A new Personal Data Protection Law ("PDP Law"), promulgated by Royal Decree M/19 of 9/2/1443H, corresponding to 16 September 2021, is due to come into force in the Kingdom from 23 March 2022 (the "Effective Date") and will require most businesses to make significant changes to the way they collect, store and process personal data. Businesses will also need to establish compliant procedures and policies and to stop certain practices.
The PDP Law applies to the processing of personal data related to individuals that takes place in the Kingdom, including processing of personal data of KSA residents by any party outside the Kingdom. "Processing" for these purposes includes collecting, storing, modifying, using, disclosing, transferring, blocking and destroying personal data.
The main obligations under the PDP Law apply to any public entity, business or individual that specifies the purpose and manner of processing personal data (the "Controlling Party"), whether that party processes the data itself or has it processed by others. The Controlling Party is distinguished from the "Processing Party", which includes any public entity, business, or individual that processes personal data on behalf of the Controlling Party.
As an example of the distinction, if a company asks another company (the "Payroll Provider") to pay the wages of its employees, tells the Payroll Provider when the wages should be paid, and provides the Payroll Provider with all relevant details, then the first company is the Controlling Party and the Payroll Provider is the Processing Party. Processing of personal data by individuals for purposes that do not exceed personal or family use is excluded from the scope of the PDP Law.
Controlling Parties must register with the responsible authority (initially the Saudi Data and Artificial Intelligence Authority (SDAIA)). Personal data owners' rights to access, to seek correction of, and to require destruction of their personal data must be respected, and they must be informed of the grounds, purpose and other aspects of the processing of their personal data. The Controlling Party must adopt a personal data privacy policy, keep records of processing, minimise the data collected and report data breaches. Entities outside the Kingdom that are subject to the PDP Law must appoint a representative in the Kingdom (although the authority may defer this obligation for up to five years).
Processing will generally require the consent of the personal data owner unless it relates to the implementation of an agreement with the personal data owner, or to a specific interest of the personal data owner, where it is impossible or difficult to contact them.
The Controlling Party may not transfer personal data outside the Kingdom or disclose it to a party outside the Kingdom, other than in implementation of a convention to which the Kingdom is a party, to serve the interests of the Kingdom, to preserve the life of the personal data owner (or their vital interests), or to prevent, examine or treat an infection.
The Executive Regulations, which must be issued by the Effective Date, will specify important details regarding the new regime, and could in certain areas introduce further exceptions to the restrictions contained in the PDP Law, including other circumstances in which personal data can be transferred outside the Kingdom.
Controlling Parties have one year from the Effective Date to comply with the PDP Law.