Effective date: September 14, 2023. Compliance enforcement will begin after one year, on September 13, 2024.
The scope
The PDPL governs any kind of automatic or manual processing of personal data, including collecting, using, storing, sharing, transferring, or updating the personal data of Saudi Arabia and United Arab Emirates residents. The legislation is extraterritorial, which means it applies to both public and private organizations, located in or outside of Saudi Arabia or the UAE, that process personal data related to Saudi or UAE residents.
How it defines personal data
The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including but not limited to: name, driver’s license number, phone number, email address, or social security number.
Personal data used for personal or household purposes is exempt from the PDPL. The law also protects the personal data of deceased individuals if it could lead to the identification of the deceased or their family members specifically.
How it defines sensitive personal data
Sensitive personal data refers to certain types of personal data that require special handling. It includes the following:
- Ethnic or tribal origin
- Religious, intellectual or political beliefs
- Membership in civil associations or institutions
- Criminal and security data
- Credit data
- Genetic data
- Health data
- Location data
- Biometric data
- Data indicating that one or both of an individual's parents are unknown
Key requirements under PDPL
Collect valid user consent
The PDPL requires organizations to collect user consent that is given freely and obtained separately for each processing purpose before the processing takes place. Data subjects may withdraw their consent to the processing of personal data at any time. Controllers cannot make consent a condition of using a service unless the processing directly relates to or enables the service.
Consent for processing the personal data of children must be obtained from a parent or legal guardian.
There are exemptions to the requirement for data subject consent, including in the following cases:
- The data processing serves the data subject’s “actual interests” (known as “legitimate interest” under the GDPR).
- The data processing is carried out in compliance with another law, to fulfill a contract, or to implement an agreement.
- The controller is a public entity and the processing is required for security or to fulfill judicial purposes or requirements.
- The processing is necessary to achieve the controller’s lawful interest and the data is not considered sensitive.
Respect data subject rights
Like most other data protection regulations globally, the PDPL ensures that all data subjects are guaranteed certain rights:
- Right to know – Users have the right to be informed about the controller’s name and contact information and data processing details, such as types and purposes of data processing, how long the data will be retained, how the data will be collected and used, and who it will be shared with.
- Right to access – Users have the right to access their personal data and to have it available to the control authority.
- Right to correction – Users have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.
- Right to deletion – Users have the right to request the deletion of personal data if it is no longer needed by a business.
- Right to portability – Users can obtain their personal data in a legible and clear format and request their personal data to be transferred to another controller.
The data controller must fulfill these requests within 30 days and record all data subject requests received.
Controllers can restrict a personal data subject’s request to exercise their rights if it is to protect the individual or others from harm, maintain security, or fulfill another law or judicial requirement.
Follow the requirements for data transfers
Controllers are required to store and process personal data within the geographical boundaries of Saudi Arabia. Personal data transfers or disclosure to parties outside of the Saudi Kingdom are restricted, though allowed in cases of:
- Extreme necessity, for example, lifesaving measures.
- For purposes determined by the PDPL.
- When governed by a formal agreement that the Kingdom is a party to or that serves its interests.
The following purposes and conditions are applicable in most cases to allow the transfer of personal data outside the Saudi Kingdom:
- The transfer must not harm national security or the Kingdom’s vital interests.
- The data must be protected to prevent its leakage or disclosure.
- The transfer is limited to the minimum amount of data required.
- The transfer was approved by the competent authority, as determined by the regulation.
Keep records of processing activities
Businesses must keep records of their personal data processing activities for a specified time (set by the government). These records must also be made available to the authorities when requested. The records should include:
- Contact details.
- The purpose for processing that personal data.
- The categories of individuals.
- Any party to whom data has been (or will be) disclosed.
- Data retention period.
Apply purpose limitation and data minimization
The purpose of collecting personal data must relate directly to the owner's purposes, and the means of collection must be direct, clear, secure, and free from deception, misleading practices, or extortion.
Personal data collected must be appropriate and limited to what is necessary to achieve the primary purpose. If the collected data is no longer necessary, data controllers must stop collecting or storing it and immediately destroy it.
Create and maintain a privacy policy
The PDPL requires that organizations adopt a privacy policy and make it available to data subjects to review before collecting their data. This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed and destroyed, the rights of its owner, and how these rights will be exercised.
A privacy policy or notice must be regularly reviewed and updated, and data subjects must be notified about changes to the policy.
Adopt appropriate security measures
Businesses must take the necessary administrative, technical and organizational measures to maintain the security of personal data, including when it is transferred to another party.
Notify authorities about data breaches
When a business discovers that personal data has been breached, i.e., leaked, damaged, or illegally accessed, it must immediately notify the competent authority. If the breach would cause serious harm, it must also notify the affected individuals immediately.
Conduct impact assessments
A business should always assess the impact of processing personal data, including the purpose for which it is being processed. If personal data is no longer needed, data collection should be stopped immediately.
Appoint a data protection officer (DPO)
In many cases, controllers are required to appoint one or more employees as a data protection officer (DPO), responsible for the controller's obligations under the law and for the organization's data privacy operations and compliance.
Select the right data processors
When choosing the processing party, organizations must select an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must continually verify that entity’s compliance with its instructions in all matters relating to the protection of personal data. There must be a contractual agreement outlining the rights and obligations of both parties.
Penalties for non-compliance
Anyone who discloses or publishes sensitive data in violation of the provisions of the law is subject to a maximum penalty of two years in prison and a fine not exceeding SAR 3 million ($800,000), or either of these penalties.
Anyone who violates the provisions of cross-border data transfer is subject to a maximum imprisonment of one year and a fine not exceeding SAR 1 million ($267,000), or one of these two penalties.
For violations of all the other provisions, businesses will be issued a warning or a fine not exceeding SAR 5 million ($1.3 million). The imposed fine may be doubled for repeated violations (not exceeding SAR 10 million).