Saudi Arabia - Data Protection Overview

November 2023

1. Governing Texts

Saudi Arabia issued its first comprehensive and unified national data protection law in September 2021 to regulate the collection and processing of personal data. The Saudi Arabia Personal Data Protection Law (as amended) ('the PDPL') has been implemented by Royal Decree No. M/19 of 9/2/1443H (16 September 2021) approving Resolution No.98 of 7/2/1443H (14 September 2021) and amended by Royal Decree No. M/147 of 5/9/1444H (21 March 2023), and came into effect on September 14, 2023.

1.1. Key acts, regulations, directives, bills

The PDPL was published in the Official Gazette on September 24, 2021. It was originally stated to take effect 180 days after its publication in the Official Gazette, which meant it was intended to be effective from March 23, 2022. Draft executive regulations were issued for public consultation within this period.

On March 22, 2022, the Saudi Data & Artificial Intelligence Authority ('SDAIA'), which is the current competent authority for the PDPL, announced the postponement of the enforcement of the PDPL until March 17, 2023, in light of responses the SDAIA received from a range of stakeholders to the draft executive regulations.

This was followed by the issuance of draft amendments to the PDPL for public consultation in November 2022, and in March 2023, an amended version of the PDPL was implemented via Royal Decree No. M/147 of 5/9/1444H (21 March 2023), which pushed the effective date of the PDPL to 720 days after the initial publication date: the PDPL was therefore effective from September 14, 2023.

The implementing decree of the PDPL provides that controllers will be required to adjust their status in accordance with the provisions of the PDPL within a period not exceeding one year from the date that it becomes effective, i.e. by September 14, 2024.

The Implementing Regulation of the Personal Data Protection Law ('the Implementing Regulations') and the Regulation on Personal Data Transfer outside the Kingdom (only available in Arabic here) ('Data Transfer Regulations') (collectively, 'the Regulations') were published for public consultation on July 11, 2023, and were formally issued on September 7, 2023. The Regulations expand on the general principles and obligations outlined in the PDPL and introduce new compliance requirements for organizations.

Prior to the enactment of the PDPL the privacy of data was considered under general Shari'ah principles, in addition to a number of provisions in sector-specific laws such as finance, insurance, and telecommunication:

The Cybercrimes Law: The right to privacy is reflected in Article 6(1) of Cabinet Decision No. 79/1428 on the Approval of the Anti-Cyber Crime Law ('the Cybercrimes Law'), which criminalizes the 'production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers.' The offense carries a fine of SAR 3 million (approx. $800,000) and/or up to four years imprisonment. In particular, the Cybercrimes Law stipulates that an individual's consent must be obtained to process their personal information, including disclosing any documents obtained by such processing.

E-commerce Law: Under Article 5 of Cabinet Decision No. 628/1440 On the Approval of the E-Commerce Law ('the E-commerce Law'), a service provider falling within the scope of the E-commerce Law is restricted from storing the consumer's personal or contact information for a period exceeding the period required by the nature of its activity, and this extends to its agents or affiliates unless agreed otherwise with the consumer (for example, through obtaining the customer's explicit consent). Furthermore, regulated service providers are required to take the necessary measures to protect the consumer's information and are liable for the protection of any information under their possession or control. These service providers are also prohibited from using the consumer's information for any purpose other than the purpose for which the information was disclosed, whether such use is for profit or not, unless they obtain the consumer's consent.

Financial Services and Privacy: The Saudi Arabian Monetary Agency's ('SAMA') Financial Consumer Protection Principles and Rules refer to the protection of data and information as one of the 10 core principles of consumer protection applicable to all financial institutions. Financial institutions must develop appropriate mechanisms according to relevant applicable regulations, instructions, and policies to protect the privacy of consumers' financial, credit, insurance, and/or personal information, and the rights set out in the PDPL are referred to as a minimum standard. The SAMA has also issued regulations intended to govern the data exchanged between creditors and borrowers. Article 3 of the Credit Rating Agencies Regulations ('CRA Regulations') requires the personal data of consumers to be kept confidential, to be processed solely for credit borrowing purposes, and to consult the Saudi Credit Bureau to verify any information exchanged. Regulation No. 4/1434 Implementing the Regulation of the Finance Companies Control Law ('FCC Law') also protects the privacy of the financial information of individuals under Article 88: 'The finance company and its employees shall maintain the confidentiality of clients' data and transactions, and shall not disclose or pass such information to other parties, except in accordance with relevant laws and instructions.'

Insurance and Privacy: Several regulations governing the insurance sector include privacy and data protection obligations. For example, the Outsourcing Regulation for Insurance And Reinsurance Companies and Insurance Service Providers ('Outsourcing Regulations') issued by the SAMA, requires insurers and insurance service providers to establish proper safeguards to protect the integrity and confidentiality of policyholder data and financial data including by (Article 33 of the Outsourcing Regulations):

  • entering into non-disclosure agreements;
  • providing financial data and data of the insured to a third party on a need-to-know basis only; and
  • requiring the third party to segregate their data from other data pools.

The SAMA has also issued the Insurance Market Code of Conduct Regulation ('the Insurance Code'), in which Section 17 deals with data confidentiality. The Insurance Code provides that companies must, at all times, ensure that customer personal data is protected. This means that the data:

  • must be obtained and used only for specified and lawful purposes;
  • must be kept by the company in Saudi Arabia;
  • must be kept secure and up to date for a period of 10 years;
  • must be provided to the customer upon their written request; and
  • must not be disclosed to a third party without the prior authorization of the SAMA (other than the companies' auditors, actuaries, reinsurers, and co-insurers).

NDMO Regulations: The National Data Management Office ('NDMO'), the regulatory arm of the SDAIA, issued the National Data Governance Regulations on June 1, 2020, which include the Personal Data Protection Regulations (PDPR). The PDPR includes requirements relating to the principles of transparency, purpose limitation, and data minimization, as well as data collection and disclosures and data subject rights. The PDPR has not been formally repealed as of the date of this publication.

NCA Cybersecurity Controls: The National Cybersecurity Agency ('NCA') has issued a number of cybersecurity controls to regulate Saudi Arabia's cyberspace which apply to government organizations (including private companies that provide services to such organizations). For example, the Essential Cybersecurity Controls contain minimum measures that organizations need to implement to detect, prevent, or address security risks and to manage threats to information and technology assets. The Data Cybersecurity Controls aim to support organizations' cybersecurity through the data life cycle in order to protect data and information assets from cybersecurity threats and risks. It includes controls relating to data and information protection and secure data disposal, and classifies data into four categories: public, confidential, secret, and top secret.

Telecommunications and Privacy: Provisions on data protection and cybersecurity are also available in the Telecommunications and Information Technology Act approved pursuant to Royal Decree No. M/106 dated 02/11/1443 AH (1 June 2022) ('the Telecoms Act'), which apply to digital service providers. The Telecoms Act requires service providers to comply with the provisions of the PDPL when using, controlling, or processing any user's personal data. User data cannot be disclosed without the consent of the user. Additionally, service providers have a duty to notify users and the Communications, Space & Technology Commission ('CST') in the case of a breach of users' personal data and to take appropriate measures to protect personal data, including those contemplated under the General Principles for Personal Data Protection in the Telecommunications, Information Technology and Postal Sectors.

Cloud Computing and Privacy: The Cloud Computing Services Provisioning Regulations ('the Cloud Regulations'), issued as a fourth version in October 2023 by the CST, apply to cloud service providers ('CSPs') that provide cloud services to cloud computing subscribers (i.e., any person to whom a CSP agrees to provide its services under a cloud computing contract or other commercial relationship between the CSP and such person) that reside or have a subscriber's address in Saudi Arabia. The Cloud Regulations address the issue of protection of personal data in a cloud context and introduce a set of minimum data protection rights that CSPs need to respect. The scope of these data protection rules in the Cloud Regulations is not limited to the personal data of individuals but covers all types of cloud computing subscriber data, including business information that would not normally qualify as 'personal data.' The Cloud Regulations explicitly prohibit the transfer of any content of Saudi government agencies outside Saudi Arabia for any purpose, or in any form, whether permanently or temporarily, unless it is expressly stated that it is permitted according to the laws or regulations in Saudi Arabia. Additionally, cloud computing subscribers may not transfer, store, or process such content of Saudi government agencies to any cloud system unless the CSP is registered with the CST. CSPs must inform subscribers and the CST without delay of any breaches of user information or documents, and the CST will notify the NDMO if these breaches affect or are likely to affect government agencies or a large number of people in Saudi Arabia due to the reliance on the services of one or more cloud computing subscribers that have been affected by the breach.

Article 3 of the PDPL expressly stipulates that the PDPL does not intend to prejudice any sector-specific regulations, including the ones highlighted above, to the extent that they grant any rights to data subjects or confer better protection to personal data.

However, the implementing decree to the PDPL specifies that the SDAIA will coordinate with the SAMA and the CST to prepare a Memorandum of Understanding to regulate some of the aspects related to the application of the provisions of the PDPL and the Regulations on the entities regulated by the SAMA and the CST. This suggests that there will be some element of transition from the prior state of sector-specific regulation towards the PDPL as the overarching data legislation in Saudi Arabia.

1.2. Guidelines

The NDMO published the Self-assessment for public and private entities regarding the key requirements of the PDPL. Further guidance is expected to be released by the SDAIA to clarify some of the key requirements in the PDPL, including, for example, the registration of controllers.

1.3. Case law

There is no known case law pertaining to the data protection provisions of the PDPL at the time of publication.

2. Scope of Application

2.1. Personal scope

Article 2 of the PDPL applies to any processing of personal data that is performed in Saudi Arabia by any means whatsoever, including any processing of personal data of individuals who are residing in Saudi Arabia carried out in any manner whatsoever by an entity located outside Saudi Arabia.

Unlike other data protection laws, the PDPL includes the processing of personal data of deceased persons if the personal data leads to the identification of the deceased person or their family members specifically.

The provisions, requirements, and conditions set forth in the PDPL do not apply to the processing of personal data by an individual for personal or family use, as long as the personal data is not published or disclosed to others. Article 2 of the Implementing Regulations clarifies that personal or family use means that the individual processes personal data within their family or limited social circle within any social or family activity. The following is not considered to be 'personal or family use':

  • the individual publishes personal data to the public or discloses it to any person outside the scope specified above; and
  • the individual uses personal data for purposes of a professional, commercial, or non-profit nature.

2.2. Territorial scope

The PDPL applies to Saudi entities that perform personal data processing activities in the Kingdom of Saudi Arabia ('KSA').

The PDPL also applies extra-territorially to non-Saudi entities that process the personal data of individuals residing in Saudi Arabia.

2.3. Material scope

The provisions of the PDPL apply to any processing of personal data by any means. The PDPL also applies to the processing of sensitive data (which includes health and genetic data), subject to a limited scope and/or added protection and controls.

Note that the PDPL does not apply to the processing of corporate, government, technical, or any other data if it does not identify natural persons.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The SDAIA will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the NDMO will be considered.

3.2. Main powers, duties and responsibilities

The SDAIA is the competent authority in Saudi Arabia concerned with data and artificial intelligence ('AI') including big data. The SDAIA is also the national reference in all matters related to the organization, development, and handling of data and AI. Additionally, it has competence in all matters related to operation, research, and innovation in the field of data and AI.

The SDAIA is responsible for implementing the data and AI agenda at a national level, including enforcing the PDPL.

4. Key Definitions

Data controller: Any public authority or any natural or legal person which determines the purpose and method of processing personal data, whether such processing is performed by it or by the processor.

Data processor: Any public authority or any natural or legal person which processes personal data for or on behalf of a controller.

Personal data: Any data, whatever its source or form, through which a person can be specifically identified either directly or indirectly, including the name, ID number, addresses, contact numbers, license numbers, registration numbers, property, bank account numbers, credit cards numbers, still and moving images of the person, and other personal data.

Sensitive data: Any personal data that includes a reference to a person's ethnic or tribal origin, their religious, intellectual, or political beliefs, their security and criminal data, biometric data that identifies identity, genetic data, health data, or data indicating that a person has an unknown parent/parents.

Health data: Any personal data that is related to the health condition of a person, whether physical, mental, psychological, or related to the provision of health services to them.

Biometric data: The PDPL does not provide a definition of biometric data. However, though slightly different, the PDPL does define genetic data as any personal data related to the genetic or gained features of a natural person which uniquely determines the physical or health features of such person. Such data is extracted by analyzing a biological sample such as an analysis of DNA or any other analysis which results in extracting genetic information.

Pseudonymization: Conversion of the main identifiers that indicate the identity of a person into codes that make it difficult to directly identify them without using additional data or information. The PDPL also defines anonymization as the removal of direct and indirect identifiers that indicate the identity of a person in a way that permanently makes it impossible to identify them.

5. Legal Bases

Article 6 of the PDPL provides that the processing of personal data is not subject to consent if any of the following circumstances apply:

  • the processing serves actual interests of the data subject, but communicating with the data subject is impossible or difficult;
  • the processing is pursuant to another law (i.e., legal obligation);
  • the processing is pursuant to the implementation of a previous agreement to which the data subject is a party;
  • the controller is a public entity, and the processing is required for security purposes or to fulfil judicial requirements; or
  • the processing is necessary to achieve a legitimate interest of the controller, without prejudice to the rights and interests of the data subject, and provided the personal data is not sensitive data, in accordance with the rules and provisions set out in the Regulations.

Additionally, Article 10 specifies that controllers may collect personal data from the data subject and any processing of such data must be done for the purpose for which the personal data was collected. In the following cases, however, a controller may collect personal data from another source (other than the data subject) or process personal data for another purpose:

  • the data subject consents to the collection of the personal data or the processing for a new purpose;
  • the personal data is publicly available or collected from publicly available sources;
  • the controller is a public entity, and the personal data was not directly received from the data subject or was processed for a purpose other than that for which it was collected, as required for public interest objectives, security purposes, or to implement another law or to fulfil judicial requirements;
  • compliance with this restriction may cause harm to the data subject or affect the vital interests of the data subject;
  • the collection or processing of personal data is necessary to protect the public health, public safety, or to protect the life or health of a specific individual;
  • the personal data will not be recorded or stored in a form that makes it possible to directly or indirectly identify the data subject (i.e., anonymization); and
  • the collection or processing of the personal data is necessary to achieve legitimate interests of the controller or any other party, without prejudice to the rights or interests of the data subject, and provided that the personal data is not sensitive data.

A separate basis is required when disclosing personal data. In accordance with Article 15, controllers cannot disclose personal data except in the following cases:

  • the data subject has consented to such disclosure;
  • the personal data has been collected from a public source;
  • the entity requesting disclosure of data is a public authority and the disclosure is required for public interest purposes, security purposes, to comply with law, or to fulfil judicial requirements;
  • the processing is necessary to protect public health, safety, or lives or health of one or more persons;
  • the personal data disclosure will be limited to a subsequent processing in a way that does not directly or indirectly disclose the identity of the data subject or any other specific person; or
  • the disclosure is necessary to achieve the legitimate interests of the controller, unless it prejudices the rights of data subjects or conflicts with their interests and provided that the personal data is not sensitive data.

There are circumstances when disclosures will not be permitted. The controller may not disclose personal data in the cases set out in Article 15(1), 15(2), 15(5), and 15(6) of the PDPL, as amended, (see above) if the disclosure:

  • poses security risks, distorts the KSA's reputation, or works against the KSA's interests;
  • impacts the KSA's relationships with other countries;
  • prevents disclosure of a crime, impacts the rights of an accused to receive fair trial, or affects the integrity of ongoing criminal procedures;
  • exposes people to danger;
  • leads to violation of the privacy of a person other than the data subject, as set out by the Regulations;
  • contradicts with the interest of a minor or incapacitated person;
  • violates lawful professional standards;
  • violates a judicial order, procedure, or obligation; or
  • discloses a secret information source that should not be disclosed for the public interest.

5.1. Consent

The general rule is that consent is required unless there is an express exception that stipulates otherwise in the PDPL, as amended. Consent therefore is one of the main legal bases for processing personal data, for collecting personal data indirectly from a data subject, or using the data for any purpose other than the purpose for which the data was originally collected, and for disclosures.

Consent may not form a condition of providing a service or benefit, unless such service or benefit is related to the processing of personal data for which consent is given (Article 7 of the PDPL, as amended).

According to Article 11 of the Implementing Regulations, the controller must obtain the data subject's consent for processing their personal data in any appropriate form or means, including written or verbal consent or by using electronic methods, subject to the following conditions:

  • consent must be given freely and not obtained through misleading methods. Consent must be obtained by taking into account the provision in Article 7 of the PDPL, as amended (i.e., consent should not be a prerequisite for offering a service or a benefit, unless such a service or benefit is related to the personal data processing for which consent is granted);
  • the purposes of processing must be clear and specific, and those purposes must be made clear to the data subject before or at the time of requesting consent;
  • consent must be given by a person who has full legal capacity;
  • consent must be documented in a way that allows verification in the future, including keeping records that include the consent of data subjects, indicating the time and means of consent; and
  • independent consent must be obtained for each purpose of processing.

A data subject's consent must be 'explicit' in the following cases:

  • when the processing involves sensitive data;
  • when the processing involves credit data; or
  • if decisions will be taken based entirely on automated processing of personal data.

According to Article 12 of the Implementing Regulations, data subjects have the right to withdraw their consent for processing at any time, and they may inform the controller of their withdrawal by any of the available means in accordance with Article 4 of the Implementing Regulations (the right to be informed).

Additionally, consent is the legal basis for processing personal data for advertising and direct marketing purposes. In line with Articles 25 and 26 of the PDPL, as amended, except for educational materials sent by public authorities, a controller may not use personal contacts (including postal and electronic mail addresses) of the data subject to send them advertising or educational materials, unless it satisfies the following conditions:

  • the target recipient (i.e., individual) consents to receiving such material; and
  • the sender of the material (e.g., the controller), as set out in the Implementing Regulations, provides a clear way that enables the target recipient to express their wish to stop receiving such material.

Except for sensitive data, personal data may be processed for marketing purposes if:

  • the data is collected directly from a data subject; and
  • the data subject consents to such processing in accordance with the PDPL, as amended.

In addition, Article 28(1) of the Implementing Regulations states that controllers must obtain consent from the targeted recipient before sending 'advertising or awareness materials' in case there is no prior interaction between the controller and the targeted recipient. Article 28(2) provides the conditions for obtaining the targeted recipient's consent for advertising or awareness materials.

Furthermore, before processing personal data for 'direct marketing' purposes, the controller must:

  • obtain consent from the data subject (as per Article 11 of the Implementing Regulations);
  • provide a mechanism that allows the data subject to stop receiving marketing materials whenever they desire and such procedures must be easy, simplified, and similar or easier than the procedures for obtaining consent to receive such materials;
  • when direct marketing materials are sent to the data subject, the name of the sending party must be mentioned clearly without any concealment of its identity; and
  • if the data subject withdraws their consent to direct marketing, the controller must stop sending direct marketing materials to them without undue delay.

5.2. Contract with the data subject

Article 6(2) of the PDPL, as amended, provides that the processing of personal data is not subject to consent in certain circumstances, which include the case where the processing is pursuant to the implementation of a previous agreement to which the data subject is a party. However, this appears to be based on a 'previous agreement' to which the data subject is party rather than 'for the performance of a contract' as under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

5.3. Legal obligations

Pursuant to Article 6(2) of the PDPL, as amended, the processing of personal data is not subject to consent if the processing is pursuant to another law (i.e., legal obligation).

Under Article 20(3) of the Implementing Regulations, when disclosing personal data in response to a request from a public authority for security purposes, to implement another law, to satisfy legal requirements, or if the disclosure is necessary to protect public health, public safety, or the life or specific individuals' health, the following measures shall be taken:

  • the request for disclosure should be documented; and
  • the type of personal data required to be disclosed should be accurately defined.

5.4. Interests of the data subject

Under Article 6(1) of the PDPL, as amended, the processing of personal data is not subject to consent if the processing serves the 'actual interests' of the data subject, but communicating with the data subject is impossible or difficult.

Article 1 of the Implementing Regulations defines actual interests as 'any moral or material interest of the data subject directly related to the purpose of processing personal data, and the processing is necessary to achieve that interest.'

According to Article 14 of the Implementing Regulations, when processing is necessary to achieve an actual interest of the data subject, the controller must retain evidence that such an interest exists and that it is impossible or difficult to contact the data subject.

Additionally, Article 10 specifies that personal data may not be indirectly collected or processed for another purpose unless compliance with this restriction may cause harm to the data subject or affect the vital interests of the data subject.

5.5. Public interest

While there is no equivalent specific public interest basis as under the GDPR, the principle of public interest underlies numerous provisions in the PDPL, as amended.

First, in terms of bases for processing personal data, Article 6(3) of the PDPL, as amended, stipulates that personal data may be processed without the data subject's consent if the controller is a public entity and the processing is required for security purposes or to fulfill judicial requirements.

Second, in regard to the collection of personal data, although the general rule requires that data is only collected from the data subject and that the personal data is only used for the purposes disclosed at the time of collection, Article 10(3) of the PDPL, as amended, allows the indirect collection of personal data or for other purposes as required for public interest objectives, security purposes, to implement another law, or to fulfill judicial requirements. Furthermore, the same applies to cases where it is necessary to protect public health, public safety, or to protect the life or health of specific individuals, per Article 10(5) of the PDPL, as amended.

Finally, Article 15(3) of the PDPL, as amended, permits the disclosure of personal data if the entity requesting it is a public entity and the collection or processing is required for public interest or security purposes, to implement another law, or to fulfill judicial requirements. Article 15(4) also permits disclosure if necessary to protect public health, public safety, or to protect the lives or health of specific individuals.

According to Article 21 of the Implementing Regulations, when a public entity collects personal data directly from someone other than the data subject, processes the data for a purpose other than the one for which the data was collected, or requests disclosure to achieve a public interest, it must comply with the following:

  • ensure that this is necessary to achieve a clearly defined public interest;
  • ensure that the public interest is related to the competencies prescribed for it by law;
  • take appropriate means to limit the damages that may result from this, including setting the necessary administrative and technical controls to ensure that its employees comply with the provisions of Article 41 of the PDPL, as amended (i.e., whoever carries out any personal data processing business must keep the data secret even after termination of the employment contract);
  • include these operations in the records of processing activities; and
  • collect and process the minimum personal data necessary to achieve the purpose.

5.6. Legitimate interests of the data controller

Personal data may be processed, collected indirectly or processed for other purposes, or disclosed in accordance with the legitimate interest basis as per Articles 6, 10, and 15 of the PDPL, as amended. The legitimate interest basis was introduced in the amended version of the PDPL issued in March 2023.

According to Article 16 of the Implementing Regulations, except in cases where the controller is a public entity, the controller may process personal data to achieve a legitimate interest provided that the following conditions are met:

  • the purpose of processing does not violate any Saudi laws;
  • the rights and interests of the data subject and the legitimate interests of the controller are balanced so that the interests of the controller do not affect the rights and interests of the data subject;
  • the processing does not include sensitive data; and
  • the processing is within the reasonable expectations of the data subject.

Article 1 of the Implementing Regulations defines legitimate interest as 'any necessary interest of the controller whose fulfillment requires the processing of personal data for a specific purpose, provided that it does not affect the rights and interests of the personal data subject.'

Under Article 16(2) of the Implementing Regulations, examples of legitimate interests include detecting fraud and protecting the security of networks and information, and other legitimate interests that meet the conditions specified in Article 16 of the Implementing Regulations.

As per Article 16(3) of the Implementing Regulations and in accordance with Article 6(4) of the PDPL, as amended (i.e., relying on legitimate interests to process personal data), before processing personal data for a legitimate interest, the controller must conduct and document an assessment of the proposed processing and its impact on the rights and interests of the data subject. The assessment should include the following:

  • specifying the proposed processing, its purposes, the type of data, and the categories of data subjects;
  • evaluating the purpose to ensure it is legitimate and compliant with Saudi laws;
  • verifying the necessity to process personal data to achieve the legitimate purpose of the controller;
  • evaluating whether the proposed processing will cause any harm to the interests of the data subjects or their ability to exercise their legally established rights; and
  • evaluating whether there are any measures that need to be taken to avoid potential risks or damages, in accordance with Article 25(2) of the Implementing Regulations (on Data Protection Impact Assessments ('DPIAs')).

Finally, per Article 16 of the PDPL, as amended, there are certain circumstances when disclosure will not be permitted on the basis of legitimate interest. See the section on legal bases above.

5.7. Legal bases in other instances

Other legal bases that may apply to the indirect collection of personal data or use of the data for other purposes under Article 10 or for disclosures under Article 15 include:

  • where the personal data is publicly available or collected from publicly available sources. Article 15 of the Implementing Regulations further specifies that the collection of data from publicly available sources must be lawful;
  • if the collection or processing of personal data is necessary to protect the public health, public safety, or to protect the life or health of a specific individual; and
  • if the personal data will not be recorded or stored in a form that makes it possible to directly or indirectly identify the data subject (i.e., in anonymized form). Article 9 of the Implementing Regulations sets out conditions for anonymizing data, including ensuring that the identity of the data subject cannot be re-identified after the identity has been concealed and, where required, evaluating the impact, including the possibility of re-identifying the data subject. 

Pursuant to Article 16 of the PDPL, as amended, there are certain circumstances when disclosure will not be permitted on the basis of the data being publicly available or of the data being recorded or stored in anonymized form. See the section on legal bases above.

6. Principles

The PDPL, as amended, sets out a number of principles which are similar to the GDPR, such as:

Purpose limitation: The purpose of collecting personal data shall be directly related to the purposes of the controller and shall not contradict the provisions of the PDPL, as amended (Article 11(1) of the PDPL, as amended).

Security: The methods and means of collecting personal data may not violate any provisions of the PDPL, as amended, and must be suitable to the circumstances of the data subject, direct, clear, safe, and free from any types of fraud, deceit, or blackmail (Article 11(2) of the PDPL, as amended).

Data minimization: The content of the personal data must be relevant and restricted to the minimum extent required to achieve the intended purpose. Such content should not lead to the direct identification of the data subject, provided that the objective of data collection is achieved (Article 11(3) of the PDPL, as amended).

Article 19 of the Implementing Regulations further states the controller must collect only the minimum amount of personal data necessary to achieve the purpose of the processing and ensure the following:

  • collect only the necessary personal data that is closely and directly related to the purpose of processing, as determined through the use of appropriate means, including data maps that indicate the need for each item of data collected and link it to each purpose of processing, or other means; and
  • provide necessary care to achieve the purpose of the processing without collecting unnecessary personal data.

The controller must retain the minimum amount of personal data necessary to achieve the purpose of processing.

Storage limitation: If it becomes clear that personal data being collected is no longer necessary to achieve the intended purpose of its collection, the controller must stop the data collection and destroy the data without delay (Article 11(4) of the PDPL, as amended).

Accuracy: The controller may not process personal data without taking sufficient measures to ensure accuracy, completion, recency, and relevancy of the data based on the purpose of its collection in accordance with the provisions of the PDPL, as amended (Article 14 of the PDPL, as amended).

7. Controller and Processor Obligations

7.1. Data processing notification

Article 30(4) of the PDPL, as amended, states that in order to carry out its tasks related to supervising the implementation of the provisions of the PDPL, as amended, and the Regulations, the SDAIA may identify the appropriate tools and mechanisms for monitoring and tracking the compliance of controllers with the provisions of the PDPL, as amended, and the Regulations, including the establishment of a national registry of controllers for this purpose.

Article 34 of the Implementing Regulations builds upon this and provides that the SDAIA shall issue the rules for registration in the National Register of Controllers, provided that the rules also include the relevant controllers that have to register. The rules will likely specify the type of controllers that will have to register with the SDAIA.

Once the rules have been issued, organizations should identify whether they need to register with the SDAIA.

7.2. Data transfers

Article 29 of the PDPL, as amended, allows controllers to transfer or disclose personal data outside Saudi Arabia as long as:

  • they have a purpose for such transfer/disclosure in accordance with the PDPL, as amended and the Regulations; and
  • the transfer/disclosure meets the conditions specified in the PDPL, as amended, and the Regulations.

In accordance with Article 29(2) of the PDPL, as amended, and Article 2(4) of the Data Transfer Regulations, controllers may transfer personal data outside Saudi Arabia or disclose it to a party outside Saudi Arabia in order to achieve any of the following purposes:

  • if it is necessary for fulfilling an obligation under an agreement to which the KSA is a party;
  • if it is necessary to serve the interests of the KSA;
  • if it is necessary for fulfilling an obligation to which the data subject of the personal data is a party;
  • carrying out operational processes for processing to enable the controller to carry out its activities, including the operations of the central administration;
  • providing a service or benefit to the data subject; or
  • conducting scientific research and studies.

In addition to a purpose set out above, Article 29(2) of the PDPL, as amended, states that the controller must also meet the following conditions when transferring or disclosing personal data:

  • the transfer or disclosure must not compromise national security or the vital interests of KSA;
  • there is an appropriate level of protection of personal data outside the KSA, which must not be less than the level of protection established in the PDPL, as amended, and the Regulations, according to the results of an evaluation conducted by the SDAIA in this regard in coordination with whomever it deems appropriate among the designated authorities; and
  • the transfer or disclosure shall be limited to the minimum amount of personal data that is necessary (a form of data minimization for data transfers).

Article 29(3) of the PDPL, as amended, states that the conditions shall not apply to cases of extreme necessity to preserve the life or vital interests of the data subject or to prevent, examine, or treat infectious diseases (e.g., relating to COVID-19).

The Data Transfer Regulations specify further data transfer requirements. In particular, Article 2 of the Data Transfer Regulations states that the controller must consider the following:

  • controllers may transfer or disclose personal data to a party outside the KSA, unless such transfer/disclosure affects national security or vital interests of the KSA, or if the transfer or disclosure is in violation of another law in the KSA;
  • the controller must limit the transfer/disclosure of personal data outside the KSA to the minimum necessary to achieve the purpose of the transfer/disclosure. This should be determined through the use of any appropriate means, including data mapping, that indicate the need to transfer/disclose the data and should be linked to each of the purposes for processing outside the KSA; and
  • when transferring/disclosing personal data to a party outside the KSA, the controller must ensure that it does not affect the privacy of data subjects or the level of protection guaranteed for personal data in accordance with the PDPL, as amended, and the Regulations, by ensuring that the transfer/disclosure will not violate, as a minimum, any of the following:
    • the ability of the data subject to exercise their rights guaranteed in the PDPL, as amended;
    • the ability of the data subject to revoke their consent to the processing;
    • the ability of the controller to comply with the requirements of notification of personal data breaches;
    • the ability of the controller to comply with the provisions, controls, and procedures of disclosure of personal data;
    • the ability of the controller to adhere to the provisions and controls for destroying personal data; and
    • the ability of the controller to take the necessary organizational, administrative, and technical measures to ensure the security of personal data.

In addition to the above requirements, Article 3 of the Data Transfer Regulations introduces an evaluation and adequacy system. This appears to be a similar adequacy system as implemented by other data protection authorities. For information about how the SDAIA will determine the adequacy of other countries, review Articles 3 to 6 of the Data Transfer Regulations.

Article 5 of the Data Transfer Regulations sets out exemption cases and appropriate safeguards required in the absence of an adequacy decision (or international agreement with the country). The transfer/disclosure of personal data will be subject to the condition that the legal requirements in that country or its sectors or the international organization do not negatively impact the privacy of data subjects or the ability of the controller to comply with the application of appropriate safeguards, in addition to adopting the following safeguards by the controller:

  • Binding Corporate Rules ('BCRs'), which apply to each concerned party in a group of entities operating in a joint economic activity, including its employees, whose terms and conditions are approved by the SDAIA;
  • Standard Contractual Clauses ('SCCs') that guarantee an adequate level of protection for personal data when transferring outside the KSA, according to a standard form issued by the SDAIA;
  • Certifications of compliance with the PDPL, as amended, and the Regulations, issued by an authorized entity licensed by the SDAIA; and
  • Binding Codes of Conduct, which are approved by the SDAIA based on requests submitted in each case separately.

In the absence of an adequacy decision and the inability of the controller to use any of the above safeguards, the transfer/disclosure is permitted in any of the following cases (i.e., derogations):

  • the transfer or disclosure is necessary to conclude or implement an agreement to which the data subject is a party;
  • the controller is a public authority and the transfer/disclosure is necessary to protect the national security of the KSA or to achieve a public interest;
  • the controller is a public authority and the transfer/disclosure is necessary to investigate, detect, or prosecute crimes or to implement criminal penalties; and
  • the transfer or disclosure is necessary to protect the vital interests of the data subject and it is impossible to contact them.

Under Article 8 of the Data Transfer Regulations, there is also a requirement for controllers to carry out a risk assessment in the following cases:

  • a safeguard is applied for the transfer of the data (e.g., SCCs);
  • an exemption (i.e., derogation) is relied upon to transfer the data; and
  • the transfer involves continuous or large-scale transfers of sensitive data outside the KSA.

The risk assessment should include the following elements as a minimum:

  • the purpose and legal basis of the transfer/disclosure;
  • a description of the nature of the transfer/disclosure and its geographic scope;
  • the appropriate means and guarantees taken for transferring personal data outside the KSA, and the extent to which they are sufficient to achieve the required level of protection of personal data;
  • measures taken to ensure that the transfer or disclosure is limited to the minimum amount of personal data necessary to achieve the purposes;
  • the material or moral impact that may result from the transfer or disclosure, and the possibility of any harm to the data subjects; and
  • measures that will be taken to prevent and mitigate identified risks to protect personal data.

If a controller relies on a safeguard or derogation, it must cease transferring/disclosing the personal data to a party outside Saudi Arabia in any of the following cases:

  • it becomes clear that the transfer/disclosure affects national security or the vital interests of the KSA;
  • the results of the risk assessment of transferring/disclosing personal data outside the KSA indicate that the transfer/disclosure will result in high risks to the privacy of data subjects (see below);
  • appropriate guarantees applied by the controller will cease to apply; and
  • the controller is unable to abide by the appropriate guarantees applied by it.

The SDAIA intends to issue forms, guidance, and procedural guides related to the provisions in the Data Transfer Regulations.

7.3. Data processing records

Article 31 of the PDPL, as amended, requires controllers to keep records for personal data processing activities for a period prescribed by Article 33 of the Implementing Regulations, i.e., for the duration of the processing activity in addition to five years starting from the date of the end of the personal data processing activity.

The minimum data that should be included in the Records of Processing Activities ('ROPA') are:

  • the name and contact details of the controller;
  • the details of the Data Protection Officer (where required);
  • a description of the categories of personal data being processed, and the categories of data subjects;
  • the purpose of personal data processing;
  • categories of recipients of personal data;
  • whether the personal data is or will be transferred outside the KSA or disclosed to a party outside the KSA, including a description of the transfer, the legal basis for the transfer, and the parties to whom the data is transferred;
  • the expected period of retention for each category of personal data (as far as possible); and
  • a description of the organizational, administrative, and technical procedures and means that ensure the preservation of the personal data (as far as possible).

Controllers should make the ROPA available whenever requested by the SDAIA.

7.4. Data protection impact assessment

Article 22 of the PDPL, as amended, states that controllers must conduct an evaluation of the impacts of processing personal data for any product or service provided to the public in accordance with the activities carried out by the controller.

However, Article 25 of the Implementing Regulations then stipulates other circumstances when a 'written and documented assessment of the impacts and risks that may affect the data subject as a result of processing personal data' should be conducted. Risk assessments should be conducted in the following cases:

  • when processing sensitive data;
  • when collecting, comparing, or linking two or more sets of personal data obtained from different sources;
  • where the activity of the controller includes systematic, large-scale processing of personal data of those who fully or partially lack legal capacity;
  • where the activity involves processing operations that, by their nature, require the continuous monitoring of data subjects;
  • where the activity involves the processing of personal data using new technologies;
  • where the activity involves making decisions based on the automated processing of personal data; and
  • where the processing involves the provision of a product or service that involves the processing of personal data that is likely to cause serious harm to the privacy of data subjects.

Article 25(2) of the Implementing Regulations states that a risk assessment should include at least the following information:

  • the purpose of the processing and the legal basis;
  • a description of the nature of the processing to be conducted, the types and sources of personal data to be processed, and any entities to whom the personal data is to be disclosed;
  • a description of the scope of the processing, which identifies the type of personal data and the geographical scope of the processing;
  • a description of the context of the processing, which identifies the relationship between the data subjects, the controller, and the processors, as well as any other relevant circumstances;
  • an assessment of the necessity and proportionality of the processing, which identifies the measures to be taken to enable the controller and processors to process the minimum personal data necessary to achieve the purposes of the processing;
  • the impact of the processing, based on the severity of its impact, materially and morally, and the likelihood of any negative impact on data subjects, including any psychological, social, physical, or financial impact, and the likelihood of their occurrence;
  • the measures that will be taken to prevent or limit the magnitude of identified risks; and
  • an evaluation of the suitability of the measures envisaged to avoid identified risks.

Article 25(4) of the Implementing Regulations provides that where the results of the assessment indicate that the processing will harm the privacy of data subjects, the controller must address the reasons and re-conduct the assessment. 

7.5. Data protection officer appointment

Article 30(2) of the PDPL, as amended, states that the Regulations will specify the cases in which a controller must appoint or designate one or more persons to assume the role of Data Protection Officer ('DPO').

Under Article 32 of the Implementing Regulations, a controller must appoint one or more individuals to be responsible for the protection of personal data in any of the following cases:

  • the controller is a public entity that provides services that involve the processing of personal data on a large scale;
  • the primary activities of the controller consist of processing operations that require the regular and systematic monitoring of data subjects; and
  • the core activities of the controller consist of processing sensitive personal data.

Article 32(4) provides that the SDAIA will issue rules for the appointment of a DPO, as well as the circumstances under which a DPO should be appointed, and their duties and responsibilities.

7.6. Data breach notification

Notification to the SDAIA

Per Article 20(1) of the PDPL, as amended, and Articles 24(1) and 24(2) of the Implementing Regulations, controllers must notify the SDAIA within a period not exceeding 72 hours of becoming aware of any personal data leak, damage, or unauthorized access, if such breach may cause harm to the personal data or the data subject, or conflicts with their rights or interests, unless the controller is not able to provide the required information. In this case, controllers shall provide the information as soon as possible with a justification for the delay.

Article 24(1) of the Implementing Regulations provides that the notification to the SDAIA should include the following:

  • a description of the personal data breach incident, including the time and date of the breach, and the time when the controller became aware of it;
  • data categories, actual or approximate numbers of impacted data subjects, and the type of personal data;
  • a description of the risks of the personal data breach, including the actual or potential impact on personal data and data subjects, and the actions and measures taken by the controller to prevent or limit the impact of those risks and mitigate them, as well as the future measures that will be taken to avoid a recurrence of the breach;
  • a statement if the data subject has been notified of the breach of their personal data; and
  • the contact details of the controller or its DPO, if any, or any other official who has information regarding the reported incident.

Notification to the data subject

Under Article 20(2) of the PDPL, as amended, and Article 24(5) of the Implementing Regulations, controllers must also notify the data subject without undue delay in case of personal data leaks, damage, or unauthorized access that may result in damage to their personal data or conflict with their rights or interests, provided that the notification is in simple and clear language.

The notification should include the following:

  • a description of the personal data breach;
  • a description of the potential risks arising from the breach, and the measures taken to prevent or limit risks and their impact;
  • the name and contact details of the controller and its DPO, if any, or any other appropriate means of communication with the controller; and
  • any recommendations or advice that may assist the data subject in taking appropriate measures to avoid the identified risks or limit their impact.

7.7. Data retention

In addition to the storage limitation principle under Article 11(4) of the PDPL, as amended, whereby personal data should not be processed for longer than is necessary to achieve the intended purpose of processing, Article 18 of the PDPL, as amended, requires controllers to destroy personal data after achieving the purpose of collecting such data, without delay.

Controllers may retain personal data after the purpose of collection expires if all identifiers that could lead to the identification of the data subjects have been removed.

In the following circumstances, a controller may retain personal data after the purpose of collection has expired:

  • if there is a legal justification for retaining personal data for a specific period, in which case the personal data shall be destroyed upon the lapse of that period; or
  • if the personal data is closely related to a case under consideration before a judicial authority and its retention of personal data is required for that purpose, in which case the personal data shall be destroyed once the judicial procedures are concluded.

Therefore, controllers will need to consider their data retention policies or put such policies in place, and also consider how personal data will be deleted, destroyed, or anonymized once the retention periods expire.

7.8. Children's data

Article 16 of the PDPL, as amended, provides that a controller may not disclose personal data if the disclosure contradicts the interest of a minor or incapacitated person.  

Where a data subject is a minor or incompetent, their legal guardian can exercise their rights on the data subject's behalf (Article 3(3) of the Implementing Regulations).

In accordance with Article 13 of the Implementing Regulations, considering applicable legal requirements, a legal guardian of a data subject that lacks full or partial legal capacity (which may be a minor) must act in the best interests of the data subject, and for this purpose, they have the following options:

  • exercise the rights granted to the data subject under the PDPL, as amended, and the Regulations; or
  • consent to the processing of the data subject's personal data in accordance with the provisions of the PDPL, as amended, and the Regulations.

In addition to the consent requirements set out in Article 11 of the Implementing Regulations, in case of the processing of personal data of a data subject that lacks full or partial legal capacity, obtaining the consent of the legal guardian is conditional upon taking appropriate measures to verify guardianship validity over the data subject. When obtaining consent from the legal guardian of a data subject that lacks full or partial legal capacity, the controller must comply with the following provisions:

  • consent given by the legal guardian should not cause any harm to the interests of the data subject; and
  • the data subject must be allowed to exercise their rights stipulated in the PDPL, as amended, and the Regulations when they reach legal capacity.

7.9. Special categories of personal data

The PDPL, as amended, does not contain additional conditions for processing sensitive data unlike international data protection laws, such as the GDPR. However, there are a number of restrictions with respect to processing sensitive data, as well as further requirements for certain categories of sensitive data.

Sensitive data is defined as personal data that reveals an individual's racial or ethnic origin, religious, intellectual, or political belief, data relating to security criminal convictions and offenses, biometric or genetic data for the purpose of identifying the person, health data, and data that indicates that one or both of the individual's parents are unknown.

Where consent is relied upon to process sensitive data, the consent must be explicit (Article 11(2) of the Implementing Regulations). The term explicit, however, is not specifically defined in the PDPL, as amended. 

When relying on the legitimate interests basis to process personal data, controllers should note that this basis does not apply to sensitive data (Articles 6, 10, and 15 of the PDPL, as amended, and Article 16(1)(c) of the Implementing Regulations). Moreover, sensitive data may not be processed for marketing purposes (Article 26 of the PDPL, as amended).

Where a controller's activities require continuous or large-scale processing of personal data on individuals lacking full or partial legal capacity or whose parents are unknown, continuous monitoring of data subjects, adoption of new technologies, or making automated decisions, in addition to the information requirements in Article 4(1) of the Implementing Regulations, controllers must also provide the means and methods of collecting and processing sensitive data, where applicable (Article 4(5) of the Implementing Regulations).

Article 32(1)(c) of the Implementing Regulations requires a DPO to be appointed if the core activities of the controller consist of processing sensitive personal data.

The penalty for disclosing or publishing sensitive data in violation of the PDPL, as amended, with the intention of harming the data subject or achieving a personal benefit may be a fine or criminal sanctions. According to Article 35(1) of the PDPL, as amended, the offense carries imprisonment for a period not exceeding two years or a fine not exceeding SAR 3 million (approx. $800,000).

The PDPL, as amended, also governs the following categories of sensitive data, which require additional controls under the PDPL, as amended, and, in some cases, under other laws and regulations applicable in Saudi Arabia.

Health data

Health data includes any personal data relating to an individual's health conditions or related to health services received by that individual, as well as genetic data.

Article 23 of the PDPL, as amended, explains that the processing of health data is subject to additional requirements and procedures to ensure the privacy of data subjects and to protect their rights under the PDPL, as amended. This includes:

  • the right of health data access, including medical records, must be restricted to the lowest number of staff and only for the purpose of offering necessary healthcare services; and
  • health data processing operations and procedures shall be restricted to the lowest number of staff and only for the purpose of offering healthcare services or medical insurance programs.

Articles 26(1) to 26(6) of the Implementing Regulations build upon this and stipulate that the controller must take appropriate organizational, technical, and administrative measures to safeguard health data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners.

Credit data

Credit data includes personal data related to an individual's request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including any data relating to that individual's ability to obtain and repay debts, and the credit history of that person.

Article 24 of the PDPL, as amended, explains that the processing of credit data is subject to additional requirements and procedures to ensure the privacy of data subjects and to protect their rights under the PDPL, as amended, and the Credit Information Law.

This shall include the following:

  • taking the necessary action to verify the written explicit consent of the data subject for the collection of such data or to change the purpose of data collection, data disclosure, or publishing in accordance with the provisions of the PDPL, as amended and the Credit Information Law; and
  • the data subject shall be informed upon receiving a request to disclose their credit data from any entity.

Article 27 of the Implementing Regulations builds upon this and stipulates that, without prejudice to the provisions of the Credit Information Law and its implementing regulations, the controller must take organizational, technical, and administrative measures to safeguard credit data from any unauthorized use, misuse, access by unauthorized individuals, or use or disclosure for purposes other than those for which it was collected. The controller must adopt the following controls and procedures:

  • adopt and implement requirements and controls issued by the SAMA and other relevant authorities which define the roles and responsibilities of employees of establishments providing credit information services and of the parties that have contracts with such establishments to process credit data; and
  • obtain the consent of the data subject and notify them of any request to disclose their credit data in accordance with the provisions of the Credit Information Law, taking into account the provisions of Article 11(1)(d) of the Implementing Regulations (relating to documenting consent). 

7.10. Controller and processor contracts

Article 8 of the PDPL, as amended, states that a controller, when appointing a processor, must choose an entity that provides the necessary guarantees to implement the provisions of the PDPL, as amended, and the Regulations. Furthermore, the controller must verify the processor's compliance with the provisions of the PDPL, as amended, and the Regulations, without prejudice to the controller's responsibilities towards the data subject or the SDAIA.

Article 17(1) of the Implementing Regulations supplements the PDPL, as amended, by stating that a controller must ensure that any data processor chosen provides sufficient guarantees to protect personal data, and that an agreement with the data processor includes the following:

  • the purpose of processing;
  • categories of personal data being processed;
  • the duration of processing;
  • the data processor's commitment to notify the controller in case of a personal data breach, in accordance with the PDPL, as amended, and the Regulations, and without undue delay;
  • clarification of whether the data processor is subject to regulations in other countries and the impact on its compliance with the PDPL, as amended, and the Regulations;
  • no requirement for the controller's prior consent for mandatory disclosure of personal data under applicable laws in the KSA, provided that the data processor notifies the controller of such disclosure; and
  • identification of any subcontractors contracted by the data processor, or any other party to whom personal data will be disclosed.

The controller must issue clear instructions to the processor. In case of any violation of the controller's instructions or any applicable Saudi laws, the processor must notify the controller in writing without undue delay (Article 17(2) of the Implementing Regulations).

The controller is responsible for periodically assessing the processor's compliance with the PDPL, as amended, and the Regulations, and ensuring that all regulatory requirements are met, whether the processing is achieved by the processor or third parties acting on its behalf. The controller may appoint an independent third party to assess and monitor the processor's compliance on its behalf (Article 17(3) of the Implementing Regulations).

If a processor violates the instructions issued by the controller or the agreement regarding the processing of personal data, the processor will be considered as a controller and held directly accountable for any violation of the PDPL, as amended, (Article 17(4) of the Implementing Regulations).

In accordance with Article 17(5) of the Implementing Regulations, before entering into subsequent contracts with sub-processors, the processor should abide by the following:

  • take sufficient guarantees to ensure that such contracts would not impact the level of protection afforded to the personal data being processed;
  • choose only sub-processors that provide necessary guarantees to comply with the PDPL, as amended, and the Regulations; and
  • obtain prior approval from the controller, with the controller being notified before entering into such contracts and being able to object to them within a timeframe agreed upon between the controller and the processor.

8. Data Subject Rights

8.1. Right to be informed

Article 4(1) of the PDPL, as amended, provides data subjects with the right to be informed, which includes being informed of the lawful basis for, and the purpose of, collecting their personal data. This right ties in with Article 12 of the PDPL, as amended, which requires controllers to give data subjects notice of their data processing by way of a privacy policy. The privacy policy must be made available to data subjects prior to commencing the collection of their personal data. As a minimum, the privacy policy must specify the purpose of collection, the personal data to be collected, the means used for collection, processing, storage, and destruction, and information about data subjects' rights and how to exercise them (as well as the information set out in Article 13 of the PDPL, as amended, when collecting personal data directly from data subjects).

Article 4 of the Implementing Regulations supplements the right to be informed and the requirements in Articles 12 and 13 of the PDPL, as amended, by specifying the information that should be provided to data subjects when their data is collected directly or indirectly from data subjects, as well as additional information that should be provided under certain circumstances (e.g., if the controller engages in activities that involve the continuous monitoring of data subjects, the use of emerging technologies, or automated decision-making).

8.2. Right to access

Article 4(2) of the PDPL, as amended, provides data subjects with the right to access their personal data held by the controller in accordance with the rules and procedures set out in Article 5 of the Implementing Regulations.

8.3. Right to rectification

Article 4(4) of the PDPL, as amended, provides data subjects with the right to request correction, completion, or updating of their personal data. When correcting the personal data, the controller must comply with the conditions specified in Article 22 of the Implementing Regulations.

Article 17 of the PDPL, as amended, further provides that if personal data is corrected, completed, or updated, the controller must inform any entity that received such data of such change, and it must allow the entity to make such change.

The data subject may, where their personal data is inaccurate, request that processing of the data be restricted for a period during which the controller verifies the accuracy of the data (Article 7 of the Implementing Regulations). The restriction will not apply if providing the data would contravene the PDPL, as amended, or the Regulations.

8.4. Right to erasure

Article 4(5) of the PDPL, as amended, provides data subjects with the right to request the deletion of personal data without prejudice to the provisions of Article 18 of the PDPL, as amended (concerning the destruction of personal data). Article 8 of the Implementing Regulations specifies the cases when a controller must destroy personal data as:

  • upon the data subject's request;
  • if the personal data is no longer necessary to achieve the purpose for which it was collected;
  • if the data subject withdraws consent; or
  • if the controller becomes aware that the personal data is being processed in a way that violates the PDPL, as amended.

When destroying personal data, the controller must take the steps specified in Article 8(2) of the Implementing Regulations, including taking appropriate measures to notify other parties to whom the controller has disclosed the personal data and request the destruction of such data.

8.5. Right to object/opt-out

Article 5(2) of the PDPL, as amended, provides data subjects with the right to withdraw consent at any time, in relation to consent which they previously gave to the processing of their personal data.

Article 12 of the Implementing Regulations specifies the conditions for withdrawing consent, including requiring a controller to establish procedures that allow for the withdrawal of consent as easily as it is to obtain the consent.

8.6. Right to data portability

Article 4(3) of the PDPL, as amended, provides data subjects with the right to request access to their personal data in a format that is readable and clear, in accordance with the rules and procedures set out in Article 6 of the Implementing Regulations.

8.7. Right not to be subject to automated decision-making

The PDPL, as amended, does not contain a specific provision on objecting to automated decision-making. Where consent is relied upon to process personal data for automated decision-making, such consent must be explicit (Article 11(2) of the Implementing Regulations). Additionally, where the controller relies on automated processing, it must clarify whether decisions will be based entirely on automated processing (Article 4(5) of the Implementing Regulations).

Moreover, an impact assessment is required in circumstances where the controller's processing activity involves making decisions based on the automated processing of personal data.

8.8. Other rights

Article 34 of the PDPL, as amended, provides that the data subject may approach the SDAIA to file a complaint relating to the application of the PDPL, as amended, and/or the Regulations.

In addition, where a controller receives a request from a data subject, it must implement the request without undue delay and within a period not exceeding 30 days. The controller may extend this period by no more than 30 additional days if implementing the request requires unexpected or unusual additional effort, or if the controller receives multiple requests from the same data subject, provided that the controller notifies the data subject in advance of the extension and its justification (Article 3(1) of the Implementing Regulations).

Controllers can refuse to act on a request when it is unjustifiably repetitive or it requires extraordinary effort, in which case the data subject should be notified of the reason for the refusal (Article 3(2) of the Implementing Regulations).

9. Penalties

Article 35 of the PDPL, as amended provides that, without prejudice to any stricter punishment provided for in another law, anyone who discloses or publishes sensitive data in violation of the provisions of the PDPL, as amended, whether with the intent of harming the data subject or with the intent of achieving a personal benefit, will be punished with imprisonment for a period not exceeding two years and/or a fine not exceeding SAR 3 million (approx. $800,000).

The Public Prosecution is responsible for investigating and prosecuting before the competent court any violations involving sensitive data. The competent court will hear claims arising from the application of Article 35 of the PDPL, as amended, and issue the prescribed punishments.

For repeat violations involving sensitive data, the competent court may double the fine, even if the resulting amount exceeds the maximum limit, provided that it does not exceed double that limit.

Article 36 of the PDPL, as amended, provides that, without prejudice to any stricter punishment provided for in another law (and unless it relates to sensitive data, in which case the above penalties apply), every natural or legal person governed by the PDPL, as amended, that violates any of the provisions of the PDPL, as amended, and the Regulations shall be punished by a warning notice or a fine of no more than SAR 5 million (approx. $1.33 million).

A committee shall be established with no fewer than three members, including a chair, a technical specialist, and a legal advisor. The committee shall consider violations of the PDPL, as amended, and impose penalties of warnings or fines as stipulated in Article 36 of the PDPL, as amended. The committee shall consider:

  • the type of violations committed;
  • the seriousness of the violation; and
  • the impact of the violation.

The party against whom the committee issues a resolution shall have the right of grievance against such resolution before a competent court.

Article 38(1) of the PDPL, as amended, provides that without prejudice to the rights of bona fide third parties, the competent court may order the confiscation of funds obtained as a result of breaches of the PDPL, as amended.

Article 38(2) of the PDPL, as amended states that the competent court or committee may also add to the punishment, judgment, or decision, a provision requiring publication of the judgment, or decision at the expense of the violating party in one or more newspapers or any other appropriate media, depending on the type, impact, and seriousness of the violation. The publication shall be carried out after the judgment becomes final.

Article 39 of the PDPL, as amended, provides that a public authority shall investigate and discipline its staff who violate the provisions of the PDPL, as amended, and the Regulations, in accordance with the legally established rules of accountability and discipline.

9.1 Enforcement decisions

There are no current decisions related to the enforcement of the provisions under the PDPL, as amended. The implementing decree to the PDPL, as amended, provides a one-year grace period for organizations to comply with the requirements in the PDPL, as amended, and the Regulations, and therefore it is unlikely that there will be any material enforcement actions before this time.