Saudi Arabia Personal Data Protection Law: Transition Period Ends September 14

The one-year transition period granted to bring businesses’ activities into compliance with the Personal Data Protection Law of the Kingdom of Saudi Arabia is about to end on September 14, 2024. Given the law’s extraterritorial reach, it is crucial to consider its applicability and the data protection measures implemented.

The Personal Data Protection Law of the Kingdom of Saudi Arabia, issued by Royal Decree M/19 on September 16, 2021 and further amended on March 27, 2023 (the PD Law), came into force on September 14, 2023. The one-year transition period will end on September 14, 2024.

REGULATORY FRAMEWORK

To assess the applicability of the PD Law to commercial activities, as well as the scope of requirements and steps necessary for compliance, businesses should familiarize themselves with the data protection framework developed by the Saudi Data & Artificial Intelligence Authority (SDAIA). This framework is centered around the PD Law.

The PD Law has extraterritorial effect, applying not only to controllers located within Saudi Arabia but also those processing the personal data of Saudi Arabia residents. The PD Law differentiates between personal data and sensitive personal data, the latter of which includes health, genetic, and biometric information. It imposes additional requirements for processing sensitive personal data, such as prohibiting its use for marketing purposes.

The PD Law establishes principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, and confidentiality. To uphold these principles, it mandates that controllers (and by extension data processors) implement organizational, administrative, and technical measures to safeguard processed personal data.

These measures include registering as a controller, appointing a data protection officer (DPO) where necessary, adopting a clear and comprehensive privacy policy, conducting impact assessments on data processing (such as data transfer impact assessments or legitimate interest assessments), entering into appropriate data processing agreements with data processors, ensuring proper cross-border transfers, and notifying SDAIA of personal data breaches.

In the context of legal grounds for processing personal data, similarly to the General Data Protection Regulation (GDPR), the PD Law provides the following grounds:

• Consent
• Actual interests of data subjects when communication is difficult or impossible
• Public interest (security purposes or judicial requirements)
• Legal obligations
• Contractual arrangement with a data subject
• Legitimate interest (though no sensitive data can be processed based on this ground)

Just recently, the PD Law has been supplemented by the following regulations, which expand and detail its provisions:

Executive Regulations

The Executive Regulations specify requirements for (1) appointment of DPOs and their responsibilities, (2) management of data subject requests, (3) different legal grounds such as consent and legitimate interest, and (4) data impact assessments and records of processing activities.

Regulation on Personal Data Transfer Outside of Saudi Arabia, Along with Approved SCCs and BCRs

On September 1, 2024, the regulator amended the previous requirements on data transfers and published the updated Data Transfer Regulation. Similar to the GDPR, the current Data Transfer Regulation allows cross-border data transfers (1) to recipients in jurisdictions that provide an adequate level of data protection (the list of such countries is still pending but the approach of SDAIA is reasonably expected to be similar to the EU approach) or (2) if appropriate safeguards are implemented.

The number of available safeguards has now been reduced, with codes of conduct removed from the list. The remaining safeguards are as follows:

• Standard Contractual Clauses (SCCs)
• Binding Common Rules (BCRs)
• Certificate of Accreditation

The regulator has also published guidelines and templates for both SCCs and BCRs to encourage controllers to adopt these measures where appropriate.

Notably, the Data Transfer Regulation specifies that the PD Law and the Executive Regulations will continue to apply to any subsequent transfers of personal data once it has been transferred outside Saudi Arabia.

Rules for Appointing Personal Data Protection Officer

Under the PD Law, a controller must appoint a DPO in any of the following cases:

• The controller is a public entity that provides services involving the processing of personal data on a large scale, determined by the number and categories of individuals, the volume and type of data, and the geographical scope of processing.
• The controller’s primary activities involve processing operations that require regular and systematic monitoring of individuals (e.g., through tracking, other technological means, or as part of a data collection strategy conducted at specific intervals or periodically). The regulation specifies that location tracking, the use of cookies, and surveillance cameras are considered regular and systematic monitoring, so in practice the number of businesses that are falling under this requirement is significant.
• The controller’s core activities involve processing sensitive personal data (e.g., health institutions).

The recently published rules require that the DPO have appropriate academic qualifications, knowledge of risk management practices and data protection requirements, experience in the field of personal data protection, and no convictions for dishonesty or breach of trust offenses. The controller may appoint either an employee or an external contractor as the DPO. Once appointed, the DPO’s details must be submitted through the National Data Governance Platform (the Platform).

Rules Governing the National Register of Controllers within Saudi Arabia

Initially, the draft rules published for consultation sparked debates on whether registration on the Platform as a controller is mandatory for all controllers without exception. The recently published criteria is broad enough that many controllers will likely need to be registered.

In particular, a controller must be registered on the Platform if such controller

• is a public entity,
• processes personal data as it main activity, or
• processes sensitive data. (Note that the PD Law does not differentiate between controllers that systematically process sensitive data and those that do not as seen in many other jurisdictions. Instead, it requires all data controllers that process sensitive data to be registered.)

NONBINDING GUIDELINES

In addition to the above rules and regulations, SDAIA prepared several guidelines to assist entities with building a compliant system for data protection in Saudi Arabia, namely:

• Elaboration and Developing Privacy Policy Guidelines
• Minimum Personal Data Determination Guidelines
• Personal Data Destruction, Anonymization and Pseudonymization Guidelines
• Personal Data Disclosure Cases Guidelines
• Personal Data Processing Activities Records Guidelines

KEY STEPS FOR COMPLIANCE

Businesses should follow a consistent and structured approach to identify the applicability of the PD Law and the scope of applicable legal requirements. Some of the key practical steps businesses should take including the following:

• Evaluate the geographical scope of commercial activities and customers’ location. It is essential to determine whether the PD Law applies, considering its extraterritorial reach, and assess the extent of its applicability.
• Review commercial and data processing activities. Businesses should assess a list of their commercial activities, mainly focusing on those that involve data processing as a core, inherent, and necessary part of operations. This step will help determine if the business qualifies as a controller and requires registration on the Platform, if a DPO must be appointed, and what, if any, data protection impact assessments are required.
• Define the scope of processing activities. Businesses should define the categories of data subjects, types of personal data processed, and purposes for which personal data is processed. This will enable them to select appropriate legal grounds for data processing (e.g., consent, legitimate interest) and draft a clear privacy policy.
• Map data processing flows. Mapping out how personal data is obtained, the sources from which it is collected, and the means through which it is processed or transferred is crucial to determine appropriate transfer mechanisms (e.g., SCCs or BCRs). Businesses should also identify third-party data processors and evaluate whether data processing agreements include the necessary data protection clauses.

By thoroughly evaluating all these elements, businesses can define a comprehensive set of organizational, administrative, and technical measures that need to be implemented to safeguard personal data. Additionally, it will aid in creating and maintaining a detailed record of processing activities as required by the PD Law.