Saudi Arabia’s Personal Data Protection Law (PDPL)

The Personal Data Protection Law (PDPL) is the first of its kind to be passed in the Kingdom of Saudi Arabia (KSA). The data protection rules were published in the government’s Official Gazette on September 24, 2021, and comes into effect on March 17, 2023. It regulates how businesses collect, process, and store personal data about individuals residing in the country.

Effective from: 17 March 2023

Official text: PDPL (in Arabic)

The Personal Data Protection Law (PDPL) is the first data protection law in Saudi Arabia. The law aims to protect the rights of individuals (data subjects or users) concerning their personal data, while also ensuring compliance with the principles of effective and responsible data protection.

The PDPL will govern any kind of processing of personal data including collecting, using, storing, sharing, transferring, or updating of personal data of  Saudi Arabia residents.

The overall objective of PDPL is to ensure that all entities process personal data per the principles set out in PDPL. This includes ensuring that there is a legal basis for processing personal data, as well as ensuring that personal data is processed fairly, lawfully, transparently, and securely. In addition, safeguards should be put in place to protect personal data from loss, damage, or destruction.

The Saudi Data & Artificial Intelligence Authority (SDAIA) is tasked with the initial implementation and enforcement of the PDPL for its first two years, after which the National Data Management Office will take over as the supervisory authority.

The law was supposed to come into effect on March 23, 2022. However, the SDAIA postponed the full enforcement until March 17, 2023, in view of responses from its stakeholders.

The PDPL applies to entities (including public and private companies) and to their affiliates, that process the personal data of Saudi residents, to provide them goods or services. It also applies to entities operating outside Saudi Arabia, that process the personal data of Saudi residents.

The law protects personal data that includes information that can be used to identify a natural person including a deceased person or their family members, and excludes information used for household or personal proposes. 

The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including (but not limited to): name, driver’s license number, phone number, email address, or social security numbers.  Personal data used for personal or household purposes are exempted from PDPL. The law also protects the personal data of deceased individuals if their information could lead to the identification of the deceased individual or their family members specifically.

Like GDPR, the PDPL also groups some types of personal data as “sensitive”. Sensitive personal data under PDPL is any information inferred from an individual’s “ethnic or tribal origin, religious, intellectual or political belief, or indicates his membership in civil associations or institutions.” It also includes criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that an individual is unknown to one or both parents.  

PDPL grants Saudi residents several rights over their personal data. Let’s have a look at them:

• Right to be informed: Any organization that processes the personal data of a user must inform the user about the legal basis for collecting their personal data and its purpose. The user also has the right to be informed that this data should not be processed later for a different purpose. 
• Right to access: Users have the right to access their personal data and to have it available to the control authority. Users also have the right to receive a copy of their personal data in an easily readable format, free of charge, per the law. 
• Right to correction: Users have the right to request businesses to correct, update, or complete personal data about them, within a reasonable time. The business must notify any other party to which they shared or transferred the data, and provide them the updated information.
• Right to deletion: Users have the right to request the deletion of personal data if it is no longer needed by a business.

Here are the key features and principles of PDPL rules that a business must follow:

Purpose limitation

The purpose of collecting personal data must be directly related to the purposes of the owner, direct, clear, secure, and free from methods of deception, misleading, or extortion.

Data minimization

Personal data collected must be appropriate and limited to what is necessary to achieve the primary purpose. If the collected data is no longer necessary, data controllers must stop collecting or storing it and immediately destroy it.

Privacy policy

Businesses must have a privacy policy. This policy should disclose the purpose of the data collection, the type of the collected data, the method of collection, and how they store, process, and how to destroy the data. It should also explain the user data rights and how to exercise them.

The privacy policy which should be made available to users before collecting their data must also include the identity of businesses and necessary contact details and the details of third-party sources with which it will share the personal data.

Relevance

Businesses must verify that personal data is accurate, complete, timely, and relevant for the purpose for which it is collected.

Disclosure

Businesses should not disclose personal data except

• when the user consents to it, 
• if the personal data is publicly available,
• to fulfill legal requirements,
• when it is in the vital interest of individuals, or
• when disclosing will not lead to the identification of individuals or anyone else.

The personal data must not be disclosed under any circumstances if:

• it will be a threat to national security and reputation,
• it affects KSA’s relationship with other countries,
• it prevents detection of a crime or affects any criminal proceedings,
• it endangers the safety of individuals,
• it violates user privacy,
• it will breach legal or professional obligations or procedures, and
• it will disclose confidential information.

Security

Businesses must take appropriate technical and organizational measures to maintain the security of personal data, including when it is transferred to another party.

Consent

Consent from users is necessary to process their personal data or to change the original purpose of processing. The individuals may withdraw their consent at any time. Businesses must ensure that consent is not a condition for offering goods and services. Consent for processing personal data is not necessary when:

• processing benefits an individual and they cannot be contacted;
• processing is required by law or by an agreement to which an individual is a party; or
• the controller is a public entity and such processing is required for security purposes or to satisfy judicial requirements.

Marketing

Businesses can process personal data, except sensitive personal data, for marketing purposes if it is collected directly from the individuals and with their consent. 

Cross-border data transfer

Except when the vital interest of an individual outside the Kingdom is at stake, or to prevent a disease or treat it, or in implementation of a Kingdom agreement, data transfer to parties outside the Kingdom cannot be done unless it serves the interests of the Kingdom. Even then, data transfer should meet the following conditions:

• It must not harm national security or the Kingdom’s vital interests.
• The data must be protected to prevent its leakage or disclosure.
• The transfer is limited to the minimum amount of data required.
• The approval of the competent authority, as determined by the regulation.

The business may be exempted from these conditions if the recipient country or business provides an adequate level of protection to personal data.

Record processing activities

Businesses must keep records of their personal data processing activities for a specified time (set by the government). These records must also be made available to the authorities when requested. The records should include:

• the contact details;
• the purpose for processing that personal data;
• the categories of individuals;
• any party to whom data has been (or will be) disclosed; and
• the duration during which the data is retained.

Data breach notification

When a business discovers that personal data has been breached, i.e. leaked, damaged, or illegally accessed, they must immediately notify the competent authority. If the breach would cause serious harm, they must notify the affected individual immediately.

Impact assessment

A business should always assess the impact of processing personal data, including the purpose for which it is being processed. If personal data is no longer needed, data collection should be stopped immediately.

Here is an 11-step checklist to comply with PDPL Saudi Arabia.

• Do not collect personal data without a legal purpose, and do not mislead users.
• Collect minimum personal data necessary for the primary purpose.
• Do not collect or disclose personal data without consent from users, unless specified for reasons stated.

• Have a privacy policy for your business to disclose details about how you handle personal data and how and why you share it with third-party sources.
• Keep personal data accurate and up-to-date.
• Do not disclose personal data to third parties unless specified for reasons stated.
• Do not transfer personal data outside the KSA without taking appropriate measures stated in the regulation.
• Keep personal data secure by taking appropriate measures.
• Record your personal data processing activities to share with authorities, when requested.
• Notify authorities about the data breaches as soon as possible and inform affected users immediately, if the risk is severe. 
• Conduct impact assessments of processing the personal data, especially sensitive type.

Anyone who discloses or publishes sensitive data in violation of the provisions of the law is subject to a maximum penalty of two years in prison and a fine not exceeding SAR 3 million (USD 800K), or either of these penalties. 

Anyone who violates the provisions of cross-border data transfer is subject to maximum imprisonment of one year and a fine not exceeding SAR 1 million (USD 267K), or one of these two penalties. 

For violations of all the other provisions, businesses will be issued a warning or a fine not exceeding SAR 5 million (USD 1.3 million). The imposed fine may be doubled for repeated violation (not exceeding SAR 10 million).

The Public Prosecution Office is responsible for the investigation and prosecution of the violations.

Does Saudi Arabia have a data protection law?

Saudi Arabia has a data protection law called Personal Data Protection Law (PDPL). The objective of the law, like many other data protection laws, is to protect the personal data of its people against breaches or privacy invasions. It gives the people rights to privacy by granting them several rights pertaining to their personal data. It applies to any entity that processes the personal data of individuals residing in the territory of the Kingdom of Saudi Arabia. within The law will become effective from 23 March 2022. 

Does GDPR apply to Saudi Arabia?

General Data Protection Regulation (GDPR) is applicable in KSA if an organization from the KSA is collecting or monitoring the personal data of EU residents and citizens for offering goods or services. Here is a GDPR checklist for your website if you want to be compliant.

What is personal data protection law?

KSA’s Personal Data Protection Law (PDPL) is a set of data protection rules for governing how businesses must handle personal data. It defines what right to privacy the people of Saudi Arabia have. Any company that processes personal data of KSA residents must meet the PDPL requirements, else face severe consequences. 

Can data leave Saudi Arabia?

Personal data of Saudi Arabians can leave the Kingdom when there is a risk to the vital interest of an individual outside the Kingdom, or to prevent or treat a disease, or to implement a Kingdom agreement. Data can leave KSA when it serves the interests of the Kingdom, but also if:

• does not harm the Kingdom’s security or vital interests;
• the data is secure from leakage or disclosure;
• the minimum amount of data required for the transfer;
• the competent authority has approved it;
• the recipient country or business adequate level of data protection.

What is a cookie banner?

A cookie banner is a cookie notification informing users about cookie usage on a website. It also discloses why the websites use cookie and how visitors can manage it by accepting or rejecting them.  A website that targets visitors from the KSA and uses cookies to collect or monitor their personal data will have to obtain consent before loading cookies.