This note has been prepared to provide an overview of the Personal Data Protection Law (the PDPL or Law) of the Kingdom of Saudi Arabia (the Kingdom)[1] and its accompanying implementing regulations (the Implementing Regulations)[2], which ultimately came into force on 14 September 2023 (the Effective Date). The PDPL aims to align the Kingdom's data protection framework more closely with international standards, particularly the General Data Protection Regulation (GDPR), a data privacy regulation adopted across the European Union (EU).
Entities have a one-year grace period from the Effective Date to ensure compliance with the provisions of the PDPL, ending on 14 September 2024.
The PDPL provides a comprehensive data protection framework that aims to (i) safeguard the personal data of individuals residing in the Kingdom (also known as “data subjects”) and (ii) regulate, among other things, the collection, processing, disclosure, transfer, and retention of personal data of such data subjects. It further sets out extensive requirements for data processing, rights of data subjects, and the obligations of entities when handling personal data. The Law also establishes mechanisms for the transfer of data across national borders and outlines penalties for non-compliance with the Law.
1. Material and Territorial Scope
The PDPL is a robust and encompassing legislation that aims to protect personal data, which is defined as any information, in any form, that may directly or indirectly identify an individual. Personal data is broadly defined and includes, among other things, individuals’ names, national identification numbers, contact numbers, photographs, and videos. Similar to the GDPR, indirect personal data is data that, when used in combination with other data, can uniquely identify an individual. This includes IP addresses, vehicle registration numbers, physical addresses, employer details, and information about income. The PDPL does not appear to regulate anonymous data, which cannot be used to identify individuals and which is not subject to any approvals or review before being transferred out of the Kingdom.
The Law is applicable to all forms of personal data processing relating to individuals residing in the Kingdom carried out by public or private entities located inside or outside the Kingdom. Like the GDPR, the PDPL has extraterritorial application and data sovereignty provisions. Therefore, entities should ensure that they are aware of the origination of data and the circumstances in which provisions of the PDPL apply when processing the personal data of individuals residing in the Kingdom (ie, data subjects). The PDPL is not applicable to the processing of personal data for personal and family purposes. The Implementing Regulations define “personal and family purposes” as the processing of “personal data by an individual within their family or limited social circle as part of any social or family activity.”
The PDPL also categorises certain types of personal data as “sensitive”. This category of data requires enhanced levels of protection, and includes, but is not limited to, personal data that reveals a data subject's genetic information, racial or ethnic origin, religious affiliation, intellectual or political beliefs, health related information, or information related to criminal offences or convictions. The processing of sensitive data requires the explicit consent of data subjects and more stringent compliance procedures by data controllers and processors. This is in line with the definitions and protection requirements of "sensitive data" under the GDPR. However, unlike the GDPR, the PDPL also applies to deceased persons’ data, if that data can lead to the specific identification of the deceased person or their family members.
2. Regulatory Authority
The Saudi Authority for Data and Artificial Intelligence (SDAIA) is the initial regulatory authority tasked with overseeing the enforcement of the PDPL. SDAIA will issue further guidelines and policies regarding safeguarding data transfer mechanisms, overseeing the handling of individual rights, as well as impose penalties for non-compliance. The National Data Management Office (NDMO), the regulatory subdivision of SDAIA, will likely succeed SDAIA in the implementation of the PDPL and Implementing Regulations in due course.
3. Obligations for Data Controllers
"Data controllers" are those who determine the purpose and method of personal data processing. The PDPL provides that data controllers must take sufficient steps to verify the accuracy, completeness, and relevance of personal data prior to processing it. They will be required to maintain a record of processing activities during the period of their data processing activity and for an additional five years following the termination of the data processing activity. Data controllers are also obliged to adhere to data protection principles, which include limitations on data collection, purposes, and retention, as well as ensuring data security and accountability.
The PDPL establishes that entities must obtain the prior consent of data subjects before processing their personal data, subject to certain exceptions provided by the Law, which are fairly similar to the exceptions set out in the GDPR. These exceptions include situations where:
- the processing of the data would result in an actual interest to the data subject and the data subject cannot be practically or possibly contacted;
- the processing is mandated by law or by a prior agreement to which the subject is a party;
- the data controller is a public entity, and the processing of data is essential for security or judicial purposes; or
- the processing is necessary and in the legitimate interests of the data controller or another party, provided that it does not prejudice the rights of data subjects. This is not applicable to the processing of sensitive personal data.
A data controller is not required to obtain the consent of the data subject for collecting data related to scientific, research, or statistical purposes, provided that one of the following conditions is met: (i) the data does not specifically identify the data subject; (ii) evidence of the data subject’s identity will be destroyed during processing and prior to the disclosure of such data to any other entity (provided that the data does not fall under the “sensitive” data category); or (iii) the collection and processing of personal data for scientific, research, or statistical purposes is required by another law or in implementation of a previous agreement to which the data subject is a party. The Implementing Regulations set out more specific controls for such circumstances.
Under the Law, data subjects have the right to withdraw consent for the processing of their personal data at any time. Prior to obtaining consent, the data controller should establish procedures that allow the withdrawal of consent and take necessary measures to ensure its implementation, provided that the procedures for withdrawing consent are similar or simpler than the procedures for obtaining consent. If a data subject's personal data is transferred outside of the Kingdom, the data subject's right to withdraw their consent should not be affected. Furthermore, consent cannot be made a prerequisite for the provision of a service or benefit by the data controller, unless the service or benefit is directly related to the specific processing activity for which consent is being sought.
The Implementing Regulations distinguish between situations requiring “explicit consent” and those requiring “implied consent” based on the types of data collected and the processing purposes. This is in line with international practices, such as those outlined in the GDPR and similar regulations. For instance, the Law mandates explicit consent for the processing of credit data, which pertains to an individual's creditworthiness or ability to obtain and repay debts.
We anticipate that data controllers and processors will need to meticulously document explicit consent to make it accessible for future scrutiny by regulators or data auditors. From a practical perspective, data subjects will likely be required to actively and clearly opt-in to the processing of certain types of data. This could involve affirmative action, such as consenting prior to receiving marketing materials or allowing the placement of certain types of cookies on their devices. Various data protection regulators across the globe have imposed substantial fines on data controllers and processors who failed to obtain explicit consent for placing certain cookies on users’ devices for targeted online behavioural advertising. While it is too soon to predict how the provisions of the PDPL will be enforced in practice, considering that it imposes more onerous requirements than the GDPR in some respects, entities that control or process data collected from the Kingdom are encouraged to adopt a rigorous and transparent data protection framework, carry out appropriate risk and impact assessments, and monitor third parties' and subcontractors' compliance with the Law.
Personal data may be collected and processed by entities for marketing purposes, with the exception of sensitive data, provided that the data is collected directly from the data subject and the data subject has provided their prior consent in accordance with the Law.
Additionally, prior to processing personal data for direct marketing purposes, the PDPL requires that a data controller establishes a straightforward mechanism that allows data subjects to opt-out of receiving marketing materials when desired.
Data Protection Officer
Entities shall need to appoint one or more individuals, known as data protection officers (DPO), who shall bear the responsibility for ensuring compliance with the requirements set out in the PDPL and its Implementing Regulations. The DPO(s) shall be responsible for providing any documentation or information on behalf of the entity in response to requests from the regulatory authority pursuant to the Law and its Implementing Regulations. The regulatory authority requires that entities register with a national data controller register. This registration may entail a fee, covering registration and potential data protection services provided by the regulatory authority.
Entities are obligated to inform the regulatory authority upon becoming aware of a data breach.[3] This requirement entails immediate notification to the regulatory authority, signifying a more rigorous approach compared to the GDPR. Entities will be required to submit a comprehensive analysis of the breach and outline the measures being implemented to prevent similar incidents in the future. If the breach poses a significant risk to the personal information of individuals, entities must promptly notify the affected individuals. The Implementing Regulations provide that the data controller has a duty to notify the regulatory authority[4] within 72 hours of becoming aware of the incident, if such breach potentially causes harm to personal data or to the data subject, or will lead to a conflict with their rights or interests, and set out the details to be included in such notification. The 72 hours may be extended if the data controller is not able to provide any of the required information and provides justifications for the delay. That said, data controllers have a duty to notify data subjects, without undue delay, of any personal data breach if it may cause damage to their data or conflict with their rights or interests. Data controllers or processors may also be required to submit reports or notifications under other frameworks, such as those of the National Cybersecurity Authority, or under any other applicable laws in the Kingdom.
Entities are obliged to evaluate the potential impact of personal data processing for any public-facing products or services they offer according to the specific nature of their data processing activities. Entities shall need to put in place data minimisation procedures to ensure that data processing is limited to the relevant purposes it was collected for. If the personal data is no longer necessary for its original purpose, then the data controller or processor should cease collecting such data without undue delay.
The PDPL provides that entities are required to select a processing party that offers sufficient guarantees for upholding the provisions of the Law. Entities must regularly verify that the chosen party complies with their instructions regarding the protection of personal data.
Additionally, if personal data is corrected, completed, or updated, the original data controller shall notify such amendment to all other entities (such as processors) to which the personal data has been transferred.
4. Data Subject Rights
The PDPL guarantees specific rights for individuals whose data is being collected, also known as data subject rights. This is to ensure that individuals have control over their collected data. These rights include:
- the right to be informed about the processing of their personal data and the legal basis for such processing;
- the right to access their personal data and be provided with a copy of all their data held by the entity;
- the right to correct and/or update their personal data; and
- the right to request deletion of their data if it is no longer necessary.
Additionally, data subjects have the option to file complaints regarding the application of the PDPL with the relevant regulatory authority.
The Implementing Regulations further set out details of data subject rights and require data controllers to respond to data subject requests within a period of 30 days. This period can be extended by an additional 30 days, where responding to the request requires disproportionate effort, or if the controller receives multiple requests from the data subject. This is more onerous than the timeframe provided by the GDPR, which allows for a response within a maximum of three months.
5. Cross-border Data Transfer
The PDPL permits cross-border data transfers, provided that the data controller has a specific legitimate purpose for transferring the personal data extraterritorially and the recipient country or entity has regulations or safeguards in place to ensure adequate protection of the data without prejudice to the level of protections guaranteed by the Law. However, the PDPL applies a more rigorous approach to data sovereignty than the GDPR or other international data protection laws.
The Law provides that cross-border data transfers are permitted under certain circumstances, such as preserving public interest, health, and safety, as well as protecting individual or collective life or health, fulfilling obligations under international agreements, or complying with provisions of the Law relating to data subjects.
The Data Transfer Regulations set out evaluation criteria for this purpose, and SDAIA is set to publish a list of countries that meet its data protection accreditation standards (i.e., a whitelist). It is expected that SDAIA shall publish these adequacy decisions during the one-year grace period from the Effective Date.
The Law permits data controllers to transfer personal data outside of the Kingdom, if the purpose of such transfer is to achieve any of the following:
- if such transfer is required to comply with an agreement to which the Kingdom is a party;
- to serve the interests of the Kingdom;
- for the performance of an obligation to which the data subject is a party;
- if conducting processing operations enables the controller to carry out its activities, including central management operations;
- if that results in providing a service or benefit to the personal data subject; or
- if this is to conduct scientific research and studies.
If an entity wishes to transfer personal data outside of the Kingdom for any of the above reasons, it must adhere to the following conditions: (i) the transfer shall not cause any prejudice to the Kingdom’s national security or vital interests or violate any other laws of the Kingdom; (ii) there is an adequate level of protection for personal data outside the Kingdom (such level of protection shall be at least equivalent to the level of protection guaranteed by the Law and the Implementing Regulations, according to the results of an assessment conducted by the regulatory authority (i.e. a whitelist) in coordination with whom it deems appropriate from other relevant authorities); and (iii) the transfer shall be limited to the minimum amount of personal data necessary to achieve the purpose of the transfer or disclosure, through the use of any appropriate means, including data maps that indicate the need to transfer or disclose each data category and link it to one of the purposes for processing outside the Kingdom.
Additionally, the transfer or disclosure of personal data outside of the Kingdom should not impact the privacy of data subjects, their ability to enforce appropriate safeguards, or the level of protection guaranteed to personal data under the Law and the Implementing Regulations.
In the absence of an adequacy decision, a data controller may transfer or disclose personal data outside of the Kingdom provided there are appropriate safeguards in place. Appropriate safeguard transfer mechanisms may include: (i) binding common rules that shall apply to all entities engaged in a joint economic activity; (ii) standard contractual clauses (such as controller-to-controller and controller-to-processor agreements) to ensure a sufficient level of protection for personal data when transferred outside the Kingdom; (iii) certificates of compliance with the Law and the Implementing Regulations; or (iv) binding codes of conduct approved by the regulatory authorities. To date, SDAIA has yet to issue further guidelines on these safeguard transfer mechanisms; however, it is expected that they shall be substantially similar in form and substance to the mechanisms adopted by other leading data protection legislation such as the GDPR.
Furthermore, the Data Transfer Regulations provide for limited exceptions where personal data may be transferred or disclosed outside of the Kingdom where no safeguard transfer mechanisms are in place. These limited exceptions include: (i) the transfer is necessary for the performance of an agreement to which the data subject is a party; (ii) the Controller is a public entity (eg, ministry or public authority in the Kingdom) and the transfer or disclosure is necessary for the protection of the Kingdom’s national security or for the public interest; (iii) if the controller is a public entity and the transfer or disclosure is necessary for the investigation or detection of crimes, or the prosecution of their perpetrators, or for the execution of penal sanctions; or (iv) the transfer is necessary to protect the vital interests of a data subject that is unreachable.
According to the Data Transfer Regulations, if controllers intend to transfer data outside of the Kingdom, they shall be required to conduct a risk assessment to determine whether the controller or processor located outside the Kingdom has adequate levels of safeguards to protect Saudi data subject rights.
6. Penalties for Non-compliance
The PDPL provides for criminal penalties for violation of the Law in certain circumstances.
Subject to other applicable laws in the Kingdom, any individual that discloses or publishes sensitive data in violation of the Law with the intention of harming a data subject, or achieving a personal benefit, may be indicted and imprisoned for up to a two-year period, or face a fine of up to SAR 3,000,000 (approx. USD 800,000), or both. For repeat offenders, the competent court is empowered to double the permitted sanctions to a maximum of a four-year prison sentence, or a fine of up to SAR 6,000,000 (approx. USD 1,600,000), or both.
For breaches of other provisions of the PDPL, penalties are limited to a warning or a fine not exceeding SAR 5,000,000 (approx. USD 1,333,200). In the case of repeated offenses, the fine may be doubled.
Additionally, without prejudice to the rights of bona fide third parties, a competent court may order that funds obtained as a result of committing violations stipulated in the Law may be confiscated and that penalties, judgements, or judicial decisions may be published in one or more local newspapers, or such other means as the court decides, at the violator’s expense.
While the PDPL's financial penalties for non-compliance are not as severe as the GDPR’s fines of EUR 10,000,000 or two percent of a firm’s worldwide annual revenue, the PDPL is stricter in that it does criminalise the unauthorised disclosure or publication of sensitive personal data which may lead to imprisonment.
7. Ensuring Compliance
It is essential for all entities operating in the Kingdom that handle personal data to conduct a thorough gap analysis of their data processing activities. This will provide entities with the ability to assess the impact of their operations and make necessary adjustments to align with the requirements of the Law. Entities should proactively revise their policies and procedures, as well as review and update contracts to incorporate the rights and obligations mandated by the PDPL. Furthermore, entities must integrate data protection practices into their core operations, conduct comprehensive staff training for employees involved in personal data processing, establish robust consent frameworks for data control and processing, maintain thorough documentation of personal data collection and handling, and adopt other appropriate data protection protocols.
It is clear that the Kingdom’s data protection framework shall continue to grow and evolve, particularly given the integral part that personal data shall play in the Kingdom’s current technological trajectory towards Vision 2030. We envisage the publication of additional data protection legislative instruments in due course, which are expected to enhance protections for sensitive data categories, such as credit and health related data, as well as to align with the legal framework of other Saudi regulators, including the Saudi Central Bank (SAMA), the Council of Cooperative Health Insurance (CCHI), Ministry of Human Resources and Social Development (MHRSD), Ministry of Tourism (MoT), and numerous governmental and semi-governmental entities.
[1] The Personal Data Protection Law was issued pursuant to Royal Decree No. M/19 dated 09/02/1443H (corresponding to 16 September 2021), which was scheduled to take effect on 23 March 2023. The PDPL was later amended by Royal Decree No. M/148, dated 05/09/1444H (corresponding to 27 March 2023).
[2] On 7 September 2023, one week prior to the PDPL coming into force, the new Implementing Regulations were issued and incorporate the Regulations on Personal Data Transfer outside of the Geographical Boundaries of the Kingdom ("Data Transfer Regulations").
[3] Article 1 of the Implementing Regulations defines a data breach as "any incident that leads to the Disclosure, Destruction, or unauthorised access to Personal Data, whether intentional or accidental, and by any means, whether automated or manual."
[4] Article 1 of the PDPL defines Competent Authority as "the authority to be determined by a resolution of the Council of Ministers," which, at the date of the publication of this note, is yet to be determined.