Saudi Arabia’s Personal Data Protection Law (PDPL) was implemented by Royal Decree M/19 of 9/2/1443H (September 16, 2021), which approved Resolution No. 98 of 7/2/1443 H (September 14, 2021). It was published in the Republic Journal on September 24, 2021.
The Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee the implementation of the new legislation for the first two years, after which a transfer of oversight to the National Data Management Office (NDMO) will be considered. The NDMO is the regulatory arm of SDAIA and had already published interim data governance regulations in 2020, which have now been superseded by the PDPL with regard to the protection of personal data.
According to the SDAIA announcement, the PDPL is intended to ensure the privacy of personal data, regulate data sharing and prevent abuse of personal data in line with the goals of the Saudi Vision 2030 to develop digital infrastructure and support the innovation to grow a digital economy.
PDPL Enforcement Scope
The Personal Data Protection Law (PDPL), as well as other legislation on the subject, is designed to protect personal data, that is, any information, in any form, through which a person can be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, pictures, and video recordings of the person.
The PDPL applies to any personal data processing by companies or public entities carried out in Saudi Arabia by any means, including the processing of personal data of Saudi residents by entities located outside the Kingdom.
The PDPL does not apply to the processing of personal data for personal and family use.
The PDPL Pillars
Many of the features of the Personal Data Protection Law (PDPL) are consistent with the concepts and principles contained in other international data protection laws, such as:
- Data Subject Rights: Individuals (data subjects) shall, with some exceptions, have the right to be informed about the processing of personal data and the legal basis for such processing, the right to access their personal data (including to obtain a free copy thereof), the right to correct or update their personal data, and the right to request their destruction if they are no longer necessary. Data subjects can also file complaints related to the PDPL enforcement with the regulatory authority.
- Registration of Controllers: Organizations that collect personal data and determine the purpose for which they are used and the method of processing (controllers) must register with an electronic portal that will form a national register of controllers. There will be an annual fee payable for registration, to be determined in executive regulations (which will be issued in due course).
- Controller Obligations: Controllers will be obliged to ensure the accuracy, integrity, and relevance of personal data before processing them, to keep a record of the processing for a period that will be defined by the executive regulations, and to ensure their team is properly trained in the PDPL and data protection principles.
- Consent: Data subjects may withdraw their consent to the processing of personal data at any time, and consent shall not be a prerequisite for the controller to offer a service or benefit (unless the service or benefit is specifically related to the processing activity for which consent is obtained).
- Processing not Based on Consent: Notwithstanding the provisions on withdrawal of consent, the PDPL makes it clear that data processing does not always require consent from the data subject. Consent is not required if processing achieves a clear benefit and it is impossible or impractical to contact the data subject, if required by law or prior agreement to which the data subject is a party, or if the controller is an entity and processing is required for security or legal purposes.
- Purpose Limitation and Data Minimization: Organizations must make clear the purpose for which personal data is collected and used. Personal data must also be relevant and controllers must limit collection to the minimum necessary to achieve the intended purpose.
- Impact Assessments: Controllers must assess the impact of processing personal data and, if personal data is no longer needed to achieve the intended purpose, the controller must stop collecting such data.
- Marketing: Personal data may not be used for marketing purposes without the recipient’s consent or the use of opt-out mechanisms.
- Breach Notification: Data breaches, leaks, or unauthorized access to personal data must be notified to the supervisory authority, and incidents that cause material damage to the data subject must be notified to the data subjects.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.