TABLE OF CONTENTS
1. Introduction
2. Scope and Application of PDPL
3. Structure
4. Provisions of PDPL
5. Key Considerations
6. Comparison with GDPR
7. Challenges for organisations
8. Conclusion
Tsaaro | KSA Personal Data Protection Law
INTRODUCTION
Privacy and data protection have emerged as one of the most critical issues of an era characterised by technological revolution and a paradigm shift in how we interact with each other and with the digital world in general. Data protection is an essential element in protecting the rights of individuals and is intrinsically tied to their human rights. Privacy and data protection are not just the responsibility of the nation state; the onus of maintaining a robust privacy structure rests on organisations too. Privacy and data protection constitute the core values of effective legislation. The challenges of collecting, managing and processing the personal data of individuals are ones that a robust data protection statute can effectively regulate. Implementing and operating such legislation can be an arduous and precarious ordeal, but once in action it becomes the bedrock of a disciplined and vigorous privacy-protecting regime.

In this White Paper we enumerate and explain the various provisions of PDPL, the core principles of the legislation and the challenges it will pose to businesses and organisations. The European regime of data protection and privacy law has been the benchmark for many national legislations, both in protecting the rights of individuals and in the pragmatic implementation of data protection law in everyday business. It is therefore essential to look at the new law of the Kingdom of Saudi Arabia in light of the General Data Protection Regulation (GDPR). The key considerations of the legislation, its principles and obligations will be the bedrock for smooth implementation and functioning of the law in Saudi Arabia.
DATA PROTECTION AND THE KINGDOM OF SAUDI ARABIA
The Personal Data Protection Law (PDPL) is designed to systematically protect the "personal data" of individuals. It was enacted by Royal Decree M/19 of 9/2/1443H (16 September 2021), approving Resolution No. 98 dated 7/2/1443H (14 September 2021). After a period of 180 days from the date of publication, the law comes into effect on 23 March 2022, by which date data controllers must ensure compliance with it.

The Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. PDPL is not the first law that defines privacy for the Kingdom: the Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) ('the Basic Law') defines privacy as a right related to the dignity of an individual, guarantees the privacy of communication, and generally prohibits surveillance unless an exception applies. It also incorporates Shari'ah principles against the invasion of privacy or the disclosure of secrets.

Other acts that contain privacy provisions are:
- The Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17);
- The E-commerce Law of 2019; and
- other sectoral regulations.

These laws give regulatory powers to the National Cybersecurity Authority and the Communications and Information Technology Commission ('CITC') in their respective sectors. The CITC has been responsible for publishing:
- General rules for maintaining the privacy of personal data of users in the telecommunications and information technology sector;
- The privacy guide for assessment of risk for telecommunications service providers; and
- Criteria for determining the need to carry out privacy risk assessments.
In an age where data has become, or is becoming, the most valuable commodity, the need for a robust data protection regime is imperative. Countries around the world have realised the importance of such a regime, not only to protect the rights of their citizens but also to showcase their economic prowess. Most countries in the Middle East are recognising the need for data protection laws that prevent unlawful processing of personal data. The Kingdom of Saudi Arabia has taken a step towards establishing a comprehensive data protection mechanism for its citizens and for cross-border data processing.

Once PDPL is in force it will be imperative for entities and organisations to comply with the personal data protection law, including by appointing a representative in the Kingdom. This provision must be complied with within 5 years from the effective date of the law. The Saudi Data & Artificial Intelligence Authority ("SDAIA") will coordinate with the Central Bank and other information technology ministries on the implementation of PDPL, though the supervisory role is expected to be handed over to the National Data Management Office ("NDMO"), an authority under SDAIA.

Where a business or public entity processes, by any means, the personal data of Saudi citizens or residents, including processing carried out outside the Kingdom or by a foreign data controller, the law requires a representative appointed and licensed by SDAIA to perform the data controller's obligations under the law.
AIM OF PDPL
The PDPL aims to encapsulate the following:
- Privacy of the personal data of residents of Saudi Arabia
- Streamlining various sector-specific privacy laws under one single statute
- Regulating data sharing
- Preventing the abuse of personal data
- Developing digital infrastructure
- Supporting innovation to grow a digital economy
- Aligning Saudi Arabia with international standards

SCOPE AND APPLICATION OF PDPL
Article 1(4) of PDPL defines "personal data" as:
"any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual's name, identification number, addresses and contact numbers, photographs and video recordings of the person."

The legislation thus requires a controller that processes the personal data of citizens of the Kingdom to appoint a representative in the Kingdom of Saudi Arabia, irrespective of where the business operates or whether the data controller is a foreign entity.

Article 2(2) of PDPL states that PDPL does not apply to the processing of personal data by an individual for personal or family purposes.
STRUCTURE
Below are the topics this white paper covers, framed as preliminary questions arising from the problem statement:
- Applicability of the PDPL and what is needed for processing of personal data?
- What are the key considerations in PDPL?
- What are the core principles of PDPL?
- Can cross-border transfers take place under PDPL?
- What are the obligations of a controller under the law?
- What are the rights of data subjects under PDPL?
- Who will be accountable for a data breach, and will they be penalised?
- How is PDPL different from GDPR?
- What are the challenges an organisation will face when complying with PDPL?
- What are the future expectations from PDPL?
PROVISIONS OF PDPL
This section explains the various provisions of PDPL that are established to preserve the privacy of individuals.

1. CONSENT
Consent is the primary legal basis for processing and must be obtained in writing, subject to further requirements. Processing without consent is permitted only under the following conditions:
- the processing achieves a definite interest of the data subject and it is impossible or difficult to contact them;
- the processing is in accordance with another law or implements a pre-existing agreement; or
- the controller is a public entity and the processing is essential to meet security requirements.

2. CROSS BORDER TRANSFERS
Transfers of data outside the Kingdom of Saudi Arabia may be made only for limited purposes. Even if a transfer falls into a permitted category, it must further satisfy the following conditions for the cross-border transfer to be lawful:
- it does not adversely affect the national security of the Kingdom;
- guarantees are provided to safeguard the data transferred or disclosed;
- only the limited, necessary data is transferred; and
- the consent of SDAIA has been obtained in respect of the transfer or disclosure.
3. OBLIGATIONS OF CONTROLLERS
- The controller must adopt a data privacy policy, and the policy must be available for individuals to view before their data is collected.
- If the controller collects data directly from the data subject, it must inform him or her of: (a) the legal basis for collecting the data; (b) the purpose of collecting the data; (c) the identity of those collecting it; (d) the rights of the data subject; and (e) whether the data will be transferred outside the Kingdom.
- Data controllers must prepare, maintain and register records of their processing activities with SDAIA.
- A breach incident must be notified 'immediately' to SDAIA and to the affected data subjects.
- Controllers must appoint or assign at least one of their employees to be responsible for achieving compliance with the law.
- Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.

4. DATA SUBJECT RIGHTS
The rights of data subjects are enumerated and include:
- Right to be informed
- Right to access
- Right to rectification
- Right to destruction

5. PENALTIES
- Fines of up to SAR 3m for disclosure or publication of sensitive data in breach of PDPL.
- Fines of up to SAR 1m for breaches of the data transfer rules.
- Offenders can be criminally prosecuted, with a prison term not exceeding 2 years, where sensitive data is disclosed or published contrary to PDPL.
- A general fine of up to SAR 5m for any other violation of PDPL.
KEY CONSIDERATIONS IN PDPL
The key considerations of the data protection legislation are listed below:

01 ACCOUNTABILITY
When processing personal data, the data controller must have measures in place that comply with the law, and must carry out regular checks so that its means of processing conform to PDPL principles (Article 8).

02 PURPOSE LIMITATION
The collection of personal data must have a direct link to the controller's purpose for processing it. The purpose must be specific, and collection limited to what is required to satisfy it (Articles 11, 11(2), 11(3)).

03 TRANSPARENCY
A privacy policy must be in place that data subjects can view before their personal data is collected, setting out the purposes of collection, the categories of personal data collected, the means of collection, storage, processing and erasure, and the data subject rights and how to exercise them (Article 12).

04 ACCURACY
Data must be up to date, complete and specific to the purpose for which it was collected (Article 14). Data subjects have a right to erasure which the controller must honour (Article 18; exceptions to the right to erasure under Article 18(2)).

05 APPOINTMENT OF DATA PROTECTION OFFICER
Controllers are required to appoint a person (or several persons) responsible for implementing PDPL. A local representative must be appointed for controllers that operate outside the Kingdom and process the personal data of Saudi citizens, to ensure compliance with the applicable laws (Article 33(2) of PDPL).

06 RECORDS OF PROCESSING ACTIVITY
The organisation must keep records of processing activities for a period determined by the executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers; each controller must register on it and pay an annual fee not exceeding SAR 100,000 (Article 32).

07 DATA PROTECTION IMPACT ASSESSMENT
Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.
COMPARISON BETWEEN THE PERSONAL DATA PROTECTION LAW AND THE GENERAL DATA PROTECTION REGULATION

Category: Deceased persons
PDPL: PDPL also applies to the data of deceased persons if it can lead to the specific identification of the deceased person or his or her family; 'deceased persons' are included in the definition of data subjects.
GDPR: Recital 27 confirms that the GDPR does not apply to the personal data of deceased persons, only to living natural persons (Art. 4(1), Rec. 27).

Category: Personal data and personal data breach
PDPL: Personal data is any element of data, alone or in connection with other available data, that would enable the identification of a Saudi citizen.
GDPR: The term is defined in Art. 4(12): a personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Category: Breach notifications
PDPL: A breach must be notified "immediately" rather than within a specified period.
GDPR: Under Article 33, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach.

Category: Caveat to disclosure of personal data
PDPL: There is a caveat to the usual permitted disclosures of personal data by the controller: disclosure is not permitted if it could pose a security risk, damage the reputation of the Kingdom or affect Saudi Arabia's relationship with other countries.
GDPR: No equivalent state-interest caveat; disclosures to recipients outside the EU are governed by the transfer rules of Chapter V (Articles 44-50), set out under "Cross border transfer" below.

Category: Cross border transfer
PDPL: Controllers will not be able to transfer personal data outside Saudi Arabia unless required to comply with an agreement to which the Kingdom is a party, to serve Saudi interests, or for other purposes that will be set out in the executive regulations. There are requirements to ensure that the data transfer or disclosure to a party outside the Kingdom does not affect national security or Saudi interests, and to obtain the approval of SDAIA (the Saudi Data & Artificial Intelligence Authority).
GDPR: Personal data may be transferred to a third country or international organisation that the EU Commission has determined provides an adequate level of protection (Article 45). Where there is no adequacy decision, a transfer is permitted only when the controller or processor provides appropriate safeguards that ensure data subject rights (Article 46). Appropriate safeguards include: binding corporate rules (BCRs) with specific requirements (e.g. a legal basis for processing, a retention period and complaint procedures); standard data protection clauses adopted by the EU Commission or by a supervisory authority; an approved code of conduct; or an approved certification mechanism. (Articles 44-50, Chapter V; Recitals 101, 112)

Category: Registration and RoPA
PDPL: Data controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is yet to be published in the Regulations. Records of processing activities (RoPA) must also be registered with SDAIA.
GDPR: Article 30 requires a record of processing activities, which the controller or processor must make available to the authority on request. There is no obligation under GDPR to notify the RoPA to, or to register data controllers with, the data protection authority.

Category: Official documents must not be photocopied
PDPL: It is common practice in the region for official documents such as passports or ID cards to be photocopied. PDPL prohibits this unless it is for the implementation of the provisions of a law, or a competent public authority requests it, in accordance with the PDPL regulations.
GDPR: No such condition is laid down.

Category: No "directing services" or "monitoring" test for foreign businesses
PDPL: PDPL applies to any entity located outside KSA that processes the personal data of individuals residing in KSA. No quantitative threshold or qualitative test is set out.
GDPR: Applies to non-EU established entities only where they target EU individuals by offering goods or services to them, or monitor their behaviour (Article 3(2)).

Category: Exceptions to consent
PDPL: Data owner consent is not required where the processing: achieves a definite or certain interest for the data owner and it is impossible or difficult to contact them; is required by law or in application of a prior agreement to which the data owner is a party; or is done by a public entity and is required for security purposes or to meet judicial requirements.
GDPR: GDPR does not frame these as exceptions to consent; rather it sets out lawful bases for processing other than consent (Art. 6): processing is necessary for the performance of a contract to which the data subject is a party; processing is necessary to comply with a legal obligation; processing is necessary to protect someone's life (vital interests); processing is necessary to perform a task in the public interest or to carry out an official function; or the controller has a legitimate interest in processing the personal data.

Category: Need to obtain a licence or appoint a licensed representative
PDPL: Article 33 provides that the Authority is responsible for issuing licences to commercial, professional or non-profit businesses under PDPL, but it does not expressly state what, if any, additional licences a business will need in order to process personal data. Non-KSA based entities that process personal data relating to individuals residing in KSA must appoint a representative in KSA, licensed by the Authority, to carry out their obligations under the law.
GDPR: Similar to the requirement under GDPR for non-EU established businesses that are subject to GDPR to appoint a representative in the Union (Article 27).

Category: Data protection officer
PDPL: The entity must identify and appoint a Chief Data Officer (CDO) to lead the data management and personal data protection agenda. The CDO's responsibilities must be set out in a job description and aligned with the responsibilities defined in the "Organizational Manual" published by NDMO.
GDPR: A DPO must be appointed where Article 37 applies, and a representative under certain conditions. Under Article 4(17): "'representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation".

Category: Penalties
PDPL: Fines of up to SAR 3m (approx. GBP 590,000) for disclosure or publication of sensitive data in breach of PDPL; fines of up to SAR 1m (approx. GBP 200,000) for breaches of the data transfer rules; a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to PDPL; and a general fine of up to SAR 5m (approx. GBP 1,000,000) for any other violation of PDPL.
GDPR: Administrative fines are capped at either 2% of global annual turnover or EUR 10 million, whichever is higher, or 4% of global annual turnover or EUR 20 million, whichever is higher, depending on the provision infringed (Article 83); the amount in each case is set by the supervisory authority, and member states lay down rules on other penalties (Article 84). (Articles 83, 84; Recitals 148-150)
CHALLENGES FOR ORGANISATIONS
- Compliance with data sovereignty regulations in cross-border transfers of data
- Compliance with several other sectoral stakeholders and regulations (e.g. CITC, SAMA)
- Operationalisation and classification of data to mitigate any identified data sovereignty risks
- Embedding the concepts of privacy and data protection in the organisation's approach
- Vendor management
- Compliance with international standards
- Establishing robust cybersecurity and privacy management
CONCLUSION
The vision behind PDPL is commendable and will encourage more countries to establish a data protection and privacy regime. The Kingdom has long-term goals to facilitate an emerging data-driven economy. In the coming months there will be further details and guidance on the law and its implementation. Businesses set up in the Kingdom will have to ensure compliance and work towards establishing privacy-aware and privacy-protecting mechanisms in the functioning of their organisations.

In addition to establishing a data protection law that protects the rights of individuals, it is essential to understand the challenges an organisation will face in the effort to accelerate the drive towards an information-based society. Organisations have to take into consideration compliance audits, gap analysis, governance, training and development, and a compliance programme so that they are not in breach of PDPL.

In conclusion, the steps taken by the Kingdom of Saudi Arabia are a welcome change, aligned with the need for robust privacy and data protection mechanisms around the world. This will only strengthen the basic human rights of individuals. The Kingdom of Saudi Arabia has paved the way for many other Middle Eastern countries to move towards a system in which the personal data of individuals is of primary importance and its protection is essential.
WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure.
Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
Email us: info@tsaaro.com

Tsaaro Netherlands Office
Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands
P: +31-686053719

Tsaaro India Office
Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore-560045, India
P: +91-0522–3581

Our Team
Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow of Information Privacy (IAPP), the highest certification in the field of privacy. His expertise lies in data privacy and information security compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant. He has vast experience in information security and data privacy compliance.

Srishti Tripathy (Senior Data Protection Consultant, Tsaaro)
Srishti is a privacy professional with a Master's degree in Law and Technology from Tilburg University.

Reviewer
Anselmo Diaz Valiente (Senior Consultant, NCC Group)
Anselmo is an experienced consultant involved in a variety of projects requiring the application of expert knowledge in information security and data protection, with ample experience in auditing and providing consultancy to organisations across diverse sectors.