Saudi Data Protection Law 2021


On September 24, 2021, Saudi Arabia enacted its first comprehensive data protection law, the Personal Data Protection Law (the “PDPL”) [1]. It is also expected that the executive regulations will provide further details on the implementation of the PDPL. The PDPL applies to any processing of personal data related to individuals in the Kingdom by any means, including processing of personal data related to individuals residing in the Kingdom by any party outside the Kingdom.

The PDPL will come into effect on 23 March 2022, and the executive regulations supplementing the PDPL should also be issued within this period.

The competent authority responsible for the implementation of the PDPL is the Saudi Data & Artificial Intelligence Authority known as “SDAIA”. The PDPL states that the supervisory function will eventually shift to the National Data Management Office, which falls under SDAIA.

In a nutshell, the PDPL is intended to (i) prohibit the processing of personal data without the owner’s consent, except in specific circumstances, (ii) prevent that data from being misused by third parties, (iii) ensure privacy of personal data, and (iv) regulate data sharing. In the event of a data breach incident, there is an obligation to notify the competent authority.

How are "Personal Data" and "Sensitive Data" defined under the PDPL?

“Personal Data” is defined under the PDPL as all data, regardless of the source or form, that would lead to the identification of the individual specifically, or make it possible to identify the individual directly or indirectly, including his/her: name, personal identification number, addresses, contact numbers, license numbers, records and personal property, bank account and credit card numbers, still or moving photos of an individual, and other data of a personal nature.

“Sensitive Data” is defined as all data which includes a reference to an individual's ethnic or tribal origin, religious, intellectual or political belief, or indicates his membership in civil associations or institutions. Forensic and security data, bio-identifying data, genetic data, credit data, health data, location data, and data that indicates that the individual is unknown to one or both parents are also considered to be sensitive data.

Who are the owners of Personal Data?

According to the PDPL, owners of data are the individuals to whom the Personal Data relates, their representatives, or their legal guardians.

How is data processed?

Similar to most data protection laws currently in force in other jurisdictions, the PDPL provides that “Processing” is any operation performed on personal data by any means, manual or automated, including but not limited to collection, registration, preservation, indexing, storage, modification, transfer, publication, etc. Except in limited circumstances, Processing of personal data is not permitted under the PDPL without the consent of its owner. For instance, consent is not required if the Processing would achieve a clear benefit and it is impossible or impractical to contact the data subject, if it is required by law or by a prior agreement to which the data subject is a party, or if the controller is a public entity and the Processing is required for security or judicial purposes. Additionally, Processing must only be undertaken with reference to the purpose for which the data was collected.

What is the timeline to maintain and keep data?

Data must be maintained only for as long as necessary. If it turns out that the personal data collected is no longer necessary to achieve the purpose of its collection, the “Controlling Entity” must stop collecting it and immediately destroy what it previously collected.

When can data be disclosed?

Data can only be disclosed in very limited circumstances:

  • when the owner consents to disclosure
  • if the Personal Data was collected from a public source
  • if disclosure was requested by a public entity, for compliance with a security, statutory or judicial order
  • if the disclosure is necessary to protect the public interest or safety, or to protect an individual or a few individuals
  • if disclosure is limited to processing the data later in a manner which would not reveal the identity of the data owner or any other individual

Can the party processing data use it for marketing materials or for awareness purposes?

With the exception of "Sensitive Data", Personal Data may be "Processed" for marketing purposes if it was collected directly from its owner and with their consent to do so in accordance with the provisions of the PDPL. Personal Data may also be collected or processed for scientific, research or statistical purposes without the consent of its owner if it does not include indications of the identity of its owner specifically.

What are the applicable penalties and sanctions in case of a breach?

Breaching the PDPL will result in a warning or a fine of a maximum of 5 million Saudi riyals (equivalent to around USD 1,350,000) for anyone who violates any provision of the PDPL or its executive regulations (to be issued).

What is the penalty for disclosing or publishing Sensitive Data?

Publishing Sensitive Data will result in a prison sentence for a maximum of 2 years and/or a fine of a maximum of 3 million Saudi riyals (equivalent to around USD 800,000) (or one of these penalties) for anyone who discloses or publishes sensitive data in violation of the provisions of PDPL.

Given the ambiguity around the implementation of the PDPL and timescales, it is expected that further guidance will be published, in addition to the executive regulations describing the mechanisms and procedures for obtaining regulatory consent or notifying breaches.

The PDPL grants SDAIA the right to review and suggest amendments within the first year and over a longer five-year timeline from the effective date. There are also provisions suggesting that further details will be issued in respect of the processing of health and credit data and that SDAIA will liaise with the relevant regulators in the Kingdom.

Going forward, entities operating in Saudi Arabia or processing data related to Saudi residents will have to assess their activities and operations to ensure compliance with the PDPL. We have previously assisted a number of companies in creating and implementing the required processes and policies for compliance.

[1] The law was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 of 7/2/1443H (14 September 2021)