Privacy and Data Protection in the Kingdom of Saudi Arabia


In September 2021, the Kingdom of Saudi Arabia (KSA) issued its Personal Data Protection Law (PDPL) to regulate the processing of personal data. The PDPL is the first standalone data protection law of its kind in KSA and bears many similarities with the European Union’s (EU) General Data Protection Regulation (GDPR) when it comes to data owner rights and data controller responsibilities. 

For the first two years after the law takes effect, the authority responsible for implementing it will be the Saudi Data & Artificial Intelligence Authority (SDAIA); that function is then expected to transfer to the National Data Management Office (NDMO), which sits within SDAIA.

The PDPL was set to come into effect 180 days after the original announcement—meaning the law would be effective March 23, 2022—but was postponed to March 17, 2023 based on feedback received by the authority during a public consultation on the draft. 

Personal Data Protection Law (PDPL) at a glance 

In terms of scope, the PDPL applies to any processing by businesses or public entities of personal data performed in KSA by any means whatsoever, including the processing of the personal data of KSA residents by entities located outside of Saudi Arabia. The PDPL grants many familiar rights to data owners including:

  • a right to be informed 
  • a right to access the data collected about them 
  • a right to request correction, completion, and/or updating of their personal data 
  • a right to request the deletion of their data 

The main basis for processing personal data under the PDPL is the consent of the data owner, which may be withdrawn at any time. At the time of writing it is understood that consent must be an explicit opt-in. Consent is not required if the processing achieves a clear benefit for the data subject and it is impossible or impractical to contact them, if the processing is required by law or by a prior agreement with the data subject, or if the controller is a public entity and the processing is required for security or judicial purposes. So nothing too surprising so far, but where the legislation takes a different direction is on data transfers and enforcement.

The PDPL prohibits data controllers from transferring personal data to an entity outside of KSA unless required to comply with an agreement to which KSA is a party, to serve KSA interests, or for other purposes that will be set out in the regulations. Feedback on this point is the main reason for the delay in the legislation going live; it almost certainly means there will be additional exceptions but what they are and how to get one is yet to be confirmed.

Data controllers will also be required to register with, and pay a fee to, SDAIA (up to SAR 100,000, about USD 27,000). In addition, data controllers will be required to upload a record of processing activities to a new online portal; the record must include the purpose of the processing, the entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside KSA, and the expected retention period.

Under the new law there are some serious penalties for non-compliance:

  • The unlawful use of sensitive data can lead to imprisonment for up to two years and/or a fine of up to SAR 3,000,000 (about USD 800,000).
  • Failure to comply with the requirements relating to transfers of personal data can lead to imprisonment for up to one year and/or a fine of up to SAR 1,000,000 (about USD 270,000).
  • Both of the above constitute criminal offenses, which would be investigated by the KSA Public Prosecutor.
  • Failure to comply with requirements of the legislation other than those specified above can lead to fines of up to SAR 5,000,000 (about USD 1,330,000).
  • Repeated offenses can lead to penalties of up to twice the maximums outlined above including the length of imprisonment and the fine amount. 

While it's not certain who would be imprisoned in the case of a breach, I'd be more than mildly concerned if I were the DPO of an international organization doing business in KSA in 2023.

Additional highlights from the PDPL

The PDPL introduces a number of requirements that could significantly impact how companies operate in KSA including:

  • Data controllers must create and maintain a record of how they process personal data which must be registered with the SDAIA.
  • Any foreign company operating in the Kingdom and processing personal data of Saudi residents must appoint a local representative; additional guidance on this point is in the works. 
  • Organizations will also be expected to appoint data officers to manage compliance with the law.
  • Data controllers must assess projects, products, and services to identify data protection risks posed to individuals (basically Impact Assessments).
  • Data controllers must implement a privacy notice specifying how data will be processed prior to collecting personal data from individuals. 
  • Data controllers will be expected to report data breaches to the regulatory authority as soon as they become aware of an incident.
  • Information such as genetic, health, credit, and financial data is deemed sensitive data, falls within the scope of the law, and is likely to be subject to additional regulation.

September 2023 update

The PDPL came into effect as of September 14, 2023. One week earlier, our friends at SDAIA published the Implementing Regulations and the Personal Data Transfer Regulations, which build on the general principles and obligations set out in the PDPL and introduce a couple of new bits and pieces, including new compliance requirements for data controllers, which we'll dive into next.

So what’s new?

The two new sets of regulations outline additional requirements, including:

  • An adequacy system for data transfers to countries that SDAIA has evaluated as providing an appropriate level of data protection, together with the evaluation criteria and the procedure for determining and reassessing adequacy; the list of countries that passed muster is yet to be released.
  • Additional bases for international data transfers, including providing a service or benefit to the data subject and carrying out operational processes that enable the controller to carry out its activities.
  • Consent: much the same as the GDPR definition. The purposes for processing must be clear and specific, and consent must be given freely, for each purpose of processing, documented, and given by a person with full legal capacity.
  • A legitimate interest basis for processing that, again, is much the same as the GDPR definition: controllers must meet specific conditions, including balancing the rights and interests of the data subject against the legitimate interests of the controller.
  • Controllers must have agreements with third-party data processors that include a commitment to notify the controller of a personal data breach; in addition, the controller is responsible for verifying the processor's compliance with the PDPL and the Regulations.
  • Data subject requests (DSRs) must be responded to within 30 days; an extension may be granted where the request is complex or there are multiple requests.
  • Personal data breaches must be reported to SDAIA within 72 hours.
  • Data Protection Impact Assessments (DPIAs) must be completed in a whole host of additional situations, so best make a list and check it, along with your DPIAs, twice.
  • The new regulations detail when controllers must appoint somebody responsible for the protection of personal data, usually a Data Protection Officer (DPO), but not whether that person needs to be based in KSA; further information on DPOs is rumored to be in the pipeline.
  • Reintroduction of the requirement to register controllers with SDAIA.
  • Controllers must keep a record of processing activities (ROPA) while data is being processed and for a further five years after processing ends; the regulations also specify what the ROPA must contain.

What does this mean for you or your business?

The PDPL contains a 12-month grace period, meaning enforcement is set to start from September 14, 2024. With these additional sets of regulations, the requirements for compliance have been made clearer. Organizations operating in KSA should begin work to understand what data is collected, how it is used, whether it is transferred internationally, and where it is transferred to; this is something your organization should already have completed, or at the very least begun, as part of compliance with existing privacy legislation in the EU and beyond. Familiarizing the relevant staff with the KSA DPIA and ROPA formats and requirements should definitely start sooner rather than later. Beyond that, keep a close eye on any additional updates that may be forthcoming, and bookmark this article as we'll be adding updates here as they come. If you're not sure where to start in creating your privacy strategy, we're here to chat.

Author

  • Ash Lindley

    From a misguided beginning in media planning some 18 years or so ago, Ash Lindley has worked across much of digital including SEO, digital analytics, and cloud architecture everywhere from an upstart digital agency to unwieldy full-service media agency environments, and a stint client-side for curiosity’s sake. As Strategy Lead, Ash is primarily focused on Wardley Mapping at InfoTrust, along with anything and everything privacy related in his spare time.

Originally Published: November 29, 2022

October 11, 2023
