The Saudi PDPL came into effect on September 14, 2023, with a one-year transition period (ending September 14, 2024) for businesses to align their operations with its provisions. Because the PDPL reaches entities outside the Kingdom as well as those inside it, companies worldwide need to determine whether it applies to them and, if so, take the necessary steps to comply.

The PDPL’s Regulatory Framework
The PDPL, enacted by Royal Decree M/19 on September 16, 2021, is designed to protect personal data across Saudi Arabia. It applies not only to businesses within the Kingdom but also to any entity, wherever located, that processes the personal data of individuals residing in the Kingdom. Businesses must familiarize themselves with the regulatory framework set by the Saudi Data & Artificial Intelligence Authority (SDAIA), the competent authority under the law, to understand the law’s full scope and the specific measures required for compliance.
Personal Data and Sensitive Personal Data
Under the PDPL, personal data is any information that identifies an individual, directly or indirectly. This includes a wide range of data points such as names, contact details, and identification numbers. Sensitive personal data, such as health, genetic, and biometric information, is subject to stricter processing rules. For instance, sensitive personal data may not be used for marketing purposes under the law.
Key Principles of the PDPL
The PDPL is rooted in fundamental principles designed to protect individual privacy and ensure responsible data handling:
- Lawfulness and Transparency: Data processing must be conducted lawfully and transparently, with clear explanations provided to data subjects about how their data is being used.
- Purpose Limitation: Personal data should only be processed for the purposes for which it was collected.
- Data Minimization: Businesses should only collect and process data that is necessary for their operations.
- Storage Limitation: Personal data should not be kept longer than needed.
- Confidentiality: Data controllers must implement measures to keep personal data secure and confidential.
Compliance Measures
To ensure compliance with the Saudi PDPL, businesses must take various organizational, technical, and administrative actions. Key steps include:
- Registering as a Data Controller: Where the registration criteria apply, companies must register as a data controller on SDAIA’s National Data Governance Platform.
- Appointing a Data Protection Officer (DPO): Some businesses must appoint a DPO to oversee data protection practices.
- Privacy Policy: A comprehensive privacy policy must be created to inform individuals about how their data is processed and protected.
- Data Impact Assessments: Businesses must assess the risks of their data processing activities, especially when transferring data across borders or processing sensitive data.
- Data Processing Agreements: Agreements must be in place with third-party data processors to ensure their compliance with the PDPL.
- Cross-Border Data Transfers: Businesses must ensure that personal data is transferred outside of Saudi Arabia in compliance with the PDPL’s safeguards.
Legal Grounds for Processing Personal Data
The PDPL outlines several legal grounds under which personal data may be processed. These include:
- Consent: Obtaining the data subject’s consent to the processing of their data; for sensitive personal data, that consent must be explicit.
- Contractual Necessity: Processing data to fulfill a contract with the data subject.
- Legal Obligation: Processing data to comply with legal requirements.
- Public Interest: Processing by a public entity where required for security purposes or to satisfy judicial requirements.
- Legitimate Interests: Processing data based on a business’s legitimate interest, though this cannot apply to sensitive data.
Recent Amendments and Regulations
The PDPL has been supplemented with new regulations that further clarify its provisions:
- Executive Regulations: These regulations provide specific guidance on DPO appointments, data subject requests, and data impact assessments.
- Data Transfer Regulations: Effective September 1, 2024, the updated regulations allow cross-border data transfers to jurisdictions with adequate data protection or when appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
- DPO Appointment Rules: New rules specify when a DPO is required, such as when personal data is processed on a large scale or involves sensitive data.
Appointing a Data Protection Officer (DPO)
The PDPL mandates the appointment of a DPO in certain circumstances, including when:
- The business processes personal data on a large scale.
- The core activities involve regular and systematic monitoring of individuals.
- The core activities involve processing sensitive personal data.
The DPO must have the necessary qualifications, knowledge, and experience in data protection and risk management, and may be an employee or an external appointee. Once appointed, the DPO’s details must be submitted to the National Data Governance Platform.
Registration on the National Data Governance Platform
Businesses must register as data controllers on the National Data Governance Platform if they are public entities, process personal data as a core activity, or handle sensitive data. This registration is mandatory for many businesses to remain in compliance with the PDPL.
Conclusion
The PDPL marks a significant milestone in data protection within Saudi Arabia. By understanding the law’s core principles and implementing the necessary measures, businesses can secure personal data, build consumer trust, and avoid legal pitfalls. Now is the time to ensure your business is ready for full compliance with the Saudi PDPL.