PDPL: A new era is here on the treatment of personal data within the Kingdom.


New data protection regulations have been introduced in Saudi Arabia, affecting the processing and export of personal data. The updated Personal Data Protection Law (PDPL) became effective on 14 September 2023, with detailed regulations released on 6 September 2023. The law impacts not only local businesses but also foreign enterprises processing data of individuals in Saudi Arabia, indicating its extraterritorial reach.

Entities have until 14 September 2024 to ensure compliance with the PDPL and its regulations. After this date, the Saudi Data and Artificial Intelligence Authority (SDAIA) will oversee adherence. Unlike the prior focus on consent, businesses can now process data under ‘legitimate interests’ provided it doesn’t infringe upon individual rights or involve ‘sensitive data’ like health or religious beliefs.

The term ‘legitimate interests’ is described as essential business interests demanding data processing, which shouldn’t negatively impact data subjects. The criteria for lawful processing under ‘legitimate interests’ include the necessity of data processing, assurance that the processing doesn’t breach Saudi law, non-involvement of sensitive data, and alignment with data subjects’ reasonable expectations. Controllers must meet several assessment and documentation duties and weigh the interests favourably against potential harms to data subjects.

The PDPL includes provisions similar to the EU’s General Data Protection Regulation (EU GDPR) about transferring personal data internationally. Saudi authorities can identify countries with adequate data protection measures, paralleling the EU GDPR’s adequacy assessments. Data transfers are allowed under specific safeguards, such as standard contracts issued by Saudi officials. Firms must also assess transfer risks, especially concerning sensitive data. Additionally, data can only be transferred for specified purposes, like offering a service to data subjects or operational requirements for the data controller.

Lastly, the regulations detail the need for appointing a data protection officer, reporting data breaches, and maintaining processing records for Saudi businesses.

We at ADALAH can help you comply with the PDPL and walk you through the steps you need to take as an organization to ensure you are compliant with the changes.



© 2024, All Rights Reserved by ADALAH