An Overview of Saudi Arabia’s Personal Data Protection Act (PDPL)

Saudi Arabia’s Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (September 16, 2021), which approved Resolution No. 98 of 7/2/1443 H (September 14, 2021). It was published in the Republic Journal on September 24, 2021.

The Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation for the first two years, after which a transfer of oversight to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had already published interim data governance regulations in 2020, which have now been superseded by the PDPL with regard to the protection of personal data.

According to the SDAIA announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent abuse of personal data in line with the goals of the Saudi Vision 2030 to develop digital infrastructure and support the innovation to grow a digital economy.

PDPL Enforcement Scope

The Personal Data Protection Law (PDPL), as well as other legislation on the subject, is designed to protect personal data, that is, any information, in any form, through which a person can be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, pictures, and video recordings of the person.

The PDPL applies to any personal data processing by companies or public entities carried out in Saudi Arabia by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom.

The PDPL does not apply to the processing of personal data for personal and family use.

The PDPL Pillars

Many of the features of the Personal Data Protection Law (PDPL) are consistent with the concepts and principles contained in other international data protection laws, such as:

• Data Subject Rights: Individuals (data subjects) shall, with some exceptions, have the right to be informed about the processing of personal data and the legal basis for such processing, the right to access their personal data (including to obtain a free copy thereof), the right to correct or update their personal data, and the right to request their destruction if they are no longer necessary. Data subjects can also file complaints related to the PDPL enforcement with the regulatory authority.
• Registration of Controllers: Organizations that collect personal data and determine the purpose for which they are used and the method of processing (controllers) must register with an electronic portal that will form a national register of controllers. There will be an annual fee payable for registration, to be determined in executive regulations (which will be issued in due course).
• Controller Obligations: Controllers will be obliged to ensure the accuracy, integrity, and relevance of personal data before processing them, to keep a record of the processing for a period that will be defined by the executive regulations, and to ensure their team is properly trained in the PDPL and data protection principles.
• Consent: Data subjects may withdraw their consent to the processing of personal data at any time, and consent shall not be a prerequisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
• Processing not Based on Consent: Notwithstanding the provisions on withdrawal of consent, the PDPL makes it clear that data processing does not always require consent from the data subject. Consent is not required if processing achieves a clear benefit and it is impossible or impractical to contact the data subject, if required by law or prior agreement to which the data subject is a party, or if the controller is an entity and processing is required for security or legal purposes.
• Privacy Policy: Controllers must implement a privacy policy and make it available to data subjects before the collection of their personal data. The Personal Data Protection Law (PDPL) establishes the minimum information that must be included in the privacy policy, including when personal data is collected directly from the data subject.
• Purpose Limitation and Data Minimization: Organizations must make clear the purpose for which personal data is collected and used. Personal data must also be relevant and controllers must limit collection to the minimum necessary to achieve the intended purpose.
• Impact Assessments: Controllers must assess the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, the controller must stop collecting such data.
• Marketing: Personal data may not be used for marketing purposes without the recipient’s consent or the use of opt-out mechanisms.
• Breach Notification: Data breaches, leaks, or unauthorized access to personal data must be notified to the supervisory authority, and incidents that cause material damage to the data subject must be notified to the data subjects.