A Q&A guide answering common questions and concerns about the Data Privacy landscape in Saudi Arabia.


 

Is there a data privacy law in the jurisdiction of Saudi Arabia? If yes, is it implemented? If no, what laws are relied on?

Saudi Arabia implemented the Personal Data Protection Law – Saudi Arabia Cabinet Decision No 98/1443 ('PDPL') on 17 September 2021. It was published in the Official Gazette on 24 September 2021 and comes into effect on 23 March 2022. There is a one-year window from this date to achieve compliance.

 

What significant legal instruments relating to data protection are currently pending? If any, what are the timelines? 

The PDPL refers to 'Executive Regulations'. These are supplementary to the law and are expected to be published prior to 23 March 2022. These will help entities with their implementation of the PDPL.

 

Who does the PDPL apply to?

The PDPL offers protection to natural persons who can be identified from their Personal Data, the Personal Data Owner. This also includes a representative or guardian.

The law places obligations mainly upon Controllers. A Controller is any entity that processes Personal Data. It can be an individual or an organisation. The Controller determines the purpose and manner of processing.

It applies to all Controllers located in Saudi Arabia processing Personal Data, regardless of where the individual lives, i.e. in Saudi Arabia or abroad.

It also applies extra-territorially to all Controllers located outside of Saudi Arabia who are processing Personal Data of Saudi Arabian residents. The PDPL will require Controllers outside of Saudi Arabia to appoint a personal representative in Saudi Arabia to fulfil the obligations under the law.

The PDPL also offers protection to a deceased person's Personal Data, if it would lead to identifying the Personal Data Owner or a family member.

 

Who are the relevant regulatory and enforcement authorities in Saudi Arabia with regards to personal data protection? 

The Saudi Data & Artificial Intelligence Authority ('SDAIA') is the competent authority responsible for supervising and enforcing the implementation of the PDPL for an initial two-year period, after which the supervisory role may be transferred to the National Data Management Office, the SDAIA's regulatory arm.

 

How is personal data defined in Saudi Arabia? 

Personal Data means any data that would lead to the identification of the individual specifically, or make it possible to identify the person directly or indirectly; including names, personal identification numbers, addresses, contact numbers, licence numbers, records, personal property, bank account and credit card numbers, images or recordings of the individual, and other data of a personal nature.

 

Is there a distinction between Personal Data and Sensitive Data under the laws? 

Yes, there is a distinction. Sensitive Data is defined as personal data which includes a reference to an individual's ethnic or tribal origin, or religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and security data, biometric data, Genetic Data, Credit Data, Health Data, location data, and data that indicates that both parents of an individual or one of them is unknown.

The Executive Regulations will specify additional controls and procedures regarding the processing of Credit Data and Health Data. The highlighted terms are defined in the Glossary below.

Sensitive Data may not be processed for marketing purposes [nor transferred cross-border].

Penalties involving Sensitive Data are worth noting. Anyone who discloses or publishes Sensitive Data with the intent of harming the Personal Data Owner or to achieve a personal benefit, may face imprisonment for a period not exceeding two years and/or a fine not exceeding US$800,000.

 

What is the consent requirement in Saudi Arabia?

Subject to certain exceptions, Personal Data must be processed with the consent of the Personal Data Owner. The Executive Regulations will provide details of the conditions of consent and when consent must be in writing.

The Personal Data Owner may withdraw consent at any time.

 

What restrictions are there for cross-border transfer of personal data? 

Subject to certain exceptional circumstances detailed in the PDPL and further conditions to be set out in the Executive Regulations, the Controller may not transfer Personal Data outside of Saudi Arabia unless:

1. The transfer or disclosure does not prejudice national security or the vital interests of Saudi Arabia;
2. Sufficient guarantees are in place to protect the confidentiality of the Personal Data to be transferred or disclosed, so that the standards of Personal Data protection may not be less than the standards set forth in the PDPL;
3. The transfer or disclosure must be limited to the minimum Personal Data needed; and
4. The SDAIA approves the transfer or disclosure as determined by the Regulations.

The SDAIA may also exempt the Controller, on a case-by-case basis, from being bound by these conditions if the SDAIA believes the Personal Data will have an acceptable level of protection outside of Saudi Arabia, and that such data is not Sensitive Data.

Anyone who violates the cross-border provisions of the PDPL can be punished by imprisonment for a period not exceeding one year and/or a fine not exceeding US$260,000 (approximately).

Further guidance on these provisions is expected.


Glossary of Terms

Defined terms under the PDPL:

Personal Data Owner: An individual to whom the personal data belongs, his representative, or whoever has legal guardianship over him.

Controller: Any public entity, and any person of private natural or legal capacity, that specifies the purpose and manner of processing personal data, whether they process the data by themselves or by a processing entity.

Processor: Any public entity, and any private natural or legal person, that processes personal data for the benefit of, and on behalf of, the controlling entity.

Genetic Data: all personal data related to the genetic or acquired characteristics of a natural person, uniquely identifying the physiological or health characteristics of such person, and extracted from the analysis of a biological sample of the person, such as the analysis of nucleic acids or the analysis of any other sample that leads to the extraction of genetic data.

Health Data: all personal data related to an individual's health status, whether physical, mental, psychological, or related to his health services.

Credit Data: all personal data relating to an individual's request for, or granting of, financing, whether for a personal or family purpose, from a finance entity, including any data relating to his ability to obtain credit, his ability to repay it, or his credit history.

Biometric data is not defined under the PDPL.
