Notice.

5. Use, Retention, and Destruction

Personal data should only be used for the purposes outlined in the Privacy Notice and with the explicit or implicit approval of the Data Subject. Data should be retained for as long as necessary to achieve its intended purposes or as required by applicable laws and regulations.

Additionally, data should be securely and safely destroyed to prevent leakage, loss, theft, misuse, or unauthorized access.

6. Access to Data

Businesses should provide a means for Data Subjects to review, update, and correct their personal data held by the Data Controller.

7. Purpose Limitation

Personal data shall not be shared with third parties other than for the purposes specified in the Privacy Notice and approved by the Data Subject.

8. Data Security

Personal data must be protected from leakage, damage, loss, theft, misuse, modification, or unauthorized access. Controls issued by the National Cybersecurity Authority and relevant authorities should be followed.

9. Data Quality

Personal data should be maintained with accurate, complete, and timely information directly relevant to the purposes specified in the Privacy Notice.

10. Monitoring and Compliance

Data Controllers’ privacy policies and procedures should be monitored to ensure compliance. Any inquiries, complaints, or disputes related to privacy should be addressed promptly.

11. Breach Response

Businesses should have a breach response mechanism in place. In the case of a data breach, the data controller should immediately inform the concerned authority. If there is a chance the leaked information could cause harm to the Data Subjects, they should be informed immediately.

12. Data Protection Impact Assessment

Data Protection Impact Assessment (DPIA) involves identifying the potential risks and evaluating the necessity, proportionality, and mitigation measures of data processing activities. It helps organizations anticipate and address any potential data protection risks before they occur, ensuring compliance with the PDPL and protecting the rights of Data Subjects.

13. Data Transfer Outside the Country

Data transfer to parties outside the Kingdom of Saudi Arabia is generally prohibited, except in cases where it is necessary to protect the vital interests of individuals abroad, prevent or treat diseases, or fulfill the interest of the Kingdom.

However, if data transfer serves the interests of the Kingdom, it must adhere to certain conditions:

  • It should not compromise national security or vital interests.
  • The data must be safeguarded against leakage or disclosure.
  • Only the minimum necessary data should be transferred, with approval from the competent authority.

Businesses may be exempt from these conditions if the recipient country has a similar level of personal data protection. Also, businesses should have a local representative residing in the Kingdom for the accountability of the data transfer.

How to Comply with PDPL? The Complete Checklist

Below is the complete checklist to help you comply with the PDPL.

  1. Beginning with data collection, personal data should be collected only on a lawful basis and should have a specific purpose.
  2. Inform data subjects about the data collection and the purpose and means of processing the data.
  3. Obtain prior consent from the data subjects for collecting their personal information. Consent is required at each stage of data collection.
  4. Maintain a privacy policy for your website and keep it up-to-date. Add relevant information, such as how you handle the personal data of your users.
  5. Ensure the personal data stored is accurate and up-to-date. Give users an option to update their personal information.
  6. Do not disclose personal data to third parties other than for the purposes specified in your privacy notice.
  7. Ensure the safety of the personal data collected from the data subjects. Maintain necessary security measures and impact assessments to ensure the data is free from any unauthorized access.
  8. Inform the concerned authority and the individuals (if possible) in case of a data breach at the earliest.
  9. Keep documentation for the processing of personal data as proof of compliance when requested by the authorities.
  10. Do not transfer personal data outside KSA without taking the appropriate measures suggested by the law.

Conclusion

In recent years, there have been a lot of new regulations coming up, and Saudi Arabia has just added PDPL to the list. These laws may seem a pain for businesses, but the intent is to make the digital space safe for everyone. Businesses that respect their customers’ privacy will have the advantage of winning their trust.

While various data privacy laws are being introduced, many of them share similar principles. This means that businesses can often make adaptations rather than undergoing extensive changes to comply with each individual law.

What are your thoughts on Saudi Arabia’s PDPL? Let us know in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
