Saudi Arabia's Personal Data Protection Law (PDPL)
Saudi Arabia has published its first comprehensive data protection law, the Personal Data Protection Law (PDPL). It aims to protect the privacy of individuals' personal data and to regulate how organizations collect, process, disclose, and retain personal data, in line with the Kingdom's Vision 2030 goals of building a digital infrastructure and supporting innovation in order to grow the digital economy.
The final grace period to comply with PDPL is on 18 March 2023.
PDPL prohibits collecting and processing personal data without the users' consent. That means your website must obtain explicit approval from the visitor before collecting their personal data.
How should Organizations start complying with Saudi PDPL?
Among other steps, organizations should:
- Assign a data privacy protection officer.
- Inform data subjects about the purpose of processing their data and obtain their consent.
- Implement information security measures.
- Respond to data subjects' requests regarding their personal data.
- Report data leaks immediately.
- Protect personal data, including when it is transferred outside Saudi Arabia (data transfer is subject to many additional requirements that should be considered).
- Control subcontractors and subprocessors.
To whom and in what scope does the PDPL apply?
PDPL aims to protect "personal data", which is any data that may directly or indirectly identify a person, e.g. a name, ID number, address, contact numbers, or photos or videos of the person.
PDPL applies to any organization that handles Saudi residents' personal data, whether that data is processed inside or outside of Saudi Arabia, by businesses or public entities, for any purpose.
Penalties for Non-compliance with PDPL
- Violations of the data transfer rules may be punished with detention for up to one year and/or a fine of not more than 1M SAR.
- Disclosing or sharing sensitive data may be punished with detention for up to two years and/or a fine of not more than 3M SAR, for both individuals and organizations.
- Other violations of the PDPL may be penalized with a warning notice or a fine of not more than 5M SAR. The court may double the penalty if the violation is repeated.
- Parties affected by an offense can claim compensation.
When is consent not required?
- If the processing would result in a clear advantage and contacting the data subject would be impossible or impractical.
- If the law or a prior agreement with the data subject requires the processing of their information.
- If the controller is a public entity and the processing is necessary for security or legal reasons.
- If the controller is collecting data for scientific, research, or statistical purposes and has followed all of the legal requirements.
What are the Data Subject Rights according to PDPL?