Saudi Arabia's Personal Data Protection Law (PDPL)

Saudi Arabia's Personal Data Protection Law (PDPL)

About PDPL
Saudi Arabia published its first comprehensive data protection law PDPL, Personal Data Protection Law, Which targets protecting individuals' personal data privacy, and regulating how organizations will collect, process, disclose, or retain personal data, in accordance with the Kingdom's Vision 2030 goals of creating a digital infrastructure and supporting innovation in order to grow the digital economy.
The final grace period to comply with PDPL is on 18 March 2023.

PDPL prevents data collection and processing without users’ consent. That means your websites should be explicitly granted approval from the visitor to collect his personal data. 

How should Organizations start complying with Saudi PDPL?
Organizations should start showing their visitors a banner to inform them and to obtain their approval (opt-in/implicit consent) for collecting and processing their personal data using cookies and disclose the reason/purpose for collecting and processing data in the Privacy Policy and Cookie Policy. Great, this is the FIRST step!.

In addition, they should:

• Assign a data privacy protection officer.
• Inform data subjects about the purpose of processing their data and obtain their consent.
• Implement information security measures.
• Response to data subjects' requests regarding their personal data.
• Report data Leaks immediately.
• Protect personal data including when it is being transferred outside Saudi Arabia (many other details about data transfer should be considered)
• Control subcontractors and subprocessors.

To whom and in what scoops the PDPL will be applied?
As PDPL aims to protect “personal data”, which is any data that may directly or indirectly identify a person i.e. name, ID number, address, contact numbers, photos, or videos of the person.
PDPL is applied to any organization that interacts with Saudi residents’ personal data, whether that data is being processed inside or outside of Saudi Arabia by businesses or public entities for any purpose.
 

Penalties for Non-compliance with PDPL

• Data transfer rules violations may include detention for up to one year and/or a fine of not more than (1M SAR).
• Disclosing or sharing sensitive data may include detention for up to two years and/or a fine of not more than (3M SAR) for both individuals and organizations.
• Other violations of the PDPL could be penalized with a warning notice or a fine of not more than (5M SAR). The court may maximize the penalty to double if the violation is repeated.
• Offenses Affected parties can claim compensation.

When does consent become not required?

• If the processing would result in a clear advantage and contacting the data subject would be impossible or impractical.
• If the law or a prior agreement with the data subject requires their information.
• If the controller is a public entity and the processing is necessary for security or legal reasons.
• If the controller is collecting data for scientific, research, or statistical purposes and has followed all of the legal requirements.

What are the Data Subject Rights according to PDPL?

The Right to be Informed
Data subjects should know the data controller's contact details, in addition, they should know why and how the data is collected, and if the data will be shared or sold.

 

The Right to Access/Download
Data subjects should be able to access and see the data collected about themselves and be able to download a copy of it in a readable form for free.

 

The Right to Correct/Update
Data subjects should be able to request their data correction if there are any mistakes or to update if the data is old or incomplete.

 

The Right to Destroy/Erase
Data subjects should be able to request the erasure of their data if they don’t want their data to be stored anymore.

 

The Right to Not Process
In some cases, data subjects should be able to refuse the processing of their personal information for a limited period of time.

 

The Right to withdraw consent
Data subjects should be able to withdraw their approval of collecting some or all of their data.