Saudi Arabia Data Protection Law to take effect from March 23, 2022

The new Personal Data Protection Law (PDPL) in Saudi Arabia, issued by Royal Decree M/19 of 9/2/1443H (16 September 2021) following Cabinet Resolution No. 98 of 7/2/1443H (14 September 2021), has been published in the Official Gazette, starting a 180-day period before the Law takes effect on March 23, 2022. Data controllers will then have up to one year from that date to bring their arrangements into compliance.

While the implementing Regulations, still to be issued, will fill in much of the detail, the Law is a significant step in the right direction. This article gives a broad summary of the Law and notes the areas most likely to create stumbling blocks.

The PDPL protects "personal data," defined as any information, in any form, from which a person can be identified directly or indirectly. This expressly includes a person's name, identity number, addresses and contact numbers, as well as still and moving images (photographs and video recordings).

The PDPL applies to any processing of personal data that takes place in Saudi Arabia, by any means and whether carried out by private enterprises or public bodies. It also applies to the processing of personal data of individuals residing in the Kingdom by entities located outside it.

The PDPL does not apply to personal data processing for personal or family purposes.

The new legislation sets out a number of significant requirements that all businesses should be aware of:

Scope: The Law covers the personal data of all individuals residing in Saudi Arabia, citizens and non-citizens alike.

Extraterritoriality: The Law applies to any processing of Saudi residents' data, whether carried out within the Kingdom or by entities located outside it.

Cross-Border Data Transfers: Personal data may be transferred outside the Kingdom only for the specific purposes expressly set out in the Law, or for "other purposes" to be defined in the forthcoming Regulations. Even where a transfer falls within a permitted purpose, further conditions apply, including approval by the competent authority, the Saudi Data and Artificial Intelligence Authority (SDAIA), with exemptions granted only on a case-by-case basis. Separately, the Law provides for a national register of data controllers: controllers will be required to register with SDAIA and pay an annual fee.

Consent: Consent is the primary legal basis for processing personal data. It must be given in writing, subject to further conditions to be set out in the forthcoming Regulations. Personal data may be processed without consent only in the narrow set of circumstances specified in the Law.

Local Presence: Any foreign organization that processes the personal data of Saudi residents without a legal presence in the Kingdom must appoint a local representative licensed for that purpose. SDAIA will determine when this requirement comes into force.

Sensitive Data: The Law covers sensitive personal data, such as genetic, health, credit and financial data, and subjects it to additional restrictions beyond those that apply to personal data generally. The Law also envisages "reconciling" its requirements with the existing data regimes administered by other Kingdom authorities.

Breach Notification: Any breach, leak or other unauthorized access to personal data must be reported to SDAIA, and affected data subjects must be notified "immediately." This leaves little room for a lengthy internal investigation before notifying, so organizations need an incident response process that can detect, confirm and escalate such incidents quickly.

Records: Data controllers must document their processing activities and register them with SDAIA in order to comply with the Law.

Penalties: The Law imposes criminal penalties of up to two years' imprisonment and fines of up to SAR 3 million (approximately USD 800,000). Administrative fines, which can be higher (up to SAR 5 million, and may be doubled for repeat violations), may also be imposed.

Businesses based in Saudi Arabia, and foreign businesses that process the personal data of Saudi residents, are strongly advised to consult law firms in Saudi Arabia to understand the scope and applicability of the new data protection law and the penalties for non-compliance, breach or violation.

Disclaimer: As one of the leading law firms in Saudi Arabia operating in technology and telecommunications, we have put out this note for informational purposes only; it is not intended as legal advice. Specialist advice should be sought with regard to your specific circumstances.