



Explore the latest changes to Saudi Arabia's Personal Data Protection Law (PDPL). Learn about expanded data subject rights and new requirements for businesses.
The Kingdom of Saudi Arabia (KSA) enforced its Personal Data Protection Law (PDPL) on September 14, 2023. This law is the first comprehensive data privacy law in Saudi Arabia, and it aims to regulate the collection, processing, and transfer of personal data in the country. The PDPL gives individuals, known as data subjects, various rights regarding their personal data.
The PDPL is a comprehensive law that applies to all organizations that process personal data in the KSA, regardless of whether they are located in the KSA or abroad. The law defines personal data as any information that relates to an identified or identifiable individual.
The Saudi Data & Artificial Intelligence Authority (SDAIA) issued the Implementing Regulations to the PDPL on September 7, 2023. The Implementing Regulations provide further guidance on the application of the PDPL, including the following:
Under the PDPL, data subjects have a number of rights, including the right to:
Your business can only process personal data if it has a lawful ground to do so. The PDPL specifies the following lawful grounds for data processing:
Under the PDPL, data controllers have a number of obligations, including:
Data processors are organizations that are in charge of processing personal data on behalf of data controllers. Under the PDPL, data processors have a number of obligations, including:
Here are some additional tips for data processors to comply with the PDPL:
The Saudi Arabia Personal Data Protection Law (PDPL) imposes specific regulations on transferring personal data outside the Kingdom. Organizations must:
In addition to the general data transfer requirements under the PDPL, organizations must also comply with the following requirements for the transfer of sensitive data:
Examples of sensitive personal data include:
Organizations that process sensitive personal data should take all necessary steps to ensure that they comply with the PDPL's requirements for data transfers. This includes implementing appropriate security measures, notifying data subjects of transfers, and obtaining written agreements from recipient organizations.
The PDPL establishes a number of principles for the lawful collection and protection of personal data, including:
Data subjects can exercise their right of access to personal data by submitting a written request to the data controller. The data controller must respond to the request within 30 days and provide the requested information free of charge.
The request should be clear and concise, and it should specify the personal data that the data subject is requesting access to. The data controller may request additional information from the data subject to verify their identity and to ensure that they are entitled to access the requested information.
The data controller must respond to the request within 30 days of receiving it. If the data controller is unable to respond within 30 days, they must provide the data subject with a reason for the delay and a new deadline for responding.
The data controller must provide the requested information in a clear and concise manner. The information must be provided in a format that is understandable to the data subject.
The data controller is not required to provide access to personal data if it is likely to cause harm to the data subject or to others. For example, the data controller may refuse to provide access to personal data if it is likely to reveal the identity of a law enforcement officer or if it is likely to jeopardize an investigation.
If the data controller refuses to provide access to personal data, they must provide the data subject with a reason for the refusal. The data subject may appeal the refusal to the SDAIA.
The PDPL will have a significant impact on organizations that process personal data in the KSA. Your business will need to ensure compliance with the PDPL's implementing regulations and take necessary measures to protect personal data and facilitate secure data transfers.
Your business can prepare for the PDPL by taking the following steps:
By taking these steps, your business can minimize the risk of non-compliance and protect the personal data of its customers and employees.
Ensure your business is fully compliant with Saudi Arabia's Personal Data Protection Law with Secure Privacy—your trusted Consent Management Platform (CMP).

With the Implementing Regulations of the PDPL now in effect, organizations must adhere to strict data protection standards, including obtaining explicit consent, managing cross-border data transfers, and ensuring information security.
Secure Privacy simplifies these requirements by automating consent collection, providing transparency on data processing, and ensuring compliance with global and local data privacy laws. Stay ahead of regulatory requirements while building trust with your customers by implementing a seamless data protection solution today.
The enforcement of the PDPL in Saudi Arabia in September 2023 will bring significant changes to the data protection landscape in the country. Your business will need to ensure compliance with the PDPL's implementing regulations and take necessary measures to protect personal data and facilitate secure data transfers. It is important for both data controllers and processors to familiarize themselves with the provisions of the PDPL and establish robust data protection practices to safeguard personal data and maintain the trust of their customers.
On September 14, 2024, the updated Implementing Regulations of the Personal Data Protection Law (PDPL) came into effect. These regulations clarify key rights of data subjects, such as the right to be informed about the purpose of data collection, the ability to access, correct, and delete personal data, and the ability to revoke consent. Additionally, the regulations define the lawful grounds for collecting and processing personal data and set forth the responsibilities and obligations of data controllers.
These latest updates to the Saudi Arabia Personal Data Protection Law bring a number of key changes and clarifications:
These updates are designed to align the PDPL with global data protection frameworks like the GDPR, ensuring a robust legal framework for protecting personal data in Saudi Arabia.