Saudi Arabia Personal Data Protection Law (PDPL)

The Personal Data Protection Law (PDPL) is Saudi Arabia's first major data protection legislation. It was announced on September 24, 2021, and took effect on March 17, 2023; businesses have until September 14, 2024, to ensure they meet all compliance requirements.

Here, we'll reveal what the Personal Data Protection Law in Saudi Arabia is, who it applies to, and what you need to do to ensure compliance.

What is the Personal Data Protection Law?

The Personal Data Protection Law (PDPL) sets out the main guidelines for managing personal data in Saudi Arabia. The comprehensive regulation aims to protect individuals' privacy and ensure that data is handled transparently and securely. It applies to all types of businesses and organizations, whether they are in the public or private sector.

Who Does the Personal Data Protection Law Apply to?

The Personal Data Protection Law (PDPL) applies to:

Businesses/Organizations

All types of businesses that process the personal data of Saudi residents to provide goods or services. This includes public organizations (like government agencies) and private organizations (like corporations and small businesses).

Affiliates

These are partners or subsidiaries of a business that may also handle personal data. For example, if you have a marketing agency working for you, that agency would be considered an Affiliate.

The term "residents" includes anyone living in Saudi Arabia, regardless of their citizenship. This is important because it means the law protects the data of anyone residing in the country.

Where data processing or handling is mentioned, it relates to any action taken with personal data, such as collecting, storing, using, or sharing it.

The law covers any personal data that can identify an individual, including information about someone who has passed away, and their family members. However, it does not apply to data used solely for household or personal activities.

Who is Exempt from the Personal Data Protection Law?

As well as excluding household and personal data, the Personal Data Protection Law has certain cases where you don't need to get consent.

Let's briefly run through the main exemptions:

When it's in the person's best interest

You won't need to comply with the Personal Data Protection Law if you are processing data that is in the best interest of the person. This is like the "legitimate interest" idea under GDPR, where you can process data if it benefits the individual.

For example, using data to provide critical health services or to prevent fraud would fit this exemption.

Legal or Contractual Obligations

You don't need consent to process data if it's necessary for legal reasons, fulfilling a contract, or implementing an agreement. This includes things like processing payroll to comply with tax laws or using data to meet the terms of a service contract. It helps ensure important administrative and legal tasks aren't interrupted.

Government Body Operations

Government Bodies can process data without consent if it's needed for security purposes or legal requirements. Examples include the police processing data for national security, or courts handling personal data for legal proceedings.

This exemption lets these organizations perform their essential duties effectively and securely.

Business Interests

You won't need consent if the data is necessary for your business's legitimate interests, provided the data isn't sensitive. This enables you to use data to improve your services, improve security, or conduct market analysis.

What Does the Personal Data Protection Law Require?

The Personal Data Protection Law requires businesses to:

  • Notify data subjects about the data being processed
  • Follow a strict international data transfer process
  • Provide opt-in and opt-out options
  • Understand the purpose limitation and data minimization for data processing
  • Not keep personal data longer than necessary
  • Appoint a data protection officer
  • Have a dedicated contract with data processors

How to Comply with the Personal Data Protection Law

From notifying users about the data being processed, to placing a Privacy Notice on your website, here's a step-by-step guide to what you need to do to comply with the Personal Data Protection Law:

Notify users about the data being processed

It's essential to let users know about the data you collect, why you're collecting it, who it might be shared with, and their rights regarding this data.

This notification should be clear and easily accessible. It's best to have a comprehensive Privacy Policy on your website which fully explains:

Legal Basis for Data Collection

Clearly state the legal grounds for collecting personal data. For example, "We collect your email address to send you our newsletter, based on your consent. Additionally, we process your payment information to fulfill our contractual obligations when you purchase a product from us."

Purpose of Data Collection

Explain why the data is being collected and which data is mandatory for these purposes. For example, "We collect your name and shipping address to deliver your purchases. Your email is collected to send order confirmations and updates. Providing your phone number is optional and used for delivery notifications."

Identity of Data Controller

Will you be processing the data or do you have a marketing agency doing it for you? Identify the person or organization responsible for collecting the data. For example, "The data controller is XYZ Corp, responsible for managing your personal data. If you have any questions, you can contact our Data Protection Officer."

Data Subjects' Rights

Inform users of their rights regarding their personal data. For example, "You have the right to access, correct, or delete your personal data. You can also object to or restrict how your data is processed. To exercise these rights, contact us at (insert email address/phone number)."

Data Subject Rights can be found in Article 4 of the Personal Data Protection Law.

Consequences of Not Providing Data

Outline the potential risks and consequences if personal data is not collected. For example, "If you do not provide your email address, we will be unable to send you order confirmations and updates. Not providing your shipping address means we cannot deliver your purchases."

Contact Information

Provide the address and contact information for the person in charge of data. For example, "For any inquiries regarding your personal data, please contact our Data Protection Officer at: XYZ Corp, 123 Privacy Lane, Data City, DC 45678, Email: (insert email address)."

Follow a strict International Data Transfer process

You need to keep personal data within Saudi Arabia unless specific conditions are met. If you must transfer data outside the country, you will need to do an impact assessment and get approval from the Regulatory Authority.

There are exceptions, like if you're part of the Saudi government working abroad. Data transfers are also allowed in urgent situations, for legal reasons, or under agreements that benefit Saudi Arabia.

Make sure these transfers don't risk national security and that you have strong measures to protect data privacy.

Provide opt-in and opt-out options

You need to get explicit consent before processing any personal data.

According to Article 5 of The Personal Data Protection Law, people should also be able to withdraw their consent at any time.

If the reason for processing the data changes, you need to get new consent from the individual. Consent also shouldn't be a condition for using your service unless it is absolutely necessary for that service. Always ensure that opting in and opting out is straightforward for your users.

Implementing a Clickwrap method, where users click "I agree" to give explicit consent, can help ensure compliance.

With this method, the user must manually tick the checkbox to give their consent; the checkbox must never be pre-ticked. The consent text should also state that the user can opt out at any time.
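The consent rules above (explicit opt-in, withdrawal at any time, fresh consent when the purpose changes) can be enforced in the code that stores consent rather than only in the checkbox. The following is an added example, not code from the original article; the `ConsentStore` class and the purpose objects are assumptions for illustration.

```javascript
// Added example: a minimal consent record that enforces the PDPL points above.
// Assumed structure: a purpose is { id, text }, and a consent is keyed by
// subject and purpose id. Names are illustrative, not from any real library.
class ConsentStore {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.records = new Map(); // key: `${subjectId}:${purposeId}`
  }

  // Any consent checkbox rendered from this store starts unchecked.
  defaultChecked() { return false; }

  // Record opt-in only when the user explicitly ticked the box.
  grant(subjectId, purpose, checked) {
    if (checked !== true) {
      throw new Error('consent requires an explicit opt-in action');
    }
    const rec = { purposeText: purpose.text, grantedAt: this.now(), withdrawnAt: null };
    this.records.set(`${subjectId}:${purpose.id}`, rec);
    return rec;
  }

  // Withdrawal is always available and is recorded, not deleted, for audit.
  withdraw(subjectId, purposeId) {
    const rec = this.records.get(`${subjectId}:${purposeId}`);
    if (rec && !rec.withdrawnAt) rec.withdrawnAt = this.now();
    return rec;
  }

  // Processing is allowed only while an unwithdrawn consent exists whose
  // recorded purpose text still matches the purpose we intend to process for.
  mayProcess(subjectId, purpose) {
    const rec = this.records.get(`${subjectId}:${purpose.id}`);
    return Boolean(rec && !rec.withdrawnAt && rec.purposeText === purpose.text);
  }
}

// Walk through the three rules with a constructed subject and purpose.
function demo() {
  const store = new ConsentStore();
  const newsletter = { id: 'newsletter', text: 'Send you our weekly newsletter' };
  store.grant('user-1', newsletter, true);
  const beforeChange = store.mayProcess('user-1', newsletter);
  // The purpose changes: the earlier consent no longer covers it.
  const changed = { id: 'newsletter', text: 'Share your email with advertising partners' };
  const afterChange = store.mayProcess('user-1', changed);
  store.withdraw('user-1', 'newsletter');
  const afterWithdraw = store.mayProcess('user-1', newsletter);
  return { beforeChange, afterChange, afterWithdraw };
}
```

`demo()` returns `{ beforeChange: true, afterChange: false, afterWithdraw: false }`, showing that a changed purpose and a withdrawal each block further processing until new consent is collected.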

Understand the Purpose Limitation and Data Minimization for Data Processing

You need to make sure your business only collects the personal data necessary for a specific purpose. This means data collection should directly relate to that purpose, and no extra data should be gathered.

For example, if you're running an online store and need to ship products to customers, you'll need their name, address, and payment details. However, you don't need to collect extra information like their social security number or unrelated personal preferences. Only gather the data you need to complete the sale and delivery.

Don't keep personal data longer than necessary

Only keep personal data for as long as you need it to fulfill its purpose. Once you've finished using it, stop collecting more data and quickly delete any that you already have.

This helps reduce the risk of data breaches and ensures you're following data minimization principles.

Appoint a data protection officer

Many businesses need to appoint a Data Protection Officer (DPO). The DPO ensures that your company complies with data protection laws and oversees all data privacy operations. Their duties include:

  • Handling Data Breaches
  • Managing Data Subjects' Requests
  • Employee Training
  • Conducting Assessments and Audits

A Data Protection Officer is essential for ensuring compliance with data protection laws. They maintain high standards of data privacy and security within the organization. They also act as the main contact for the data protection authority, implementing its decisions and instructions.

If you are unsure whether your business needs to appoint a Data Protection Officer, you can read the Draft Rules published by the Saudi Data & Artificial Intelligence Authority (SDAIA).

Have a dedicated contract with data processors

Your business needs to carefully choose vendors and partners to handle data on your behalf, ensuring they offer strong compliance guarantees. This means conducting risk assessments, regular reviews, and making sure they have adequate security for personal data.

For example, if you use a third-party payment processor, make sure they have strict security measures in place to protect customer payment information.

There must be a contractual agreement outlining:

  • Rights and Obligations: Clearly defined responsibilities for both parties
  • Purpose and Scope of Processing: Detailed descriptions of the processing activities, including the types of data and categories involved
  • Notification of Breaches: Processors must immediately inform your business of any potential or actual data breaches or unauthorized access
  • Approval for Subcontracting: Processors must get approval from your business before entering new contracts with other parties for data processing

A contract ensures everyone involved in data processing understands and complies with their responsibilities under the law.

Penalties for Not Complying with the Personal Data Protection Law

Failing to adhere to the Personal Data Protection Law can lead to severe consequences, including:

  • Substantial fines
  • Imprisonment
  • Official warnings
  • Confiscation of profits gained from the violation
  • Potential compensation claims from affected individuals

You also need to consider the impact on your business's reputation and the risk of contractual disputes.

If you deliberately disclose or publish sensitive data to harm the data subject, or for personal gain, you can face serious legal consequences. You may be prosecuted and face up to two years in prison, fines up to SAR 3,000,000 (about USD 800,000), or both.

If you repeatedly break the law, penalties can double, leading to up to four years in prison, fines reaching SAR 6,000,000 (about USD 1,600,000), or both.

For other types of breaches, penalties are generally less severe and may include warnings or fines up to SAR 5,000,000 (about USD 1,333,200). Repeat offenses can again result in these fines being doubled.

Courts can also confiscate any funds you obtained through violations and may publish details of the penalties in local newspapers.

Summary

The Saudi Arabia Personal Data Protection Law is meant to protect the personal data of people living in Saudi Arabia. It applies to all businesses, both inside and outside Saudi Arabia, that handle this data. There are some exemptions, such as data used for personal or household activities and data needed for public interest, legal obligations, or fulfilling contracts.

To comply with the law, you need to provide a clear privacy policy, get explicit consent for data processing, and ensure people can access their data. You also need to follow strict rules for international data transfers, limit how long you keep data, appoint a Data Protection Officer if required, and set up contracts with data processors.

Non-compliance can lead to severe penalties, including large fines, possible jail time for unauthorized disclosures, and damage to your reputation. The law focuses on transparency, security, and accountability in handling personal data, aligning with global standards.