Data Protection | Kingdom of Saudi Arabia

The Kingdom of Saudi Arabia (KSA) made great developments in protecting personal data and has been influenced by the EU General Data Protection Regulation (GDPR), reflecting many of their key concepts, including the seven principles governing (GDPR), and the key rights that (GDPR) gives to data subjects.[1]

The Personal Data Protection Act (PDPL) implemented by Royal Decree M/19 of 9/2/1443H[2], which came into force on March 23, 2022, was the first data protection legislation introduced in the Kingdom of Saudi Arabia that goes beyond the principles of personal privacy, and data listed in Shariah Law.

The rights granted to the data subjects under the (PDPL) are consistent with the rights granted to the data subject under the (GDPR) Rights, such as the right to be informed, the right to data portability, the right to object, and not to be subject to automated decision making.

The Personal Data Protection Act applies to (i) the processing of personal data by businesses or public authorities within KSA, and (ii) the processing of personal data of Saudi residents by foreign companies.

Therefore, any (KSA) based company that sells goods or services to customers may be subject to “PDPL”, and this applies to companies that are not located in KSA through a subsidiary or branch office if their goods or services target KSA-based clients.

Accordingly, the controllers (of the KSA entity) must comply with “PDPL” within one year from the effective date.

While Companies located outside the (KSA), are required to comply with the “PDPL” and to assign a representative for them in (KSA) within five years from the effective date, controllers are required to upload a record of processing activities to a new online portal that forms a (KSA) national record, indicating the purpose of processing, the entity to which or will the personal data be shared, and whether personal data has been or will be transferred outside of (KSA), including the expected retention period, in addition of the requirement of paying the annual registration fee.

“PDPL” defines "personal data" as any form of information that can directly or indirectly identify an individual. This includes a person's name, identification number, address, contact number, photo, and video recordings.

Organizations need to consider that (PDPL) is stricter when transferring personal data across national borders, since “Controllers” are not allowed to transfer personal data outside of (KSA), unless they comply with an agreement involving (KSA) or serve the interests of the Kingdom of Saudi Arabia, or for other purposes specified in the PDPL's regulations.

In addition to that, other requirements must be met, such as data transfer or disclosure to parties outside the Kingdom not affecting national security or Saudi Arabia's interests and obtaining approval from the “Saudi Arabia Data & Artificial Intelligence Authority” (SDAIA).

Penalties for non-compliance with any aspect of (PDPL) regulations include imprisonment for up to 2 years and a fine of up to 3 million SAR (about $ 800,000). Repeated cases may result in higher fines and the party affected can claim losses.

(PDPL) is expected to evolve in the first five years from the effective date, with further details expected to be introduced regarding the processing of health and credit data.

In conclusion, (GDPR) principles have become the global standard for data protection and have inspired several countries to follow including GCC countries. However, controllers operating under GCC must consider the peculiarities of different jurisdictions specially when stricter safeguards are needed. This is particularly true if local law prohibits the cross-border transfer of all or certain categories of data.

_________________________________________

For further information, please get in touch by sending your query to admin@j-plegal.com.

Disclaimer: This publication is for informational purposes only and does not provide any legal advice.

Authors:   Anas Jeser, Partner, J&P Legal   |   Layan Al Fatayri, Paralegal, J&P Legal

[1] ("Data subject") means a natural person who holds personal data and can be directly or indirectly identified from that personal data by the data controller ("administrator").[2] Implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021)

‍