What is PDPL?
The Personal Data Protection Law, or PDPL, is the data protection law of the Kingdom of Saudi Arabia (“KSA”), issued in September 2021 and effective as of September 14, 2023. It resembles other privacy laws around the world in aiming to protect personal data, in the context of the country's digital transformation. In addition to the text of the law, the regulatory authority, the SDAIA, has also published 'The Implementing Regulation of the Personal Data Protection Law,' which further clarifies controller obligations, and the 'Regulation on Personal Data Transfer outside the Kingdom.'
One significant difference from the GDPR and similar data protection laws is that the PDPL protects the personal data of deceased persons and of individuals residing in the KSA, and that international data transfers are more strictly regulated. Another is that, for certain types of violations, the PDPL includes imprisonment among the sanctions imposed.
What is Personal Information and what are other key definitions?
The PDPL defines 'personal data' as “any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.” This includes “the data of a deceased person, if such data would lead to his/her identification or a family member's identification.”
The law defines sensitive personal data as "personal data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown."
'Processing' means “any operation which is performed on personal data, whether manual or automated, including, collection, recording, keeping, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publishing, sharing, blocking, erasure, or destruction.”
There is no definition for the legal age of consent for minors, nor any mention of the sale of personal information.
Who has to comply with the PDPL?
The PDPL applies "to any processing of personal data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically."
The takeaway, then, is that under the PDPL, any entity, whether public or private, that processes the personal data of KSA residents has to comply. Whether your business is located in the KSA or operates outside it but processes the personal data of KSA residents, the law applies to you. For example, if your business is located outside the KSA but sells goods or services to KSA residents and collects data from those residents, you must comply with this law.
Who is excluded from PDPL compliance?
The PDPL does not apply to personal data being processed for personal or family use and there is no mention of revenue thresholds or business size in connection with it.
Explicit consent is required for the processing of personal data; however, there are some exceptions, such as:
- when processing is in the interest of the data subject and contact with them is impossible or difficult to achieve;
- if the processing is part of another system or of an implementation of some previous agreement to which the data subject is a party; or
- if you are a public entity that is required to perform processing either for security purposes or to satisfy judicial requirements.
This means that, in general, you must obtain consent from a KSA resident prior to collecting, processing and/or storing their data.
How can I keep my organization PDPL compliant?
In order to be compliant with the PDPL, you have to meet a series of requirements, as follows:
- Ensure that before processing personal data, said data is complete, accurate and relevant. In addition, you have to keep processing records and ensure proper training for all staff regarding PDPL compliance.
- Appoint a data protection officer if any of the following cases apply to you:
  - you are a public entity "that provides services involving Processing of Personal Data on a large scale";
  - your primary activities "are based on processing operations that, by their nature, require regular and systematic monitoring of Data Subjects";
  - your core activity is based on processing sensitive personal data.
- To be able to demonstrate compliance, you must keep a record of personal data processing activities during the processing and for at least five years after the end of any personal data processing activities.
- Obtain consent prior to data processing unless an exception applies, as this is the main legal basis for processing under the PDPL.
- Conduct data protection impact assessments (DPIAs) to determine any risks posed to individuals.
- Report data breaches immediately to the regulatory authorities but no later than 72 hours after becoming aware of the breach, "if such incident potentially causes harm to the Personal Data, or to Data Subject or conflict with their rights or interests." If you are unable to report the data breach within 72 hours, you have an obligation to report it "as soon as possible, along with justifications for the delay."
- Restrict international data transfers unless one of the following applies:
  - "If this is relating to performing an obligation under an agreement, to which the Kingdom is a party.
  - If it is to serve the interests of the Kingdom.
  - If this is to the performance of an obligation to which the Data Subject is a party.
  - If this is to fulfill other purposes as set out in the Regulations."
What data access rights does PDPL grant?
- Right to access: data subjects have the right to access their personal data, and obtain a copy of it in a clear format and free of charge.
- Right to be informed: data subjects have the right to be informed about their data collection, the legal justification for this, and the purposes for which it is being collected.
- Right to delete: data subjects can request that their personal data be deleted once its purposes have been exhausted.
- Right to rectification: data subjects have the right to request corrections of their personal data.
- Right to object/withdraw consent to the processing of personal data: data subjects have the right to object to their personal data being processed and can withdraw their consent.
How to address data subject access requests under PDPL?
Data subject access requests have to be answered within 30 days, with the possibility of extending this period by an additional 30 days if the request requires unusual effort or you receive multiple requests from the same data subject.
A record of the requests received has to be kept and be made available upon request.
Enforcement and penalties
The PDPL mandates that for the first two years the Saudi Data & Artificial Intelligence Authority (SDAIA) will be the regulatory authority that will implement the law, and thereafter the National Data Management Office (NDMO) will have the authority to regulate the PDPL.
Regarding penalties, unlike other privacy regulations, the PDPL sets out three categories of penalties, which include confiscation of funds gained through a violation of the law and potentially requiring that the judgment be published at the offender's expense.
The three categories are as follows:
- For disclosing sensitive personal information: up to SAR 3 million (approx. $798,000) and/or imprisonment for 2 years. In case of repeated violation, the fine penalty can be doubled "even if it results in exceeding its maximum limit, provided that it does not exceed double this limit;"
- For other violations of the provisions: a warning notice or a fine up to SAR 5 million (approx. $1,331,000). In case of repeated violation, the fine penalty can be doubled "even if it results in exceeding its maximum limit, provided that it does not exceed double this limit;"
As the penalties above show, the PDPL differs from other major privacy regulations in that it imposes criminal liability for certain infractions. For repeated violations, the fines may be increased up to double the maximums.
Data Subject Rights - GDPR vs. PDPL Saudi Arabia
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PDPL Saudi Arabia
- Right to access
- Right to be informed
- Right to delete
- Right to rectification
- Right to object/withdraw consent to the processing of personal data
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.