Saudi Arabia's first comprehensive data protection legislation, the Personal Data Protection Law (PDPL), came into effect on 14 September 2023, with enforcement due to start on the first anniversary of that date. Although it was initially due to come into force in March 2022, it was delayed to allow the Saudi Data and Artificial Intelligence Authority to incorporate additional amendments.
The PDPL was developed to bring the Kingdom in line with global standards on the privacy of personal data, the prevention of data misuse and the regulation of data controllers, as seen recently in other jurisdictions, such as the European Union's General Data Protection Regulation. Some of the amendments made to the PDPL, including the introduction of a "legitimate interest" basis, are considered likely to be derived from this EU regulation.
One week before the PDPL came into effect, the implementing regulations (Regulations) were also published by the Saudi Data & Artificial Intelligence Authority. The Regulations expand on and add clarity to sections of the PDPL. Therefore, both the PDPL and the Regulations should be read in conjunction with each other for those trying to develop a comprehensive understanding of the new law.
Data Subject Rights
Under the PDPL, data subjects' rights include the following:
- Right to access their personal data held by data controllers (except in certain circumstances set out in Article 9 of the PDPL and the Regulations). Data controllers may not charge data subjects a fee for access requests.
- Right to be informed about the legal basis and purpose of the collection of their personal data.
- Right to obtain their personal data held by the controller in a readable and clear format.
- Right to request that the controller correct, complete or update their personal data.
- Right to request destruction of their personal data held by the controller when such data is no longer needed (although this is subject to exceptions in Article 18 of the PDPL).
With respect to how data subjects should communicate requests to exercise the above rights, the Regulations require data controllers "to provide appropriate means to process requests". The Regulations do not explicitly state that requests can be made verbally; they do state that requests can be made by email, SMS, post, electronic applications and any other lawful communication method provided by a data controller for this purpose.
Data controllers may process personal data without the consent of the data subject where such processing is necessary to achieve a legitimate interest. Note that this basis is not available for sensitive personal data such as health data.
Obligations on Data Controllers
The PDPL's obligations on data controllers include:
- Notifying the regulator within 72 hours of becoming aware of a data breach, and notifying affected data subjects without undue delay.
- Carrying out a data protection impact assessment where sensitive personal data is processed.
- Maintaining records of its personal data processing activities for at least five years from the end of the relevant processing activity, in accordance with the Regulations.
- Appointing one or more data protection officer(s), in certain circumstances set out in the Regulations.
- Obtaining consent from a targeted recipient before sending advertising material where there is no prior interaction with the recipient.
- Ensuring that any data processor provides sufficient guarantees to protect personal data and that the agreement between the data controller and the processor includes the information required by Article 17 of the Regulations (this includes identifying subcontractors, the categories of personal data being processed, the duration of processing, the purpose of processing, etc.).
Data Transfer outside of Saudi Arabia
Transferring or disclosing personal data outside Saudi Arabia is generally permitted provided it does not prejudice the Kingdom's national security or vital interests and does not violate any of its laws. The Regulations provide that such transfers or disclosures should be kept to the minimum necessary to achieve their purpose. Data maps can be used to document the need for, and the destination of, each transfer. Data controllers are required to ensure that transferring or disclosing data outside the Kingdom will not undermine the data subject rights, level of protection and privacy that data subjects enjoy within the Kingdom.
Penalties
Disclosing sensitive data contrary to the PDPL can result in imprisonment for up to two years and a fine of up to SAR 3,000,000. For breaches of all other provisions of the PDPL, the penalty may be a warning or a fine of up to SAR 5,000,000 (which can be doubled for repeat offences).
Grace period and next steps
Data controllers have until 14 September 2024 to ensure they are in compliance with the PDPL.
Data controllers should:
- Review the nature of the personal data they handle and how that data is stored, to understand how their practices will need to evolve to comply with the PDPL and the Regulations. As part of this exercise, a distinction should be made between sensitive and non-sensitive data, as the PDPL permits certain types of processing only on the basis that sensitive data is not involved. Sensitive data includes personal data revealing racial or ethnic origin, or religious, intellectual or political belief; data relating to security matters or criminal convictions and offences; biometric or genetic data used for the purpose of identifying a person; health data; and data that indicates that one or both of the individual's parents are unknown.
- Ensure their management teams are aware of the PDPL as soon as possible, so they can plan changes to their processes and policies and request external support if necessary.
- Make any necessary updates to staff training procedures, operation manuals, policies and procedures to take account of the changes.
- Where necessary, appoint one or more data protection officer(s).
- Become familiar with the PDPL and, in particular, with the cross-border personal data transfer regulation if their business involves data transfers outside of Saudi Arabia.
- Review the procedures they follow to appoint and periodically assess data processors, to ensure compliance with the PDPL and the Regulations whether the data is processed by the processors themselves or by their sub-contractors.
- Review agreements in place with processors of data to ensure those comply with Article 17 of the Regulations and contain the requisite guarantees and provisions relating to appointment of sub-processors.
- For data controllers that carry out marketing and advertising activities, develop processes to ensure the relevant consent of targeted recipients is obtained before marketing material is sent, and that a mechanism is in place to let recipients stop receiving marketing material whenever they wish. Articles 28 and 29 of the Regulations set out further requirements for data processing for advertising and direct marketing purposes (such as ensuring misleading methods are not used to obtain consent, how consent should be documented, and clearly stating the sender's name when circulating marketing material, etc.).
The introduction of the PDPL is part of a wider trend across the GCC to introduce rules and regulations for the protection of personal data, with Bahrain and Oman introducing similar regimes based on the GDPR regime in Europe. This should further encourage investment in KSA and provide protection to data subjects in KSA. The 12-month grace period gives businesses time to review their current practices and work towards compliance with the PDPL, although this is often seen as only a first step on that journey.