Saudi Arabia recently implemented a Personal Data Protection Law, Saudi Arabia Cabinet Decision No 98/1443 ('PDPL'), which will come into effect on 23 March 2022. Data Controllers have a one-year window from this date to ensure they are complying, and we expect Executive Regulations to be published soon to provide further details on the steps needed. Until then, we thought it would be helpful to highlight some of the key provisions of the law and discuss some of the issues which Controllers should be thinking about now.
Who does the PDPL apply to?
The PDPL places obligations upon Controllers: any entity that determines the purpose and manner of processing Personal Data. This can be an individual or an organisation. As in international data protection regimes, the terms Processing and Personal Data capture almost any action relating to information about an identifiable individual, the Personal Data Owner. The highlighted terms are defined in the Glossary.
The location of the Controller and of the Personal Data Owner is key. The PDPL applies to all Controllers located in Saudi Arabia processing Personal Data, regardless of whether the individual lives in Saudi Arabia or abroad.
It also applies to all Controllers located outside of Saudi Arabia processing Personal Data of Saudi Arabian residents. Controllers will, therefore, need to carry out a detailed review of where employees, third party service providers, customers, clients etc. are residing. On top of the obligation to process the Personal Data of Saudi Arabian residents in compliance with the PDPL, there are also administrative requirements which will be triggered, and these are looked at below. It is not yet clear what that trigger will be. Must a Controller comply if it has one Saudi Arabian resident employee, or one Saudi Arabian resident customer? It is expected that the Executive Regulations will offer guidance. The administrative headache or fear of PDPL penalties could result in companies outside Saudi Arabia excluding Saudi Arabian residents from their business. Regardless of how this is implemented in practice, the key point for businesses is that they must have mechanisms in place to know where the data is coming from.
What are a Controller’s obligations under the PDPL?
1. Ensure Personal Data is obtained lawfully.
Subject to certain limited exceptions, Personal Data must be processed with the consent of the Personal Data Owner. The Executive Regulations will detail the conditions of consent including when consent must be in writing. The Personal Data Owner may withdraw consent at any time.
Consent is not required if the processing (1) achieves a “definite interest” for the Personal Data Owner and it is impossible or difficult to contact the Personal Data Owner, (2) if it is required by another law or an earlier agreement to which the Personal Data Owner is a party, or (3) if the Controller is a public entity and the processing is required for security or judicial purposes.
Once further clarity is provided by the Executive Regulations, Controllers will need to carefully review their consent mechanisms to ensure they are fully compliant.
2. Data Owner Rights
Personal Data Owners have been granted certain rights in respect of their Personal Data:
the right to be informed of the reason for collecting the Personal Data and the purpose behind the processing;
the right to access their Personal Data;
the right to request correction, completion, updating or destruction of their Personal Data;
the right to withdraw consent to processing at any time; and
the right to make complaints to the Data Protection Authority arising from any breaches.
These rights create obligations upon Controllers, and Controllers new to data protection laws must put in place internal procedures and train staff to ensure that these administrative requests for information, access, updates and deletions can be met. This requires an ongoing and active commitment to the priority attached to all Personal Data within an organisation.
At the time of collecting Personal Data directly from a Personal Data Owner, the Controller must take adequate steps to provide the Personal Data Owner with: the justification and purpose for collecting the Personal Data; the identity and address of the person collecting the Personal Data; the entity or entities to which the Personal Data will be disclosed; and whether the Personal Data will be transferred outside of Saudi Arabia. The Controller must also notify the Personal Data Owner of their rights under the PDPL (as set out above).
The Controller must also take sufficient steps to verify the Personal Data’s accuracy, completeness and relevance prior to processing.
the method of collection,
the means of storage,
how it will be processed,
how it will be destroyed,
the rights of its owner in relation to it, and how these rights can be exercised.
Controllers will need to think carefully through not only their data collection procedure but also their future plans for the data before they approach the individual. It is not enough to rely on consent for a vague, undefined purpose. If plans change, any consent provided at the time of collection may no longer be valid. Controllers should know which Processors or group companies will require access to the Personal Data and where those Processors or companies are located. They should also consider international transfers of information.
4. Review cross-border transfers of Personal Data.
If Personal Data is transferred outside of Saudi Arabia, the Controller must be aware of the obligations surrounding that transfer.
Subject to certain exceptional circumstances detailed in the PDPL and further conditions to be set out in the Executive Regulations, the Controller may not transfer Personal Data outside of Saudi Arabia unless:
The transfer or disclosure does not prejudice national security or the vital interests of Saudi Arabia;
Sufficient guarantees are in place to protect the confidentiality of the Personal Data to be transferred or disclosed, so that the standard of Personal Data protection is not less than the standard set forth in the PDPL;
The transfer or disclosure must be limited to the minimum Personal Data needed; and
The SDAIA approves the transfer or disclosure as determined by the Executive Regulations.
The Data Protection Authority also may exempt the Controller, on a case-by-case basis, from being bound by these conditions if the Data Protection Authority believes the Personal Data will have an acceptable level of protection outside of Saudi Arabia, and that such data is not Sensitive Data (see Glossary). Most international data protection laws have issued “safe lists” of countries which meet the adequate protection requirement and allow cross border transfers. Due to the impracticalities of seeking SDAIA approval, we expect the Executive Regulations to set out approved circumstances to allow international transfers.
Controllers must not only notify Personal Data Owners of any cross-border transfers at the time of data collection, but must also implement procedures to ensure that such transfers comply with the conditions set out by the PDPL.
5. Breaches / Security
The Controller must notify the Data Protection Authority as soon as it becomes aware of a leak or damage or if there is illegal access to Personal Data.
The Executive Regulations will specify when the Personal Data Owner must be notified, but the PDPL does stipulate that notification must be immediate if the breach could cause serious harm to the Personal Data Owner.
The PDPL also requires the Controller to implement organisational, administrative and technical measures to protect the Personal Data. The provisions and controls will be specified by the Executive Regulations taking into account the nature and degree of sensitivity of the Personal Data.
The Controller must carry out an evaluation of the consequences of its processing for any product or service offered to the public. No further details have been provided at this stage and we await the Executive Regulations. We envisage it will be aligned with the EU's General Data Protection Regulation (GDPR) requirement for a Data Protection Impact Assessment, which is needed if the processing is likely to involve a high risk to Personal Data Owners.
6. Data Processor
If the Controller is required to disclose information to a Data Processor (see Glossary), the Controller must choose an entity which provides the necessary guarantees for enforcing the provisions of the PDPL, and must constantly ensure that the Data Processor complies with its instructions in all related matters.
The Controller is also required to notify updates to Data Processors, to ensure the Personal Data is always accurate, complete and up to date.
Further guidance in relation to Data Processors, including whether there must be a written contract between Controllers and Processors, is expected from the Executive Regulations.
7. Administrative set up
The Saudi Data & Artificial Intelligence Authority ('SDAIA') is the competent authority responsible for supervising and enforcing the implementation of the PDPL for an initial two-year period, after which the supervisory role may be transferred to the National Data Management Office, the SDAIA's regulatory arm. The SDAIA will be responsible for conducting an awareness campaign for Personal Data Owners and Controller employees to ensure they know their rights and obligations.
There is an obligation on Controllers to appoint a Data Protection Officer and carry out employee training to ensure that their staff understand the principles protected by the new legislation and the practical impact upon their business.
Controllers must register with the SDAIA and pay an annual fee.
There are record keeping obligations on Controllers and a requirement to make the records available to the SDAIA. These will include the purpose of the processing activities, a description of the categories of Personal Data Owners, the identity of any entity to which Personal Data is disclosed, cross-border transfers and Personal Data retention timeframes.
The PDPL requires Controllers outside Saudi Arabia to appoint a personal representative in Saudi Arabia (licensed by the SDAIA) to fulfil the obligations under the law. Compliance with this shall, however, be delayed for a period of up to five years from March 2022. As mentioned earlier, further clarification will be needed to establish what triggers this requirement. It is envisaged that, in line with the GDPR, there might be SDAIA administrative exemptions for organisations with fewer than 250 employees.
The penalties which can be imposed under the PDPL are worth noting.
Anyone who violates the cross-border provisions of the PDPL can be punished by imprisonment for a period not exceeding one year and/or a fine not exceeding US$260,000.
The penalty in relation to disclosure or publication of Sensitive Data (see Glossary) can be punished by imprisonment not exceeding two years and/or a fine not exceeding US$800,000.
For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding US$1,300,000. Repeat offences can face up to double that limit.
All organisations operating in Saudi Arabia will need to review their activities and begin to make the required changes during the transition period to ensure compliance with the PDPL. Although the Executive Regulations will provide some necessary clarification on the topics discussed above, the PDPL has provided the framework to get started. Please contact us if you have any questions or would like to discuss how the PDPL applies to your business. We would be happy to assist you with any compliance issues.
Glossary of Terms
Some of the defined terms under the PDPL:
Personal Data: Any data that would lead to the identification of the individual specifically, or make it possible to identify the person directly or indirectly. This includes names, personal identification numbers, addresses, contact numbers, licence numbers, records, personal property, bank account and credit card numbers, images or recordings of the individual, and other data of a personal nature.
Sensitive Data: Personal data which includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, Genetic Data, Credit Data, Health Data, location data, and data that indicates that both parents of an individual or one of them is unknown.
Processing: Any process performed on Personal Data by any means, whether manual or automated, including processes of collection, recording, archiving, indexing, arranging, formatting, storing, modifying, updating, merging, retrieving, using, disclosing, transferring, publishing, data sharing or interconnecting, blocking, erasing and destroying.
Personal Data Owner: Any natural person who can be identified from their Personal Data. This also includes a representative or guardian and a deceased person, if it would lead to identifying the Personal Data Owner or a family member.
Controller: Any public entity, and any person of private natural or legal capacity, that specifies the purpose and manner of processing personal data, whether they process the data by themselves or by a processing entity.
Data Processor: Any public entity, and any private natural or legal person, that processes personal data for the benefit of, and on behalf of, the controlling entity.
Genetic Data: All personal data related to the genetic or acquired characteristics of a natural person, uniquely identifying the physiological or health characteristics of such person, and extracted from the analysis of a biological sample of the person, such as the analysis of nucleic acids or the analysis of any other sample that leads to the extraction of genetic data.
Health Data: All personal data related to an individual's health status, whether physical, mental, psychological, or related to his health services.
Credit Data: All personal data relating to an individual's request for, or granting of, financing, whether for a personal or family purpose, from a finance entity, including any data relating to his ability to obtain credit, his ability to repay it, or his credit history.