Support Centre

Saudi Arabia

Summary

Law: The Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021, and amended on 21 March 2023 (available in Arabic here and in English here) ('PDPL, as amended')

Regulator: The Saudi Data & Artificial Intelligence Authority ('SDAIA').

Summary: The PDPL was published in the Official Gazette on 24 September 2021 and marks the introduction of Saudi Arabia's first data protection law. Additionally, a draft version of the executive regulations supplementing the PDPL ('the Executive Regulations') was issued, on 10 March 2022, for public consultation but was then withdrawn.

The aim of the PDPL is to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data. Notably, the PDPL covers key principles such as purpose limitation and data minimisation, controller obligations, including registration and maintenance of data processing records, data subject rights, and penalties for breach of provisions.

The PDPL will bring Saudi Arabia into closer alignment with both its Middle East counterparts as well as international standards. In the meantime, the National Data Management Office has developed the National Data Governance Interim Regulations which encompass the Personal Data Protection Interim Regulations ('the Data Protection Interim Regulations') and the Data Sharing Interim Regulations ('the Data Sharing Interim Regulations'). The Data Protection Interim Regulations cover key principles such as accountability, transparency, data disclosure, and data subject rights, while the Data Sharing Interim Regulations address data security, legal basis, and ethical data use.

At the end of November 2022, SDAIA launched a public consultation on proposed amendments to the PDPL, which were approved by the Saudi Council of Ministers on 21 March 2023 and thereafter by the Bureau of Experts at the Saudi Council of Ministers. According to Article 43 of the PDPL, as amended, the same shall enter into force 720 days from the date of publication in the Official Gazette (i.e. 24 September 2021), namely on 14 September 2023. In addition, according to the preamble of the PDPL, as amended, entities will have a one-year transition period from such date to bring their operations into compliance.

On September 7, 2023, the PDPL Implementing Regulations (only available in Arabic here) and the Regulations on personal data transfers (only available in Arabic here) were published in the Official Gazette of Saudi Arabia, after a public consultation launched by SDAIA in July 2023. Both sets of regulations will enter into force with the PDPL on September 14, 2023.

Insights

With the entry into force of the Personal Data Protection Law (PDPL), the Implementing Regulations of the PDPL (Implementing Regulations) (only available in Arabic here), and the Regulation on Personal Data Transfer (Transfer Regulations) (only available in Arabic here), the Kingdom of Saudi Arabia has adopted a comprehensive regulatory framework governing the processing of personal data.

Overall, the regulatory framework is a successful accomplishment for the Kingdom. Although formal guidelines and opinions are expected from the competent authorities, the enacted framework projects the Kingdom among those jurisdictions equipped with advanced data protection legislation, which resonates with most of the key principles and best practices adopted in other key jurisdictions. 

In this Insight article, Gianluca de Feo, Lawyer at AX Law, highlights some of the most significant practical aspects and key takeaways from the Implementing Regulations and the Transfer Regulations.

The Kingdom of Saudi Arabia (KSA) has revamped its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act1 (the Telecoms Act) and the publication of implementing regulations to support the new law. Dino Wilkinson, Masha Ooijevaar, Shamma Sied, and Ken Wong, from Clyde & Co, take a look at the provisions of the Telecoms Act, how it differs from previous legislation, and what companies need to consider.

With the Personal Data Protection Law (PDPL), in the recently amended version, set to enter into force on September 14, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued for public consultation, on July 11, 2023, draft PDPL Implementing Regulations and draft Regulations on Personal Data Transfers. Both sets of regulations serve the purpose of providing further details regarding the application of the PDPL.

In this Insight article, OneTrust DataGuidance highlights some of the most significant aspects and key takeaways from the draft Implementing Regulations and the draft Data Transfer Regulations, featuring comments from Gianluca de Feo, Lawyer at AX Law.

An amended version of the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. Brian Meenagh and Lucy Tucker, from Latham & Watkins, LLP, discuss the amendments and draw comparisons between the PDPL and the General Data Protection Regulation (GDPR), with concluding thoughts on next steps.

Following a series of data protection developments in the Middle East, the latest marks Saudi Arabia's first data protection law, namely the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL'), which was published in the Official Gazette on 24 September 2021.

Although the PDPL's original entry into force date was set for 23 March 2022, and later postponed until 17 March 2023, that date now stands at 14 September 2023, following the recent approval of amendments to the PDPL (reference to the 'PDPL' henceforth refers to the PDPL as amended).

In this Insight article, OneTrust DataGuidance Research summarises key provisions of the PDPL, as well as key considerations and challenges for practitioners to build and progress their privacy programs towards compliance with the law.

Saudi Arabia's much awaited Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021 ('PDPL') was issued in September 2021. Originally it was due to come into force on 23 March 2022. Following amendments published in March 2023, the PDPL is now expected to come into effect on 14 September 2023. Simon Stokes and Nick O'Connell, from Al Tamimi & Company, provide a brief overview of the proposed amendments and how businesses can prepare.

This Insight article was updated in May 2023.

The Kingdom of Saudi Arabia ('KSA') has focused on digital transformation as part of its Vision 2030 plan to develop its infrastructure and support the transition away from reliance on oil towards a knowledge-based economy. In keeping with this increased focus on technology in the economy, there has been an associated rise in regulation of digital activity. Dino Wilkinson, Masha Ooijevaar, Adwa Aljebreen, and Zahra Laher, from Clyde & Co., discuss how cybersecurity has evolved in the KSA as well as recent guidelines, controls, frameworks, and regulations.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL) (available in Arabic here and in English here).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPL with the  GDPR.

You can access the latest version of the report here.

Saudi Arabia's new Personal Data Protection Law1 ('PDPL') was recently published in the Official Gazette, triggering a 180-day period that will require the publication of additional Executive Regulations and see the PDPL come into effect on 23 March 2022. Controlling entities will then have one year from this date to achieve compliance. Article 29 of the PDPL provides that a controlling entity may only transfer personal data outside the Kingdom, or disclose it to a party outside of the Kingdom, in specific circumstances and after certain conditions are met. In Part 12 of this two-part Insight article series, Dale Waterman, Managing Director for the Middle East & North Africa at Breakwater Solutions, shared his initial observations on the interpretation and potential operationalisation of Article 29. In Part 2, Dale seeks to offer newly appointed compliance stakeholders in the region a few suggestions on how they might consider ways to begin preparing for future data sovereignty obligations in advance of receiving the Executive Regulations and the PDPL coming into effect.

Saudi Arabia's new Personal Data Protection Law1 ('PDPL') was recently published in the Official Gazette. This triggered a 180-day period that will require the publication of additional Executive Regulations and see the PDPL come into effect on 23 March 2022. Controlling entities will then have one year from this date to achieve compliance. Whilst setting out many familiar data protection principles and obligations, the PDPL notably lays down obligations with respect to data sovereignty, which have garnered significant attention and may present operational challenges for organisations subject to the PDPL. In this two-part Insight article series, Dale Waterman, Managing Director for the Middle East & North Africa at Breakwater Solutions, takes a deep dive into these provisions and the evolving data sovereignty landscape in Saudi Arabia. In Part 1, Dale shares his initial observations on the interpretation and potential operationalisation of the data localisation provisions under the PDPL, before offering newly appointed compliance stakeholders in the region a few suggestions on how they might consider preparing to effectively manage future data sovereignty obligations while they await the release of the Executive Regulations and the launch of PDPL in Part 22.

Feedback