Saudi Arabia’s Personal Data Protection Law (PDPL), was implemented by Royal Decree M/19 of 17 September 2021 and published in the Official Gazette on 24 September 2021. A draft of the executive regulations that supplement the PDPL was issued on 10 March 2022, and further details were added to the law. In this blog, we will learn more about the State of Personal Data Protection Law (PDPL), Saudi Arabia
Although the PDPL was initially expected to take effect from 23 March 2022, its implementation has been postponed to 17 March 2023. For entities outside Saudi Arabia that process the personal data of Saudi residents, the implementation period may be further delayed for up to five years.
The Saudi Data & Artificial Intelligence Authority (SDAIA) is responsible for enforcing the implementation of the PDPL for an initial two-year period. Thereafter, the supervisory role may be transferred to the National Data Management Office (NDMO), which is the regulatory arm of the SDAIA. The PDPL aims to bring Saudi Arabia in line with both regional and international data protection standards.
The PDPL requires organizations to appoint a data protection officer, maintain records of processing, and conduct risk assessments in certain circumstances. The law also includes strict provisions on data transfers, technical and organizational measures to safeguard data, as well as several data subject rights.
Moreover, the Executive Regulations complement the PDPL by providing further information on key terms, transparency requirements, controller-processor contracts, and data breach notification, among other things. The public consultation on the Executive Regulations ended on 25 March 2022.
The implementation of Saudi Arabia’s PDPL is uncertain, as the Saudi Data & Artificial Intelligence Authority held a public consultation on proposed changes to the PDPL, and it is unclear when the results will be released. Additionally, executive regulations implementing the PDPL are yet to be issued. Despite the uncertainty, the proposed changes to the PDPL will likely be welcomed by businesses operating in Saudi Arabia or processing personal data of individuals residing in the country.
The implementation of Saudi Arabia’s PDPL is currently in question as the SDAIA recently held a public consultation on proposed changes to the law. The consultation ended on 20 December 2022, and it is unclear when the results will be made public, and a revised version of the PDPL will be released.
Furthermore, the PDPL requires executive regulations to implement it, and a draft of these regulations was published for consultation in 2022 but was withdrawn within a few days when the PDPL itself was postponed. It is expected that a new set of regulations reflecting the amended PDPL will be issued at some point in the future, but this adds to the uncertainty around the implementation of the law.
Despite the uncertainty, the proposed changes to the PDPL will likely be welcomed by businesses operating in Saudi Arabia or processing the personal data of individuals residing in the country. Some of the more significant proposed changes include changes to the definition of personal data, the introduction of a “legitimate interest” legal basis for processing personal data, and an exemption for small and medium-sized enterprises from certain provisions of the law.
The revisions to the PDPL permit the processing of personal data where it is necessary to achieve a legitimate/lawful interest of the controller or another person and this does not prejudice the data subject’s rights. This legal basis will not apply to sensitive personal data. The addition of legitimate interests as a legal basis for processing brings the PDPL closer to global data protection laws, and it enables organizations to avoid relying solely on consent for data processing.
The new Article 28 of the PDPL deals with international transfers of personal data. It provides that a controller may transfer personal data outside the KSA if the country to which the personal data is transferred protects personal data to at least the same standard as the KSA, the transfer does not adversely affect national security or vital interests of the KSA, and the transfer is limited to the minimum amount of personal data required. However, there is still some uncertainty as to what criteria will be used to determine ‘adequate’ jurisdictions and whether personal data can be transferred to jurisdictions not considered ‘adequate.’ Additionally, businesses involved in processing government data will be looking for clarity on when national security or similar considerations mean personal data cannot be transferred.
It seems that the proposed amendments to Saudi Arabia’s PDPL address several key areas of concern and bring the law more in line with global data protection standards. The addition of legitimate interests as a legal basis for data processing is a significant change that will give organizations more flexibility in how they process personal data, provided they can demonstrate a legitimate interest that does not prejudice the rights of the data subject. The revised Article 28 on international data transfers is also a welcome change, although there is still some uncertainty around how ‘adequacy’ will be assessed and whether other transfer mechanisms will be available. The removal of the requirement for offshore entities to appoint a representative in the KSA is another notable change, although the data protection authority will still have the power to monitor compliance and implement the law outside of the KSA. Overall, these changes should make it easier for organizations to comply with the PDPL while still protecting the privacy rights of individuals.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises to stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, they offer dedicated support through their Support Center to ensure customers have the assistance they need to achieve their compliance goals.