Saudi Arabia Personal Data Protection Law (PDPL): An Overview

Saudi Arabia’s data protection law was published in the Official Gazette, the country’s online-only English language newspaper, on September 24, 2021. Amendments were confirmed in March 2023, and the law will take effect in September 2023.

The law targets organizations doing business in Saudi Arabia and the United Arab Emirates. It is extraterritorial, so applies to organizations both located in those regions and outside of them, if they process personal data of Saudi or UAE residents.

The Saudi Arabia Personal Data Protection Law (PDPL) is the country’s first consumer data privacy law, also covering the United Arab Emirates. It was passed by a royal decree in September 2021. The law was amended March 23, 2023, and will officially come into force September 14, 2023. Compliance enforcement will begin after a year, on September 13, 2024.

The purpose of the PDPL is to ensure the privacy of consumers’ personal data, prevent abuse of that data, and regulate sharing of it. The PDPL generally follows the European Union’s General Data Protection Regulation (GDPR) and aligns with the standards of other international privacy laws. It includes common key principles and requirements, like purpose limitation, data minimization, data controller responsibilities, data subjects’ rights, and penalties for violations.

Like many international privacy laws outside of the United States, the PDPL requires prior consent for data collection and use.

The PDPL uses fairly standard definitions of common terms found in other privacy regulations, though the specific terminology used may vary a bit from that found in other countries.

A list of countries prepared by the regulatory authority, which have been deemed to provide an adequate level of protection for personal data and data subjects’ rights. The list must be regularly reviewed and updated.

This refers to “removing any direct or indirect characteristics from the Personal Data, that may make the Personal Data Subject specifically identified.”

Any individual residing in Saudi Arabia or the UAE whose personal data may be collected and processed by organizations, and who has rights regarding the privacy, protection, and use of their data.

Refers to any person under the age of 13, on whose behalf consent for data processing must be obtained by a parent or legal guardian.

This refers to the “set of general rules and specific responsibilities approved by the Regulatory Authority, which Controllers and Processors are obligated to comply with, to face the challenges relating to protection of Personal Data in a specific sector, in order to establish a system of proper practices in that sector and to comply with that system.”

These are, in the language of the law’s text, the authorities responsible for regulation or oversight of the law. Regulatory authority refers to any government entity with an “independent public personality” and powers, duties, and responsibilities over a certain sector of the Saudi Kingdom.

These entities will be responsible for enforcing the PDPL, educating organizations about compliance, and levying penalties for violations. For at least the first two years once the law comes into force, the Saudi Data and Artificial Intelligence Authority (SDAIA) will be the specific relevant authority.

The Saudi law notes that consent must be obtained before or at the time of processing, and that it must be “clear and unambiguous”. The law also includes definitions for both implied and explicit consent.

Explicit consent: “Verbal or written consent that is express, specific and given freely by the Data Subject, proofing that the Data Subject agrees to process their Personal Data.”

The law specifies that the “Controller shall obtain consent by any appropriate means or in any appropriate form, including by means of written consent forms, electronic forms, settings in applications, verbal consent or Implied Consent if allowed.” It also includes conditions to be taken into account.

Somewhat unusually among other data privacy laws, the PDPL lists specific acceptable information for controller and data subject communication. Data subjects may change the preferred mode of communication, where possible. The acceptable means must be “valid and effective” and include:

• text messages sent to authenticated mobile phones
• accounts registered in government automated systems
• the post (postal mail)
• applications’ notifications and alerts
• any other electronic means designated for that purpose and recognized in the Saudi Kingdom

Personal data is defined as any information that can specifically identify a person or lead to their identification, alone or combined with other information (the standard definition of personally identifiable information). Some examples of personal data include name, driver’s license number, phone number, or email address.

Sensitive personal data refers to certain types of personal data, which, if misused, can cause considerable harm, which include information inferred from:

• ethnic or tribal origin
• religious, intellectual or political beliefs
• membership in civil associations or institutions
• criminal and security data
• credit data
• genetic data
• health data
• location data
• biometric data
• data indicating an individual is unknown to one or both parents

Profiling refers to the “Automated Processing of Personal Data and using such Personal Data to analyse and assess certain personal aspects of the Data Subject, and to forecast aspects relating to the Data Subject’s performance at work, financial status, health, personal preferences, interests, behaviour, location or movement, for the purpose of creating a profile of the Data Subject.”

This ties in to definitions of what qualifies as personal data, and refers to “processing personal data by an individual within their family or within their limited social circle taking part in any social or family activity.”

It excludes disclosing personal data publicly or using it for “professional, non-profit or commercial activity.”

The PDPL is extraterritorial, which means public or private organizations that process the personal data of Saudi Arabia’s or the UAE’s residents need to be in compliance with the law. It doesn’t matter if these organizations are located in Saudi Arabia and the UAE or outside.

Processing refers to collection, use, sharing, updating, transfer, or storage of personal data, whether automatic or manual. The category of sensitive personal data is also included, which requires special handling.

Within organizations, in many cases a Data Protection Officer will be appointed who will have responsibility for compliance operations, handling of data subjects’ requests, addressing data breaches, liaising with authorities, training of staff, and more.

The PDPL notes that it does not overrule any other provision or law that provides data subjects with even greater protection of their personal data and privacy rights. It is also interesting to note that the law covers the personal data of deceased persons, if that data could be used to identify them or any family members.

The Saudi law lists several specific rights for data subjects. The inclusion and level of detail in the rights relating to the use of emerging technologies is of note.

• Right to know: information about the controller and data processing, including:
  • name of controller
  • contact information for the controller
  • types of personal data to be processed
  • purposes of processing
  • legal justification or practical need for processing
  • period for which personal data collected will be kept
  • how the personal data will be collected and used
  • entities with which the data will be shared
  • data sources personal data will be collected from, if not publicly available
• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
• Right to correction: or completion or update of any inaccurate or outdated information the controller has
• Right to deletion: or destruction of any personal data the controller has about or from the consumer, with some exceptions
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a legible and clear format, with some exceptions

Controllers can restrict a personal data subject’s request to exercise their rights if it is to protect the individual or others from harm, maintain security, or to fulfill another law or judicial requirements.

Consent is the main allowable legal basis for data processing under the PDPL. Legitimate interest has been added with the law’s amendment, but that does not apply for sensitive personal data processing.

The Saudi regulation requires the following conditions for data subject consent to be considered valid:

• notify the data subject why consent is being requested and the legal justification or practical need for it
• notify the data subject that data processing will be limited to the minimum amount of data necessary to fulfill the stated purpose (purpose limitation and data minimization)
• inform the data subject of all granular purposes for data processing and available consent options
• inform the data subject of their right to withdraw consent at any time
• establish procedures to enable withdrawal of consent (which must be as easy as those for obtaining consent)
• obtain and document explicit consent in a way that can be proven in the future
• obtain consent in writing if the personal data to be processed is sensitive
• obtain consent from a legal guardian for processing of personal data of a person who is a child, legally incompetent, or deceased

There are exemptions to the requirement for data subject consent, including if:

• the data processing serves the data subject’s “actual interests” (known as “legitimate interest” under the GDPR)
• the data processing is pursuant to another law, contract fulfillment, or implementation of an agreement
• the controller is a public entity and the processing is required for security or to fulfill judicial purposes or requirements
• the processing is necessary to achieve the controller’s lawful interest and the data is not considered sensitive

Consent for processing the personal data of children must be obtained from a parent or legal guardian.

Companies are responsible to comply with the PDPL if they process the personal data of Saudi Arabia or UAE residents. Data subjects must be notified about data to be processed, the purposes for processing, who the data may be shared with, what their rights are, and how to exercise them.

Controllers are required to store and process personal data within the geographical boundaries of the Saudi Kingdom. Under some circumstances data can be stored or processed outside of the Kingdom if doing so does not pose a security risk. Before that can happen, an impact assessment must be conducted, and written approval of the Regulatory Authority must be obtained. Regulatory authorities will liaise regarding approval on a case-by-case basis.

Entities abroad that are affiliated with the Saudi government are exempt from requirements regarding personal data transfers internationally.

Personal data transfers or disclosure to parties outside of the Saudi Kingdom are restricted, though are allowed in cases of:

• extreme necessity, e.g. lifesaving measures
• for purposes determined by the PDPL
• when governed by formal agreement that the Kingdom is party to or that serves its interests

For most data transfers or disclosures outside the Kingdom, the following conditions must be met:

• transfer or disclosure does not prejudice national security of the vital interests of the Kingdom
• there are sufficient guarantees to preserve the personal data and its confidentiality to the standards of the law and regulations
• Transfer or disclosure is limited to the minimum amount of data needed
• regulatory authority approval has been obtained

The regulatory authority can exempt a controller from one of these conditions if it’s assessed that the personal data involved is not sensitive data and will have an adequate level of protection outside the Kingdom. If personal data is to be transferred to a country not on the Adequacy List, a potential risk and impact assessment must be done and appropriate safeguards must be employed.

The PDPL is opt-in, so consent is required before the processing of personal data. Data subjects must also be able to withdraw consent at any time. If the stated purpose(s) for data processing change, the controller must obtain new consent from data subjects.

Controllers cannot make consent a condition of using a service, unless the processing directly relates to or enables the service.

Requiring data controllers to collect and use the minimum amount of personal data to fulfill only the stated and necessary purpose is a standard requirement in international privacy laws. The PDPL outlines what defines the minimum amount of data needed by the following means:

• appropriate and necessary for achieving the specified purpose and directly related to that purpose
• limited to what is actually necessary to achieve the purpose, without collecting any additional data
• exercising due care to reasonably benefit from the technological capabilities that help achieve the purpose without collecting unnecessary data
• documenting procedures to determine the content of the personal data in accordance with the law

Personal data should not be kept any longer than necessary, e.g. it should not be kept if the processing purpose has ended. Also, if the data is no longer necessary for the purpose for which it was collected, any further data collection should cease “without undue delay” and previously collected data should be destroyed.

Controllers processing data for marketing purposes must provide a clear mechanism for data subjects on their website to enable them to opt out of or withdraw consent at any time for processing of their data for marketing purposes.

Before a controller uses physical or electronic means to contact data subjects using their personal data for advertising purposes or “awareness-raising material”, controllers must obtain explicit consent from the target data subject. Implied consent or consent that cannot be documented—and thus verified—is not valid.

The controller must also follow these requirements:

• notify data subjects of the means of sending the advertisements
• explain and provide a clear and easily accessed mechanism to stop receiving such material and how to access it at any time
• stop sending advertising as soon as requested by the data subject
• data subjects cannot be charged to request and have advertising stopped; it must be free of charge
• obtain necessary licenses and adhere to the rules and requirements for advertising as relayed by authorities
• clearly state the sender’s name in every advertisement and do not conceal the sender’s identity in any manner
• keep records of times and methods of data subjects’ consent
• advertisements must be sent by the entity to which data subjects have given their consent, and not by a third party, with limited exceptions

Data controllers or data processors working on their behalf must supply an easy to read, accessible privacy notice on their website. This is often included on a privacy policy page. This notice must include the following information:

• legal basis for personal data collection
• purpose(s) of personal data collection, including which data is mandatory for the purpose
• identity of the person or organization (data controller) collecting personal data
• data subjects’ rights
• risks and consequences of not collecting the personal data
• address for the data controller’s representative

A privacy policy or notice must be regularly reviewed and updated, and data subjects must be notified about changes to the policy.

In many cases, controllers are required to appoint an employee (or more than one) as a Data Protection Officer, to be responsible for the controllers’ obligations to the law and the organization’s data privacy operations and compliance.

They will be the direct point of contact for the data protection authority and are responsible to carry out the authority’s decisions and instructions. They will also oversee and enable:

• responses to data breaches or other violations
• data subjects’ requests to enable them to exercise their rights
• arranging and maintaining training for employees
• spearheading data protection impact assessment procedures and audits

Data controllers must select vendors and partners to process data on their behalf with care, ensuring that such entities will provide the most guarantees of compliance with the law, including conducting risk assessments, reviews, and ensuring adequate security for personal data. Both entities must abide by conditions set by the regulatory authority.

There must be a contractual agreement outlining the rights and obligations of both parties and requirements for the work to be done. The subject matter and purpose of processing needs to be included, as well as the categories and types of personal data to be processed.

Processors must inform the controller immediately if there is a risk of or actual data breach or other unauthorized access or damage to personal data. A processor that is already engaged in data processing under contract with a controller must also obtain the current controller’s approval before entering into a new contract with any other party (controller) to process personal data.

Under the PDPL multiple entities are potentially responsible for receiving notifications of violations, investigating them, and taking action or levying penalties.

The Saudi Data and Artificial Intelligence Authority (SDAIA) will be primarily responsible for enforcing the PDPL within the borders of Saudi Arabia. In the law’s text, the enforcement authorities are referred to as the Competent Authority and Regulatory Authority. The Public Prosecution Office will have responsibility for investigation and prosecution of violations.

For two years the SDAIA will oversee the implementation of the law, advise organizations on operational compliance and keep track of data subjects rights requests, in addition to other duties like levying penalties for violations. After two years, a transfer of supervision to the National Data Management Office (NDMO) is planned.

The authorities will employ Violation Detection Officers for investigative purposes. Individuals can make reports or complaints of violations to these authorities. The authorities are required to ensure “speedy and quality” procedures to deal with communications and complaints, and can request evidence or additional information about issues.

Individuals’ complaints should be made within 60 days of the violation or when the data subject became aware of it. Either Authority may review cases and notify the complainant of the outcome.

Upon discovery of a personal data breach, the entity breached must immediately notify the regulatory authority. If the breach risks causing serious harm to affected individuals, those people also should be notified immediately. A breach can include a leak or illegal access to, or damage or destruction of personal data.

If a controller or other entity is found guilty of a PDPL violation by the Public Prosecution Office, the outcome can range from a warning to fines up to SAR 5 million (~€ 1.19 million or ~US $1.33 million). If there are repeated offenses, the court may double the fine, up to SAR 10 million.

Violations involving cross-border data transfer are subject to imprisonment for a maximum of one year and/or a fine up to SAR 1 million (~€ 237000 or ~US $266,000).

Any entity that publishes or otherwise discloses sensitive personal data is subject to imprisonment for up to two years and a fine of up to SAR 3 million (~€ 711000 or ~US $800,000) if the violation is committed with intent to cause damage to the data subject or to achieve personal benefit.

Organizations that have achieved GDPR compliance will have done most of the work to achieve PDPL compliance. However, all entities processing personal data of Saudi or UAE residents should ensure that they are familiar with the particulars of the law and consult qualified legal counsel and/or their own privacy expert, like a Data Protection Officer.

Enact standard best practices for data privacy and protection, including operations that include data inventories and audits, with accurate classification for various kinds of data, especially sensitive personal data. There should be formalized, regularly reviewed policies and training for personal data handling, managing data subject requests, and data breach response.

Ensure that explicit and valid consent is obtained from data subjects for data collected, and that data subjects are clearly informed about the processing and their rights, and have easy access to deny or revoke consent.

Map processes and data flow and know where cross-border data transfer occurs or may occur. Have an up to date adequacy list of countries.

Implement robust technical and organizational measures for security and data protection and conduct data protection impact assessments, vendor assessments, and other similar measures.

Determine if the organization needs to appoint a Data Protection Officer and/or a representative in Saudi Arabia if their operations are not located there. They should also register themselves within the Kingdom.

Provide notification to data subjects via a privacy policy or notice about their data processing activities and regularly review and update them. A consent management platform (CMP) can also help on websites and apps to manage cookie consent.

If you have questions about compliance with Saudi Arabia’s Personal Data Protection Law or interest in implementing a consent management platform to help achieve compliance with that regulation and others around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.