Fully enforceable since September 14, 2024, the Personal Data Protection Law (PDPL) was originally issued by Royal Decree No. M/19 of 2021 and later amended by Royal Decree No. M/148 of 2023. It was introduced as Saudi Arabia’s first comprehensive federal data protection framework and is a significant step for Saudi Arabia towards securing personal information, building public trust, and aligning with international data privacy standards.
What is the Saudi PDPL?
The PDPL establishes a set of rules for the collection, processing, storage, and transfer of personal data within Saudi Arabia. Its main goal is to protect individuals’ privacy while requiring organizations to handle data responsibly and transparently.
Heavily inspired by global models like the EU’s GDPR, the PDPL reflects Saudi Arabia’s ambition to be a leader in the digital economy by promoting accountability and secure data practices.
Who Does the PDPL Apply To?
The PDPL has a wide scope and applies to:
- Any entity (public or private) located in Saudi Arabia that processes personal data.
- Any entity located outside Saudi Arabia that processes personal data related to individuals residing in Saudi Arabia.
This means even international businesses interacting with Saudi residents’ data need to comply with the PDPL.
Important Exemptions:
While comprehensive, the PDPL does include certain exemptions, such as personal data processed for purely personal or household purposes. It’s crucial for organizations to consult the law and its implementing regulations for a precise understanding of applicable exemptions.
Key Principles of Data Processing under PDPL:
The PDPL outlines six core principles that shape how data must be managed:
- Lawfulness, Fairness, and Transparency: Data must be processed legally, fairly, and in a clear, open manner.
- Purpose Limitation: Collect data only for specific, legitimate purposes and avoid using it for unrelated reasons.
- Data Minimization: Gather only the data that’s necessary and relevant for the intended purpose.
- Accuracy: Ensure personal data is correct and kept up to date.
- Storage Limitation: Don’t retain data longer than needed for its original purpose.
- Security and Confidentiality: Protect data with appropriate technical and organizational safeguards against unauthorized access, loss, or misuse.
Rights of Data Subjects: Empowering Individuals
The law empowers individuals with several rights over their personal data, including:
- Right to Be Informed: Individuals must be told why their data is collected, the legal basis, who is collecting it, and who it will be shared with.
- Right to Access: Individuals can request a clear, accessible copy of their personal data.
- Right to Rectification: They can ask for their data to be corrected, updated, or completed.
- Right to Erasure: They may request deletion of data no longer needed, with some legal exceptions.
- Right to Data Portability: Individuals can request their data in a readable format and have it transferred to another controller.
- Right to Withdraw Consent: Consent can be withdrawn at any time, except where the law provides otherwise.
Obligations for Data Controllers and Processors:
To comply with the PDPL, organizations need to:
- Obtain Valid Consent: Consent must be explicit, purpose-specific, and freely given, unless exceptions in the regulations apply.
- Maintain Processing Records (RoPA): Controllers must keep detailed records of processing activities for at least five years after they end.
- Implement Security Measures: Strong technical and organizational safeguards are required, especially during data transfers.
- Conduct DPIAs: Risk assessments are required for processing activities, particularly when offering public-facing services.
- Report Data Breaches: Breaches must be reported to SDAIA within 72 hours. If there’s a high risk to individuals, they must also be informed promptly.
- Cross-Border Transfers: Data can only be transferred outside Saudi Arabia if the destination ensures adequate protection or approved safeguards are in place.
- Register with SDAIA: Controllers may need to register with SDAIA, as per upcoming regulatory requirements.
Penalties for Non-Compliance:
Non-compliance with the PDPL can lead to severe penalties:
- Financial Penalties: Fines can reach up to SAR 5,000,000 (approximately USD 1.3 million) for certain violations. These fines can be doubled for repeat offenses.
- Imprisonment: Unauthorized disclosure or publication of sensitive data with the intent to harm or for personal gain can result in imprisonment for up to two years and/or a fine of up to SAR 3,000,000. Violations related to cross-border data transfers can also lead to imprisonment for up to one year and/or a fine of up to SAR 1,000,000.
- Official Warnings: Issuance of official warnings.
- Confiscation of Illegally Obtained Funds: Confiscation of funds acquired through violations.
- Reputational Damage: Significant damage to an organization’s reputation and customer trust.
- Civil Lawsuits: Individuals can file civil lawsuits for compensation for damages incurred due to violations.
The Role of the Saudi Data and Artificial Intelligence Authority (SDAIA):
The SDAIA is the regulatory body responsible for enforcing the PDPL. SDAIA will issue additional guidelines and oversee complaints, registration, and enforcement.
Conclusion:
The Saudi PDPL marks a significant step in advancing data privacy in the Kingdom. Saudi Arabia’s Personal Data Protection Law (PDPL) aligns with international benchmarks, demonstrating the nation’s dedication to a secure and transparent digital landscape. For businesses, achieving compliance involves proactively managing data, implementing robust security measures, and continuously adapting to evolving requirements. Beyond simply meeting legal obligations, embracing the PDPL helps build trust, safeguards individual privacy, and supports the broader goals of Vision 2030 for a thriving digital economy. GoTrust is your go-to resource for understanding Saudi Arabia’s PDPL, acting as your compliance partner to translate complex privacy regulations into clear, actionable steps for your business.