Navigating Saudi Arabia’s Personal Data Protection Law and Regulatory Framework
Saudi Arabia’s Personal Data Protection Law (PDPL), effective September 14, 2024, emphasizes data privacy and mandates organizations to adopt comprehensive guidelines from the Saudi Data and Artificial Intelligence Authority (SDAIA) to ensure compliance. Businesses must appoint Data Protection Officers, manage cross-border data transfers, and limit data collection to essential information, enhancing trust and aligning with international standards.
By Giulia Interesse
The Kingdom of Saudi Arabia has successfully implemented its Personal Data Protection Law (PDPL), which took effect on September 14, 2024. In this new regulatory landscape, the Saudi Data and Artificial Intelligence Authority (SDAIA) is actively guiding businesses to navigate the requirements of the law. The PDPL underscores the significance of data privacy and positions Saudi Arabia alongside other nations that prioritize individual rights concerning personal information.
Along with the PDPL’s enforcement, SDAIA has released a set of comprehensive rules and guidelines designed to help organizations understand their responsibilities under this legislation. These provisions clarify the obligations for data controllers and processors, detailing critical measures for responsible data handling and legal compliance. Key areas covered include the appointment of Data Protection Officers (DPOs), management of cross-border data transfers, and accurate record-keeping of personal data processing activities.
This article focuses on key priority areas for entities handling the personal data of Saudi residents, providing insights into how these regulations will affect businesses and outlining necessary steps for compliance with the PDPL.
Saudi Arabia’s personal data protection framework
As of this publication, SDAIA has issued several important rules and guidelines to support the PDPL and its Implementing Regulations, including updates on the transfer of personal data outside the Kingdom. These include the following:
Saudi Arabia’s Personal Data Protection Framework

| Rules | Guidelines |
| --- | --- |
| Regulations for Appointing Data Protection Officers | Developing a Privacy Policy: Elaboration Guidelines |
| Guidelines for the National Register of Controllers Within the Kingdom | Comprehensive Guide to the PDPL for Controllers and Processors |
| Standard Contractual Clauses for Personal Data Transfer | Guidelines for Binding Corporate Rules (BCR) on Data Transfer |
| | Guidelines for Determining Minimum Personal Data Requirements |
| | Guidelines for the Destruction, Anonymization, and Pseudonymization of Personal Data |
| | Guidelines for Cases of Personal Data Disclosure |
| | Records Guidelines for Personal Data Processing Activities |
| | Self-Assessment Guidelines |
Scope and application of Saudi Arabia’s personal data protection framework
The PDPL, along with its associated regulations and guidelines, governs all processing of personal data related to individuals within Saudi Arabia, regardless of the methods employed. This scope extends to processing activities conducted by organizations or entities located outside the Kingdom if the data pertains to individuals residing in Saudi Arabia.
Additionally, these regulations encompass the personal data of deceased individuals, provided such data can identify them or their family members.
However, the law does not cover personal data processing carried out exclusively for personal or family purposes, as long as the data remains undisclosed to others. The implementing regulations further clarify the criteria for defining what constitutes personal or family use.
Furthermore, the PDPL includes specific definitions for key terms used in its implementation, ensuring a clear understanding of the law’s provisions. These include:
- Personal data: Any information that can directly or indirectly identify an individual, such as names, identification numbers, addresses, contact details, photos, videos, bank information, and more.
- Processing: Refers to any operation performed on personal data, whether manually or automatically. This can involve collecting, recording, organizing, storing, modifying, retrieving, using, sharing, or even destroying data.
- Sensitive data: Personal information revealing racial or ethnic origin, religious, political, or intellectual beliefs, criminal records, biometric or genetic data, or health-related data.
- Controller: The entity, whether public or private, that determines the purpose and means of processing personal data.
- Processor: An entity that processes personal data on behalf of a controller, following their instructions.
Regulation on personal data transfer outside the Kingdom of Saudi Arabia
According to Saudi Arabia’s personal data protection framework, the following “other purposes” may justify transferring or disclosing personal data outside the Kingdom:
- Central processing operations: Necessary operations that enable the Controller to effectively conduct its activities.
- Provision of services: Activities aimed at delivering services or benefits to the individuals whose personal data is being processed.
- Scientific research and studies: Conducting research and studies that require access to personal data.
Exemptions and safeguards
Controllers who wish to transfer or disclose personal data outside KSA may be exempt from the obligations outlined in Articles 29(b) and (c) of the PDPL, which require ensuring an appropriate level of data protection in the destination country and transferring only the minimum necessary personal data. To qualify for this exemption, Controllers must implement appropriate safeguards, which may include:
- Standard contractual clauses (SCCs): Legal agreements that stipulate the terms of data processing.
- Binding common rules: Established practices that govern data protection.
- Certificates of accreditation: Certification that validates the compliance of data handling practices with international standards.
These safeguards must ensure the protection of personal data subjects’ rights, including the right to file complaints and seek damages for any violations.
Risk assessment requirements
Prior to transferring or disclosing personal data outside Saudi Arabia, Controllers are required to conduct a thorough risk assessment under certain conditions. This requirement applies in the following scenarios:
- When using the exemption outlined in Article 4 of the PDPL; and
- When transferring or disclosing sensitive data on a continuous or widespread basis.
The risk assessment must encompass the following elements:
- Purpose and legal basis: Clearly defined reasons for the transfer.
- Description of data: Details regarding the type of personal data being transferred.
- Assessment of safeguards: Evaluation of the measures in place to protect the data during transfer.
- Assessment of measures: Review of the methods employed to achieve the intended purpose.
- Potential effects: Analysis of the possible material or moral implications of the data transfer.
- Mitigating measures: Strategies implemented to address and prevent potential risks associated with the transfer.
Rules for the National Register of Controllers in Saudi Arabia
In line with the PDPL, SDAIA has established a framework for registering Controllers on the National Data Governance Platform. This initiative aims to improve transparency and accountability regarding personal data handling within Saudi Arabia.
Who must register?
The following entities are required to register:
- Public entities: All governmental organizations that manage personal data are obligated to register.
- Data-focused organizations: Entities whose core operations revolve around processing personal data must comply with registration.
- Sensitive data handlers: Organizations that deal with sensitive personal data are also required to register.
- Individuals with broader use: Those processing personal data for purposes beyond personal or family use must register.
Appointment and replacement of representatives
The process for appointing Representatives varies by entity type:
- Public sector: Representatives for public entities must be designated through a form submitted to SDAIA.
- Private sector: Private entities need to appoint their Representatives via the National Data Governance Platform.
- Individuals: Individuals acting as Controllers serve as their own Representatives and cannot delegate this role.
A Representative may also serve as the DPO if appointed to that role by the Controller.
Moreover, the Representative is required to provide specific information on the Platform, including:
- Controller entity details: This encompasses the entity’s logo, official email, contact number, and headquarters address.
- Representative details: The official email and contact number of the Representative.
Individuals must ensure that all necessary fields, including contact information, are accurately filled out.
When a Representative needs to be replaced, Controllers must notify SDAIA using the prescribed methods:
- Public controllers: Use the official communication channels on the Platform.
- Private controllers: Complete the available form on the Platform for notifications.
Registration certificate details
Upon successful registration, a Registration Certificate will be issued, valid for up to five years. This certificate must be made publicly accessible. SDAIA will inform Controllers at least 30 days before the certificate’s expiration.
After it expires, Controllers may use the Platform for an additional five-day grace period, after which any further extension requests must be made formally.
Rules for appointing a personal data protection officer (DPO)
One of the core requirements of the PDPL is the appointment of a DPO by organizations that process personal data. This obligation is aimed at ensuring that entities maintain robust data protection measures. The guidelines issued by SDAIA specify the criteria for determining which organizations must appoint a DPO, with the decision based primarily on the scope and volume of personal data being processed. For instance, any organization involved in large-scale personal data processing, or whose core activities involve regular monitoring of data subjects, is required to have a DPO. Additionally, organizations that handle sensitive personal data, such as health, genetic, or credit information, must appoint a DPO to oversee the protection of this data.
In terms of qualifications, the SDAIA mandates that DPOs must meet several criteria, ensuring they are both academically qualified and professionally experienced in the field of data protection. A DPO must have a comprehensive understanding of privacy laws and regulations, along with sufficient expertise in managing data protection programs and responding to incidents such as data breaches. Their role involves developing internal data protection policies, providing training and support to employees, and ensuring regulatory compliance across all aspects of personal data handling within the organization.
The DPO’s responsibilities are not limited to internal tasks but extend to interacting with external stakeholders, including SDAIA. For instance, once a DPO is appointed, the organization must ensure that the officer’s contact information is promptly shared with SDAIA and made accessible to data subjects. Additionally, controllers must guarantee that any data processor they engage also appoints a DPO, if required by law. This ensures continuity in compliance across different levels of data processing, reinforcing the integrity of personal data protection under the PDPL.
The independence of the DPO is also a key factor, and organizations are encouraged to avoid assigning tasks that may create a conflict of interest. Support and training are essential for the DPO to perform effectively, further emphasizing the critical nature of the role in safeguarding personal data and ensuring compliance with evolving regulatory requirements.
Minimum personal data determination guidelines
Data Controllers and Processors are obligated to limit the collection of personal data to only what is essential for their intended purpose. They should take into account the following factors:
- The necessity of collecting personal data;
- The specific purpose for which the data is collected;
- The methods used for data collection;
- The type of data being gathered;
- Processes for data destruction; and
- Data retention periods.
While the PDPL does not specify what qualifies as ‘minimum,’ it is advisable to adhere to Article 11 of the law. Controllers must perform regular evaluations to ascertain which personal data they are required to keep, including assessing any data that can be safely destroyed.
Conclusion
The implementation of the PDPL marks a significant shift towards enhancing data privacy and protection within Saudi Arabia, requiring businesses to reassess their data handling practices.
With clear guidelines from SDAIA on the roles of DPOs, data transfer protocols, and minimum data collection standards, organizations must take proactive measures to ensure compliance. By prioritizing data privacy, businesses can build trust with consumers and align themselves with international best practices, paving the way for responsible data stewardship in the Kingdom.
About Us
Middle East Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Dubai (UAE), China, India, Vietnam, Singapore, Indonesia, Italy, Germany, and USA. We also have partner firms in Malaysia, Bangladesh, the Philippines, Thailand, and Australia.