Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Saudi Arabia: SDAIA launches public consultation on proposed amendments to data protection law

The Saudi Data and Artificial Intelligence Authority ('SDAIA') launched, on 20 November 2022, a public consultation on its proposed amendments to the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL'). In particular, SDAIA stated that it invites all public, private, and non-profit entities, as well as individuals to express their comments on the proposed amendments, noting that all opinions received will be analysed and reviewed accordingly. In this regard, the proposed amendments include the following:

  • with regard to the right to obtain personal data in a legible and clear format, Article 4 has been amended to include the right to data portability, whereby data subjects have the right to request the transfer of their personal data to another controller if it is technically possible;
  • the legitimate interests of the controller or any other party has been added as a case where data processing may be permitted without obtaining the consent of the data subject, provided that the personal data is not sensitive in nature;
  • Article 10 has been amended to include legitimate interests of the controller or any other party as a case where the controller may collect personal data from a person other than the data subject or process personal data for a purpose other than that for which it was collected;
  • Article 15 has been amended to include the legitimate interests of the controller or any other party as a case where the controller may disclose personal data;
  • Article 23 has been amended to add that, with regard to health data, the Executive Regulations shall also address the cases where the data subject must be notified of any request for disclosure of their health data;
  • Article 26 has been amended to allow the processing of personal data for marketing purposes where a clear mechanism is fixed to allow the target recipients to request the cessation of the processing whenever they wish to do so, and to allow the processing of sensitive personal data in this context only in circumstances where it is collected directly from the data subject and they expressly consent to such processing for marketing purposes;
  • Article 28 which had previously addressed the copying of identification documents has been replaced with a provision permitting data transfers outside the Kingdom in specific circumstances and in accordance with certain conditions;
  • Article 29 which previously prohibited the transfer of data outside the Kingdom, has been replaced with a provision noting that the competent authority shall be the entity in charge of overseeing the implementation of the PDPL and its Executive Regulations, whereby the authority may delegate some of its responsibilities to other public bodies, and controllers may be required to assist the authority in ensuring compliance with the PDPL. The same article also notes that the Executive Regulations will outline the circumstances where controllers will be required to appoint a data protection officer ('DPO');
  • with regard to keeping records of personal data, an addition to Article 30 notes that the controller shall keep records of the operations performed on personal data and shall set rules to restrict access to the same;
  • Article 31 has been amended to note the various powers of the competent authority under the PDPL; 
  • Article 32 which previously provided for the establishment of an electronic portal and controller register, has been amended to address, among other things, the issuance of licenses to entities for issue of accreditation certificates for controllers and processors, as well as licenses to authorise other entities to audit compliance with the PDPL; and
  • Article 39 provides that any party that suffers material or moral damage as a result of any of the violations stated in the PDPL or its Executive Regulations may apply to a competent court for proportionate compensation.

Notably, SDAIA specified that the consultation is open until 20 December 2022, and comments may be submitted on the consultation website.

You can access the consultation website here and the proposed amendments here.