Understanding Saudi Arabia’s Personal Data Protection Law (PDPL): Implications for Businesses and Individuals

Saudi Arabia recently passed a new privacy law, the Personal Data Protection Law (PDPL), set to effect on July 30, 2021. This law is part of a broader initiative by the Saudi Arabian government to modernize its legal system and bring it in line with international standards. In this blog post, we will explore the key features of the PDPL and how it will impact individuals and businesses in Saudi Arabia.

What is the PDPL?

The Personal Data Protection Law (PDPL) is a new law that sets out rules for collecting, processing, and storing personal data in Saudi Arabia. It was introduced to protect individual’s privacy rights and ensure their personal data is processed fairly and transparently.

The PDPL is based on international best practices, including the EU’s General Data Protection Regulation (GDPR), widely regarded as one of the world’s most comprehensive and robust privacy laws. However, the PDPL has some key differences from the GDPR, which we will explore in more detail below.

Key Features of the PDPL

Scope of the Law

The PDPL applies to any individual or entity that processes personal data in Saudi Arabia, regardless of whether they are based there. This means that businesses operating in Saudi Arabia and international businesses that process personal data in Saudi Arabia will be subject to the law.

Definition of Personal Data

The PDPL defines personal data as “any information that relates to an identified or identifiable natural person.” This includes names, addresses, phone numbers, email addresses, identification numbers, and any other data that can be used to identify an individual.

Consent

One of the key principles of the PDPL is that individuals must consent before their personal data is collected, processed, or stored. This consent must be freely given, specific, informed, and unambiguous. It must also be revocable at any time.

Data Controller and Processor

The PDPL distinguishes between data controllers and data processors. A data controller is an individual or entity that determines the purposes and means of processing personal data. A data processor is an individual or entity that processes personal data on behalf of the data controller.

Rights of Individuals

The PDPL gives individuals several rights about their personal data, including the right to access their data, the right to rectify their data, the right to erasure (also known as the right to be forgotten), the right to restrict processing, the right to object to processing, and the right to data portability.

Data Breach Notification

The PDPL requires data controllers to notify the relevant authorities and affected individuals during a data breach. The notification must be made without undue delay and include information such as the nature of the breach, the categories of personal data affected, and the measures taken to mitigate the breach.

Cross-Border Data Transfers

The PDPL restricts the transfer of personal data outside of Saudi Arabia unless certain conditions are met. These conditions include obtaining the data subject’s consent, ensuring that the recipient country provides adequate protection for personal data, and implementing appropriate safeguards to protect the personal data.

Comparison with GDPR

While the PDPL is based on international best practices, it has some key differences from the GDPR. One of the main differences is that the PDPL does not require businesses to appoint a Data Protection Officer (DPO), a mandatory requirement under the GDPR for certain businesses. The PDPL does not include the GDPR’s “right to be forgotten” and “right to object to profiling” provisions.

However, the PDPL includes some provisions that go above and beyond the GDPR, such as the requirement for data controllers to obtain explicit consent from individuals before processing their personal data. The PDPL also includes more detailed provisions around the rights of individuals, including the right to data portability.

Another key difference between the PDPL and the GDPR is the approach to cross-border data transfers. While the GDPR restricts transfers of personal data to countries outside of the European Economic Area (EEA) unless certain conditions are met, the PDPL only requires businesses to ensure that the recipient country provides adequate protection for personal data. This means businesses in Saudi Arabia may have more flexibility when transferring personal data outside the country.

Impact on Individuals and Businesses

The PDPL will significantly impact both individuals and businesses in Saudi Arabia. For individuals, the law provides greater protection for their personal data and gives them more control over how their data is processed. This is particularly important in an era where businesses increasingly use personal data for targeted advertising.

For businesses, the PDPL will require significant effort to ensure compliance. Businesses must review their data processing practices, update their privacy policies, and implement new processes for obtaining consent and responding to data subject requests. Failure to comply with the PDPL could result in fines and other penalties, so businesses need to take the law seriously.

Conclusion

The Personal Data Protection Law (PDPL) is a significant development in Saudi Arabia’s legal system and will have a major impact on individuals and businesses in the country. The law is based on international best practices, including the EU’s General Data Protection Regulation (GDPR), and provides greater protections for personal data. While there are some key differences between the PDPL and the GDPR, businesses operating in Saudi Arabia must take steps to ensure compliance with the new law. Overall, the PDPL represents an important step forward for privacy rights in Saudi Arabia and will help to ensure that personal data is processed fairly and transparently.

Frequently Asked Questions (FAQs)