Kingdom of Saudi Arabia’s New Personal Data Protection Law and Implementing Regulations—Key Obligations, Responsibilities and Rights
On September 7, 2023, the Saudi Authority for Data and Artificial Intelligence (SDAIA) issued the Implementing Regulations of the Personal Data Protection Law (the Implementing Regulations) and the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom (the Data Transfer Regulations, together, the Regulations). The Regulations mark an important development in the Kingdom of Saudi Arabia’s (KSA) data protection landscape, as they set out helpful clarity and significant detail supplementing the KSA Personal Data Protection Law (PDPL), the KSA’s first comprehensive national data protection legislation, which is broadly modelled on the GDPR. The PDPL and the Regulations entered into force on September 14, 2023 (see our previous blog post here), although data controllers have a one-year grace period to comply with the PDPL (i.e., until September 14, 2024). The legal framework applies across all industry sectors and prescribes strict obligations on almost anyone dealing with personal data, such as reporting data breaches within 72 hours, appointing a Data Protection Officer in certain circumstances, carrying out legitimate interest assessments and data protection impact assessments, and maintaining a record of processing activities. The international data transfer restrictions are to a degree stricter than the General Data Protection Regulation (GDPR), as the grounds on which transfers may be carried out are more limited, absent adequacy decisions or appropriate safeguards. As the PDPL and the Regulations have now entered into force, businesses should promptly implement compliance measures.
The Regulations (issued one week prior to the enforcement date of the PDPL) expand upon the provisions of the PDPL and outline additional compliance obligations. We set out below the key features of the Regulations.
1. Implementing Regulations
The PDPL regulates the processing of personal data relating to an individual in the KSA by any means, including where such processing is conducted by a party outside the KSA, and further establishes certain novel rights for individuals in relation to how their personal data is processed. The Implementing Regulations clarify and supplement the PDPL. Key features of the Implementing Regulations include:
Data Subject Rights: Data controllers are obligated to act on a request from a data subject within 30 days (except in certain instances in which this period may be extended by an additional 30 days, e.g., if the data controller receives multiple requests from the data subject) and to provide appropriate means for requests to be processed. While Article 4 of the PDPL outlines the various rights available to data subjects, the Implementing Regulations now provide further detail and clarity, including:
- Right to be Informed: The Implementing Regulations differentiate between instances in which data is collected (A) directly from a data subject and (B) from an individual other than the data subject. In respect of (A), a data controller is required to take the “necessary measures” to inform data subjects of prescribed information, including the legal basis and a “specific, clear, and explicit purpose” for the processing. The PDPL specifically requires that a data controller use a privacy policy to make certain information available to data subjects.
In respect of (B), a data controller shall “without undue delay” and within 30 days take steps to inform the data subject of the prescribed information, in addition to the source from which the data controller obtained the data. The Implementing Regulations impose additional obligations where the data controller’s activities require continuous and large-scale processing of personal data, continuous monitoring of data subjects, adoption of new technologies or making automated decisions based on personal data. However, the right to be informed does not apply in certain instances, such as where the relevant information is already available or the provision of the information conflicts with KSA laws.
- Right of Access and to Request a Copy: The Implementing Regulations note that the right to access and to request a copy of personal data in a “readable and clear format” and a “commonly used electronic format” (although the data subject may request a printed hard copy if feasible) are subject to certain conditions, including that exercising the right should not negatively impact the rights of others. Data controllers are obligated to ensure that they do not disclose the identity of another individual when granting access to the data.
- Right to Restrict Processing: The Implementing Regulations stipulate that data subjects have a right to restrict the processing of their personal data when its accuracy is contested (for a period enabling the data controller to verify such accuracy), although the data controller may request supporting evidence.
- Right to Request Destruction: The Implementing Regulations set out circumstances in which a data controller shall be required to destroy personal data, such as upon the exercise of a data subject’s rights, where the personal data is no longer necessary to achieve the purpose for which it was collected, or if the data controller becomes aware that the data is being processed in violation of the PDPL. The Implementing Regulations also prescribe the steps a data controller must take when destroying personal data.
Anonymization: The Implementing Regulations impose obligations on data controllers when anonymizing personal data, including ensuring that it is “impossible” to re-identify a data subject after the anonymization and requiring that the data controller evaluate the impact and the effectiveness of the techniques applied for anonymization. The data controller must take the necessary organizational, administrative and technical measures to avoid the risks identified and make the necessary adjustments to ensure re-identification is not possible. The Implementing Regulations further confirm that anonymized data shall not be considered personal data.
Consent: Consent is at the forefront of the PDPL. The Implementing Regulations confirm that consent for the processing of personal data can be in “any appropriate form or means, including written or verbal consent or by using electronic methods,” subject to certain conditions. For example, the consent must be documented in a manner that allows verification in the future and independent consent should be obtained for each processing purpose. Furthermore, consent must be explicit in certain instances, including where the processing involves sensitive data or credit data. The Implementing Regulations provide detail regarding the data subject’s right to withdraw consent, including specifying that a data controller shall cease processing data “without undue delay” if consent is withdrawn.
Legitimate Interest: The Implementing Regulations stipulate the conditions under which a data controller may process data on the basis of legitimate interests, including that the purpose must not violate any KSA laws, that there be a balance between the rights and interests of the data subject and the legitimate interests of the data controller, and that such processing be within the “reasonable expectation” of the data subject. Importantly, before processing data on the basis of legitimate interests, the Implementing Regulations require a data controller to conduct and document an assessment of the proposed processing and its impact on the rights and interests of data subjects. The Implementing Regulations set out further detail regarding what such an assessment must entail.
Data Processors: The Implementing Regulations provide helpful detail regarding the selection of data processors and sub-processors, including noting that any data processor chosen must provide sufficient guarantees to protect personal data. The Implementing Regulations further set out the information that must be contained in a data processing agreement, such as the purpose of processing and a clarification as to whether the data processor is subject to regulations in other countries that may impact their compliance with the PDPL. Furthermore, data controllers shall be responsible for periodically assessing a processor’s compliance with the PDPL and may appoint an independent third party to assist and monitor a processor’s compliance. Notably, if a processor violates the instructions issued by the data controller or the processing agreement, the processor shall be considered a data controller and held directly accountable.
Disclosure of Personal Data: The Implementing Regulations address data controllers’ obligations in response to a request from a public authority, including requiring that controllers document the request for disclosure. In addition, except as provided in the PDPL, when disclosing data to a third party, the Implementing Regulations require the data controller to take “necessary care and provide sufficient guarantees,” such as ensuring the pseudonymization of personal data.
Personal Data Breaches: The Implementing Regulations provide that data controllers must take the necessary organizational, administrative and technical measures to ensure the privacy of the data subject and the security of personal data. A data controller must notify the competent authority within 72 hours of becoming aware of a data breach if such incident potentially causes harm to the personal data or the data subject or conflicts with the data subject’s rights or interests. The Implementing Regulations specify the details that must be included in the notification, including a description of the breach and number of impacted data subjects. If a data controller is unable to provide the required information within 72 hours, it must do so “as soon as possible” together with a justification for the delay. Data controllers are further required to retain a copy of any reports submitted and document the corrective measures taken. In the event the breach causes damage to personal data or conflicts with the data subject’s rights or interests, the controller must also notify the data subject “without undue delay”; such notification must be in “simple and clear language” and include prescribed information.
Data Protection Impact Assessment (DPIA): The Implementing Regulations set out the circumstances in which a DPIA may be required, including in respect of the processing of sensitive personal data or where the data controller is providing a product or service that involves processing data likely to cause “serious harm” to the privacy of data subjects. The Implementing Regulations specify the minimum requirements of a DPIA and confirm that a controller must provide a copy of the DPIA to any processor acting on its behalf in relation to the relevant processing.
Advertising and Direct Marketing: The Implementing Regulations confirm that a data controller must obtain consent before sending advertising or awareness material (which is not further defined in the PDPL or the Regulations) in cases where there is no “prior interaction” between the data controller and the targeted recipient. There are also specific conditions for obtaining consent in these circumstances. Similarly, the Implementing Regulations require that a controller obtain consent from a data subject prior to processing data for direct marketing purposes.
Data Protection Officer (DPO): The Implementing Regulations stipulate that (i) a data controller must appoint one or more individuals to be responsible for the protection of personal data in certain circumstances (including where the primary activities of the data controller consist of processing that requires regular and continuous monitoring of individuals on a large scale or involve processing sensitive personal data) and (ii) such person may be an employee or an external contractor. The Implementing Regulations also clarify the responsibilities of a DPO.
Records of Processing Activities (ROPA): Under the Implementing Regulations, data controllers are required to keep a written, accurate and up-to-date ROPA for the duration of their data processing activities and for five years from the date of completion of the processing. The Implementing Regulations outline the minimum information that must be included in the ROPA and further note that the competent authority shall provide a template ROPA.
Other Key Features: The Implementing Regulations contain specific provisions applicable to the processing of health data, the processing of credit data, the processing of data for scientific, research or statistical purposes, and the role and obligations of legal guardians. The Implementing Regulations state that the competent authority shall issue rules regarding registration in a National Register of Controllers and shall specify which data controllers are required to register. Data subjects may also file a complaint with the competent authority within 90 days from the date of an incident.
2. Data Transfer Regulations
The Data Transfer Regulations outline the circumstances in which a data controller may lawfully transfer personal data or disclose such data to a party outside the KSA. The regulations provide helpful clarity and additional detail to Article 29 of the PDPL.
Article 2 of the Data Transfer Regulations sets out certain overarching provisions, including that any transfer or disclosure of personal data outside the KSA should be limited to the minimum amount necessary to achieve the purpose of the transfer and requiring that the data controller ensure the transfer does not impact the privacy of data subjects or the level of protection guaranteed under the PDPL.
The Data Transfer Regulations provide for the competent authority (to be determined by a resolution of the Council of Ministers) to coordinate with the relevant authorities in the KSA to conduct an assessment of the level of protection for personal data in jurisdictions outside the KSA and to submit the results of the assessment to the Prime Minister. The competent authority also needs to submit its recommendation as to whether the Prime Minister ought to issue an adequacy decision, to enter into an international agreement with the relevant jurisdiction, or to do neither. The Data Transfer Regulations set out the criteria that the competent authority shall consider and note that the assessment shall be reviewed every four years or as necessary.
Articles 5 through 7 of the Data Transfer Regulations clarify the circumstances in which a data controller may transfer personal data outside the KSA in the absence of an adequacy decision. Article 5 of the Data Transfer Regulations stipulates that, in the absence of an adequacy decision, a data controller may transfer data outside the KSA if “appropriate safeguards” are in place (provided the regulatory requirements in the relevant country do not prejudice the privacy of data subjects or the ability to enforce the appropriate safeguards). The Data Transfer Regulations state that “appropriate safeguards” may comprise (i) binding common rules, (ii) standard contractual clauses (in accordance with a standard form to be issued by the competent authority), (iii) certifications of compliance or (iv) binding codes of conduct. The Data Transfer Regulations provide further detail regarding each of these safeguards.
In the event that a data controller is unable to use any of the data transfer safeguards specified in Article 5 (and in the absence of an adequacy decision), Article 6 provides that the transfer of personal data outside the KSA may be permitted only (i) where the transfer is necessary for the performance of an agreement to which the data subject is party or (ii) if the transfer is necessary to protect the vital interests of a data subject that is “unreachable.” If the data controller is a public entity, it has two additional grounds on which it could rely: where the transfer is necessary for the protection of the KSA’s national security or for the public interest, or for the investigation or detection of crime.
Even if a data controller can transfer data in accordance with Article 5 or 6, the Data Transfer Regulations note that such transfers must “immediately” cease in certain circumstances, such as if the transfer affects the national security or vital interests of the KSA or the appropriate safeguards adopted are no longer applicable. Furthermore, a data controller is required to conduct a risk assessment of the cross-border transfer when the transfer occurs pursuant to Article 5 or 6 or involves continuous or large-scale transfers of sensitive data outside the KSA. The Data Transfer Regulations detail the substance of such a risk assessment.
Both the Data Transfer Regulations and the Implementing Regulations entered into force from the date of the PDPL’s enforcement, namely September 14, 2023. As the PDPL is now in force, businesses that are required to comply with the PDPL should promptly start examining their data processing activities, including any cross-border data transfers, to ensure timely compliance with the PDPL. Please see our previous blog post regarding actions that businesses can take. If you need assistance with complying with the new PDPL, please do not hesitate to reach out to our team for support and guidance.