Privacy in the Kingdom: A Guide to Saudi Arabia’s Personal Data Protection Law

The Kingdom of Saudi Arabia joins the growing list of nations with a comprehensive data protection law. Published September 24, 2021, the Personal Data Protection Law (PDPL) seeks to protect the personal data of individuals residing in Saudi Arabia, regardless of citizenship. The full text of the law is available here. The law regulates the collection, processing, and use of personal data in Saudi Arabia. In addition, the PDPL establishes rules and obligations related to data classification, data sharing, data privacy, freedom of information, and open data.

Effective date: March 23, 2022

Regulator: The Saudi Data & Artificial Intelligence Authority (“SDAIA”).

Who is covered by the law?

The Personal Data Protection Law applies to any processing of personal data that takes place in Saudi Arabia, and to processing by organizations outside the Kingdom of personal data belonging to individuals residing in the Kingdom. Organizations operating in Saudi Arabia and foreign organizations processing the data of Saudi residents have one year from the effective date to comply with the PDPL. The law also covers sensitive personal data, including genetic, credit, and financial data.

Data Owner Rights:

Individuals, defined as "data owners" by the PDPL, are given the right to access, correct, complete, or update their personal data, and to request the destruction or deletion of that data. Before collection begins, data controllers must inform individuals of the legal and practical justification for collecting their personal data and the purpose for which it will be used; the data owner has the right to know that purpose.

Data Controllers:

1) Data controllers must register with the SDAIA and pay an annual fixed fee.

2) Personal data may not be used for marketing without first obtaining consent, and data owners must be given the option to opt out.

3) Entities located outside the Kingdom must appoint a representative based in the Kingdom.

4) Personal data obtained through an employment or contractual relationship must remain confidential even after that relationship ends.

5) If a data owner corrects or updates their data, the data controller must notify every other party to whom that data has been disclosed.

Data Collection:

As a general rule, a data controller may only collect personal data directly from its owner, and may only process that data for the purpose for which the owner gave consent at collection.

Data Transfer Restrictions:

Except in limited circumstances, the data controller may not transfer personal data outside the Kingdom or disclose it to a party outside the Kingdom. Exceptions apply where the Kingdom is a party to the arrangement, where the transfer serves the interests of the Kingdom, or for other purposes set out in the regulations.

Where a transfer is permitted, data controllers must sufficiently guarantee the confidentiality of the personal data so that the level of protection required by the PDPL and other regulations is preserved, and the transfer or disclosure must be limited to the minimum amount of personal data needed. The competent government authority grants exceptions on a case-by-case basis.

Record Keeping:

The Kingdom requires data controllers to keep records of their processing activities for a period that depends on the nature of the activity. The SDAIA may request these records, which must include the following:

1) The data controller's contact information.

2) The purpose of processing the personal data.

3) A description of the categories of data owners whose personal data is processed.

4) Any party to whom personal data has been, or will be, disclosed.

5) Whether personal data has been, or will be, transferred outside the Kingdom or disclosed to a party outside of the Kingdom.

6) The period the data controller expects to retain personal data.

Data Destruction:

The controller must destroy personal data as soon as the purpose for which it was collected has ended. A data controller may retain the data beyond that point only if it has been anonymized so that it no longer identifies the data owner.

Notification:

Organizations that suffer a breach, leak, or other unauthorized access to personal data must notify the SDAIA and the affected data owners as soon as the data controller becomes aware of the incident.

Marketing:

Except for sensitive data, data controllers may process personal data for marketing purposes only if the data was collected directly from its owner and the owner has given consent. Controllers must also offer the ability to opt out.

Consent:

Data controllers may not process personal data, or change the purpose for which it is processed, without the consent of its owner. Consent must be given in writing, and data owners can withdraw it at any time.

Penalties:

Wrongful disclosure or publication of sensitive data with the intent to cause harm or obtain a personal benefit can result in a fine of up to three million Saudi Arabian Riyals (SAR) (approximately USD $800,000) and up to two years in prison. Other violations carry up to one year in prison and further penalties determined by the government.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with PDPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and find more resources here.

Note: Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.