The Saudi Arabia Personal Data Protection Law (PDPL)
Saudi Arabia has officially introduced the PDPL, its data protection law. The legal framework was issued by royal decree and published in the Kingdom's Official Gazette (Umm Al-Qura) on September 24, 2021.
Subsequently, amendments were confirmed in March 2023, paving the way for the law to come into effect in September of the same year, with enforcement beginning a year after that. This regulation is set to have a significant impact on businesses operating within the Saudi Arabian jurisdiction. It is important for organizations to comprehend its nuances and implications to achieve and maintain compliance in their operations when processing personal data.
What is Saudi Arabia’s Personal Data Protection regulation?
The Saudi Arabia Personal Data Protection Law (PDPL) is the first comprehensive data privacy law passed in the Kingdom. It was passed by royal decree in September 2021, with amendments passed on March 23, 2023. It came into effect on September 14, 2023, followed by a one-year grace period before enforcement began in September 2024. Note that the PDPL applies to the Kingdom of Saudi Arabia only; the United Arab Emirates has its own separate federal data protection law.
The PDPL is designed to protect the privacy of consumers’ personal data, prevent unauthorized use of it, and regulate how it can be shared. The PDPL takes inspiration from the European Union’s General Data Protection Regulation (GDPR) and is aligned with other international protection regulations. It has the standard principles and responsibilities, like purpose limitation, data minimization, data controller responsibilities, data subjects’ rights, and penalties for violations. The PDPL also requires prior consent for data processing of personal information.
Key definitions in the Saudi Personal Data Privacy Law
While some specific terminology in the PDPL may look different from other privacy laws, this may be a function of translation, and the definitions themselves are largely standard.
How the PDPL defines adequacy list
The regulatory body prepares a list of countries deemed to provide adequate protection for personal data and data subjects’ rights. Regular reviews and updates to the list are required.
How the PDPL defines anonymization
“Removing any direct or indirect characteristics from the Personal Data, that may make the Personal Data Subject specifically identified.”
How the PDPL defines personal data subject
A private person/individual residing in Saudi Arabia, who has rights regarding their personal data, its privacy and protection, and whose information may be processed by organizations. Personal data of residents is also protected when it is processed by entities located outside the Kingdom.
How the PDPL defines child
Any person under the age of 13; consent to process their personal data must be obtained from a parent or legal guardian.
How the PDPL defines codes of conduct
“Set of general rules and specific responsibilities approved by the Regulatory Authority, which Controllers and Processors are obligated to comply with, to face the challenges relating to protection of Personal Data in a specific sector, in order to establish a system of proper practices in that sector and to comply with that system.”
How the PDPL defines regulatory authority
The authorities responsible for regulating or overseeing the law: any government entity with an “independent public personality” and powers, duties, and responsibilities over a certain sector in the Saudi Kingdom.
These authorities are responsible for PDPL enforcement, public education of individuals and organizations, and penalizing violators. The Saudi Data and Artificial Intelligence Authority (SDAIA) will be the specific relevant authority for the first two years of the law being in force.
How the PDPL defines consent
Consent must be obtained before or at the time of processing. It must be “clear and unambiguous”.
Explicit consent: “Verbal or written consent that is express, specific and given freely by the Data Subject, proving that the Data Subject agrees to process their Personal Data.”
The PDPL specifies that the “Controller shall obtain consent by any appropriate means or in any appropriate form, including by means of written consent forms, electronic forms, settings in applications, verbal consent or Implied Consent if allowed.”
How the PDPL defines means of communication and notification
The PDPL lists specific acceptable information for controller and data subject communication. Where possible, personal data subjects may change the preferred mode of communication. The acceptable means must be “valid and effective” and include:
- text messages to authenticated mobile phones
- accounts registered in government automated systems
- postal mail
- applications’ notifications and alerts
- any other electronic means designated for that purpose and recognized in the Saudi Kingdom
How the PDPL defines personal data
Any information that can specifically identify a person or lead to their identification, alone or combined with other information (definition of personally identifiable information). Examples include: name, phone number, email address, or driver’s license number.
How the PDPL defines sensitive personal data
Certain types of personal data, which, if damaged, lost, or misused, could cause harm to data subjects, including information inferred from:
- ethnic or tribal origin
- religious, intellectual or political beliefs
- membership in civil associations or institutions
- criminal and security data
- credit data
- genetic data
- health data
- location data
- biometric data
- data indicating that one or both of an individual’s parents are unknown
How the PDPL defines profiling
“Automated Processing of Personal Data and using such Personal Data to analyse and assess certain personal aspects of the Data Subject, and to forecast aspects relating to the Data Subject’s performance at work, financial status, health, personal preferences, interests, behaviour, location or movement, for the purpose of creating a profile of the Data Subject.”
How the PDPL defines scope of application
The PDPL applies to any processing of personal data related to individuals that takes place in the Kingdom by any means, including processing of Saudi residents’ data by entities located outside the Kingdom. The one exclusion is personal or household processing, defined as:
“Processing personal data by an individual within their family or within their limited social circle taking part in any social or family activity.”
This exclusion does not cover public disclosure of personal data or using it for “professional, non-profit or commercial activity.”
What organizations have to comply with the Saudi data privacy law?
The PDPL is extraterritorial: both private and public organizations processing the personal data of Saudi Arabia’s residents must comply, even if they are located outside of Saudi Arabia.
Processing refers to: collection, use, sharing, updating, transfer, or storage of personal data, whether done manually or automatically. Sensitive personal data is also a category included, requiring special protection and handling.
For many organizations a Data Protection Officer will be appointed. They are responsible for compliance, personal data subject requests, data breaches, working with authorities, training, and more.
What rights does the PDPL give consumers?
The Saudi data privacy law does not overrule any other law or statute that provides data subjects with even more protection for privacy and personal data. The law also covers the personal data of deceased persons if it could be used to identify them or family members.
Specific rights for personal data subjects under the PDPL:
- Right to know: information about the controller and data processing, including:
- name of controller (with some exceptions)
- contact information
- types of personal data processed
- purpose of processing
- legal justification for processing
- period for which personal data collected is kept
- how the personal data is collected and used
- entities that data may be shared with
- data sources personal data will be collected from (if not publicly available)
- Right to access: confirmation if the controller is processing the consumer’s personal data and access to it with some exceptions
- Right to correction: also completion or update of any inaccurate or outdated information the controller has on the data subject
- Right to deletion: or destruction of any personal data the controller has about or from the consumer, with some exceptions
- Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a legible and clear format, with some exceptions
If fulfilling a data subject’s request to exercise their rights under the PDPL would risk harm to them or others, or contravene another law or judicial requirements, controllers can refuse or restrict compliance with requests.
What is required for consent to be valid under the PDPL?
Consent is the main legal basis for data processing under the Saudi privacy law. Legitimate interest was added as a legal basis by the 2023 amendments to the law, but it does not apply to the processing of sensitive personal data.
PDPL requirements for valid data subject consent are:
- notification of the reason(s) for the consent request and the legal justification or practical need for it
- notification that data processing will be limited to the minimum amount of data needed to fulfill the stated purpose (purpose limitation and data minimization)
- notification of all purposes for data processing and consent options
- notification of the right to withdraw consent at any time
- establish procedures to enable withdrawal of consent (which must be as easy as those for obtaining consent)
- obtaining and documenting explicit consent in a provable and auditable way
- obtain consent in writing for sensitive personal data processing
- obtain consent from a legal guardian for processing of personal data of a person who is a child, legally incompetent, or deceased
Exemptions from data subject consent requirements:
- data processing serves the data subject’s “actual interests” and communicating with the data subject is impossible or difficult (closest to “vital interests” under the GDPR)
- data processing is pursuant to another law, contract fulfillment, or implementation of an agreement
- controller is a public entity and the processing is required for security or to fulfill judicial purposes or requirements
- processing is required to achieve the controller’s lawful interest and the data is not sensitive
How does the PDPL require children’s data to be processed?
Consent for processing the personal data of children must be obtained from a parent or legal guardian.
What responsibilities do companies have under the Saudi data protection law?
Notification requirements for personal data subjects
Companies must comply with the PDPL if they process the personal data of Saudi Arabia’s residents. Organizations must notify data subjects about what data is processed and for what purpose, what entities the data may be shared with, what data subjects’ rights are, and how to exercise them.
Requirements for international transfers of personal data
By default, data controllers must process and store the personal data they collect within the geographical boundaries of the Saudi Kingdom. Under some circumstances, and provided there is no security risk, data can be stored or processed outside of the Kingdom. However, a prior impact assessment must be completed and written approval obtained from the regulatory authority, which is granted on a case-by-case basis.
Saudi government-affiliated entities abroad are exempt from the international data transfer requirements. For everyone else, transfers or disclosures to parties outside the Saudi Kingdom remain restricted but are permitted in cases of extreme necessity, such as life-saving measures, for purposes determined by the PDPL, or when governed by a formal agreement to which the Saudi Kingdom is party and/or that serves its interests.
The following purposes and conditions are applicable in most cases to allow the transfer of personal data outside the Saudi Kingdom:
- there is not a risk to national security or the Kingdom’s vital interests in transfer or disclosure of the personal data
- guarantees of preservation and confidentiality of the personal data are sufficient and to the standards of the law and regulations
- transfer or disclosure is limited to the minimum amount of data necessary
- approval from the regulatory authority has been obtained
If personal data is to be transferred to a country not on the Adequacy List, an impact assessment must be completed and appropriate safeguards employed. Additionally, the regulatory authority can issue an exemption to a controller for one of the transfer conditions if it has been adequately assessed that there will be an appropriate level of protection for the personal data transferred or disclosed, and it is not sensitive data.
Consent requirements and conditions under the PDPL
The PDPL requires prior consent, or opt-in, before any collection or processing of personal data, or re-obtain consent if the purposes for data processing change. Data subjects must also be able to withdraw consent at any time. Consent cannot be a condition of accessing or using a service unless processing directly enables the service.
Data processing purpose limitations and data minimization
Most international data privacy laws, including the PDPL, require that controllers only collect and process the minimum amount of personal data that fulfills the stated and necessary purpose(s). The minimum amount of data under the PDPL refers to:
- appropriate and necessary to achieve the specified purpose, also directly related to that purpose
- necessity limitation to achieve the purpose and without any additional data collection
- exercising care to reasonably benefit from technological capabilities that help achieve the purpose without collecting unnecessary data
- documenting procedures to determine the content of the personal data in accordance with the law
Retention period for personal data
Personal data must not be retained any longer than necessary for the purpose for which it was collected. Once that purpose has been fulfilled, all further collection must cease and the data must be destroyed without delay, unless another law requires it to be kept.
Consent management for marketing
When there is personal data processing for marketing activities, controllers must enable data subjects to opt out or withdraw consent at any time, via a clear mechanism on their website.
Personal data processing for advertising
Controllers must obtain valid and explicit consent from the data subject before they can be contacted for advertising purposes or “awareness-raising material” via physical or electronic means. If consent cannot be documented and verified, or if it’s only implied, it is not valid.
Controllers must also comply with the following:
- notify data subjects of how advertisements are sent
- explain and provide a clear mechanism, accessible at any time, to stop receiving such material
- stop sending advertising as soon as the data subject requests it
- make requesting that advertising be stopped, and fulfilling that request, free of charge
- obtain the necessary licenses from authorities and adhere to advertising rules and requirements
- clearly display the sender’s name in every advertisement and never conceal it in any manner
- maintain records of the times and methods of data subjects’ consent
- send advertisements only from the entity to which data subjects have given their consent, and not from a third party, with limited exceptions
In addition, the privacy notice given to data subjects at or before collection must state:
- the legal basis for personal data collection
- the purpose(s) of personal data collection, including which data is mandatory for the purpose
- the identity of the person or organization collecting personal data
- data subjects’ rights
- the risks and consequences of not collecting the personal data
- the address of the data controller’s representative
Data Protection Officer (DPO)
Controllers are required to appoint an employee (or more than one) as a Data Protection Officer in many cases. This person has responsibilities for the controllers’ obligations to the law as well as the organization’s data privacy operations and compliance.
The DPO is the contact person for the regulatory authority and responsible to carry out the authority’s decisions and instructions. They also oversee and enable:
- data breaches or other violation response
- data subject access requests (exercising their rights)
- training for employees
- data protection impact assessment procedures and audits
Data processors contracts
Data controllers must ensure that data processing vendors and partners provide strong guarantees of PDPL compliance. This includes adequate personal data security, risk assessments, and reviews. All parties must comply with conditions set by the regulatory authority.
The controller must have a contractual agreement with all processors, which includes all parties’ rights, obligations, and the requirements of the data processing work. Like with notifications to data subjects, these contracts must also outline the purpose of processing, and categories and types of data to be processed.
Processors that are contractually engaged with one controller must obtain that controller’s approval before they can enter into a new contract with another controller or other party to process personal data.
If a data breach or other unauthorized access or damage to personal data occurs, or there is a risk of one, the processor must notify the controller immediately.
Saudi Arabia’s data privacy act penalties and enforcement
Receipt of notification of violations, investigation, and actions taken fall under the responsibility of multiple entities.
Complaint submission and enforcement authorities
The Saudi Data and Artificial Intelligence Authority (SDAIA) will be primarily responsible for enforcing the PDPL within the borders of Saudi Arabia. In the law’s text, enforcement authorities are referred to as the Competent Authority and Regulatory Authority. The Public Prosecution Office will have responsibility for investigation and prosecution of violations.
The SDAIA will oversee the implementation of the law, advise organizations on operational compliance and keep track of data subjects rights requests for the first two years, in addition to other duties like levying penalties for violations. After that, supervision will be transferred to the National Data Management Office (NDMO).
Violation Detection Officers will investigate complaints and alleged violations. Individuals can make reports or complaints of violations to these Officers. The authorities must ensure “speedy and quality” procedures for complaints and communications. They can also request evidence or additional information about issues from relevant parties.
Complaints from data subjects should be made within 60 days of the violation or when the data subject became aware of it. Either Authority may review cases and notify the complainant of the outcome.
Notifications for data breaches
A breach can include a leak of, illegal access to, or damage to or destruction of personal data. If an organization discovers a personal data breach, it must notify the regulatory authority immediately. Victims of the breach also need to be notified immediately if there is a risk of the breach causing them serious harm.
Fines and penalties
If a controller or other entity is found to have violated the PDPL, the penalty can range from a warning to a fine of up to SAR 5 million (~€1.19 million or ~US $1.33 million). For repeat offenses, the court may double the fine, up to SAR 10 million.
Violations involving cross-border data transfer are subject to imprisonment for a maximum of one year and/or a fine up to SAR 1 million (~€ 237000 or ~US $266,000).
Any entity that publishes or otherwise discloses sensitive personal data with the intent to cause damage to the data subject or to achieve personal benefit is subject to imprisonment for up to two years and/or a fine of up to SAR 3 million (~€711,000 or ~US $800,000).
How can companies comply with the Saudi data privacy law?
If an organization is already GDPR-compliant, much of the work toward PDPL compliance has been done. All entities processing personal data of Saudi residents need to familiarize themselves with the particulars of the Saudi privacy law and consult qualified legal counsel and/or their Data Protection Officer.
Operations should include data inventories and audits to accurately classify data and its level of sensitivity. Organizations should implement other data privacy best practices as well, such as:
- formalizing and regularly reviewing policies and processes, including those for data breach response
- maintaining a robust training program for employees
- managing data subject access requests in a timely manner
Clearly communicate with data subjects about data processing and their rights, and obtain valid consent for collecting and processing their personal data. Ensure consent can be easily changed or revoked.
Clearly document data flow and processes for cross-border data transfers and ensure the adequacy list of countries is up to date.
Implement robust technical and organizational measures to secure and protect data, and conduct data protection impact assessments, vendor assessments, and other similar measures.
Determine if it is necessary to appoint a Data Protection Officer and/or a representative in Saudi Arabia if operations are not located there. Organizations should also be registered in the Kingdom.
Notify data subjects via the privacy notice about data processing activities, and about any changes to them when they are reviewed and updated. A consent management platform (CMP) can help websites and apps manage cookie consent.
If you have questions or concerns about data privacy compliance, or interest in implementing a consent management platform to help achieve compliance with regulations around the world, check your website’s compliance today or start a free 14-day trial of Cookiebot CMP.
Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.