Saudi Arabia PDPL

Who is excluded from PDPL compliance? 

The PDPL does not apply to personal data being processed for personal or family use and there is no mention of revenue thresholds or business size in connection with it. 

Explicit consent is required for the processing of personal data, however, there are some exceptions to this, such as: 

• when processing is in the interest of the data subject and contact with them is impossible or difficult to achieve;
• if the processing is part of another system or of an implementation of some previous agreement to which the data subject is a party; or 
• if you are a public entity that is required to perform processing either for security purposes or to satisfy judicial requirements.  

This means that, in general, you must obtain consent from a KSA resident prior to collecting, processing and/or storing their data.

How can I keep my organization PDPL compliant?

In order to be compliant with the PDPL, you have to meet a series of requirements, as follows: 

• Ensure that before processing personal data, said data is complete, accurate and relevant. In addition, you have to keep processing records and ensure proper training for all staff regarding PDPL compliance. 
• Display a privacy policy on your website, outlining how data will be processed.
• Appoint a data protection officer if any of the following cases apply to you: 
  • you are a public entity "that provides services involving Processing of Personal Data on a large scale";
  • your primary activities "are based on processing operations that, by their nature, require regular and systematic monitoring of Data Subjects";
  • your core activity is based on processing sensitive personal data.
• To be able to demonstrate compliance, you shall keep a record of personal data processing activities during the processing and for at least five years after the end of any personal data processing activities.
• Obtain consent prior to data processing unless an exception applies, as this is the main legal basis for processing under the PDPL.
• Conduct data protection impact assessments (DPIAs) to determine any risks posed to individuals. 
• Report data breaches immediately to the regulatory authorities but no later than 72 hours after becoming aware of the breach, "if such incident potentially causes harm to the Personal Data, or to Data Subject or conflict with their rights or interests." If you are unable to report the data breach within 72 hours, you have an obligation to report it "as soon as possible, along with justifications for the delay."
• Restrict international data transfers unless one of the following applies:
  • "If this is relating to performing an obligation under an agreement, to which the Kingdom is a party.

  • If it is to serve the interests of the Kingdom.

  • If this is to the performance of an obligation to which the Data Subject is a party. 

    If this is to fulfill other purposes as set out in the Regulations."

What data access rights does PDPL grant? 

• Right to access: data subjects have the right to access their personal data, and obtain a copy of it in a clear format and free of charge.
• Right to be informed: data subjects have the right to be informed about their data collection, the legal justification for this, and the purposes for which it is being collected. 
• Right to delete: data subjects can request that their personal data be deleted once its purposes have been exhausted.
• Right to rectification: data subjects have the right to request corrections of their personal data. 
• Right to object/withdraw consent to the processing of personal data: data subjects have the right to object to their personal data being processed and can withdraw their consent.

How to address data subject access requests under PDPL?

Data subject access requests have to be replied to within a period of 30 days with the possibility of extending this to an additional 30 days if the request requires unusual efforts or you receive multiple requests from the same data subject. 

A record of the requests received has to be kept and be made available upon request. 

Enforcement and penalties

The PDPL mandates that for the first two years the Saudi Data & Artificial Intelligence Authority (SDAIA) will be the regulatory authority that will implement the law, and thereafter the National Data Management Office (NDMO) will have the  authority to regulate the PDPL. 

Regarding penalties, unlike other privacy regulations, the PDPL sets out three categories of penalties, including confiscation of funds gained following a violation of the law and potentially requesting that the judgment be made public at the expense of the offender.

The three categories are as follows: 

• For disclosing sensitive personal information: up to SAR 3 million (approx. $798,000) and/or imprisonment for 2 years. In case of repeated violation, the fine penalty can be doubled "even if it results in exceeding its maximum limit, provided that it does not exceed double this limit;"
• For other violations of the provisions: a warning notice or a fine up to SAR 5 million (approx. $1,331,000). In case of repeated violation, the fine penalty can be doubled "even if it results in exceeding its maximum limit, provided that it does not exceed double this limit;"

As you can see above, PDPL differs from other major privacy regulations as it imposes criminal liability for certain infractions. For repeated violations the fines may be increased up to double the maximums.

Data Subject Rights - GDPR vs. PDPL Saudi Arabia