Omar Alrasheed Law Firm
What law(s) specifically govern personal data / information?
The Personal Data Protection Law (PDPL) was issued by Royal Decree M/19 on 16 September 2021 and came into effect on 17 October 2023. The PDPL is the first comprehensive data protection legislation in the Kingdom of Saudi Arabia (the “Kingdom”). Additionally, the Implementing Regulations of the PDPL (the “Regulations”) were issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) on 18 October 2023. These regulations provide further details on the implementation of the PDPL and clarify the obligations of data controllers and processors.
Other relevant laws that touch upon aspects of data protection and privacy include the Anti-Cyber Crime Law, the E-Commerce Law, and the Telecommunications and Information Technology Law (Telecom Act). However, the PDPL is the primary legislation that specifically governs personal data protection in Saudi Arabia.
What are the key data protection principles in this jurisdiction?
The key data protection principles are outlined in the PDPL and include:
- Lawful Basis: Personal data must be processed lawfully, fairly, and transparently.
- Purpose Limitation: Personal data can only be collected for specified, explicit, and legitimate purposes.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data should be kept in a form that allows for identification only for as long as is necessary.
- Integrity and Confidentiality: Personal data must be processed in a way that ensures its security and protects against unauthorised processing, loss, destruction, or damage.
- Accountability: Controllers and processors of personal data must implement appropriate technical and organisational measures to ensure compliance with the data protection principles and to demonstrate accountability.
What is the supervisory authority / regulator in charge of data protection?
SDAIA oversees the implementation of the PDPL within the Kingdom. Through its regulatory arm, the National Data Management Office (NDMO), SDAIA plays a crucial role in developing policies, governance mechanisms, standards, and controls for data and artificial intelligence. This framework ensures ethical and responsible use of data and AI technologies, and streamlines data management and standards to maintain consistency in AI development across various sectors. SDAIA is also responsible for devising controls to safeguard data privacy and security, which in turn contributes to the Kingdom's overall digital ecosystem and fosters trust in the nation's data-driven initiatives.
Is there a requirement to register with a supervisory authority / regulator?
The National Data Governance Platform (NDGP) was established by SDAIA to serve as the platform for registering entities subject to the PDPL. Through the NDGP, SDAIA has created a comprehensive resource that not only simplifies the registration process but also provides ongoing assistance to organisations as they navigate the complexities of data protection regulations.
By offering a combination of support, advice, and assistance, the platform ensures that organizations have the tools and knowledge necessary to protect personal data and maintain compliance with the PDPL.
Is there a requirement to notify the supervisory authority / regulator?
Yes, there is a requirement to notify the supervisory authority in certain circumstances.
According to Article 24 of the Regulations, data controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach. A personal data breach, as defined in the PDPL, refers to any incident that results in the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Data controllers must assess the potential risks associated with the breach and notify the SDAIA if it is likely to pose a risk to individuals' rights.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, both government and private entities can register online through the NDGP. This platform has been specifically designed to streamline the registration process and make it accessible and user-friendly for all entities seeking to comply with the PDPL.
The registration process on the NDGP is straightforward and efficient. Entities need to create an account on the platform and provide the necessary information, such as their organization's details, industry type, and the nature of their data processing activities. Once the account is created and the required information is provided, entities can submit their registration electronically.
What are the key data subject rights under the data protection laws of this jurisdiction?
Key data subject rights include:
Right to be informed: This includes informing the data subject of the legal justification for collecting their personal data, the purpose of the collection, the identity and reference address of the data collector, the entities to which the personal data may be disclosed, and their capacity; whether the personal data will be transferred, disclosed, or processed outside the Kingdom, the potential risks and consequences of not completing the data collection process, and the rights of the data subject.
Right of access: This includes requesting a copy of their personal data from the controller in a clear and readable format.
Right to request personal data correction: This includes requesting the correction, completion, or updating of personal data held by the controller.
Right to deletion/right to be forgotten: The data subject has the right to request that the controller destroy any of their personal data that is no longer needed.
Right to restriction of processing: The data subject may withdraw consent to process their personal data at any time, except in cases stipulated by the PDPL and its Regulations.
Right to withdraw consent: Data subjects can choose to revoke their previously given consent, and the data controller must respect this decision and cease processing the data. However, there may be certain exceptions to this right as stipulated by the PDPL and its Regulations. It is important for individuals to be aware of their rights and for organisations to have processes in place to handle consent withdrawals effectively.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, under certain circumstances, data controllers in Saudi Arabia may be required to appoint a Data Protection Officer (DPO).
The NDGP has an online guidance tool which helps identify whether or not the DPO appointment is mandatory: https://dgp.sdaia.gov.sa/wps/portal/pdp/services/servicesdetails/TooltoDeterminingDataProtectionOfficer
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, Article 25 of the Regulations of the PDPL mandates that data controllers conduct written and documented data protection / privacy impact assessments (DPIAs) in the following scenarios:
1. Processing of Sensitive Data.
2. Collecting, comparing, or linking two or more datasets of Personal Data obtained from different sources.
3. If the activity of the controller includes large scale and repetitive processing of Personal Data of those who lack full or partial legal capacity, or processing operations that by their nature require constant monitoring of Data Subjects, or processing Personal Data based on newly adopted technologies.
4. Making decisions based on automated Personal Data Processing.
5. Providing a product or service that involves Processing Personal Data that is likely to cause serious harm to Data Subject’s privacy.
This requirement helps ensure that organisations assess the potential risks associated with their data processing activities and take appropriate measures to mitigate those risks.
Does this jurisdiction have any specific data breach notification requirements?
Yes, Article 24 of the Regulations of the PDPL mandates data breach notifications to the SDAIA within 72 hours if the breach poses potential harm to personal data or data subjects. The notification should include breach details, such as the nature of the breach, affected individuals, and related risks. Prompt notification enables the SDAIA to assess the breach's impact and ensure appropriate protection measures.
What restrictions apply to the international transfer of personal data / information?
According to Article 29 of Saudi Arabia's PDPL, international transfer of personal data is restricted. Organisations must ensure compliance with the law by obtaining consent, ensuring adequate protection, implementing safeguards, and meeting specific conditions. Additional requirements apply to sensitive data or transfers to countries lacking adequate data protection laws. Compliance is crucial for secure and lawful data transfers.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The PDPL has extraterritorial effect, applying to organisations both within and outside the Kingdom. According to Article 2 of the PDPL, any processing of personal data within the borders of the Kingdom of Saudi Arabia is covered by the law. Additionally, organisations outside the jurisdiction may also be subject to the PDPL if their processing activities involve goods, services, or monitoring of behaviour related to individuals within the Kingdom. Organisations must understand and comply with the law's requirements to avoid potential penalties and legal consequences.
What rules specifically deal with marketing?
Articles 25 and 26 of the PDPL outline specific rules that address marketing-related activities, to ensure that data subjects' personal data is not misused for marketing purposes. The processing of sensitive data for marketing purposes is expressly prohibited under these articles, providing an additional layer of protection for data subjects.
Entities must secure the explicit consent of the recipient before sending any marketing materials. This ensures that individuals are aware of and have agreed to their personal data being used for marketing purposes. Entities are also required to provide a clear and easily accessible mechanism, as outlined in the Regulations, that allows recipients to opt out of receiving marketing materials. This ensures that individuals have control over the marketing communications they receive and can exercise their right to privacy.
Do different rules apply to business-to-business and business-to-consumer marketing?
The PDPL and its Regulations apply to both business-to-business (B2B) and business-to-consumer (B2C) marketing, but there may be differences in their application due to the nature of data subjects and purposes of data processing.
In B2B marketing, personal data may be collected from individuals representing businesses, whereas in B2C marketing, personal data is collected directly from consumers.
Consent is a crucial aspect for data processing in both cases. However, the type of data collected and the process of obtaining consent may vary. The usage of personal data for marketing purposes should be reasonable and within the expectations of the data subject, and businesses must respect the context of data collection and ensure that the data is used appropriately within the scope of the original consent.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?
Additional rules, such as the Digital Content Platforms Regulations from the Saudi Communications and Information Technology Commission (CITC), govern providers of digital content platforms and their usage including e-marketing. Organisations must adhere to these rules and ensure compliance to avoid potential penalties.
What rules specifically deal with cookies?
Cookie usage falls under the scope of PDPL and its Regulations, which require obtaining consent for processing personal data. The Digital Government Regulatory Authority has issued non-binding Guidelines for the Use of Cookies and Similar Technologies, emphasising transparency, consent, and user control. Organisations should follow these guidelines to ensure compliance with the PDPL and other relevant regulations.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Non-compliance with data protection laws in Saudi Arabia, including marketing laws, can result in several consequences. The PDPL grants SDAIA the power to impose penalties on violators, including:
Financial penalties: The PDPL allows for fines of up to Five Million Saudi Arabian Riyals (approximately 1.33 million USD) or 2% of annual revenue, whichever is higher, for certain violations. In some cases, the fine may be doubled.
Suspension of data processing activities: The SDAIA can order the temporary or permanent suspension of data processing activities in cases of non-compliance.
Administrative sanctions: Non-compliant entities may face administrative sanctions, such as warnings, rectification orders, or temporary or permanent suspension of operations.
Reputational damage: Non-compliance with data protection laws can lead to reputational damage, loss of customer trust, and potential financial losses.
It is crucial for organisations operating in the Kingdom to understand their obligations under the PDPL and other relevant laws and regulations and ensure compliance to avoid these potential consequences.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
In broad terms, multinational organisations processing personal data from individuals within Saudi Arabia without being physically present should be aware of the following key factors:
Extraterritorial applicability: The PDPL applies to organisations processing personal data of individuals within Saudi Arabia, regardless of whether the processing takes place inside or outside the Kingdom.
Legal basis for processing: Organisations must establish a clear legal basis for processing personal data, such as consent, contractual obligations, or legitimate interests, and ensure it aligns with the PDPL's requirements.
Data transfer restrictions: When transferring personal data outside of Saudi Arabia, organisations must ensure that an adequate level of protection is provided for the transferred data and comply with the PDPL's requirements for international data transfers.
Data subject rights: Individuals in Saudi Arabia have certain rights under the PDPL, such as the right to access, rectify, erase, and object to the processing of their personal data. Organisations must facilitate these rights and implement appropriate measures to ensure compliance.
Data breach notification: In the event of a data breach, organisations may be required to notify SDAIA within 72 hours and, in some cases, inform the affected individuals without undue delay.
Multinational organisations should seek professional legal advice to ensure full compliance with Saudi Arabia's data protection laws and regulations, given the complexity and potential consequences of non-compliance.
What upcoming data protection developments should multinational organisations be aware of?
Multinational organisations should be aware of the following upcoming data protection developments in Saudi Arabia:
- Full enforcement of the PDPL: SDAIA began full enforcement of the PDPL after the compliance transition period ended on 14 September 2024.
- Regulations: The PDPL's Regulations provide additional guidance and clarify certain provisions of the law. The SDAIA may update or amend these regulations over time, so organisations should monitor any changes and adjust their compliance strategies accordingly.
- Guidelines and industry-specific regulations: The SDAIA may issue additional guidelines or regulations to address specific sectors or data processing activities, such as healthcare, banking, or digital marketing. Organisations should stay informed of these developments and assess their impact on their operations.
- Global data protection trends: Multinational organisations should also monitor international data protection developments and best practices, as these may influence Saudi Arabia's data protection landscape. This includes trends in privacy by design, cross-border data transfers, and privacy-enhancing technologies.
Keeping up-to-date with these developments will help organisations ensure ongoing compliance and adapt their data protection strategies as needed.