In September 2021, the Kingdom of Saudi Arabia (KSA) introduced their first data protection law, the Personal Data Protection Law (PDPL) in the government’s Official Gazette.
Three years later, The KSA becomes the latest nation to join the list of countries with regulations on personal data use. On 13th September 2024, this law becomes fully enforceable.
So, what is included in this law? Who does it apply to? How does it compare with existing data protection legislation such as the General Data Protection Regulation (GDPR)?
Who and what will the PDPL apply to?
The PDPL will be applicable to the processing of personal data by companies or public entities which take place in the Kingdom of Saudi Arabia, or relate to the personal data of residents of the Kingdom by companies located outside the Kingdom.
How is personal data defined in the PDPL?
There are clear similarities between the PDPL and GDPR in how personal data is defined.
In Article 1(4) of the PDPL, the definition of personal data is any information through which an individual may be directly or indirectly identified. This includes their name, social security number, phone numbers, addresses, bank account and credit card details, and pictures.
The PDPL also provides that “personal data” includes the data of a deceased person, if such data would lead to their identification or a family member’s identification.
What obligations on controllers does the PDPL introduce?
There are, as expected, obligations on controllers under the PDPL. These obligations range from choosing a processor who also gives effect to the provision of the PDPL, to provisions governing the engagement of any sub-processors.
Article 11(1) of the PDPL states that there must be a direct link to the controllers processing purposes for collecting data, so therefore, there is a purpose limitation imposed. If the purpose for collecting the personal data no longer persists, then the controller must stop collecting such data and dispose of any that it has without delay.
Like the GDPR, the PDPL provides a need for transparency. Controllers are required to put a privacy notice in place for data subjects to view prior to collection of their data. Likewise, controllers shall not process personal data without taking steps to check the accuracy, completeness and ensuring that it is purpose-specific. The PDPL also states that controllers are required to be aware of the consequences of their processing which means a Data Protection Impact Assessment (DPIA) is needed to evidence the processing of personal data.
The appointment of DPOs in the PDPL
The PDPL specifies that controllers are required to appoint a person or persons to implement the provisions of the PDPL which means the creation of a Data Protection Officer (DPO) if one does not already exist. This, of course, is very similar to the GDPR’s provisions.
(If your organisation requires a DPO, you can outsource this role to us here at DPAS. Click to learn more about our outsourced DPO services.)
What data subject rights does the PDPL provide?
Again, much like the GDPR, the PDPL provides rights for data subjects. It provides that requests from data subjects be responded to in a time period determined by the regulations. However, the controller may determine periods for exercising the right of access in accordance with what the competent authority deems as a reasonable period.
Additionally, damages are available to data subjects for material and non-material loss in relation to breaches of the PDPL and/or the regulations.
What does the PDPL provide relating to data security?
There are security and incident response measures in the PDPL – echoing the GDPR – as well as the requirement for controllers to inform a competent authority when they become aware of a data security breach.
What are the penalties for non-compliance and how do they compare to the GDPR?
The penalty in relation to the disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million, or approximately €728,800 (Article 35(1) of the PDPL).
Penalties under the PDPL are limited to a warning notice or a fine not exceeding SAR 5 million (approx. €1,214,958). Any of the fines may be increased to up to double the stated maximums for repeat offences (Articles 35(4) and 36(1) of the PDPL). The court may also order confiscation of funds gained as a result of violations of the law and/or require publication of the judgement at the offender’s expense.
Under the GDPR, there are two tiers of fines. The less severe infringements could result in a fine of up to €10 million, or 2% of the worldwide annual revenue from the preceding financial year, whichever amount is higher. If the infringement is more serious, this could reach a fine of up to €20 million, or 4% of the worldwide annual revenue from the preceding financial year, whichever amount is higher.
Complying with data protection law builds trust
Privacy law in the UK has long been seen as a way of earning trust of customers and others whose personal data is being processed. The PDPL aims to foster trust in the citizens of Saudi Arabia by ensuring that personal data is processed responsibly and securely.
By aligning with international standards, the PDPL provides robust safeguards for personal data, benefiting both individuals and organisations. As the enforcement date approaches, businesses must ensure compliance to avoid penalties and build trust with their stakeholders.
Looking for support with compliance?
For further information or assistance with compliance with the PDPL (or any other data protection legislation), contact our experts today. Our team of professionals have years of experience working internationally with multinational organisations, and are happy to help you achieve your compliance goals.
Get in touch with us by calling 0203 3013384, emailing us at info@dataprivacyadvisory.com, or by filling in a contact form. Our team will get back to you as soon as possible.
Navigating your data protection obligations can be complicated, so let us make it simple for you.