On September 14, 2023, Saudi Arabia’s Personal Data Protection Law officially came into force. Earlier in 2023, amendments to the PDPL were published, and the associated Regulations were finalised in early September after undergoing a public consultation in July.
Key points to note include:
- Entry into force – The PDPL is now in force, although (as per the Royal Decree pursuant to which the PDPL was issued) Data Controllers have twelve months from the PDPL coming into effect within which to ensure that their processing activities are compliant. It is important to note that other obligations may apply despite this ‘grace period’ (potentially including data breach notification obligations, for example).
- Implementing regulations – The Regulations, referred to throughout the PDPL, set out considerable additional detail, including an entire section on data transfers. The Regulations also allude to further guidance to be issued by the Regulator on various topics.
- International data transfers – The data transfers section of the Regulations broadly contemplates transfers of personal data outside the Kingdom, although some ambiguity remains in the drafting, meaning that close scrutiny will be required. The Regulations contemplate various typical transfer-related mechanisms, including adequacy decisions, Binding Corporate Rules and Standard Contractual Clauses; the details of these are subject to further action on the part of the Regulator.
- Consent – The consent of the Data Subject is an important legal basis for personal data processing in many situations, and the Regulations provide a definition of ‘explicit consent’ and circumstances where it is required. There are a variety of requirements that must be met where consent is the legal basis for processing, including a requirement to obtain independent consent in respect of each purpose of processing.
- Legitimate interest – A key development (relative to the PDPL as originally published in 2021) is the inclusion of the concept of ‘legitimate interest’ as a basis for personal data processing. While in many instances processing can be carried out where necessary to achieve a legitimate interest of the Data Controller (subject to data subject rights and interests), there are certain circumstances where Data Controllers will not be able to rely on legitimate interest as a basis for processing.
- DPIA – In certain circumstances, including when processing Sensitive Personal Data, there is a requirement to undertake a data protection impact assessment. The Regulations set out mandatory minimum requirements relating to what such an impact assessment must address.
- Sector-specific considerations – The PDPL provides specific data protection requirements for specific sectors and industries, including health data, credit data, advertising and direct marketing, and scientific research.
- Engaging processors – Data Controllers are required to ensure that any Data Processor engaged to process Personal Data provides sufficient guarantees to protect Personal Data, and the Regulations prescribe a number of mandatory requirements for data processing agreements.
- Data Protection Officers – In certain scenarios, Data Controllers are required to appoint Data Protection Officers; the specific responsibilities of DPOs are detailed in the Regulations.
- Data breach – There is a qualified requirement to notify the Regulator within 72 hours of becoming aware of a data breach incident. There is also a qualified requirement to notify affected data subjects without undue delay.
- ROPAs and National Register – Data Controllers are required to retain a record of Personal Data processing activities, and the Regulations prescribe the requirements of such records. The Regulations also provide that the Regulator shall issue rules relating to registration in a National Register of Data Controllers, including information on Data Controllers that are required to register.
The PDPL and its Regulations cover a variety of other topics. Now that the PDPL is in force, those subject to it should make haste on their compliance efforts. While the ‘grace period’ provides some comfort on many aspects, twelve months is not a particularly long time.
How can Al Tamimi help?
Our Digital & Data (Tech | Media | Telecoms) team will be pleased to assist in providing advice on the revised Law and on compliance steps for businesses. If you have any specific queries, or would simply like to discuss some of these topics, please reach out to Nick.
Key Contact
Nick O’Connell
Partner, Head of Digital & Data - Saudi Arabia