The Kingdom of Saudi Arabia has issued legislation to regulate the collection and processing of personal data in the country (the PDPL). While the law was originally due to come into force on March 23 last year, the enforcement date has been postponed until this March 17. In addition, further regulations that should clarify various aspects of the PDPL are expected imminently, perhaps this month.
The PDPL recently underwent public consultation with a view to numerous changes to the legal text. Companies will have one year from the new enforcement date in which to ensure compliance.
Based on the amended draft legal provisions arising out of the consultation for the PDPL, we understand that prior regulatory approval will not be required with respect to personal data exported out of the KSA to another country, provided always that the country being exported to has at least the same standards of data protection as the KSA.
In respect of the engagement of data processors, we understand that the regulations supplementing the PDPL will clarify any contractual protections/provisions which need to be included/accounted for as part of any arrangements with data controllers.
As the PDPL carries penalties for breaches of the law reaching up to SAR5,000,000 (US$1,333,000) and, in certain cases, imprisonment, we recommend all companies operating in the Kingdom, or processing the data of individuals based in the Kingdom should commence the review of any data processing related activities and seek to implement changes as needed to ensure compliance with the PDPL. We can provide practical support on:
- advising on the grounds/lawful basis on which employee data can be processed.
- updating the data protection wording in your template contracts of employment to reflect the new rules.
- reviewing and updating your data protection policies and privacy notices for staff. The PDPL encompasses a number of data privacy principles that must be adhered to for compliance with the law, particularly in cases where there are direct points of contact with data subjects. We would recommend that employees are provided with a privacy notice that explains the purpose and legal basis on which their data is processed, as well as containing information required by the law.
- providing training to your workforce affected by the new obligations.
- assisting with putting in place processes to deal with enhanced data subject rights.
- putting record-keeping processing systems in place – companies will need record-keeping systems to identify what employee data is processed, the purpose of that processing, to whom the data is transferred and the legal basis on which the processing takes place. This may form part of a wider HR data processing review.
- ensuring your procedures for handling data subject access requests have been updated.