October 3, 2023

Saudi Arabia Personal Data Protection Law (PDPL): Implementing Regulations and Data Transfer in 2023

Discover the Saudi Arabia Personal Data Protection Law (PDPL) coming into effect in 2023. Explore its implementing regulations, data transfer requirements, and essential compliance steps for businesses.

The Kingdom of Saudi Arabia (KSA) is set to enforce its Personal Data Protection Law (PDPL) on September 14, 2023. This law is the first comprehensive data privacy law in Saudi Arabia, and it aims to regulate the collection, processing, and transfer of personal data in the country. The PDPL gives individuals, known as data subjects, various rights regarding their personal data.

What is the Saudi Arabia Personal Data Protection Law (PDPL)?

The PDPL is a comprehensive law that applies to all organizations that process personal data in the KSA, regardless of whether they are located in the KSA or abroad. The law defines personal data as any information that relates to an identified or identifiable individual.

Who is implementing the regulations for PDPL?

The Saudi Data & Artificial Intelligence Authority (SDAIA) issued the Implementing Regulations to the PDPL on September 7, 2023. The Implementing Regulations provide further guidance on the application of the PDPL, including the following:

  • The procedures that data controllers must follow to comply with the PDPL
  • The requirements for data processors
  • The procedures for the transfer of personal data outside the KSA
  • The requirements for processing sensitive personal data

What are data subject rights under the PDPL?

Under the PDPL, data subjects have a number of rights, including the right to:

  • Access their personal data
  • Rectify their personal data
  • Erase their personal data
  • Restrict the processing of their personal data
  • Object to the processing of their personal data
  • Port their personal data

What are the lawful grounds for data processing under the PDPL?

Your business can only process personal data if it has a lawful ground to do so. The PDPL specifies the following lawful grounds for data processing:

  • Consent of the data subject
  • Necessity for the performance of a contract
  • Compliance with a legal obligation
  • Protection of the vital interests of the data subject or another individual
  • Public interest in the area of public health
  • Statistical purposes
  • Archival purposes in the public interest, scientific or historical research purposes, or statistical purposes
  • Exercise of the rights of the controller or another individual

What are the procedures for data controllers under PDPL?

Under the PDPL, data controllers have a number of obligations, including:

  • Registering with the SDAIA. Data controllers must register with the SDAIA unless they are exempt under the law.
  • Developing and implementing data protection policies and procedures. These policies and procedures should outline the organization's approach to processing personal data in compliance with the PDPL.
  • Conducting data protection impact assessments (DPIAs) for high-risk processing activities. DPIAs are used to identify and assess the risks to personal data associated with a specific processing activity.
  • Appointing a data protection officer (DPO) if required. DPOs are responsible for overseeing the organization's compliance with the PDPL.
  • Providing data subjects with information about their rights and how to exercise them. This includes the right to access, rectify, erase, and restrict the processing of their personal data.

What are the requirements for data processors under PDPL?

Data processors are organizations that are in charge of processing personal data on behalf of data controllers. Under the PDPL, data processors have a number of obligations, including:

  • Only processing personal data in accordance with the instructions of the data controller. This means that data processors cannot process personal data for any purpose other than the purpose for which the data was collected.
  • Implementing appropriate technical and organizational security measures to protect personal data. This includes measures such as encryption, access control, and data breach prevention measures.
  • Reporting data breaches to the data controller and the Saudi Data and Artificial Intelligence Authority (SDAIA). Data processors must report data breaches to the data controller within 72 hours of becoming aware of the breach.

Here are some additional tips for data processors to comply with the PDPL:

  • Conduct a risk assessment to identify and mitigate risks to personal data. This assessment should be conducted on a regular basis and updated as needed.
  • Develop and implement a data processing policy that outlines the organization's procedures for processing personal data. This policy should be communicated to all employees and subcontractors.
  • Train employees on the PDPL and the organization's data processing policy.
  • Regularly audit data processing practices to ensure compliance with the PDPL.

What are the requirements to transfer personal data under the PDPL?

The Saudi Arabia Personal Data Protection Law (PDPL) imposes specific requirements on the transfer of personal data outside the Kingdom. Organizations must:

  • Obtain the consent of the data subject. This means that the data subject must be informed of the transfer and provide their explicit consent.
  • Ensure that the receiving country has an adequate level of protection for personal data. The National Data Management Office (NDMO) publishes a list of countries that have been designated as having an adequate level of protection. If the receiving country is not on the list, the organization must implement additional safeguards.
  • Implement additional safeguards, if necessary. This may include binding corporate rules (BCRs) or standard contractual clauses (SCCs). BCRs are a set of rules that an organization implements to protect personal data that is transferred to its affiliates within the group. SCCs are a set of contract terms that are agreed upon between the sending and receiving organizations to protect the personal data transferred between them.

What are the additional requirements for processing sensitive personal data under the PDPL?

In addition to the general data transfer requirements under the PDPL, organizations must also comply with the following requirements for the transfer of sensitive data:

  • Implement appropriate security measures to protect the data in transit and at rest. This may include measures such as encryption, access control, and data breach prevention measures.
  • Notify the data subject of the transfer and provide them with information about the recipient country's data protection laws. This information should include the recipient country's data protection laws and regulations, as well as the contact information for the recipient country's data protection authority.
  • Obtain a written agreement from the organization in the recipient country that outlines the security measures that will be taken to protect the data. This agreement should also include provisions for the data subject to exercise their rights under the PDPL.

Examples of Sensitive Personal Data

Examples of sensitive personal data include:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation
  • Gender identity
  • Criminal history
  • Financial and credit data

Organizations that process sensitive personal data should take all necessary steps to ensure that they comply with the PDPL's requirements for data transfers. This includes implementing appropriate security measures, notifying data subjects of transfers, and obtaining written agreements from recipient organizations.

What are the principles of data collection and protection of personal data under the PDPL?

The PDPL establishes a number of principles for the lawful collection and protection of personal data, including:

  • Transparency: Your business must be transparent about how it collects and processes personal data
  • Purpose limitation: Your business must collect and process personal data for a specific and legitimate purpose
  • Data minimization: Your business must only collect and process the personal data that is necessary for the intended purpose
  • Data accuracy: Your business must ensure that the personal data it holds is accurate and up-to-date

How can data subjects exercise their right of access to personal data?

Data subjects can exercise their right of access to personal data by submitting a written request to the data controller. The data controller must respond to the request within 30 days and provide the requested information free of charge.

The request should be clear and concise, and it should specify the personal data that the data subject is requesting access to. The data controller may request additional information from the data subject to verify their identity and to ensure that they are entitled to access the requested information.

The data controller must respond to the request within 30 days of receiving it. If the data controller is unable to respond within 30 days, they must provide the data subject with a reason for the delay and a new deadline for responding.

The data controller must provide the requested information in a clear and concise manner. The information must be provided in a format that is understandable to the data subject.

The data controller is not required to provide access to personal data if it is likely to cause harm to the data subject or to others. For example, the data controller may refuse to provide access to personal data if it is likely to reveal the identity of a law enforcement officer or if it is likely to jeopardize an investigation.

If the data controller refuses to provide access to personal data, they must provide the data subject with a reason for the refusal. The data subject may appeal the refusal to the SDAIA.

What are the implications for businesses?

The PDPL will have a significant impact on organizations that process personal data in the KSA. Your business will need to ensure compliance with the PDPL's implementing regulations and take necessary measures to protect personal data and facilitate secure data transfers.

  • Increased compliance costs: Businesses will need to invest in resources and infrastructure to comply with the PDPL's requirements. This may include hiring data protection professionals, conducting data protection impact assessments, and implementing new technical and organizational security measures.
  • Changes to business practices: Businesses may need to change their business practices to comply with the PDPL. For example, businesses may need to obtain explicit consent from data subjects before processing sensitive personal data or collecting personal data from children.
  • Reduced risk of data breaches and reputational damage: By complying with the PDPL, businesses can reduce the risk of data breaches and reputational damage. This is because the PDPL requires businesses to implement appropriate security measures to protect personal data.
  • Increased transparency and trust: By complying with the PDPL, businesses can demonstrate their commitment to protecting the privacy of their customers and employees. This can lead to increased transparency and trust, which can be beneficial for businesses in the long term.

How can your business prepare for the PDPL?

Your business can prepare for the PDPL by taking the following steps:

  1. Conduct a data audit to identify all of the personal data that your business collects, processes, and stores.
  2. Develop and implement data protection policies and procedures.
  3. Conduct data protection impact assessments for high-risk processing activities.
  4. Appoint a DPO (if required).
  5. Register with the SDAIA.
  6. Update data transfer agreements to comply with the PDPL.
  7. Implement appropriate technical and organizational security measures.
  8. Train employees on the PDPL and data protection best practices.

By taking these steps, your business can minimize the risk of non-compliance and protect the personal data of its customers and employees.

Final Thoughts

The enforcement of the PDPL in Saudi Arabia in September 2023 will bring significant changes to the data protection landscape in the country. Your business will need to ensure compliance with the PDPL's implementing regulations and take necessary measures to protect personal data and facilitate secure data transfers. It is important for both data controllers and processors to familiarize themselves with the provisions of the PDPL and establish robust data protection practices to safeguard personal data and maintain the trust of their customers.
