The Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443 AH (September 16, 2021), amended pursuant to Royal Decree No. M/148 dated 05/09/1444 AH (March 27, 2023). The law came into effect on September 14, 2023, and data controllers are given 12 months to comply.
The “Implementing Regulation of the Personal Data Protection Law” and the “Regulation on Personal Data Transfer outside the Kingdom” provide further guidance regarding the enactment of said law.
The Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation. The SDAIA is a government agency directly chaired by the Crown Prince and the Prime Minister.
Aside from the PDPL, sector-specific legislation may impact the collection, use and disclosure of personal data, such as:
- the Anti-Cyber Crime Law of 2007;
- the Telecommunication and Information Technology Act;
- the Electronic Commerce Law;
- the Electronic Transactions Law;
- the Law of Practicing Healthcare Professions; and
- the Payment Service Provider Regulatory Guidelines issued by the Saudi Central Bank (SAMA).
However, for the sake of brevity, this chapter will exclusively tackle the provisions of the PDPL.
The PDPL applies to any processing of personal data relating to individuals, carried out by a controller or a processor falling within the territorial scope of the law (see Question 3, below).
The PDPL does not apply to the processing of personal data by individuals within their family or limited social circle as part of any social or family activity, except when:
- personal data is published (available to the public) or is disclosed to any person outside the definition of personal or family use; or
- personal data is being used for professional, commercial, or non-profit purposes.
The PDPL is also applicable when processing the data of a deceased person if it would lead to them or a member of their family being identified specifically.
The PDPL applies to all processing of personal data carried out in the territory of the Kingdom of Saudi Arabia, as well as to all processing of personal data of natural persons located within the territory of the Kingdom carried out by an organization located outside the Kingdom.
The PDPL regulates any operation carried out on personal data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
The PDPL regulates the processing of any data, regardless of its source or form, that may lead to identification of an individual specifically, or that may directly or indirectly make it possible to identify an individual.
Anonymized data, defined as data that contains no direct or indirect identifiers indicating the identity of a data subject, such that identifying them is permanently impossible, is not considered personal data.
This is, however, not the case for pseudonymized data, defined as data in which the main identifiers of the data subject have been converted into codes, so that the data subject cannot be directly identified without using additional information.
The PDPL and its regulations require that additional controls and procedures be set out for the processing of certain categories of personal data, such as:
- health data;
- credit data;
- sensitive data; and
- official documents.
Consent as a legal basis for processing personal data
The PDPL states that personal data may not be processed, nor may the purpose of personal data processing be changed, without the consent of the data subject. Moreover, data subjects’ consent may not form a condition of providing a service or a benefit, unless such a service or benefit is directly related to the processing of personal data for which the consent is given.
Controllers shall obtain the data subjects’ consent based on these conditions:
- consent shall be given freely and not obtained through misleading methods;
- processing purposes shall be clear, specific, and shall be explained and clarified to the data subject before requesting consent;
- consent shall be given by a person who has full legal capacity (a legal guardian can act on behalf of a data subject that partially or fully lacks the legal capacity, on the condition that the legal guardian acts in the best interests of the data subject);
- consent shall be documented in a way that allows verification in the future; and
- independent consent shall be obtained for each processing purpose.
The data subject’s consent shall be explicit when:
- the processing involves sensitive data or credit data; and
- decisions are made solely on the basis of automated processing of personal data.
Data subjects have the right to withdraw their consent for processing their personal data at any time, and they shall inform the controller of this through any available means.
Other legal bases for processing personal data
Processing of personal data shall not be subject to the consent of data subjects if:
- the processing serves the actual interests of the data subject, but communicating with the data subject is impossible or difficult;
- the processing is provided for by another law or a previous agreement to which the data subject is party;
- the controller is a public entity, and the processing is required for security purposes or to satisfy judicial requirements; or
- the processing is necessary for the purpose of the legitimate interest of the controller, without prejudice to the rights and interests of the data subject, and provided that no sensitive data is to be processed.
In addition, personal data may be collected or processed for scientific, research, or statistical purposes without the consent of the data subject if:
- said data does not specifically identify the data subject;
- evidence of the data subject’s identity will be destroyed during the processing and prior to disclosure of such data to any other entity, if it is not sensitive data; and
- the collection or processing of personal data for these purposes is required by another law or by an agreement to which the data subject is party.
To carry out personal data processing, a controller should abide by the obligations set out below.
General data protection principles
- The purpose for which personal data is collected shall be directly related to the controller’s purposes and shall not contravene any legal provisions.
- The methods and means of personal data collection shall not conflict with any legal provisions, shall be appropriate for the circumstances of the data subject, shall be direct, clear and secure, and shall not involve any deception, misleading or extortion.
- The content of the personal data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the collection.
- If the personal data collected is no longer necessary for the purpose for which it was collected, the controller shall, without undue delay, cease collecting it and destroy the personal data previously collected.
- The controller shall only select processors providing the necessary guarantees to implement the provisions of the PDPL and its executive regulations and shall monitor the compliance of said processors.
- The controller shall implement all the necessary organizational, administrative, and technical measures to protect personal data, including during their transfer.
Obligations regarding indirect collection of personal data
When the controller is a public entity, and the collection or processing of the personal data is required for public interest or security purposes, or to implement another law, or to fulfil judicial requirements, the controller may collect personal data from a source other than the data subject and may process personal data for purposes other than the ones for which they have been collected.
In all other cases, when the controller processes personal data collected from a source other than the data subject directly, the controller shall take into account that the processing should:
- be necessary and proportionate to the specified purpose; and
- not affect the rights and interests of the data subject.
Appointment of a data protection officer
The controller shall appoint a data protection officer to be responsible for the protection of personal data in the following cases:
- where the controller is a public entity that provides services involving the processing of personal data on a large scale;
- where the primary activities of the controller consist of processing operations that require regular and continuous monitoring of individuals on a large scale; and
- where the core activities of the controller consist of processing sensitive personal data.
Data breach notification
The controller shall notify the competent authority within a period not exceeding 72 hours of becoming aware of any breach, damage, or illegal access to personal data.
Such notification should include the following information:
- a description of the personal data breach incident, including the time, date, and circumstances of the breach and the time when the controller became aware of it;
- data categories, actual or approximate numbers of impacted data subjects, and the type of personal data;
- a description of the risks of the personal data breach, including the actual or potential impact on personal data and data subjects, and the actions and measures taken by the controller to prevent or limit the impact of those risks, as well as the future measures that will be taken to avoid a recurrence of the breach;
- a statement on whether the data subject has been notified of the breach of their personal data; and
- the contact details of the controller or its data protection officer.
The controller shall also notify the data subject of any breach, damage or illegal access to their personal data that would cause damage to their data or cause prejudice to their rights and interests.
Records of personal data processing activities
The controller should maintain a record of personal data processing activities containing:
- the contact details of the controller;
- information about the data protection officer;
- the purpose of the personal data processing;
- a description of the categories of personal data subjects;
- details of any other entity to which personal data has been, or will be, disclosed;
- a description of the procedures and measures in place to ensure the security of personal data;
- a statement on whether the personal data has been or will be transferred outside the Kingdom or disclosed to an entity outside the Kingdom; and
- the expected period for which personal data shall be retained.
Data protection impact assessment
The controller shall conduct an impact assessment for personal data processing in the following cases:
- processing of sensitive data;
- collecting, comparing, or linking two or more sets of personal data obtained from different sources;
- where the activity of the controller includes continuous and large-scale processing of personal data of those who fully or partially lack legal capacity, or processing operations that by their nature require continuous monitoring of data subjects, or processing personal data using new technologies, or making decisions based on automated processing of personal data; and
- providing a product or service that involves processing personal data that is likely to cause serious harm to the privacy of data subjects.
Registration in the National Register of Controllers
The controller, when required by the SDAIA’s rules, shall register in the National Register of Controllers.
Data subject rights
Data subjects have the right to:
- be informed about the legal basis and the purpose of the collection of their personal data, as well as the means used for collection, processing, storage and destruction, and be informed about their rights and how to exercise such rights;
- access their personal data, held by the controller;
- request to obtain their personal data from the controller in a readable and clear format;
- request the correcting, completing, or updating of their personal data, held by the controller;
- request the destruction of their personal data by the controller; and
- submit to the SDAIA any complaint that may arise out of the implementation of the PDPL.
Limitation of data subject rights
The controller shall prevent the data subject from accessing personal data if such disclosure:
- represents a threat to security, harms the data subject, or other parties, or the reputation of the Kingdom, or conflicts with its interest;
- negatively impacts the rights of others, such as intellectual property rights or trade secrets;
- affects the Kingdom’s relations with any other state;
- prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures;
- results in violation of the privacy of an individual other than the data subject; or
- conflicts with the interests of a person that fully or partially lacks legal capacity.
The controller may set time frames for exercising the right to access personal data.
Controllers may process personal data (except for sensitive data) for marketing purposes by:
- obtaining the consent of the data subject;
- providing a mechanism enabling the data subject to opt out, and ensuring that the opt-out procedure is as easy and straightforward as giving consent;
- clearly identifying the identity of the sending entity; and
- immediately ceasing to send marketing material when the data subject withdraws their consent.
A controller may transfer personal data outside the Kingdom of Saudi Arabia or may disclose it to a party outside the Kingdom if such a transfer:
- is related to performing an obligation under an agreement to which the Kingdom is party;
- would serve the interest of the Kingdom;
- is necessary to perform an obligation by the data subject; or
- would serve the purposes as mentioned in the regulations on personal data transfer outside the Kingdom.
While transferring personal data outside the Kingdom, the controller should abide by the following conditions:
- The transfer or disclosure of personal data shall not cause any prejudice to national security or vital interests of the Kingdom.
- An adequate level of protection for personal data should be ensured outside of the Kingdom. Such a level of protection shall be at least equivalent to the level of protection guaranteed by the law and regulations, according to the results of an assessment conducted by the SDAIA.
- The transfer should be limited to the minimum amount of personal data needed.
Moreover, in the absence of an adequate level of protection of personal data in the destination jurisdiction, personal data may nevertheless be transferred by implementing one of the following appropriate safeguards, as approved by the competent authority:
- binding common rules;
- standard contractual clauses;
- certification of compliance by an entity authorized by the competent authority; and
- binding codes of conduct.
The controller must conduct a risk assessment for the transfer of personal data outside the Kingdom or disclosure to a party outside the Kingdom in any of the following cases:
- when the transfer is based on the aforementioned appropriate safeguards;
- when the appropriate safeguards for transfer of personal data outside the Kingdom are not required; or
- when continuous or large-scale transfer of sensitive personal data is to be conducted outside the Kingdom.
The SDAIA, as the national competent authority, has the power to:
- oversee the implementation of the PDPL and its executive regulations;
- require controllers to communicate documents and other information to attest to their compliance with the PDPL and its executive regulations;
- specify the appropriate tools and mechanisms to monitor compliance with the PDPL, such as holding the national register for controllers;
- receive and take actions regarding complaints of data subjects;
- grant licenses to entities that issue accreditation certificates to controllers and processors;
- grant licenses to entities that conduct audits or checks of personal data processing activities related to the controller’s activity; and
- seize the means or tools used in committing a violation of the PDPL until a decision is made on it.
Without prejudice to any harsher penalty stipulated in another law, any individual who discloses or publishes sensitive data, in violation of the provisions of the PDPL, with the intention of harming the data subject or achieving a personal benefit, shall be punished with imprisonment for a period not exceeding two years, or a fine not exceeding SAR 3 million, or both.
In other cases, a warning or a fine not exceeding SAR 5 million shall be imposed on any person, natural or legal, who violates any of the provisions of the PDPL or its regulations.
A competent court may double the fines above in the case of repeated violations, even where this exceeds the stated maximum, provided that the resulting fine does not exceed double that maximum.
Also, any individual who suffers damage as a result of any of the violations stated in the PDPL or its executive regulations may apply to a competent court for proportionate compensation for the material or moral damage.