Saudi Arabia’s Personal Data Protection Law — Tsaaro

The Kingdom of Saudi Arabia has passed its Personal Data Protection Law (PDPL), but multiple questions remained regarding the date on which it would come into force and the inclusion of the proposed amendments.

The Personal Data Protection Law of Saudi Arabia (KSA) was recently amended under Royal Decree No. M/148 dated 05/09/1444H (corresponding to 27 March 2023) (Amended PDPL). These amendments were preceded by a public consultation launched by the Saudi Data and Artificial Intelligence Authority (SDAIA) in late 2022, although not all the proposals have been implemented.

The amendments to the KSA Personal Data Protection Law introduce several concepts that are more closely aligned with international standards such as the EU General Data Protection Regulation (GDPR).

EFFECT OF PDPL KSA

The KSA Personal Data Protection Law will take effect 720 days after the publication of the original law in the Official Gazette, which means an effective date of 14 September 2023.

Further, it is important to note that organizations that fall within the ambit of the PDPL will have a one-year grace period to comply with the PDPL from the date it comes into force.

THE PROPOSED AMENDMENTS TO PDPL

The following are the proposed amendments to Saudi Arabia's Personal Data Protection Law.

Definitions

The definition of “Sensitive Personal Data” has been narrowed and now refers solely to personal data relating to an individual’s ethnic or racial origin, religious, intellectual, or political belief, criminal and security data, biometric data, genetic data, and health data.

The definition of “Owner of Personal Data” was also amended, removing the previous extension to an individual’s legal representative or guardian. It now refers only to the individual to whom the personal data relates.

Legitimate interest as a legal basis for processing data

Another significant amendment was the inclusion of legitimate interest as a lawful basis for processing data, but the term is not defined under the PDPL.

In the originally published version of the PDPL, consent was not required only in limited circumstances, which remained a point of criticism. The revision permits processing where it is necessary to achieve a legitimate or lawful interest of the controller that does not affect the data subject's rights. This legal basis does not apply to sensitive data.

Legitimate interest remains a legal basis for the collection of personal data and also for the disclosure of personal data to third parties. The addition of legitimate interest seems to be beneficial.

Previously, the data controller could only disclose personal data in five prescribed circumstances. The amendments now also permit disclosure if it is necessary to achieve the legitimate interests of the controller, provided such disclosure does not prejudice the rights of the owner of the data, conflict with that owner's interests, or involve sensitive personal data.

International data transfers

Significant amendments were also made pertaining to international data transfers. The amendments now include the requirement that there shall be an appropriate level of protection for personal data outside of the KSA (which must not be less than the level of protection stipulated in the PDPL and the associated regulations). The executive regulations supplementing the PDPL shall specify the provisions, standards, and procedures, including the circumstances in which a controller may be exempt from compliance with any of the prescribed conditions.

Penalties in the case of non-compliance

A penalty of imprisonment for a period of 2 years and/or a fine not exceeding 3,000,000 Saudi Riyals applies where a person discloses or publishes sensitive personal data in violation of the PDPL. Administrative fines of up to 5,000,000 Saudi Riyals may also be issued for any other violation of the PDPL.

Organizations must be aware of the proposed amendments to Saudi Arabia’s Personal Data Protection Law and of its effective date in order to comply and avoid the penalties.

If you are an organization that wants to comply with Saudi Arabia’s PDPL, reach out to our team of experts at Tsaaro for assistance and compliance services.
