
Saudi Arabia’s Personal Data Protection Law: The Ultimate Guide for Businesses

With every country and union drawing up its own data privacy laws to protect the privacy of its residents, Saudi Arabia has left no stone unturned and has come up with its own comprehensive data protection law.

The Kingdom of Saudi Arabia enforced its first-ever comprehensive data protection law on September 14, 2023.   

The Personal Data Protection Law (PDPL) is a set of rules businesses must follow while collecting, using, disclosing, or keeping personal data about individuals.    

The PDPL grants people, also called data subjects, several rights regarding their personal data.  

This article will help you understand everything you need to know about Saudi Arabia’s Personal Data Protection Law, from what PDPL is to how your business can operationalize the law.   

What is the Saudi Arabia Personal Data Protection Law (PDPL)?  

Whether based in the KSA or elsewhere, all businesses that process the personal data of Saudi citizens must comply with the PDPL, a comprehensive data privacy law.

Any information that refers to an identified or identifiable individual is considered personal data under the law.  

Additionally, it outlines the guidelines for cross-border data transfer mechanisms and the consequences for organizations that fail to comply with the PDPL.  

One of the standout features of the PDPL is that it does not prejudice any provision that provides more robust protection for data subjects or provides them rights in another law or international agreement to which Saudi Arabia is a party.  

Who is implementing the regulations for PDPL?  

The PDPL will primarily be enforced in the KSA for the first two years by the Saudi Data & Artificial Intelligence Authority (SDAIA), the primary body responsible for implementing the PDPL, after which a transfer to the National Data Management Office (NDMO) will be considered in 2024.

The initial implementation date for the PDPL was March 23, 2022.  

However, SDAIA submitted suggested changes to the PDPL for public review between November 20, 2022, and December 20, 2022.  

The Saudi Council of Ministers amended the PDPL on March 21, 2023.  

SDAIA released the Implementing Regulations to the PDPL and the Personal Data Transfers Regulations on September 7, 2023.   

The general requirements and principles highlighted in the PDPL are further explained in the Implementing Regulations and the Regulations on Personal Data Transfers.  

The following are some additional PDPL application guidelines that are included in the Implementing Regulations:  

  • The steps data controllers must take to adhere to the PDPL.  
  • Requirements for data processors.  
  • The steps for transferring personal data outside of the KSA.  
  • Guidelines for processing personally identifiable information.  

Who needs to comply with the law?  

Based on their legal status and the type of data they handle, the new law affects organizations as follows:

Material Scope    

The processing of sensitive personal data relating to individuals residing in Saudi Arabia is covered under the PDPL.  

The PDPL also applies to any personal information about the deceased that could be used to identify them or a family member.   

The PDPL does not apply to processing personal data for domestic purposes.  

Territorial Scope  

Public and private businesses that use any method to process residents’ personal data in Saudi Arabia are subject to the PDPL.   

The PDPL will also apply if a foreign organization handles the personal information of individuals who live in Saudi Arabia.  

Rights of Data Subjects under PDPL  

The PDPL assures that all data subjects are provided specific data subject rights, much like most other data protection laws worldwide.   

The Implementing Regulations elaborate these rights further. Thanks to these rights, all users will always have access to their data after it has been collected.   

Various types of data subject requests are provided under different data protection laws. The following are some of those that the PDPL guarantees:  

  • Right to Know/Information – Data subjects have a right to information regarding the details of the data controller, the specific purposes for data collection, the techniques employed, and whether the data will be shared or sold.  
  • Right to Request Correction – Any incomplete, incorrect, or out-of-date information acquired about a data subject may be requested to be corrected.  
  • Right to Request Destruction – Data subjects can ask that any information collected about them be destroyed. The reasons for this can be anything from the user withdrawing consent to the data collection to the data no longer being useful for the original purpose for which it was collected.  
  • Right to Limit/Restrict Processing – Data subjects can restrict or object to how long an organization may use their personal information for specific purposes. Although it is not expressly stated in the PDPL, the regulating body has published a series of FAQs on this entitlement (https://sdaia.gov.sa/ndmo/Files/QA.pdf).
  • Right to Data Portability – Data subjects can acquire their personal information and ask that it be transferred to another controller.

The data controller must ensure that every data subject is appropriately informed about their rights and set up specific channels to exercise them.   

The data controller must respond to these requests promptly (within 30 days) and record all inquiries from data subjects.   

Multinational companies will have to act faster since the PDPL’s 30-day timeframe is much shorter when compared to the three-month timeframe laid out by GDPR.  

What are the Organizational Obligations Under PDPL?  

According to the PDPL, data controllers are subject to several requirements.

The Personal Data Transfer Regulations and the Implementing Regulations have added to these.   

The data controllers (organizations) must ensure the personal data is accurate, complete, and relevant before processing it.   

Data controllers must also adhere to the principles of data protection, such as collection limitation, purpose limitation, data security, accountability, and retention limitation.

The PDPL gives enterprises a 12-month grace period following the implementation date, September 14, 2023, to become compliant.

The essential requirements listed under the PDPL that businesses must adhere to in order to remain compliant are as follows:

Requirements for Consent

Under the PDPL, organizations may not process personal data without the owner’s permission except in expressly stipulated cases by the Implementing Regulations.  

Organizations must get independent consent for each processing purpose that is freely granted. 

Consent must not be a condition for the data controller to provide a service or benefit (unless the service or benefit is directly related to the processing activity for which consent was sought), and data subjects may withdraw their consent to the processing of their personal data at any point in time.

According to the PDPL, consent is not necessary in the following situations:  

  • If data processing would result in a clear benefit to the data subject and it is not feasible or practical to contact them;
  • If the data subject is a party to a prior agreement, or a law requires the processing;
  • If the processing is needed for security or judicial reasons and the controller is a public entity;
  • If the controller has taken the required legal steps and is collecting data for scientific, research, or statistical purposes;
  • If the processing is required to protect the controller’s or another party’s legitimate interests, provided the rights of data subjects are not prejudiced. This exception does not apply to sensitive personal data.

Requirements for Privacy Policies

The PDPL mandates that businesses create personal data privacy policies and make them accessible to data subjects for review before data collection.   

The purpose of its collection, the nature of the personal data to be collected, the methods of storing it, how it will be processed, how it will be destroyed, the rights of its owner concerning it, and how these rights will be exercised are all covered by this policy.  

When collecting personal information directly from data subjects, organizations must use appropriate means to notify such individuals of the following before beginning the data collection process:

  • The valid legal or practical reason for obtaining their personal data;
  • The basis for collecting their personal data, whether providing it is required or optional, and that their data will not be processed later in a way that is inconsistent with the reason for collection or in circumstances other than those listed in the PDPL;
  • Unless the collection is necessary for security reasons, the name and address of the person collecting the personal information;
  • Whether the personal data will be transferred, disclosed, or processed outside the Kingdom, the organization(s) to which the personal data will be disclosed, and the organization’s capability;
  • Consequences and risks that could result from not completing the personal data collection process;
  • Data subject rights; and
  • Any other criteria set by the regulations based on the nature of the organization’s activity.

Security Needs

According to the provisions and controls outlined in the Implementing and Personal Data Transfer Regulations, the PDPL mandates that organizations implement the necessary organizational, administrative, and technical measures and means to preserve personal data, including when it is transferred.  

Requirements for Data Breach 

Organizations must report a data breach to the regulatory body within 72 hours of first becoming aware of it, according to the PDPL and its associated Regulations.

In addition, the data controller must give the regulatory body a thorough analysis of the breach and the precautions to ensure it doesn’t happen again.  

The data controller must also notify the data subjects without delay if the data breach poses a severe risk to their personal information.

In that case, the controller must provide the relevant DPO’s contact information so that data subjects can inquire about what information has been exposed.

Data Protection Officer Requirements  

According to the PDPL, organizations must designate a person (or people) to carry out the PDPL’s provisions.   

The Implementing Regulations outline the instances in which one of these people may be appointed.  
 
The role of the Data Protection Officer has also been described, in addition to its duties.  

Data Protection Impact Assessment (DPIA)

Depending on the nature of their processing activities, organizations are required by the PDPL to analyze the effects of processing personal data for any good or service they provide to the general public.

The Implementing Regulations go beyond providing the basic informational requirements for DPIAs.  

Record of Processing Activities

Organizations are required under the PDPL to maintain records of their processing activities during the period of processing and for five years after the processing is completed.

The following information should be included in the records at a minimum:  

  • The organization’s contact information;
  • The purpose for which personal data is processed;
  • A description of the categories of data subjects;
  • Anyone to whom personal information has been or will be disclosed;
  • Whether personal information has been shared outside of Saudi Arabia or will be disclosed to a third party outside of Saudi Arabia; and
  • The expected period for which personal data will be retained.

Requirements for Vendor Assessment and Third-Party Processing

According to the PDPL, organizations must select a processing party that offers the necessary guarantees for enforcing the PDPL’s provisions and regularly monitor to ensure the processing party is following their instructions in protecting personal data.  

Requirements for Cross-Border Data Transfer  

The PDPL permits transfers outside of the Kingdom of Saudi Arabia.   

Still, it demands that the recipient nation have laws that guarantee adequate personal data protection and have a supervisory entity that imposes suitable systems and procedures on controllers to protect personal data.   

According to the Personal Data Transfer Regulations, the SDAIA has established the review criteria and, subject to exemptions, will be evaluating nations, international organizations, and specific sectors to permit the transfer of personal data outside of the Kingdom of Saudi Arabia.   

A few of these criteria are as follows:

  • Existence of laws assuring the protection of personal data subject rights and privacy;   
  • Presence of a supervisory authority that oversees data protection compliance;   
  • Accessibility of appropriate means for data subjects to lodge complaints regarding their data.  

Article 28 of the PDPL, as elaborated in the Draft Regulations, specifies additional bases for transfer: the preservation of the public interest, public health, or public safety; protection of the life or health of a specific individual or individuals; performance of an obligation under a treaty to which the Kingdom of Saudi Arabia is a party; or performance of a duty owed to the personal data subject.

National Register of Controllers  

The National Register of Controllers registration guidelines and a list of required controllers will be published by SDAIA.  

The Implementing Regulations reintroduced this requirement.  

Previously, cross-border transfer was only permitted in rare circumstances and under strict conditions, such as protecting the data subject’s life or essential interests outside of Saudi Arabia, or preventing, diagnosing, or treating an infection.

Additionally, SDAIA had to approve each transfer request individually.  

PDPL Implications on Businesses  

The PDPL will greatly influence businesses in the KSA that process personal data.  

Your company must take the required steps to safeguard personal data, enable secure data transfers, and ensure it complies with the PDPL’s implementing rules.  

Rise in compliance costs

Compliance costs will rise due to the need for businesses to spend on infrastructure and resources to meet PDPL obligations.   

This could entail making new organizational and technical security arrangements, recruiting data protection professionals, and conducting impact analyses.  

Changes in company practices 

To comply with the PDPL, businesses may need to change their current practices.  

Before processing sensitive personal data or collecting personal information from children, for instance, companies may need to get the explicit consent of the data subjects.  

Lower risk of data breaches and reputational harm

By adhering to the PDPL, businesses can reduce the likelihood of data breaches and reputational damage.   

This is because businesses will comply with the PDPL’s requirement to put in place suitable security measures to protect personal data.

More transparency and trust

By adhering to the PDPL, companies can show their dedication to protecting the privacy of their customers and employees.   

Doing so can increase transparency and trust, benefiting businesses in the long term.  

How can you prepare your business for the PDPL?  

You can help your business get ready for the PDPL by doing the following:  

  • Conduct a data audit to determine all the personal data that your company collects, uses, and stores.  
  • Create and implement policies and procedures for data protection.  
  • Perform data protection impact analyses for processing activities that pose a high level of risk.  
  • Appoint a DPO if necessary.  
  • Register with the SDAIA.  
  • Update data transfer agreements to meet PDPL requirements.  
  • Implement the required organizational and technical security measures.  
  • Train employees on the PDPL and data protection best practices.

By adopting these actions, your company can reduce the risk of non-compliance and safeguard the personal information of its customers and workers.  

Conclusion  

Global privacy laws urge businesses to automate privacy and security operations and to take good care of their customers’ data.   

Organizations must use robotic automation to operationalize compliance to keep up with the rapidly changing digital landscape.  

The data protection landscape in Saudi Arabia will undergo significant shifts with the enforcement of PDPL from September 2023.   

Your company must take the required steps to safeguard personal data, enable secure data transfers, and ensure it complies with the PDPL’s implementing rules.  

Data controllers and processors must become aware of the PDPL’s regulations and implement robust data privacy policies to protect personal information and keep consumers’ trust.