New Saudi Personal Data Protection Law comes into force

Saudi Arabia’s Personal Data Protection Law (PDPL) finally entered into force on 14 September. Businesses in Saudi now have one year from that date to comply with the updated legislation. Implementing Regulations and Personal Data Transfer Regulations were also issued on 7 September.

Originally approved and gazetted in 2021, the PDPL was scheduled to come into force on 23 March 2022, but implementation was postponed by the Saudi Data and Artificial Intelligence Authority (SDAIA) pending further consultation and amending legislation.

According to SDAIA, the PDPL is designed to safeguard the privacy of a legal individual’s personal information and to govern the acquisition, handling, sharing, and storage of such data by organisations. It is aligned with the objectives of Saudi Arabia’s Vision 2030 to enhance digital infrastructure and foster innovation for the advancement of a digital economy.

Notably, the prohibition on transfers of personal data outside Saudi Arabia (except under very limited circumstances) has been removed under the amended PDPL. International data transfers no longer require exceptional approval from SDAIA and are generally permitted provided they align with commitments of international agreements to which Saudi Arabia is a participant or they advance national interests and correspond to obligations that the data subject is engaged in.

The Personal Data Transfer Regulations introduce additional bases for transferring personal data outside of the KSA, including providing a service or benefit to the data subject and carrying out operational processes to enable the controller to carry out its activities.

Controllers can now rely on ‘legitimate interests’ as a legal basis to process and disclose personal data, although this exemption does not apply to sensitive personal data, or processing that contravenes with the rights granted under the PDPL and its executive regulations. This change will make the grounds for processing more consistent with the EU’s General Data Protection Regulation (GDPR) and similar legislation worldwide.

The Regulations require controllers to meet specific conditions when relying on ‘legitimate interests’, including balancing the rights and interests of the data subject against the legitimate interests of the controller. Controllers must also conduct a legitimate interest assessment when relying on this ground to process personal data.

The amended PDPL no longer requires controllers to establish an electronic portal but the SDAIA is authorised to issue the requirements for practicing activities related to data protection. The Regulations introduce the requirement for registering controllers. SDAIA will issue the rules for registration in the National Register and will specify which controllers will have to register.

The Regulations set out new requirements in respect of data subject rights and require that controllers respond to data subject requests within 30 days, which can be extended by an additional 30 days under certain circumstances. Controllers must also notify personal data breaches to SDAIA within 72 hours of becoming aware of the breach and must notify data subjects without undue delay.

The Regulations further specify that controllers must keep a Record of Processing Activities (ROPA) during the period they engage in the relevant processing activities and for a further five years after.

Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. There remains only one criminal offence in respect of violations in the disclosure or publication of sensitive personal data. Otherwise, the penalties for breaching the PDPL will be a warning or a fine of up to SAR5 million (USD1.33 million), which may be doubled for repeat offences.

“The addition of the PDPL to the KSA regulation system is clear indication that the regulatory landscape of the Kingdom is aligning itself with international best practices, creating a better framework for international business in KSA,” said Philip Gilboy, Legal Director of Sovereign PPG Saudi Arabia.

In-scope enterprises have been granted a transitional period of one year to bring their operations and practices into compliance with the new regime, as follows:

• Create/update existing data protection policies.
• Conduct training for employees on PDPL.
• Appoint or designate a Data Protection Officer, where applicable. Under the Regulations, this includes where the controller is a public entity that provides services that include large scale data processing, where the primary activities of the controller are based on processing operations that require regular and systematic monitoring of data subjects or and where the main activities of the controller are based on the processing of sensitive data.
• Conduct regular data protection audits.
• Implement privacy-by-design and privacy-by-default principles.
• Establish a process for handing data requests, access, rectification or deletion.
• Develop a procedure for reporting relevant PDPL breaches.
• Update, review and maintain these policies and procedures.

Sovereign PPG has a professional team with experience and knowledge in Saudi Arabia, providing a wide range of business services, designed to assist entry and enable our clients to succeed within the Saudi market.

Should you wish to establish a business in Saudi Arabia, require assistance with visas, accounting or any on-going business support services, we provide our clients high quality and cost-effective services for commercial success in the Kingdom.