Saudi Arabia has taken a momentous stride towards safeguarding individual privacy by passing the new amendments to the Personal Data Protection Law (“PDPL”). In a rapidly evolving digital landscape, privacy regulations have become crucial in ensuring personal data’s secure collection, processing, and storage.
This article delves into the key revisions introduced by the new amendments to the PDPL in Saudi Arabia and their potential implications for businesses and individuals. The Saudi Council of Ministers recently approved the amendments to the PDPL pursuant to Royal Decree No. M147 dated 05/09/1444H corresponding to 27/03/2023G. The PDPL was originally issued in September 2021 and was planned to come into effect during March 2023 due to it being revised and subject to public consultation which has seen some changes made to the original PDPL. The amended PDPL will now come into effect 720 days following its publication in the official gazette, which will be by 14/09/2023, where those who are subject to the PDPL being granted a one-year grace period to comply with the PDPL.
The PDPL brings about significant changes to the existing legal framework for data protection, aimed at aligning the country’s data protection practices with international standards. The key factors and changes introduced by the PDPL and its amendments include:
The PDPL applies to the processing of personal data of individuals in the Kingdom of Saudi Arabia (“KSA”), including if such processing of data occurs from outside of KSA. An exception to this is where the processing of personal data is done by an individual for personal or family use, so long as such personal data is not published or disclosed to others. It should be further noted that the upcoming Implementing Regulations should clarify the meaning of ‘personal or family use’.
Legitimate interests for processing:
Controllers may now process and disclose personal data on the basis of legitimate interest, as long as it does not breach the data subject’s rights or interest under the PDPL and that such data is not regarded as ‘sensitive data’. The forthcoming Implementing Regulations are expected to provide further guidance with respect to what constitutes ‘legitimate interest’.
Unlike the previous PDPL, controllers are now relieved from the obligation to immediately notify the competent authority upon discovering a data breach, including unauthorized access or loss of personal data. The Implementing Regulations are expected to provide the deadline for such notifications in case any personal data has been leaked or damaged.
International data transfers:
The amendments have brought about one of the most significant changes to the original PDPL. Under the old framework, controllers were prohibited from transferring personal data outside of KSA or disclosing it to any entity outside KSA, except under extreme circumstances, which typically required the approval of the competent authority. However, under the recent amendments, controllers are no longer required to obtain approval from the competent authority prior to transferring or disclosing personal data to an entity outside KSA. The transfer or disclosure of personal data is generally allowed (with certain conditions) under the amendments for specific purposes, including obligations under international agreements in which KSA is a party, serving national interests, performing obligations to which the data subject is a party, or for any other purpose as determined by the Implementing Regulations.
However, controllers must comply with certain conditions when transferring or disclosing personal data outside the Kingdom for any of the aforementioned purposes. These conditions include ensuring that the transfer or disclosure does not adversely affect the national security or vital interests of KSA and ensuring that the jurisdiction to which the personal data is transferred or disclosed has protection measures that are no less than those provided under the PDPL and its Implementing Regulations. The Implementing Regulations may exempt controllers from these conditions under certain circumstances as specified by SDAIA.
Registration requirement and appointing local representative:
Prior to the amendments, the original PDPL mandated controllers to register through SDAIA’s electronic portal and pay an annual fee not exceeding SAR 100,000. However, the amendments have removed this obligation. Nevertheless, the Implementing Regulations will outline situations where controllers are required to designate one or more personal data protection officers and define their responsibilities in accordance with the provisions of the PDPL.
Penalties and criminal sanctions:
The amended PDPL has now removed the restrictions and penalties relating to the transfer of personal data outside of KSA which were imposed by the original PDPL, as the criminal sanctions under the amended PDPL have now been somewhat limited. Such sanctions under the amended PDPL would be applicable in the event of unlawful publishing or disclosure of sensitive personal data in breach of the provisions of the PDPL if it was done with the intention of harming the personal data subject or for the purpose of personal gains. Such penalties include a fine not exceeding SAR 3,000,000 and/or imprisonment for a period not exceeding two (2) years. Further sanctions may be imposed in case of violating the PDPL including issuing a warning or a fine not exceeding SAR 5,000,000 which may be doubled in case of repeat violations.
Compliance Checklist: Essential Steps for Companies to Comply with the PDPL:
Organizations and businesses subject to the PDPL are required to take necessary steps to ensure compliance with the law upon its commencement on September 14th, 2023. In order to comply with the PDPL, businesses are advised to:
- Conduct staff training on the PDPL and integrate data protection policies and measures in the business.
- Revise internal and external policies, such as privacy notices, to ensure compliance with the PDPL.
- Identify the types of data collected and the purpose of collection.
- Implement data minimization procedures to limit personal data processing and collection.
- Monitor internal data flow to ensure transparent storage and transfer of personal data.
- Develop and amend policies and procedures, including contracts, to reflect individual data rights and obligations.
- Implement technical and organizational procedures to safeguard and protect personal data.
The data privacy landscape in KSA is changing rapidly, requiring companies to adopt effective privacy practices. To ensure compliance with the PDPL, local and international businesses should conduct a privacy audit assessment and follow the steps outlined above. Developing and implementing a clear privacy framework will help inform employees and consumers about internal processes that keep information secure and the individuals responsible for managing the program. It is important to note that privacy frameworks can and should be tailored to a business’s specific needs, resulting in an appropriate privacy governance framework that meets the necessary standard under the PDPL.
If you need further support or information regarding the PDPL or require assistance with your privacy policies, please do not hesitate to contact us.