The one-year transition period granted to bring businesses’ activities into compliance with the Personal Data Protection Law of the Kingdom of Saudi Arabia is about to end on September 14, 2024. Given the law’s extraterritorial reach, it is crucial to consider its applicability and the data protection measures implemented.
The Personal Data Protection Law of the Kingdom of Saudi Arabia, issued by Royal Decree M/19 on September 16, 2021 and further amended on March 27, 2023 (the PD Law), came into force on September 14, 2023. The one-year transition period will end on September 14, 2024.
To assess the applicability of the PD Law to commercial activities, as well as the scope of requirements and steps necessary for compliance, businesses should familiarize themselves with the data protection framework developed by the Saudi Data & Artificial Intelligence Authority (SDAIA). This framework is centered around the PD Law.
The PD Law has extraterritorial effect, applying not only to controllers located within Saudi Arabia but also to those outside the Kingdom that process the personal data of Saudi Arabia residents. The PD Law differentiates between personal data and sensitive personal data, the latter of which includes health, genetic, and biometric information. It imposes additional requirements for processing sensitive personal data, such as prohibiting its use for marketing purposes.
The PD Law establishes principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, and confidentiality. To uphold these principles, it mandates that controllers (and by extension data processors) implement organizational, administrative, and technical measures to safeguard processed personal data.
These measures include registering as a controller, appointing a data protection officer (DPO) where necessary, adopting a clear and comprehensive privacy policy, conducting impact assessments on data processing (such as data transfer impact assessments or legitimate interest assessments), entering into appropriate data processing agreements with data processors, ensuring proper cross-border transfers, and notifying SDAIA of personal data breaches.
In the context of legal grounds for processing personal data, similarly to the General Data Protection Regulation (GDPR), the PD Law provides the following grounds:
Just recently, the PD Law has been supplemented by the following regulations, which expand and detail its provisions:
Executive Regulations
The Executive Regulations specify requirements for (1) appointment of DPOs and their responsibilities, (2) management of data subject requests, (3) different legal grounds such as consent and legitimate interest, and (4) data impact assessments and records of processing activities.
Regulation on Personal Data Transfer Outside of Saudi Arabia, Along with Approved SCCs and BCRs
On September 1, 2024, the regulator amended the previous requirements on data transfers and published the updated Data Transfer Regulation. Similar to the GDPR, the current Data Transfer Regulation allows cross-border data transfers (1) to recipients in jurisdictions that provide an adequate level of data protection (the list of such countries is still pending but the approach of SDAIA is reasonably expected to be similar to the EU approach) or (2) if appropriate safeguards are implemented.
The number of available safeguards has now been reduced, with codes of conduct removed from the list. The remaining safeguards are as follows:
The regulator has also published guidelines and templates for both SCCs and BCRs to encourage controllers to adopt these measures where appropriate.
Notably, the Data Transfer Regulation specifies that the PD Law and the Executive Regulations will continue to apply to any subsequent transfers of personal data once it has been transferred outside Saudi Arabia.
Rules for Appointing Personal Data Protection Officer
Under the PD Law, a controller must appoint a DPO in any of the following cases:
The recently published rules require that the DPO have appropriate academic qualifications, knowledge of risk management practices and data protection requirements, experience in the field of personal data protection, and no convictions for dishonesty or breach of trust offenses. The controller may appoint either an employee or an external contractor as the DPO. Once appointed, the DPO’s details must be submitted through the National Data Governance Platform (the Platform).
Rules Governing the National Register of Controllers within Saudi Arabia
Initially, the draft rules published for consultation sparked debate on whether registration on the Platform as a controller is mandatory for all controllers without exception. The recently published criteria are broad enough that many controllers will likely need to be registered.
In particular, a controller must be registered on the Platform if such controller
In addition to the above rules and regulations, SDAIA prepared several guidelines to assist entities with building a compliant system for data protection in Saudi Arabia, namely:
Businesses should follow a consistent and structured approach to identify the applicability of the PD Law and the scope of applicable legal requirements. Some of the key practical steps businesses should take include the following:
By thoroughly evaluating all these elements, businesses can define a comprehensive set of organizational, administrative, and technical measures that need to be implemented to safeguard personal data. Additionally, it will aid in creating and maintaining a detailed record of processing activities as required by the PD Law.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: