In this blog, we look at Saudi Arabia’s Personal Data Protection Law (PDPL), its key provisions, and what organizations should consider for compliance. The PDPL applies to the processing of personal data by companies or public entities, by any means, where that processing (Article 2(1) of the PDPL):
- takes place in the Kingdom of Saudi Arabia; or
- relates to the personal data of residents of the Kingdom and is carried out by companies located outside the Kingdom.
Personal data means any information that identifies an individual, directly or indirectly. Processing for personal or family use falls outside the scope of the law.
Key principles and accountability obligations under the PDPL:
- Accountability: Controllers must have measures in place to ensure conformity with the data protection principles and must regularly verify that their means of processing conform with the law (Article 8).
- Purpose limitation: Personal data collected must be specific to the controller’s purposes and limited to what is required to satisfy such purposes (Article 11).
- Transparency: Controllers must put in place a privacy policy that sets out the purposes of collection, the categories of personal data collected, how the data is collected, stored, processed and erased, and the data subject rights and how to exercise them (Article 12).
- Accuracy: Controllers must not process personal data without taking sufficient steps to ensure that it is up-to-date, accurate, complete, and specific to the purpose for which it was collected (Article 14).
- Data protection officer appointment: Controllers are required to appoint a person (or several persons) to be responsible for implementing the provisions of the law (Article 30).
- Records of processing activities: Controllers are required to keep records of their processing activities for a period determined by the executive regulations and register on an online portal where they must pay an annual fee not exceeding SAR 100,000 (Articles 31 and 32).
- Data protection impact assessment: Controllers are required to assess the consequences that their processing activities have for personal data before carrying them out (Article 22).
Processing of Health Data
- Article 23 of the PDPL specifically addresses the processing of health data.
- Health data must be processed in a way that preserves the confidentiality of data subjects and protects their rights.
- Access to health data must be restricted to the persons who need it for the purpose of processing.
- The executive regulations will provide further details on the requirements for processing health data.
Processing of Credit Data
- Article 24 of the PDPL provides requirements for the processing of credit data.
- The processing of credit data must comply with the principles of data protection set out in the PDPL.
- Additional measures for the processing of credit data will be included in the executive regulations.
Article 29 of the PDPL generally prohibits the transfer of personal data outside of Saudi Arabia and permits it only in limited cases, such as where there is a threat to the life of the data subject. Even then, strict conditions apply: the transfer must not prejudice national security or the Kingdom’s vital interests; the transferring entity must provide adequate guarantees for protecting the personal data being transferred or disclosed; the transfer must be restricted to the minimum personal data necessary for its purpose; and the competent authority must approve the transfer.
Data residency has become a major challenge for multinational organizations and service providers in Saudi Arabia, particularly in light of the National Cybersecurity Authority’s Essential Cybersecurity Controls, which require the hosting and storage location of an entity’s information to be inside the Kingdom for cloud computing services. The PDPL’s executive regulations are expected to clarify how organizations can obtain SDAIA’s approval for cross-border transfers and how such transfers should be managed; given the wording of Article 29, the criteria will likely centre on the impact on national security and the Kingdom’s vital interests.
The PDPL grants data subjects the right to object to the processing of their personal data for direct marketing purposes (Article 5(3)). Controllers must respect such objections and stop processing the personal data for that purpose.
Additionally, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from the original controller, as provided in Article 4(5) of the PDPL. This right is commonly referred to as the right to data portability.
The main data subject rights under the PDPL, together with the controller obligations attached to them, are:
- Right to be informed about how personal data is being processed
- Right to access personal data held by a controller
- Right to correct, complete, or update personal data
- Right to request erasure of personal data
- Right to object to the processing of personal data, or to a change in its purpose, that takes place without the data subject’s consent
- Right to withdraw consent at any time
- Right to make complaints to the competent authority for breaches of the PDPL
- Controllers must respond to data subject requests within the period determined by executive regulations
- Controllers may determine reasonable periods for exercising the right to access personal data, subject to approval by the competent authority
- Data subjects have the right to seek damages for material and non-material loss resulting from breaches of the PDPL or executive regulations.
Article 19 of the PDPL establishes a legal obligation on controllers to implement appropriate technical and organizational measures for the protection of personal data, including during the transfer of such data. In addition, the competent authority is required to consider the establishment of provisions and conditions relating to the technical and organizational measures for the storage of personal data, taking into account the nature and sensitivity of the data, when preparing the executive regulations supplementing the PDPL.
Furthermore, controllers are required to notify the competent authority in the event of a data security breach (Article 20(1) of the PDPL). The executive regulations will determine the circumstances in which controllers must inform data subjects of a security breach involving their personal data; however, where a breach is likely to cause serious harm to the data subjects or their personal data, controllers must inform them immediately (Article 20(2) of the PDPL).
Under the PDPL, unlawful disclosure or publication of sensitive personal data may result in imprisonment for up to two years and/or a fine not exceeding SAR 3,000,000. Violations of the data transfer provisions in Article 29 may result in imprisonment for up to one year and/or a fine not exceeding SAR 1,000,000. For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5,000,000.
It is important to note that the maximum fines for any of the aforementioned violations may be increased to double the stated maximums for repeat offenses. In addition, the court may order confiscation of funds gained from violations of the law and/or require publication of the judgment at the offender’s expense.
According to Article 43 of the PDPL, the law becomes effective on 23 March 2022. Controllers then have an 18-month transition period, counted from the date of the law’s publication in the Official Gazette, to achieve compliance. For companies located outside Saudi Arabia that process the personal data of Saudi Arabian residents, SDAIA may extend this deadline by up to five years.
The PDPL refers throughout to “executive regulations”, which supplement the law and are expected to be published between the date of the PDPL’s publication and its effective date to assist organizations with compliance. The executive regulations may establish specific conditions, timeframes, and fees related to PDPL requirements.
One of the key challenges for organizations in Saudi Arabia and the region will be the lack of data protection program maturity, according to Waterman. This is a new start for most organizations, and it will take time to build the value of privacy into the organizational culture. It is relatively easy to update employment contracts or create a basic privacy policy, but operationalizing a privacy program that manages risk effectively is quite different and requires a cultural change.
Gaurav Mehta, founder at Concur, also emphasized that building a culture of privacy and trust goes beyond compliance with the new law. It is about building the organization’s brand and reputation, and earning the trust of customers as personal data is collected and used to improve products and services. Organizations should not wait until the last minute to start working towards compliance, as rushing often results in building something that is not fit for purpose and may end up costing more. It is important to be planful, seek expert advice, agree on an appropriate ambition level, and start training leadership teams and staff as quickly as possible.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage data compliance and other business operations. Its solutions include consent management, digital policy management, legacy customer notice guidelines, a data principal rights solution, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises stay compliant with regulations such as the DPDPB while streamlining their operations and improving overall efficiency. Concur also offers dedicated support through its Support Center so that customers have the assistance they need to achieve their compliance goals.