Add a bookmark to get started

19 February 202410 minute read

Saudi Arabia's new Personal Data Protection Law in force

The much-anticipated Personal Data Protection Law (PDPL)1 came into effect on 14 September 2023 with data controllers given 12 months to comply (although that period may be further extended for certain entities). Accordingly, businesses within the scope of the PDPL have until 14 September 2024 to adjust their status to become compliant with the PDPL.

The Implementing Regulations are also now in force and provide further detail and guidance on various requirements in the PDPL. It consists of two connected regulations, with the first being the 'Implementing Regulations to the PDPL', and the second being the 'Regulations on Personal Data Transfers outside the Kingdom' (Transfer Regulations).

Organisations needing to comply with the PDPL should also take account of the broader legal and regulatory framework of the Kingdom of Saudi Arabia (KSA). Sector specific frameworks of relevance in this regard include those issued by the Saudi Central Bank, the National Cybersecurity Authority and the Communication, Space and Technology Commission.


Key highlights of the PDPL2
Extra-territorial effect The PDPL applies to any processing of personal data that takes place within KSA, including the processing of personal data related to individuals residing in KSA by an entity outside KSA.
Cross-border data transfers

There are detailed rules relating to the transfer of personal data outside of KSA. The PDPL allows for the transfer of personal data outside of KSA for several purposes (for example, if such action is taken to meet an obligation to which the data subject is a party) and subject to various conditions (for example, the transfer or disclosure must not compromise the national security or vital interests of KSA and must be limited to the minimum amount of personal data needed).

Subject to such requirements and conditions, the Transfer Regulations have introduced a number of circumstances where a cross border transfer of personal data is permissible. This includes to countries with appropriate levels of protection and no less than the protections afforded under the PDPL, based on an assessment and recommendations to be made to the Prime Minister by the Saudi Data & Artificial Intelligence Authority (SDAIA), including for the issuance of an adequacy decision or an international agreement with the relevant country.

However, transfers of personal data to countries which are not deemed as having an adequate level of protection may still be made based on "appropriate safeguards," such as adopting Business Common Rules, Standard Contractual Clauses, Certifications of Compliance and/or Binding Codes of Conduct. If the data controller is unable to use any of the appropriate safeguards, there are still limited cases where cross border transfers are permissible, such as if the transfer is necessary for the performance of an agreement to which the data subject is a party or if the transfer is necessary to protect the vital interests of a data subject that is unreachable. Such transfers are still however subject to various controls.

Transfer risk assessments Data controllers are required to conduct a transfer risk assessment for transfers of personal data outside of KSA when the transfer is based on "appropriate safeguards" or any of the limited cases where the data controller is unable to implement such measures (see above), or if there is continuous or large-scale transfers of sensitive data outside KSA.
Legitimate interests

The PDPL recognises the concept of "legitimate interest" as one of the legal bases for processing of personal data, although this does not extend to the processing of sensitive data.

Data controller registration requirements

The PDPL has introduced a potential requirement for data controllers to register with SDAIA. It is expected that SDAIA will issue rules regarding such registration and will specify which data controllers must register.

Data Protection Officers (DPO)

Data controllers are required to appoint a DPO in certain circumstances. This includes where the data controller is a public entity that provides services involving the processing of personal data on a large scale, where the primary activities of the data controller consist of processing operations that require regular and continuous monitoring of individuals on a large scale, and where the core activities of the data controller consist of processing sensitive data.

Data breach notifications

The PDPL imposes data breach notification requirements to both the regulator (i.e., SDAIA) and impacted data subjects, depending on the circumstances. Where a notification to SDAIA is required, the data controller must notify within 72 hours of becoming aware of the breach. Where a notification to impacted data subjects is required, this must be made without undue delay.

Penalties for breach

The PDPL imposes criminal penalties (imprisonment of up to 2 years and/or a fine of SAR3 million (∼USD800,000)) for disclosure or publication of sensitive personal data, if committed with the intention of causing damage to the data subject or achieving a personal benefit.

Separately, SDAIA has the power to issue administrative fines of up to SAR5 million for any other violation, which may be doubled for repeat violations, and is appealable. This would appear to apply to breaches around issues such as failing to obtain appropriate consent, failure to respect data subject rights, failure to provide adequate notice of processing and so on.

What's next

All businesses operating in, to, or with, KSA need to consider how the PDPL will affect them. To do this, businesses should at least consider the following:

  1. Confirming whether the business handles personal data and the types of personal data.
  2. Determining in which capacity the business handles the personal data i.e., is it a data controller, a data processor or both?
  3. Confirming where that personal data is stored, and who it is processed by. Is the personal data being transferred outside of KSA and if so, to which country?
  4. Confirming how data subjects' personal data has been processed and whether this is in accordance with a legal basis for processing as provided under the PDPL.
  5. Reviewing their existing personal data compliance framework and checking whether this aligns with the PDPL.

Answers to these questions will inform the actions needed for an organisation to become compliant with the PDPL.

It is anticipated that further guidelines will be issued in relation to various provisions of the PDPL in due course, and so developments in this area should continue to be monitored.

Our dedicated data protection team has in-depth experience in assisting regional and international businesses with their compliance requirements.

If you would like to discuss any element of the PDPL, or any other requirements pertaining to data protection in KSA, please contact the authors of this article.

This article was co-authored by Paul Allen, Partner, Global Co-Chair, Intellectual Property and Technology, DLA Piper, Lili Elenoglou, Legal Director, DLA Piper and Mohamed Moussallati, Legal Director, Alshahrani Law Firm.

1 The Personal Data Protection Law (issued pursuant to Royal Decree No. M/19 of 9/2/1443 H (corresponding to 16 September 2021), as amended by Royal Decree No. M/148 dated 5/9/1444H (corresponding to 27 March 2023)).
2 The below is not intended to be an exhaustive statement of all requirements under the PDPL.