The National Centre for Documents and Archives Royal Court published, on 24 September 2021, the new Personal Data Protection Law ('PDPL'), implemented by Royal Decree M/19 of 17 September 2021 in the Official Gazette after it had been approved by the Council of Ministers on 14 September 2021. In particular, the PDPL provides that it shall be applicable to the processing of personal data by companies or public entities, by any means, that takes place in the Kingdom of Saudi Arabia, including the processing of personal data relating to residents of the Kingdom by companies located outside the Kingdom. Furthermore, the Saudi Data & Artificial Intelligence Authority ('SDAIA') will be in charge of supervising and enforcing the implementation of the PDPL for the first two years, after which it may consider transferring the supervisory role to the National Data Management Office, the regulatory arm of SDAIA.

Notably, Article 43 of the PDPL provides that the law shall take effect 180 days after the date of its publication in the Official Gazette, meaning that it will be effective from 23 March 2022. However, this date shall be delayed for a period of up to five years, and as determined by SDAIA, for companies located outside the Kingdom that process personal data of Saudi Arabian residents.

Key features of the PDPL include:

• controller obligations, including a registration obligation, impact assessments, breach notification, maintenance of data processing records, and implementing a privacy policy;
• data subject rights, including the right to be informed, to update, correct, or request destruction of their personal data, and to withdraw consent at any time;
• provisions relating to the principles of purpose limitation and data minimisation; and
• penalties for breach of the law, including imprisonment for up to two years and/or fines of up to SAR 5 million (approx. €1.1 million).

You can read the PDPL, only available in Arabic, here.