On 16 September 2021, the Kingdom of Saudi Arabia (the Kingdom) approved the Personal Data Protection Law (the PDP Law) with significant implications for businesses active in the Kingdom in addition to investors considering transacting with persons in the Kingdom.
The PDP Law will come into effect 180 days after its publication in the Official Gazette (i.e., approximately on 23 March 2022). Before such date, the Saudi Data and Artificial Intelligence Authority (SDAIA) should have published the implementing regulations of the PDP Law.
Businesses will nevertheless have a grace period of one year from the effective date of the PDP Law to adjust their practices and comply with the provisions of the PDP Law.
The PDP Law covers a wide range of topics including, but not limited to, provisions that address data privacy and protection, the rights of data subjects, and the obligations, responsibilities, and liabilities of businesses. The PDP Law aims to protect personal data by ensuring transparency between businesses and data subjects, as well as the lawfulness of business activities in respect of such personal data.
Key Defined Terms of the PDP Law
“Controller” means any natural or legal person, public or private, which determines the purposes and means of the Processing of Personal Data, whether it processes the Personal Data itself or not.
“Collection” means obtainment by a Controller of Personal Data in accordance with the provisions of the PDP Law, whether directly from the Data Subject or otherwise.
“Data Subject” means the person to whom Personal Data relates, his or her representative or guardian.
“Personal Data” means any data – irrespective of its source – that would identify or enable the identification of a person, directly or indirectly, by reference to a name, an identification number, an address, a contact number, licenses and registration, personal properties, bank accounts, credit cards, photos or videos, or any other data of personal nature.
“Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public or private, which processes Personal Data on behalf of the Controller.
Scope of Application
The PDP Law applies to:
- any Processing of Personal Data which takes place in the Kingdom; or
- any Processing of Personal Data relating to residents and nationals of the Kingdom by an entity located outside of the Kingdom, in which case such entity shall appoint an authorized representative in the Kingdom to carry out its obligations under the PDP Law.
However, as an exception, the PDP Law does not apply to the Processing of Personal Data for purposes not exceeding personal or family use (to be further defined in the implementing regulations).
Further, if a Data Subject or Personal Data benefits from further protection under any other Saudi Arabian law or international treaty ratified by the Kingdom, such additional protection shall prevail over the PDP Law.
Rights of Data Subjects
The PDP Law enhances the protection with respect to the treatment of Personal Data under Saudi Arabian law by guaranteeing, under certain conditions and subject to certain exceptions, the following rights to Data Subjects in their relations with Processors and Controllers:
- Right to be informed of the Collection of their Personal Data;
- Right that Personal Data may only be Collected from the Data Subject;
- Right to consent to the Processing of their Personal Data;
- Right to access their Personal Data and to obtain a copy;
- Right to request rectification or updating of their Personal Data; and
- Right to request destruction of their Personal Data that is no longer needed or necessary in relation to the purposes for which it was Collected or Processed.
Obligations of Controllers
The PDP Law also lays out, subject to certain conditions and exceptions, several obligations on Controllers, including:
- to keep Personal Data inside the Kingdom;
- to select Processors providing the necessary guarantees to implement the PDP Law and its implementing regulations;
- to verify, before Processing any Personal Data, that it is accurate, complete, up to date and relevant to the purpose for which it was Collected;
- not to disclose Personal Data except in specific circumstances listed in the PDP Law;
- to take administrative, organizational, and technical precautions to safeguard Personal Data;
- to notify the competent authority (i.e., currently SDAIA) as soon as becoming aware of any leakage of or damage to Personal Data, or any illegal access to it;
- to respond to requests of Data Subjects exercising their rights under the PDP Law;
- to carry out an impact assessment of their Processing activities;
- not to use collected personal means of communication (e.g., email or postal address) for marketing purposes, unless they have obtained the consent of the relevant Data Subject or the sender includes a clear mechanism to allow the recipient to opt out of such communications;
- not to copy official documents identifying Data Subjects (e.g., passports and identity/residency cards), except in implementation of a legal provision or if requested by a competent public entity;
- to appoint or assign at least one employee responsible for achieving compliance with the PDP Law;
- to organize seminars to familiarize their employees with the PDP Law;
- to keep records of the activities of Processing Personal Data; and
- to register through a publicly available portal and, for Controllers who are private entities or private individuals, to pay an annual fee of a maximum of SAR 100,000.
The implementing regulations of the PDP Law will provide for additional protection regarding the Processing of health data and credit data.
Without prejudice to any more severe penalty stipulated under any other law, failure to comply with the provisions of the PDP Law can expose individuals and businesses to the following fines and prison terms:
- imprisonment of up to two (2) years and/or a fine of up to three million Saudi Arabian Riyals (SAR 3,000,000) for anyone disclosing, in violation of the PDP Law, any information which includes a reference to a person’s ethnic origin, tribal origin, religious or political views or beliefs, or indicates a person’s membership in private associations or institutions, as well as criminal and security data, biometric data that determines identity, genetic data, credit data, health data, location data, and data that indicate a person as being of unknown parent(s);
- imprisonment of up to one (1) year and/or a fine of up to one million Saudi Arabian Riyals (SAR 1,000,000) for anyone who transfers Personal Data outside the Kingdom in violation of the PDP Law; and
- a warning or a fine of up to five million Saudi Arabian Riyals (SAR 5,000,000) for any other violation of the PDP Law or its implementing regulations.
According to the PDP Law, fines may also be multiplied for repeat offenders of the PDP Law.
Finally, and without prejudice to the penalties set out under the PDP Law, persons suffering any harm as a result of any violation of the PDP Law may claim compensation for moral or physical damages.