Saudi Arabia’s Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (September 16, 2021), which approved Resolution No. 98 of 7/2/1443 H (September 14, 2021). It was published in the Republic Journal on September 24, 2021.

The Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation for the first two years, after which a transfer of oversight to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had already published interim data governance regulations in 2020, which have now been superseded by the PDPL with regard to the protection of personal data.

According to the SDAIA announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent abuse of personal data in line with the goals of the Saudi Vision 2030 to develop digital infrastructure and support the innovation to grow a digital economy.

PDPL Enforcement Scope

The Personal Data Protection Law (PDPL), as well as other legislation on the subject, is designed to protect personal data, that is, any information, in any form, through which a person can be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, pictures, and video recordings of the person.

The PDPL applies to any personal data processing by companies or public entities carried out in Saudi Arabia by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom.

The PDPL does not apply to the processing of personal data for personal and family use.

The PDPL Pillars

Many of the features of the Personal Data Protection Law (PDPL) are consistent with the concepts and principles contained in other international data protection laws, such as:

• Data Subject Rights: Individuals (data subjects) shall, with some exceptions, have the right to be informed about the processing of personal data and the legal basis for such processing, the right to access their personal data (including to obtain a free copy thereof), the right to correct or update their personal data, and the right to request their destruction if they are no longer necessary. Data subjects can also file complaints related to the PDPL enforcement with the regulatory authority.
• Registration of Controllers: Organizations that collect personal data and determine the purpose for which they are used and the method of processing (controllers) must register with an electronic portal that will form a national register of controllers. There will be an annual fee payable for registration, to be determined in executive regulations (which will be issued in due course).
• Controller Obligations: Controllers will be obliged to ensure the accuracy, integrity, and relevance of personal data before processing them, to keep a record of the processing for a period that will be defined by the executive regulations, and to ensure their team is properly trained in the PDPL and data protection principles.
• Consent: Data subjects may withdraw their consent to the processing of personal data at any time, and consent shall not be a prerequisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
• Processing not Based on Consent: Notwithstanding the provisions on withdrawal of consent, the PDPL makes it clear that data processing does not always require consent from the data subject. Consent is not required if processing achieves a clear benefit and it is impossible or impractical to contact the data subject, if required by law or prior agreement to which the data subject is a party, or if the controller is an entity and processing is required for security or legal purposes.
• Privacy Policy: Controllers must implement a privacy policy and make it available to data subjects before the collection of their personal data. The Personal Data Protection Law (PDPL) establishes the minimum information that must be included in the privacy policy, including when personal data is collected directly from the data subject.
• Purpose Limitation and Data Minimization: Organizations must make clear the purpose for which personal data is collected and used. Personal data must also be relevant and controllers must limit collection to the minimum necessary to achieve the intended purpose.
• Impact Assessments: Controllers must assess the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, the controller must stop collecting such data.
• Marketing: Personal data may not be used for marketing purposes without the recipient’s consent or the use of opt-out mechanisms.
• Breach Notification: Data breaches, leaks, or unauthorized access to personal data must be notified to the supervisory authority, and incidents that cause material damage to the data subject must be notified to the data subjects.

Compliance with the PDPL

Disclosure or transmission of sensitive data contrary to the Personal Data Protection Law (PDPL) may result in imprisonment of up to two years or a fine of up to SAR 3,000,000 (equivalent to US $ 800,000).

Violation of the data transfer provisions can result in imprisonment of up to one year and a fine of up to SAR 1,000,000 (or US $ 266,600).

With respect to all other provisions of the PDPL, the penalties are limited to notice or a fine of up to SAR 5,000,000 (US $ 1,333,000).

Any of the fines may also amount to double the stated maximums for recidivism, and the court may order the confiscation of funds gained as a result of violating the law and/or require publication of the judgment in a newspaper or other media at the offender’s location.

The parties affected by the infringements can claim restitution.

PDPL’s Next Steps

The Personal Data Protection Law (PDPL) comes into force 180 days after its publication in the Republic Journal, which means it will come into force from March 23, 2022. Also during this period, the executive regulations that complement the Law may be amended. 

Consequently, it appears that there will be a transition period of at least 18 months until the PDPL is fully into force against local entities (and potentially longer for organizations based outside the Kingdom). 

The Council of Ministers’ approval of the Resolution also notes that the SDAIA will coordinate with the Saudi Central Bank and the Communications and Information Technology Commission (CITC) to address the enforcement of the PDPL to regulated financial institutions and ICT service providers, respectively.

In any case, all companies operating in Saudi Arabia or processing data from Saudi residents will now need to start evaluating their activities and making changes to align with the PDPL. 

Controllers will be required to train staff in accordance with the terms and principles of the Personal Data Protection Law (PDPL) and will need time to ensure that a data protection culture is properly incorporated into the organizations.