Personal Data Protection Law (Saudi Arabia)
Saudi Arabia's PDPL is the Kingdom's first comprehensive data protection law, supervised by SDAIA and effective from 2023 with compliance required by September 2024. It requires lawful bases, data subject rights, breach notification, and controlled cross-border transfers.
The Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia is the country's first comprehensive data protection law. It was issued in 2021 and, after amendments, took effect on September 14, 2023, with a one-year grace period for compliance that ran to September 2024. It is supervised by the Saudi Data and Artificial Intelligence Authority (SDAIA), which issued implementing regulations and regulations on cross-border transfers. The PDPL draws on GDPR concepts while reflecting local legal and cultural considerations.
The PDPL regulates the processing of personal data by any means and applies broadly to controllers operating in the Kingdom and to certain foreign controllers handling Saudi residents' data.
Who It Applies To
The PDPL applies to any processing of personal data related to individuals that takes place in Saudi Arabia by any controller, including public and private entities. It also applies to controllers located outside the Kingdom that process the personal data of individuals residing in Saudi Arabia. It covers personal data in any form, including data of deceased persons where it could identify them or a family member.
Key Requirements
Processing generally requires the consent of the data subject, subject to exceptions such as legitimate interests, legal obligations, and protection of the data subject's vital interests. Controllers must provide a privacy notice, limit collection and use to stated purposes, and maintain records of processing activities. Data subjects have rights to be informed, to access their data, to obtain a copy, to request correction, and to request destruction. Controllers must implement security measures and notify SDAIA of personal data breaches, and notify affected data subjects where there may be harm. The law and its regulations restrict cross-border transfers, which are permitted under conditions such as an adequate level of protection or specified safeguards. Marketing and the processing of sensitive and health data carry additional conditions.
Penalties for Non-Compliance
The PDPL provides for warnings and fines. Unlawful disclosure or transfer of sensitive data with intent to harm or for personal benefit can lead to imprisonment of up to two years and a fine of up to SAR 3 million. Other violations can attract fines of up to SAR 5 million, which can be doubled for repeat offences. Courts can also order confiscation and publication of judgments.
How to Comply
Identify a legal basis for each processing activity and obtain consent where required. Publish privacy notices and maintain records of processing. Build processes for access, correction, and destruction requests. Implement security measures and a breach notification process to SDAIA. Apply additional safeguards to sensitive and health data and to marketing. Review cross-border transfers against the transfer regulations and apply an approved mechanism.