Saudi Arabia’s Personal Data Protection Law (PDPL) came into effect in September, requiring companies operating in the Kingdom of Saudi Arabia (KSA) to comply strictly with its stringent data protection requirements. Broadly based on the EU’s GDPR, the PDPL is designed to safeguard personal information and regulate data handling practices, reflecting Saudi Arabia’s commitment to embedding robust data privacy best practices as part of its Vision 2030 goals.

Under the new law, companies must secure explicit consent for data collection, maintain rigorous security protocols, and notify the Saudi Authority for Data and Artificial Intelligence (SDAIA) of any data breach within 72 hours.  

Global data protection officers should note that the requirements of the PDPL include the appointment of data protection officers (DPOs) and the implementation of data-centric security measures. The PDPL sets conditions under which a DPO must be appointed. These include instances where the controller:

  • is a public entity engaged in large-scale data processing as part of its services;
  • has primary operations that involve regular and systematic monitoring of data subjects; and
  • has main activities that revolve around processing sensitive data.

Additionally, the PDPL completely prohibits the transfer of personal data outside Saudi Arabia if it is deemed capable of impacting the nation’s security or vital interests, or if it contravenes any other KSA laws. Aside from this, international data transfer is restricted unless the recipient country meets adequacy thresholds, including the use of standard contractual clauses. At this time, the list of countries that will benefit from adequacy is yet to be published. The potential standard contractual clauses that businesses can use to transfer personal data lawfully outside Saudi Arabia are also yet to be established.

DPOs advising businesses operating in Saudi Arabia should carefully review the privacy programme in place and ensure the policies, documentation and governance frameworks meet the strict regulatory requirements. 

With an experienced global team of data protection officers, HewardMills can help you navigate the finer points of the PDPL and many other global data protection laws. If you’re unsure how these regulations impact your business or need guidance on compliance, contact our team. 

 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.