The PDPL introduces GDPR-style processing obligations. Personal data must be processed on a lawful basis prescribed in the law, such as consent or performance of a contract. There are also accountability obligations for controllers similar to those under the GDPR. There is no “legitimate interests” basis for processing.
Unauthorised access to private data is prohibited. Accordingly, the consent of the individual to whom the personal data belongs should be sought before collection or processing.
National Data Regulations
The National Data Regulations set out principles for dealing with personal data, which include:
- the purpose of collection of personal data should be known;
- the data subject’s consent should be sought for collection and processing;
- collection of personal data shall be limited to what is necessary for the purpose;
- personal data should be used for the agreed purpose only; and
- data shall be protected against breach.
The Implementing Regulations of the Telecom Law of 2002 require service providers to protect the personal information of their customers. Further, the Telecom Data Protection Principles require service providers to comply with the following principles:
- process customers’ personal data in a lawful and transparent manner;
- process customers’ personal data for specified and clear purposes;
- collect customers’ personal data that is necessary for the purposes of the processing;
- not keep customers’ personal data in a form that allows identification of the customer for longer than the period necessary to achieve the purposes of processing;
- secure customers’ personal data to ensure its privacy and prevent unauthorised access, breach, tampering or misuse.
Internet of Things
The IoT RF contains some basic provisions requiring equipment to comply with mandated standards and for the IoT system to be capable of allowing interrogation of data processed over it for not less than 12 months after the date of creation.
The Cloud Framework prohibits cloud service providers from (i) providing to any third party any subscriber content or subscriber data; and (ii) processing or using subscriber content or subscriber data for purposes other than those permitted by the cloud subscriber; except where (a) the same is required under KSA laws; or (b) the subscriber’s data is of non-governmental nature and is not received from any government entity, and the relevant cloud customer has given their express prior consent (whether in an opt-in or opt-out form).
The provisions of the Telecom Data Protection Principles will apply to cloud service providers in addition to the Cloud Framework.
The Ecommerce Law requires a service provider to only retain a customer's personal data or electronic communications for the period required by the nature of the electronic transaction, unless a different period is agreed upon.
A service provider is responsible for protecting customers’ electronic communications or personal data in its possession or in the possession of the entities or agents that it deals with. It is prohibited from using customers’ personal data or electronic communications for unauthorised or impermissible purposes and from disclosing the same to third parties, whether for consideration or not, unless the consumer consents to such disclosure or the same is required by law.
Financial institutions licensed by the Saudi Central Bank are required to protect their customers’ personal data.
Medical practitioners are prohibited from disclosing any personal data of their patients without the prior consent of their patients.