Comply with Saudi Personal Data Protection Law (PDPL)
Saudi Arabia published its first comprehensive data protection law, the Personal Data Protection Law (PDPL), on September 24, 2021. It targets protecting the privacy of individuals' personal data and regulating how organizations collect, process, disclose, or retain personal data, in accordance with the Kingdom's Vision 2030 goals of creating a digital infrastructure and supporting innovation in order to grow the digital economy.
The final grace period to comply with PDPL ends on 18 March 2023.
PDPL prevents data collection and processing without users’ consent. That means your websites should be explicitly granted approval by visitors before collecting their personal data.
What Are the Main Steps Organizations Should Take to Comply with Saudi PDPL?
- Assign a data privacy protection officer.
- Inform data subjects about the purpose of processing their data and obtain their consent.
- Implement information security measures.
- Respond to data subjects' requests regarding their personal data.
- Report data leaks immediately.
- Protect personal data, including when it is being transferred outside Saudi Arabia (many other details about data transfer should be considered).
- Control subcontractors and subprocessors.
To Whom and in What Scope Does the PDPL Apply?
PDPL aims to protect “personal data”, which is any data that may directly or indirectly identify a person, such as name, ID number, address, contact numbers, photos, or videos of the person.
PDPL applies to any organization that interacts with Saudi residents’ personal data, whether that data is being processed inside or outside of Saudi Arabia by businesses or public entities for any purpose.
Penalties for Non-compliance with PDPL
- Penalties for violations of the data transfer rules may include detention for up to one year and/or a fine of not more than (1M SAR).
- Penalties for disclosing or sharing sensitive data may include detention for up to two years and/or a fine of not more than (3M SAR) for both individuals and organizations.
- Other violations of the PDPL could be penalized with a warning notice or a fine of not more than (5M SAR). The court may increase the penalty up to double if the violation is repeated.
- Parties affected by offenses can claim compensation.
What are the Data Subject Rights according to PDPL?
The Right to be Informed
Data subjects should know the data controller's contact details. In addition, they should know why and how the data is collected, and whether the data will be shared or sold.
The Right to Access/Download
Data subjects should be able to access and see the data collected about themselves and be able to download a copy of it in a readable form for free.
The Right to Correct/Update
Data subjects should be able to request correction of their data if there are any mistakes, or an update if the data is old or incomplete.
The Right to Destroy/Erase
Data subjects should be able to request the erasure of their data if they don’t want their data to be stored anymore.
The Right to Not Process
In some cases, data subjects should be able to refuse the processing of their personal information for a limited period of time.
The Right to Withdraw Consent
Data subjects should be able to withdraw their approval of collecting some or all of their data.
How Can We Help You?
Daam Al-Arabia provides a platform that blends reliability, intelligence, and simplicity. We adopted a best-in-class Privacy Management, DSR Automation, and Cookie Consent & Preferences solution to assist you in complying with the PDPL and other international privacy laws.
Note: Daam doesn't provide judicial services or legal consultancy.