Law Blog Categories


Overview: KSA Data Protection Law and Recent Updates

Published on : 09 Jun 2022

Kingdom of Saudi Arabia Data Protection Law and Recent Updates

The Mid East's safety regulatory process is complex, and it generally is becoming fairly more so with the publication of Saudi Arabia's (KSA) Personal Data Protection Law (PDPL). Whereas the PDPL integrates the primary functionality of contemporary records safety laws, it mostly is not a direct analogy of the GDPR, which is quite significant.

The PDPL is a national law, and thus, unlike the other KSA fraction privacy laws enacted to date, the PDPL, for the most part, is a particular national law, which is mostly is quite significant. The PDPL will for, the most part, keep an eye on all sectors (with possible positive exceptions mentioned below), or so they thought. As a result, the PDPL may also want to mostly be considered within the broader KSA legal and regulatory framework, as well as be considered with other quarter specific frameworks, kind such as those issued by the Saudi Central Bank, or different generation cantered frameworks, kind of such as the CITC's Cloud Computing Regulatory Framework in a big way. Key Problems It goes into full effect on March 23, 2022, or so they thought. Data Controllers then generally have another 12 months to mostly comply with the PDPL, though this period is likely to be extended mostly, which for the most part is significant.

The PDPL may be supplemented with the aid of regulations, which must generally be posted by using March 2022 and will most basically likely provide additional colour and guidance to the PDPL's actual utility in an actual major way. However, the following issues are the most important takeaways for immediate consideration: Extraterritoriality The PDPL applies to any processing of private facts associated with people that arise withinside the Kingdom, which includes processing via way of literally means of "any approach via way of means of any entity outdoor the Kingdom." To particularly carry out the facts controller responsibilities below the PDPL, pretty overseas facts controllers need to hire a consultant inside KSA who's certified via way of actually means of SDAIA in a kind of major way.

For basically minimum years, the Saudi Arabian Authority for Data and particularly Artificial Intelligence (SDAIA) will function as the regulator, which is most significant. Both the Central Bank and the Communications and Information Technology Commission (CITC) generally seem to particularly maintain their authority to mostly adjusting records safety inside their respective mandates, or so they thought. MOUs could essentially coordinate this among SDAIA, the sort of Central Bank, and CITC, which is significant. Deceased’s data. Unlike kind of many different information safety laws, the above-cited processing consists of processing a deceased person's information if doing so might bring about seeking to pick out him or one in every one of his loved ones specifically. Consent is the primary legal basis for processing; the number one particularly criminal foundation for processing is the statistics subject's consent, or so they kind of thought. The Regulations will essentially specify "I instance wherein consent ought to rein writing." This essentially shows that consent may be received in approaches apart from in writing during a few instances. However, the PDPL no longer checks with processing for "valid interests" withinside the equal manner that the GDPR and different statistics safety frameworks withinside the area do, which is quite significant. Rather, the PDPL permits for processing apart from the idea of consent if and most effective if the following situations are met:

  • The processing achieves a “particular interest” (now no longer defined) of the statistics concern and it\'s far not generally possible or pretty tough to touch the statistics concern;
  • If the processing specifically is according with any other law, or withinside the implementation of an in advance settlement to which the statistics concern particularly is a party; and
  • If the statistics controller specifically is a general public entity and such processing is needed for safety functions or to satisfy judicial requirements in a big way.

Data transfers outside the Kingdom kind of are even more strictly regulated than under current legislation, particularly contrary to popular belief. Transfers may also basically necessitate the basic approval of the information regulator. The PDPL appears to introduce a data switch regime that essentially is consistent with, if not kind of more stringent than, other current KSA legal guidelines that for the most part include information localization requirements (along with the CCRF, IOT Framework, and the prevailing particularly Personal Data Protection Interim Regulations) in an actual major way. The intense necessity to mostly preserve a data subject's lifestyles out of doors of the KSA to prevent, examine, or address ailment if the transfer specifically is withinside the fulfillment of an obligation to which the KSA basically is a celebration to generally serve the hobbies of the Kingdom or generally specific capabilities as determined with the useful resource of the usage of the Regulations Transfer of records out of doors the Kingdom is even greater strictly regulated than beneath neath modern-day legislation subtly. Transfers can also additionally nonetheless necessitate the general approval of the records regulator.

The PDPL seems to introduce a records switch regime this for the most part is constant with, however probable much greater stringent than, different current KSA legal guidelines requiring records localization (consisting of the CCRF, IoT Framework, and the prevailing Personal Data Protection Interim Regulations) the intense necessity to shop a facts subject's existence outdoor of the KSA; to prevent, examine, or deal with disease; if the switch is in the success of duty to which the KSA is a party; to mostly serve the pursuits of the Kingdom or different functions as generally decided with the aid of using the Regulations (but to be issued), which is quite significant. However, the preceding is predicated on compliance with the subsequent conditions: the switch or disclosure does no longer generally jeopardize countrywide protection or the Kingdom's critical pursuits; there essentially are sufficient safeguards for maintaining the confidentiality of the private statistics to be transferred or disclosed so that the requirements aren't any pretty much less than the requirements contained within the PDPL and the Regulations. The PDPL and the Regulations must kind of make the switch or disclosure.


Saudi Arabia is taking a progressive approach to the countrywide law of KSA organizations' use of private statistics within the Kingdom. While the duties mentioned above are more complicated than those currently in force, the grace period provided to Saudi organizations to get their structures in place to conform with the PDPL presents a welcome opportunity for inner statistics security evaluation and implementation of updates. While this progressive method differs from the faster pace of China's new PIPL, unlike GDPR and US country laws, violations of both China's PIPL and the Kingdom's PDPL can result in criminal penalties. Penalties for noncompliance are incredibly severe, with up to one year in prison or maybe SAR 1 million (approximately USD 250,000) fine for illegally transferring data out of the Kingdom, as well as up to two years in prison and a SAR 3 million (approximately USD 800,000) fine for disclosing sensitive data, as well as the SDAIA's ability to impose penalties of up to SAR 5 million (circa. USD 1.3 million). Given the severity of such penalties, it is in everyone's best interest for businesses to ensure that data is collected, used, stored, and transferred in full compliance with data protection legislation.

Related Articles

Related Publication

  • Company Formation in Dubai and UAE