
Saudi Personal Data Protection Law

7 Top Takeaways

Saudi Arabia has published its first national data protection law. The law requires further implementing regulations (due within 180 days) to provide full details but still, at this stage, creates a robust framework for data protection that will require Saudi businesses (and overseas businesses) to carefully consider their compliance. Penalties for violation can be severe and include criminal prosecution.

Takeaway 1: Implementation window

Tell me more about the Personal Data Protection Law

The Personal Data Protection Law (“PDPL”) is effective from 23 March 2022 but provides for a one-year implementation window, during which data controllers must become compliant.


What does that mean for Businesses?

Businesses have around 18 months to design and implement their compliance programme. Compliance programmes require cross-organisational input and are not something a legal function can put together in isolation, so don’t leave it too late.


Takeaway 2: Very broad territorial scope

Tell me more about the broad territorial scope

Article 2(1) states that the PDPL applies to all processing of personal data in KSA, and also to the processing of personal data of individuals residing in KSA by foreign entities. This is a very broad provision, much broader than the analogous GDPR provision, because there is no threshold test relating to targeting the KSA market by offering goods or services, or to monitoring individuals in KSA.

What does this mean for foreign businesses selling goods or services?

You could be caught by PDPL even if you are not established in the KSA.

Any business selling goods or services to KSA-based customers is, on the face of this Article, likely to be considered within scope. Foreign businesses will need to consider how to comply with the PDPL or whether to cease trading to KSA customers.


Takeaway 3: Data subject rights

What are the data subject rights?

Individuals will have rights to know about the way their data is being processed, to access data, to request correction, to request destruction and other potential rights that may be defined in implementing regulations.


Do businesses need to implement a process?

Businesses will need to have a process for responding to and complying with data subject rights requests, or face action for violation.


Takeaway 4: Consent is key

Do businesses need the consent of the data subject?

With very limited exceptions, personal data cannot be processed, or the purpose of the processing be changed, without the consent of the data subject. A consent requirement also attaches to onward disclosure of personal data (which presumably includes the appointment of a processor). With little option but to use consent, controlling entities should be aware that the PDPL sets a number of conditions for valid consent (which are, for the most part, similar to those contained in the GDPR, but which may be further modified by implementing regulations). The only exception that appears to be routinely available to businesses as a non-consent basis for processing is where the processing is required in application of a prior agreement to which the data subject is a party (i.e., it is necessary to perform a contract with the data subject).

What does that mean for businesses?

Businesses will need robust consent mechanisms in place at the point of data ingestion, and will need to be able to demonstrate appropriate consents have been obtained.


Takeaway 5: Transfer of data outside KSA is prima facie unlawful (and a criminal act)

Can businesses transfer data outside KSA?

Other than for medical necessity, Article 29 prohibits the transfer or disclosure of personal data outside of KSA except in very limited circumstances. The law suggests that certain controllers may be granted exemptions by the “competent authority” (Saudi Authority for Data and Artificial Intelligence for the first two years of PDPL) and that the implementing regulations may provide further routes for transfer. Article 29 infringements attract criminal sanction – see below.


What does this mean for businesses?

KSA businesses will need to assess any current cross-border data transfers. It may become increasingly difficult (either through illegality or administrative burden) to use overseas processors so procurement of, for example, cloud services should be conducted with this in mind.


Takeaway 6: Records of processing activities must be uploaded to Authority’s electronic portal

Do we need to upload records of processing activities to the Authority's electronic portal?

Similar to the GDPR, controlling entities will have to register with, and pay a fee to, the competent authority (up to SAR 100k). Unlike the GDPR, however, controlling entities will be required to upload their record of data processing activities, and other necessary documents or information related to the processing of personal data, to an electronic portal maintained by the competent authority.

How can businesses generate accurate records?

Businesses will need to conduct a data mapping exercise and ensure processes are in place to capture changes (i.e., through procurements, new processes and so on).


Takeaway 7: Criminal penalties for non-compliance

Are there penalties for non-compliance?

Along with fines, non-compliance with the PDPL can result in criminal prosecution, with prison terms of up to two years where sensitive data is disclosed or published contrary to the PDPL, and up to one year for unlawful cross-border transfers.

What does that mean for businesses?

PDPL compliance requires attention at boardroom level within businesses. The criminal sanction for unlawful cross-border transfers reinforces the message that procurement of domestic-based services creates less risk than the use of overseas cloud services.

Authors

Ben Gibson, Partner, Dubai
Kate Corcoran, Associate, Dubai