Saudi Arabia Passes Personal Data Protection Law

Written by: Brett Lawrence, Esq.

On September 16, 2021, by Royal Decree, Saudi Arabia implemented the Personal Data Protection Law (“PDPL”). The PDPL becomes effective on March 23, 2022 and will be enforced by the Saudi Data and Artificial Intelligence Authority (“SDAIA”). Regulated businesses have until March 23, 2023 before the PDPL is enforced.

We outline key areas of the PDPL below:

1. Scope and Application

The PDPL applies to the processing of personal data of Saudi Arabian residents (called “data owners”), regardless of their geographic location. “Processing” refers to collecting, storing, modifying, using, disclosing, transferring, blocking, and destroying personal data. The PDPL does not apply to the processing of personal data for personal or family use.

2. Data Owner Rights

All data owners have the right to:

    1. Be informed about the justification for the processing of their personal data
    2. Access and receive a copy of their collected personal data
    3. Rectify, correct, or supplement the personal data held by a business
    4. Request that the business destroy the copy of their personal data held by the business

3. Lawful Basis for Processing

Businesses must receive consent from the data owner before processing their personal data, unless another legal basis applies. Other legal bases consist of: (1) a contract between the business and the data owner; (2) the processing would be a clear benefit and it is impossible or impractical to contact the data owner; and (3) the business is a public entity and the processing is needed for security or legal purposes.

Businesses must also establish a privacy policy and make it available for the data owner to review before any processing begins. The policy must set out, at a minimum, the following:

    1. The purpose of collection;
    2. The type of personal data being collected;
    3. The method of processing and storage;
    4. How the personal data will be destroyed; and
    5. What rights data owners possess and how those rights can be effectuated.

Businesses must further register with the SDAIA, the government entity tasked with enforcing the PDPL.

4. Cross‑Border Transfers

The PDPL prohibits the transfer of personal data outside Saudi Arabia unless the transfer is either: (1) necessary to preserve someone’s health or life; (2) to combat a disease; (3) the business has an obligation that involves a transfer of personal data; (4) the transfer serves the government’s interest; or (5) other purposes to be disclosed by the implementing regulations.

When a transfer is authorized, the business must ensure that it satisfies all of the below requirements:

    1. The transfer will not adversely affect Saudi Arabia’s national security interests;
    2. Safeguards are put in place to protect the personal data’s confidentiality and that they meet the minimum criteria required under the law;
    3. The transfer is limited to the amount necessary; and
    4. The business must receive consent from the
