Written by Tamer Eloguiel for KnowledgeX
The Kingdom of Saudi Arabia’s Council of Ministers has approved a series of amendments to the articles of the Kingdom’s Personal Data Protection Law, also known as the PDPL. The Kingdom’s first ever personal data protection law was issued on 16 Sep. 2021 (09/02/1443 Hijri) by Royal Decree No. (M/19); it was originally due to come into force on 23 March 2022, but enforcement was subsequently postponed.
The PDPL was amended by Royal Decree No. (M/148) dated 3 Dec. 2022 (9/5/1444 AH), which also pushed the effective date of enforcement to 14 September 2023; organisations have until then to comply.
This amendment has taken into consideration some of the recommendations of the consultation paper issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) in November 2022.
The amendments have introduced several changes that align the Kingdom’s PDPL more closely to the international standards such as the EU General Data Protection Regulation (GDPR).
Where can I access an English copy of the PDPL?
As of the date of this article, there is no official English copy issued by the government. That said, we asked our team to produce an English legal translation of the PDPL to assist non-Arabic-speaking professionals globally; you can access it via the link below. The translation is up to date with the new amendments to the PDPL as of the day this article was released, and Knowledge X holds no responsibility for keeping this document or its content updated.
Click here to read the full law “Personal Data Protection Law – PDPL”
Who needs to comply with the PDPL Law?
The PDPL applies to any data processing of personal or sensitive data related to individuals residing in Saudi Arabia (including the deceased’s personal data), and its application scope excludes the processing of personal data for domestic purposes.
It applies to public and private organisations that process personal data related to individuals in Saudi Arabia by any means, including any foreign (offshore) organisation processing personal data related to individuals residing in Saudi Arabia.
What are the key changes to the PDPL in the new amendment?
Some of the most important changes to the law’s articles introduced by the newly updated decree include:
· Easing the data transfer mechanisms: the restrictions and prohibitions on transferring personal data outside Saudi Arabia have been amended to create a more international-business-friendly environment. The international transfer of personal data no longer requires exceptional approvals from SDAIA. International transfer of personal data is now generally permitted on these bases:
- The transfer implements an obligation under an international agreement to which Saudi Arabia is a party; it serves national interests; it implements an obligation to which the data subject is a party; or it is for any other purpose determined by the executive regulations once they are issued.
- Data Controllers will need a specific purpose to transfer or disclose data outside the Kingdom and transfers appear to be limited to territories that SDAIA determines as having an appropriate level of protection for personal data, which will be further clarified once they issue evaluation criteria for this purpose.
- However, the pending executive regulations to be issued under the law should set out cases where controllers may be exempt from this condition.
· Setting new grounds for processing: Controllers may now rely on “legitimate interests” as a lawful basis to process and disclose personal data, although this does not apply to sensitive personal data or to processing that contravenes the rights granted under the PDPL and its executive regulations. This change makes the grounds for processing more consistent with the GDPR and similar legislation.
· Removal of the registration requirement for controllers: The amended law no longer refers to the creation of an electronic portal or any requirement for a controller to register their processing activities. However, SDAIA has been authorised to issue the requirements for practising activities related to data protection, in cooperation with any other relevant authorities. SDAIA also has the mandate to license auditors and accreditation entities and create a national register if it determines that it would be an appropriate tool and mechanism for monitoring the compliance of controllers.
· Data breach notification timeline eased: Notifications of a personal data breach to SDAIA no longer have to be made ‘immediately’. Further detail is again expected to be added in the pending regulations, which could include specific deadlines for notifying data breaches or materiality thresholds. A new requirement has been added for controllers to notify data subjects where a breach would cause damage to personal data or contravenes the data subject’s rights or interests.
· Reducing the number of criminal offences: Criminal sanctions for violating the PDPL’s data transfer restrictions have been removed. Only one criminal offence, concerning the disclosure or publication of sensitive personal data in violation of the law, remains in effect. Otherwise, the penalties for breaching the PDPL will be a warning or a fine of up to SAR 5,000,000 (USD 1,333,000), which may be doubled for repeat offences.
What are the timelines for compliance?
The amended PDPL states that it will take effect 720 days after the publication of the original law in the Official Gazette, which means that it should be formally effective from 14 September 2023. The executive regulations supplementing the PDPL will be issued before this date.
The preamble to the PDPL provides controllers with a one-year grace period to comply with the PDPL from the date it comes into force. Accordingly, organisations within the scope of the law will have until 14 September 2024 to adjust their status under the provisions of the PDPL.
What should companies do next?
While further details are expected to be provided in the regulations (for example, conditions for consent, timelines for complying with data subject access requests, procedures for notifying breaches and mechanisms for exporting personal data), there are steps that organisations can take ahead of time to prepare for compliance:
- All businesses operating in Saudi Arabia or processing any data of Saudi residents should start assessing their data processing activities, including any international data transfers, to understand the impact on their operations and any changes that will be necessary to align with the PDPL.
- Policies and processes will need to be developed or amended, and contracts reviewed or updated to take account of new rights and obligations.
- Controllers will be required to train staff on the terms and principles of the PDPL and will need time to embed data protection within the culture of their organisations.
Background for first-time readers
What is Saudi Arabia’s Personal Data Protection Law (PDPL)?
The Personal Data Protection Law (PDPL) is the first data protection law in Saudi Arabia. The law aims to protect the rights of individuals (data subjects or users) concerning their Personal Data, while also ensuring compliance with the principles of effective and responsible data protection.
The PDPL will govern any kind of processing of personal data including collecting, using, storing, sharing, transferring, or updating of personal data of Saudi Arabia residents.
The overall objective of PDPL is to ensure that all entities process personal data per the principles set out in PDPL. This includes ensuring that there is a legal basis for processing personal data, as well as ensuring that personal data is processed fairly, lawfully, transparently, and securely. In addition, safeguards should be put in place to protect personal data from loss, damage, or destruction.
The Saudi Data & Artificial Intelligence Authority (SDAIA) is tasked with the initial implementation and enforcement of the PDPL for its first two years, after which the National Data Management Office will take over as the supervisory authority.
The law was supposed to come into effect on 23 March 2022. However, the new PDPL amendment Royal Decree postponed the full enforcement until 14 September 2023.
Our team is happy to assist you with the design and implementation of PDPL compliance. Contact us at info@theknowledgex.com
Tamer Elogueil says:
Quite informative. Thanks a lot, and thanks for the work on providing a full translation of the law.