What is PDPL?
The Personal Data Protection Law, or PDPL, is the data protection law of the Kingdom of Saudi Arabia (“KSA”), issued in September 2021 and set to become effective as of March 2023. This law has similarities to other privacy laws in the world, aiming at protecting personal data, within a digital transformation context for the country.
One significant difference is that PDPL protects the personal information of deceased persons and of individuals residing in the KSA, and that international data transfers are prohibited under the PDPL, with some limited exceptions. Another is that PDPL imposes criminal, rather than simply monetary, liability for certain infractions.
What is Personal Information and what are other key definitions?
The PDPL defines 'personal data' as “any information through which an individual may be directly or indirectly identified, including name, social security number, numbers, addresses, bank account and credit card details, and pictures.” This includes “the data of a deceased person, if such data would lead to his/her identification or a family member's identification.”
'Processing' means “any operation which is performed on personal data, whether manual or automated, including, collection, recording, keeping, indexing, arranging, formatting, storage, modification, updating, merging, retrieval, use, disclosure, transfer, publishing, sharing, blocking, erasure, or destruction.”
Last but not least, it also includes special categories of data defined as “personal data relating to a person's ethnic or tribal origin, or religious, intellectual, or political belief, or indicates his/her membership in non-governmental associations or institutions, as well as criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates a person's parent or parents are unknown.” The key takeaway here is that unlike other regulations, PDPL includes tribal origin, credit data or data related to one’s biological parents.
There is no definition for the legal age of consent for children, nor any mention of the sale of personal information.
Who has to comply with the PDPL?
Under the PDPL, any entity, whether public or private, that processes personal information of KSA residents has to comply. This means that whether your business is located in the KSA, or you operate outside but process personal information of KSA residents, the law applies to you. For example, if your business is located outside of the KSA but sells goods or services to KSA residents and collects information from those residents, you must comply with this regulation.
Who is excluded from PDPL compliance?
The PDPL does not apply to personal data being processed for family or personal use, and there is no mention of revenue thresholds or business size in connection with it.
Explicit consent is required for the processing of personal data; however, there are some exceptions to this, such as:
- when processing is in the interest of the data subject and contact with them is impossible or difficult to achieve;
- if the processing is part of another system or of an implementation of some previous agreement to which the data subject is a party; or
- if you are a public entity that is required to perform processing either for security purposes or to satisfy judicial requirements.
This means that in general, you must obtain consent from a KSA resident prior to collecting, processing and/or storing their data.
How can I keep my organization PDPL compliant?
In order to be compliant with the PDPL you have to meet a series of requirements. A series of executive regulations that would clarify compliance is still pending issuance, but as of Q3 2022 you are required to:
- Register via an electronic portal and pay an annual registration fee if you are a data controller.
- Ensure that before processing personal data, said data is complete, accurate and relevant. In addition to this, you have to keep processing records and ensure proper training to all staff as regards PDPL compliance.
- Appoint a local representative if your business operates but is not located in the KSA. In addition to this, you will need to appoint a data protection officer.
- Obtain consent prior to data processing, as this is the main legal basis for processing under the PDPL.
- Conduct data protection impact assessments (DPIAs) to determine any risks posed to individuals.
- Report data breaches immediately to the regulatory authorities.
- Restrict international data transfers unless one of the following applies:
  - there is an extreme necessity that relates to a threat against the life of the data subject in question;
  - there is an agreement that the KSA is party to;
  - the data transfer serves Saudi interests.
What data access rights does PDPL grant?
- Right to access: data subjects have the right to access their personal data, obtain a copy of it in a clear format, and free of charge.
- Right to be informed: data subjects have the right to be informed about the collection of their data, of the legal justification for this, and the purposes for which it is being collected.
- Right to delete: data subjects can request that their personal data be deleted once its purposes have been exhausted.
- Right to rectification: data subjects have the right to request corrections of their personal data.
- Right to object/withdraw consent to the processing of personal data: data subjects have the right to object to their personal data being processed and can withdraw their consent.
How to address data subject access requests under PDPL?
Data subject access requests have to be replied to within a period of 30 days with the possibility of extending this to an additional 30 days if the request requires unusual efforts or you receive multiple requests from the same data subject.
A record of the requests received has to be kept and be made available upon request.
Enforcement and penalties
The PDPL mandates that for the first two years the Saudi Data & Artificial Intelligence Authority (SDAIA) will be the regulatory authority that will implement the law, and thereafter the National Data Management Office (NDMO) will have the authority to regulate the PDPL.
Regarding penalties, unlike other privacy regulations, the PDPL sets out three categories of penalties, including confiscation of funds gained following a violation of the law and potentially requesting that the judgment be made public at the expense of the offender.
The three categories are as follows:
- For disclosing sensitive personal information: up to SAR 3 million (approx. $798,000) and/or imprisonment for 2 years;
- For violating the data transfer provision: up to SAR 1 million (approx. $267,000) and/or imprisonment for 1 year;
- For other violations of the provisions: a warning notice or a fine up to SAR 5 million (approx. $1,331,000).
As you can see above, PDPL differs from other major privacy regulations as it imposes criminal liability for certain infractions. For repeated violations the fines may be increased up to double the maximums.
Data Subject Rights - GDPR vs. PDPL Saudi Arabia
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PDPL Saudi Arabia
- Right to access
- Right to be informed
- Right to delete
- Right to rectification
- Right to object/withdraw consent to the processing of personal data
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.