Overview of the Saudi Personal Data Protection Law
Introduction:
To protect personal data and leverage its economic value in a rapidly digitizing world, Saudi Arabia, through the Saudi Data and Artificial Intelligence Authority (SDAIA), launched the Personal Data Protection Law (PDPL), which entered into full force on September 14, 2024, after the corrective period designated for compliance expired.
Two years after its publication, regulations are now in force to govern how websites collect user data. These regulations aim to build trust in online transactions, create a safer digital environment, and support Saudi Arabia’s Vision 2030 goal of bolstering the digital economy.
This article will cover seven key aspects of the personal data protection system: its definition, its objectives, the rights it guarantees, its scope, the circumstances for appointing a data protection officer, the requirements for appointing the data protection officer, and the penalties for violations.
What is personal data?
The SDAIA defines personal data as: “Any data, regardless of its source or form, that directly or indirectly identifies an individual, including names, ID numbers, addresses, contact information, licenses’ numbers, records, personal property details, bank account and credit card numbers, fixed or moving images of the individuals, and other personal data.”
Objectives of the Saudi Personal Data Protection Law (PDPL):
The Saudi Personal Data Protection Law (PDPL) seeks to:
- Safeguard privacy: The personal data protection system guarantees the privacy of individuals and protects their personal information. It requires companies to obtain explicit consent from the data owners before they use the data.
- Govern data collection: The law establishes a clear legal framework for how personal data is collected and processed.
- Foster inter-company collaboration: The law encourages companies to work together on data protection solutions, building trust and strengthening international partnerships.
- Mandate data deletion: Companies are required to delete data that is no longer needed for its intended purpose.
- Empower individuals: By raising awareness of individual data rights, the law promotes trust in electronic transactions and discourages harmful practices.
The Rights and Guarantees of the Saudi Personal Data Protection Law (PDPL):
- Right to be informed: Individuals must be informed about the legal basis and purpose of data collection, the collector’s identity and contact information, who the data will be shared with (including if it will be transferred, disclosed or processed outside the Kingdom of Saudi Arabia), the potential risks of not providing the data, and their own rights as data subjects.
- Right of access: Individuals can request a clear and readable copy of their personal data held by the data controller.
- Right to rectification: Individuals can request corrections, additions, or updates to their personal data held by the controller.
- Right to erasure (destruction): Individuals can request the deletion of their personal data that is no longer needed by the controller.
- Right to withdraw consent: Individuals can withdraw their consent for data processing at any time, except in specific cases outlined in this law and its regulations.
The Scope of Application of the Saudi Personal Data Protection Law (PDPL):
The Saudi Personal Data Protection Law applies to all personal data processing within Saudi Arabia, regardless of the processing method. This includes the processing of data belonging to individuals in the Kingdom by entities located inside or outside the country. The law also covers data of deceased individuals if it could lead to the identification of the deceased or a specific family member.
Circumstances for Appointing a Personal Data Protection Officer (DPO):
Data controllers are required to appoint one or more Data Protection Officers (DPOs) if any of the following apply:
- The controller is a public entity providing large-scale personal data processing services.
- The controller’s core business activities inherently involve regular and systematic monitoring of data subjects.
- The controller’s core business activities involve processing sensitive data.
Requirements for Appointing a Personal Data Protection Officer (DPO):
When appointing a Data Protection Officer (DPO), the data controller must ensure that the following requirements are met:
- Appropriate educational qualifications and experience in personal data protection.
- Sufficient knowledge of risk management practices, including managing and responding to data breaches.
- Sufficient understanding of data protection laws and other relevant regulations necessary to fulfill their DPO responsibilities.
- A demonstrated record of honesty and integrity, with no prior convictions for crimes involving moral turpitude or dishonesty.
The Penalties for the Violation of the Saudi Personal Data Protection Law:
Saudi Arabia’s Personal Data Protection Law (PDPL) imposes significant penalties in the event of violations or non-compliance by private natural or legal persons. These penalties are categorized as follows:
a) Penalties for Disclosing or Publishing Sensitive Data:
The personal data protection law specifies penalties for violations of its provisions. Any person who discloses or publishes sensitive data in violation of the Law, with the intent to harm the data subject or for personal gain, is punishable by up to two years in prison and/or a fine of up to 3 million riyals. Courts may double the fine for repeat offenses.
b) Penalties for Violating the PDPL Provisions:
Any individual or entity violating the PDPL or its regulations may face a warning or a fine of up to 5 million riyals. This fine may also be doubled for repeat offenses.
c) Additional Potential Penalties (Applicable to Both a and b):
In addition to the penalties above, responsible parties may also face:
- Official warnings.
- Confiscation of illegally obtained funds.
- Civil lawsuits seeking compensation for material or moral damages suffered as a result of the violation.
Conclusion:
In conclusion, the Saudi Data and Artificial Intelligence Authority’s initiatives are crucial for raising awareness about personal data protection and empowering individuals to make informed decisions about their data. This strengthens trust in Saudi Arabia’s digital environment, contributing to Vision 2030, supporting the digital economy, and building confidence in the global digital landscape.
For legal guidance, Shura Law Firm for Advocacy and Arbitration specializes in company registration and all procedures related to the Saudi Personal Data Protection System, offering legal support to ensure your compliance.