SlideShare a Scribd company logo

KSA PDPL - Personal Data Protection Law.pdf

D
DaviesParker

Learn all about Saudi Personal Data Protection Law

Law
1 of 18
Download to read offline
PERSONAL DATA PROTECTION LAW Kingdom of Saudi Arabia © 2022 Tsaaro. All rights reserved. © 2022 Tsaaro. All rights reserved.
Introduction Scope and Application of PDPL Structure Provisions of PDPL Key Considerations Comparison with GDPR Challenges for organisations 1 TABLE OF CONTENTS 2 3 4 5 6 7 Tsaaro | KSA Personal Data Protection Law 01 8 Conclusion
02 Privacy and data protection have emerged to be one of the most critical issues of an era that is characterised by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state, but the onus to have a robust privacy structure is the responsibility of organizations too. Privacy and data protection constitute the core values of efficient legislation. The challenges of data collection, management and processing of personal data of individuals is one that can be effectively regulated by a robust data protection statute. Implementation and operation of a legislation can be arduous and precarious ordeal, but once in action it becomes the bedrock for a regimented and vigorous privacy protecting statute. In this White Paper we will enumerate and elucidate the various provisions of PDPL, the core principles of the legislation and what challenges the legislation will pose to businesses and organisations. In addition to the above the European regime of data protection and privacy laws have been the benchmark for many national legislations to protect the rights of individuals and the pragmatic implementation of the data protection laws in everyday businesses. Thus, it is essential to look at the new laws by Kingdom of Saudi Arabia in light of the General Data Protection Regulation (GDPR). The key considerations of the legislation, its principles and obligations will be the bedrock for smooth implementation and functioning of the law in Saudi Arabia. INTRODUCTION Tsaaro | KSA Personal Data Protection Law
The Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17), The E-commerce Law of 2019, and other sectoral regulations contain privacy provisions. General rules for maintaining the privacy of personal data of users in the telecommunications and information technology sector; The privacy guide for assessment of risk for telecommunications services providers and Criteria for determining the need to carry out privacy risk assessments. The Personal Data Protection Law (PDPL) is designed to systematically protect “personal data” of individuals. It was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). After a period of 180 from the date of publication, the law will come into effect on 23 March 2022., and thus data controllers would have to ensure compliance to the law. Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. PDPL is not the first law that defines privacy for the Kingdom of Saudi Arabia, the Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) ('the Basic Law') defines privacy as a right related to the dignity of an individual, guarantees the privacy of communication, and generally prohibits surveillance unless an exception applies.It also includes Shari'ah principles against the invasion of privacy or disclosure of secrets. Other acts that speak about privacy are : These laws give regulatory powers to the National Cybersecurity Authority and the Communications and Information Technology Commission ('CITC') in their respective sectors. The CITC has been responsible for publishing regulations on : DATA PROTECTION AND KINGDOM OF SAUDI ARABIA 03 02 Tsaaro | KSA Personal Data Protection Law
Once PDPL is implemented it will become imperative for entities/ organisations to comply with the personal data protection laws, by appointing a representative in the Kingdom. This provision has to be complied with within 5 years from the effective date of implementation of the law. Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central bank and other Information Technology ministries for the implementation of PDPL.Though, the supervisory role will be handed over National Data Management Authority (“NDMO”) an authority under SDAIA. Any processing by business or public entities of personal data of citizens of Saudi Arabia by any means, including processing of personal data of the residents of Saudi Arabia outside, including where the businesses have a foreign data controller, it is required by law to have a representative appointed and licensed by SDAIA in order to perform the data controller obligations under the law. In an age where data has become or is to become the most valuable commodity, the need for a robust data protection regime becomes imperative. Countries around the world have realised the importance of such a regime not only to protect the rights of its citizens, but also to showcase its economic prowess. Most countries in the middle east are realising the need for data protection and laws that prevent illegal personal data processing. The Kingdom of Saudi Arabia has taken a step towards establishing a comprehensive data protection mechanism for its citizens and cross border data processing DATA PROTECTION AND KINGDOM OF SAUDI ARABIA 04 02 Tsaaro | KSA Personal Data Protection Law
AIM OF PDPL Privacy of personal data of residents of Saudi Arabia Streamline various sector-specific privacy laws under one single statute Regulate data sharing Prevent the abuse of personal data Develop digital Infrastructure Support innovation to grow a digital economy Place Saudi Arabia aligned with the international standards The PDPL bill aims to encapsulate the following: SCOPE AND APPLICATION OF PDPL Article 1(4) oF "PDPL" defines “personal data”- as: "any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person.” Thus, the legislation makes it clear for appointment of a controller in Kingdom of Saudi Arabia for processing of personal data of individuals who are citizens of the country, irrespective of where the business operates or where there is a foreign data controller. Article 2(2) of PDPL states that PDPL is not applicable for processing of personal data for family matters. 01 05 Tsaaro | KSA Personal Data Protection Law
STRUCTURE Below enumerated are the topics that will be covered by this white paper taking into consideration the problem statement:- Preliminary Questions # Applicability of the PDPL law and what is needed for processing of personal data? What are the key considerations in PDPL? What are the core principles of PDPL ? Can cross border transfers take place under PDPL? what are the obligations of a controller under the law? What are the rights of data subjects under PDPL? Who will be accountable for data breach and will they be penalized? How is PDPL different from GDPR? What are the challenges that an organization will face when complying with PDPL? What are the future expectations from PDPL? 06 Tsaaro | KSA Personal Data Protection Law
Definite interest In accordance with another law or implementation of a pre-existing agreement The controller is a public entity and processing is essential to meet security requirements Primary legal basis for processing to be obtained in writing, subject to further requirements. Processing without consent is only applicable under the following conditions: PROVISIONS OF PDPL This section will elucidate various provisions in PDPL that are established to preserve the privacy of individuals Does not adversely affect the national security of the kingdom Guarantees are provided to safeguard the data transferred or disclosed Only limited, necessary data is transferred Consent of the SDAIA has been obtained in respect of the transfer/disclosure Transfers of data outside of the Kingdom of Saudi Arabia may be made for limited purposes. Even if the transfer falls into a permitted category, it should further align with the following conditions for cross border transfer of data to take place lawfully'. 07 CONSENT 1 CROSS BORDER TRANSFERS 2 Tsaaro | KSA Personal Data Protection Law
PENALTIES 5 Fines of up to SAR 3m for disclosure or publication of sensitive data in breach of PDPL. Up to SAR 1m for breaches of data transfer rules, Offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL. General fine of SAR 5m for any violation of the PDPL. Right to be informed Right to access Right to rectification Right to destruction Rights of the Data Subjects have been enumerated, inclusive of; 08 Controller must adopt a data privacy policy, and the policy should be available to individuals to view before collecting their data. If the Controller is collecting data directly from the data owner, it must inform him or her of: a) the legal basis for collecting data b) the purpose of collecting data, c) the information of those who collect it, d) informing the data subjects and e) decision of cross border transfer of data Data controllers must prepare, maintain and register data processing activities with SDAIA. In case of a breach incident, it has to be notified ‘immediately’ to the SDAIA and data subjects.) Controllers must appoint or assign at least one of their employees to be responsible for achieving compliance with the Law. Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations. OBLIGATIONS OF CONTROLLERS 3 DATA SUBJECT RIGHTS 4 Tsaaro | KSA Personal Data Protection Law
The key considerations of the data protection legislation are listed below: KEY CONSIDERATIONS IN PDPL 01 ACCOUNTABILITY The data controller when processing personal data, should have measures that abide by the provisions of law that is in place and do regular checks so that the means of processing data is approved by PDPL principles (Article 8) 01 01 PURPOSE LIMITATION The collection of personal data should have a direct link to the controller's purpose to process it. The purpose should be specific and limited to only what is required to satisfy the purpose (Article 11, 11(2), 11(3)) 02 02 TRANSPARENCY A privacy policy must be in place that can be viewed by the data subjects before collection of their personal data setting the purposes for collection, the categories of personal data collected, the means of collection, means of storage, processing, erasure, as well as data subject rights and how to exercise them. ( Article 12) 03 03 ACCURACY Data should be up to date, complete, and specific to the purpose for which it was collected ( Article 14 ) The Data Subjects had Right to erasure which the controller has to abide by. (Article 18, exceptions to right to erasure under Article 18(2)) 04 04 09 Tsaaro | KSA Personal Data Protection Law
01 1974 APPOINTMENT OF DATA PROTECTION OFFICER Controllers are required to appoint a person (or several persons) to be responsible for implementing PDPL. A local representative should be appointed for controllers that operate outside the Kingdom and process personal data of Saudi Citizens. This is done for compliance of the applicable laws. the applicable laws (Article 33(2) of the PDPL). 05 05 RECORDS OF PROCESSING ACTIVITY The organisation/ company needs to keep records of processing activities for a time period determined by executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers, to which each controller must register to and pay an annual fee not exceeding SAR 100,000 ( Article 32) 06 06 DATA PROTECTION IMPACT ASSESSMENT The organisation/ company needs to keep records of processing activities for a time period determined by executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers, to which each controller must register to and pay an annual fee not exceeding SAR 100,000 (Article 32) 07 07 10 KEY CONSIDERATIONS IN PDPL Tsaaro | KSA Personal Data Protection Law The key considerations of the data protection legislation are enumerated below: KEY CONSIDERATIONS IN PDPL
Deceased Person PDPL also applies to the data of deceased persons if it can lead to the specific identification of the deceased person or his or her family. ‘Deceased persons’ included in the definition of data subjects. Recital 27 confirms that the GDPR does not apply to the personal data of deceased persons – only natural living persons. (Art 4(1), Rec. 27) The term is defined in Art. 4 (12). Personal data breach is "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" Personal Data Breach Any element of data, alone or in connection with other available data, that would enable the identification of a Saudi citizen. Comparison between the Personal Data Protection Law and The General Data Protection Regulation 11 Category GDPR PDPL Breach Notifications Breach must be notified “immediately” rather than within a specified period. Under Article 33 of GDPR, controller must notify the supervisory authority within 72 hours of being aware of the breach. Caveat to Disclosure of personal data There is a caveat to the usual permitted disclosures of personal data by the controller if the disclosure could pose a security risk, damage the reputation of the Kingdom or impact Saudi Arabia’s relationship with other countries. Under Article 49 of GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. Suppose there is no decision on an adequate protection level. In that case, a transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Tsaaro | KSA Personal Data Protection Law
12 Caveat to Disclosure of personal data There is a caveat to the usual permitted disclosures of personal data by the controller if the disclosure could pose a security risk, damage the reputation of the Kingdom or impact Saudi Arabia’s relationship with other countries. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures) Standard data protection clauses adopted by the EU Commission or by a supervisory authority An approved code of conduct or an approved certification mechanism. (Articles: 44-50, Recitals: 101, 112, Chapter V) Category GDPR PDPL Cross Boarder Transfer Controllers will not be able to transfer personal data outside Saudi Arabia unless required to comply with an agreement to which the Kingdom is a party, (this is to serve Saudi interests or for other purposes that will be set out in the executive regulations). There are requirements to ensure that the data transfer or disclosure to a party outside the Kingdom does not impact national security or Saudi interests and to obtain the approval of SDAIA ie. Saudi Data & Artificial Intelligence Authority. GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. In a case of no adequate protection level transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures) Standard data protection clauses adopted by the EU Commission or by a supervisory authority An approved code of conduct; or An approved certification mechanism. (Articles: 44-50, Recitals: 101, 112, Chapter V) Registration and RoPA Data Controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is yet to be published in the Regulations. Records of Processing Activity (RoPA) must also registered with SDAIA. Article 30 of GDPR requires to have a record of processing activities. On demand of the authority the data controller or the data processor provides the record of processing activities. But there is no obligation under GDPR to notify about RoPA or register data controllers with the data protection authority . Tsaaro | KSA Personal Data Protection Law
13 Category GDPR PDPL Registration Official documents must not be photocopied It is a common practice in the region for official documents such as passports or ID cards to be photocopied. The PDPL prohibits this unless it is for the implementation of the provisions of a law, or if a competent public authority requests these, in accordance with the PDPL regulations. No such condition laid down. No “directing services” or “monitoring” test for foreign business PDPL applies to any entity located outside of KSA who is processing the personal data of individuals residing in KSA. No particular quantitative threshold or qualitative tests are set out. Authority. Only applies to non-EU established entities who are engaged in targeting, offering goods or services to or monitoring EU individuals. Exceptions to Consent achieves a definite or certain interest for the data owner and it is impossible or difficult to contact them; As required by law or in application of a prior agreement to which the data owner is a party]; or Is done by a public entity and such processing is required for security purposes or to meet judicial requirements Data owner consent is not required where the processing: Processing is necessary to satisfy a contract to which the data subject is a party: You need to process the data to comply with a legal obligation. You need to process the data to save somebody’s life. Processing is necessary to perform a task in the public interest or to carry out some official function. You have a legitimate interest to process someone’s personal data. (Art. 6) GDPR does not explicitly mention exceptions to consent to process personal data of individuals, rather it states the lawful basis for processing of personal data of individuals other than consent. Following are the lawful basis for processing of personal data of individuals : Tsaaro | KSA Personal Data Protection Law
14 Category GDPR PDPL Need to obtain a license or appoint licensed representative Article 33 of the PDPL provides that the Authority shall be responsible for issuing licenses to commercial, professional or non-profit businesses under the PDPL, however it does not expressly state what, if any, additional licenses a business will need to obtain in order to process personal data. Non-KSA based data processing entities which process personal data related to individuals residing in KSA will have to appoint a representative in KSA, licensed by the Authority, to carry out its obligations under the law. Similar to the requirement under GDPR for non-European established businesses which are subject to GDPR to appoint a representative in the union. Data protection Officer The Entity shall identify and appoint a Chief Data Officer to lead the Data Management and Personal Data Protection agenda. The Chief Data Officer's (CDO) responsibilities shall be highlighted in a job description and aligned with the responsibilities defined in the “Organizational Manual” published by NDMO. Appoint a DPO (Article 37) and a representative under certain conditions. Under Article 4(21) of GDPR: " ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation" Penalties Fines of up to SAR 3m (approx. GBP 590,000) for disclosure or publication of sensitive data in breach of PDPL -up to SAR 1m (approx. GBP 200,000) for breaches of data transfer rules, -Offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL. -General fine of SAR 5m (approx. GBP 1,000,000) for any violation of the PDPL. GDPR has an upper cap on its monetary penalties, either: 2% of global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher. This depends on the level of violation, which is decided by the member states and public authorities. (Articles: 83, 84 Recitals: 158, 149) Tsaaro | KSA Personal Data Protection Law
CHALLENGES FOR ORGANISATIONS 15 Compliance of data sovereignty regulations in cross boarder transfer of data Compliance with sever other sectorial stakeholders and regulations (Eg. CITC, SAMA) Operationalization and classification of data to mitigate any identified data sovereignty risks The concepts of privacy and data protection have to be embedded in the approach of an organization Vendor management Compliance with international standardizations Establishing robust Cybersecurity and Privacy management Tsaaro | KSA Personal Data Protection Law
CONCLUSION The vision behind PDPL is commendable and will usher in more countries to establish a data protection and privacy regime. The Kingdom has long-term goals to facilitate an emerging data driven economy. In the coming months there will further details and guidance on the law and its implementation. The business models that are set up in the Kingdom will have to ensure compliance and work towards establishing a privacy aware and protecting mechanism in functioning of their organisations. In addition to establishing a data protection law that protects the rights of individuals it is essential to understand the challenges that an organisation/ company will face in an effort to accelerate the drive towards an information based society. The organisations/ companies have to take into consideration compliance audit, gap analysis, governance, training and development, and compliance programme so that they are not in breach of PDPL. In conclusion the steps taken by Kingdom of Saudi Arabia is a welcome change which aligns the need of a robust privacy and data mechanism around the world. This will only lead to strengthening the basic Human Rights of Individuals. The kingdom of Saudi Arabia has paved the way for many other middle - eastern countries to move towards providing a system where personal data of individuals is of primary importance and protection of it is essential. 16 Tsaaro | KSA Personal Data Protection Law
Tsaaro Netherlands Office Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands P: +31-686053719 Akarsh Singh (CEO & Co-Founder, Tsaaro) Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance. Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy, DPIA to name a few, delivered by our expert privacy professionals recognized by IAPP. WHY TSAARO? CONTACT US You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro. Email us info@tsaaro.com Tsaaro India Office Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer RingRoad, Bangalore- 560045 India P: +91-0522–3581 Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro) Krishna is a xKPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance. Srishti Tripathy (Senior Data Protection Consultant, Tsaaro) Srishti is a privacy professional with a Masters degree from Tilburg University in Law and Technology. Reviewer Anselmo Diaz Valiente (Senior Consultant|NCC Group) Anselmo is an experienced consultant involved in a variety of projects, requiring the application of expert knowledge in Information Security and Data Protection. Ample of experience in auditing and providing consultancy to organisations across diverse sectors. Our Team

Recommended

Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)The Pathway Group
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowPECB
 
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIEryk Budi Pratama
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiEryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationEryk Budi Pratama
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykEryk Budi Pratama
 
Melihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiMelihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiICT Watch
 

Recommended

Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)The Pathway Group
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowPECB
 
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIEryk Budi Pratama
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?PECB
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiEryk Budi Pratama
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationEryk Budi Pratama
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykEryk Budi Pratama
 
Melihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiMelihat RUU Pelindungan Data Pribadi
Melihat RUU Pelindungan Data PribadiICT Watch
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in IndonesiaEryk Budi Pratama
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
LGPD | CICLO DE PALESTRAS
LGPD | CICLO DE PALESTRASLGPD | CICLO DE PALESTRAS
LGPD | CICLO DE PALESTRASWellington Monaco
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...Hernan Huwyler, MBA CPA
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationWatchful Software
 
Checklist lgpd
Checklist lgpdChecklist lgpd
Checklist lgpdanselmo333
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure IslandsSecure Islands - Data Security Policy
 
Privacidade By Design
Privacidade By DesignPrivacidade By Design
Privacidade By DesignDouglas Siviotti
 
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...Wellington Monaco
 
LGPD e Segurança da Informação
LGPD e Segurança da InformaçãoLGPD e Segurança da Informação
LGPD e Segurança da InformaçãoRicardoCrdobaBaptist
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Eryk Budi Pratama
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...PECB
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 

More Related Content

What's hot

Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in IndonesiaEryk Budi Pratama
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...Hernan Huwyler, MBA CPA
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationWatchful Software
 
Checklist lgpd
Checklist lgpdChecklist lgpd
Checklist lgpdanselmo333
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...Wellington Monaco
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Eryk Budi Pratama
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...PECB
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 

What's hot (20)

Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
LGPD | CICLO DE PALESTRAS
LGPD | CICLO DE PALESTRASLGPD | CICLO DE PALESTRAS
LGPD | CICLO DE PALESTRAS
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
Top 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data ClassificationTop 10 Best Practices for Implementing Data Classification
Top 10 Best Practices for Implementing Data Classification
 
Checklist lgpd
Checklist lgpdChecklist lgpd
Checklist lgpd
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
 
Privacidade By Design
Privacidade By DesignPrivacidade By Design
Privacidade By Design
 
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
LGPD - LEI GERAL DE PROTEÇÃO DE DADOS - SGPD - SISTEMA DE GESTÃO DE PROTEÇÃO ...
 
LGPD e Segurança da Informação
LGPD e Segurança da InformaçãoLGPD e Segurança da Informação
LGPD e Segurança da Informação
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by Qualsys
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 

Similar to KSA PDPL - Personal Data Protection Law.pdf

Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfEconomic Laws Practice
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfAHRP Law Firm
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityEmerson Bryan
 
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...Gsma pmp - enhancing data protection and privacy in nigeria through the dat...
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...Nzeih Chukwuemeka
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptx
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptxOVERVIEW OF DATA PROTECTION AND PRIVACY.pptx
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptxUsmanMAmeer
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020Christo W. Meyer
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Faidepro
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONTHE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONIJNSA Journal
 
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDaviesParker
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protectionInterlogica
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...Dr. Oliver Massmann
 

Similar to KSA PDPL - Personal Data Protection Law.pdf (20)

Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdf
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdfOverview of the Digital Personal Data Protection DPDP Bill 2023.pdf
Overview of the Digital Personal Data Protection DPDP Bill 2023.pdf
 
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...Gsma pmp - enhancing data protection and privacy in nigeria through the dat...
Gsma pmp - enhancing data protection and privacy in nigeria through the dat...
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptx
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptxOVERVIEW OF DATA PROTECTION AND PRIVACY.pptx
OVERVIEW OF DATA PROTECTION AND PRIVACY.pptx
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTIONTHE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
THE BRAZILIAN LAW ON PERSONAL DATA PROTECTION
 
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdfDIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
DIGITAL-PERSONAL-DATA-PROTECTION-ACT-2023-WHITEPAPER.pdf
 
Note on data protection
Note on data protectionNote on data protection
Note on data protection
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protection
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
 

More from DaviesParker

Annual-Report-on-Privacy-Fines-2022.pdf
Annual-Report-on-Privacy-Fines-2022.pdfAnnual-Report-on-Privacy-Fines-2022.pdf
Annual-Report-on-Privacy-Fines-2022.pdfDaviesParker
 
Report_PrivacyAmongChildren.pdf
Report_PrivacyAmongChildren.pdfReport_PrivacyAmongChildren.pdf
Report_PrivacyAmongChildren.pdfDaviesParker
 
Privacy as a Career
Privacy as a CareerPrivacy as a Career
Privacy as a CareerDaviesParker
 
Responsible-A.I-and-Privacy-Report.pdf
Responsible-A.I-and-Privacy-Report.pdfResponsible-A.I-and-Privacy-Report.pdf
Responsible-A.I-and-Privacy-Report.pdfDaviesParker
 
Privacy-in-the-Metaverse
Privacy-in-the-MetaversePrivacy-in-the-Metaverse
Privacy-in-the-MetaverseDaviesParker
 
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...DaviesParker
 
California-Privacy-Right-Act.pdf
California-Privacy-Right-Act.pdfCalifornia-Privacy-Right-Act.pdf
California-Privacy-Right-Act.pdfDaviesParker
 
A Guide for Businesses.pdf
A Guide for Businesses.pdfA Guide for Businesses.pdf
A Guide for Businesses.pdfDaviesParker
 
FISMA COMPLIANCE.pdf
FISMA COMPLIANCE.pdfFISMA COMPLIANCE.pdf
FISMA COMPLIANCE.pdfDaviesParker
 
What Does A Data Protection Officer Do.pdf
What Does A Data Protection Officer Do.pdfWhat Does A Data Protection Officer Do.pdf
What Does A Data Protection Officer Do.pdfDaviesParker
 
External Network PT - Tsaaro
External Network PT - TsaaroExternal Network PT - Tsaaro
External Network PT - TsaaroDaviesParker
 

More from DaviesParker (13)

Annual-Report-on-Privacy-Fines-2022.pdf
Annual-Report-on-Privacy-Fines-2022.pdfAnnual-Report-on-Privacy-Fines-2022.pdf
Annual-Report-on-Privacy-Fines-2022.pdf
 
Report_PrivacyAmongChildren.pdf
Report_PrivacyAmongChildren.pdfReport_PrivacyAmongChildren.pdf
Report_PrivacyAmongChildren.pdf
 
Privacy as a Career
Privacy as a CareerPrivacy as a Career
Privacy as a Career
 
Responsible-A.I-and-Privacy-Report.pdf
Responsible-A.I-and-Privacy-Report.pdfResponsible-A.I-and-Privacy-Report.pdf
Responsible-A.I-and-Privacy-Report.pdf
 
Privacy-in-the-Metaverse
Privacy-in-the-MetaversePrivacy-in-the-Metaverse
Privacy-in-the-Metaverse
 
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
SECTOR-SPECIFIC-REGULATIONS-AND-A-FEW-HICCUPS-MORE-U.S.A-AND-ITS-PRIVACY-LAWS...
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdf
 
California-Privacy-Right-Act.pdf
California-Privacy-Right-Act.pdfCalifornia-Privacy-Right-Act.pdf
California-Privacy-Right-Act.pdf
 
A Guide for Businesses.pdf
A Guide for Businesses.pdfA Guide for Businesses.pdf
A Guide for Businesses.pdf
 
FISMA COMPLIANCE.pdf
FISMA COMPLIANCE.pdfFISMA COMPLIANCE.pdf
FISMA COMPLIANCE.pdf
 
What Does A Data Protection Officer Do.pdf
What Does A Data Protection Officer Do.pdfWhat Does A Data Protection Officer Do.pdf
What Does A Data Protection Officer Do.pdf
 
Sarvekshan.pdf
Sarvekshan.pdfSarvekshan.pdf
Sarvekshan.pdf
 
External Network PT - Tsaaro
External Network PT - TsaaroExternal Network PT - Tsaaro
External Network PT - Tsaaro
 

Recently uploaded

John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书Fir L
 
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书SD DS
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfMilind Agarwal
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceMichael Cicero
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxsrikarna235
 
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxAn Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxKUHANARASARATNAM1
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书Sir Lt
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书Fs Las
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesritwikv20
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书FS LS
 
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书SD DS
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesHome Tax Saver
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSDr. Oliver Massmann
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书SD DS
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书SD DS
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionNilamPadekar1
 

Recently uploaded (20)

John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession: A History
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书
 
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptx
 
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptxAn Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
An Introduction guidance of the European Union Law 2020_EU Seminar 4.pptx
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
 
Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use cases
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书
如何办理(CQU毕业证书)中央昆士兰大学毕业证学位证书
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 sedition
 
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Serviceyoung Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
 

KSA PDPL - Personal Data Protection Law.pdf

  • 1. PERSONAL DATA PROTECTION LAW Kingdom of Saudi Arabia © 2022 Tsaaro. All rights reserved. © 2022 Tsaaro. All rights reserved.
  • 2. Introduction Scope and Application of PDPL Structure Provisions of PDPL Key Considerations Comparison with GDPR Challenges for organisations 1 TABLE OF CONTENTS 2 3 4 5 6 7 Tsaaro | KSA Personal Data Protection Law 01 8 Conclusion
  • 3. 02 Privacy and data protection have emerged to be one of the most critical issues of an era that is characterised by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state, but the onus to have a robust privacy structure is the responsibility of organizations too. Privacy and data protection constitute the core values of efficient legislation. The challenges of data collection, management and processing of personal data of individuals is one that can be effectively regulated by a robust data protection statute. Implementation and operation of a legislation can be arduous and precarious ordeal, but once in action it becomes the bedrock for a regimented and vigorous privacy protecting statute. In this White Paper we will enumerate and elucidate the various provisions of PDPL, the core principles of the legislation and what challenges the legislation will pose to businesses and organisations. In addition to the above the European regime of data protection and privacy laws have been the benchmark for many national legislations to protect the rights of individuals and the pragmatic implementation of the data protection laws in everyday businesses. Thus, it is essential to look at the new laws by Kingdom of Saudi Arabia in light of the General Data Protection Regulation (GDPR). The key considerations of the legislation, its principles and obligations will be the bedrock for smooth implementation and functioning of the law in Saudi Arabia. INTRODUCTION Tsaaro | KSA Personal Data Protection Law
  • 4. The Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17), The E-commerce Law of 2019, and other sectoral regulations contain privacy provisions. General rules for maintaining the privacy of personal data of users in the telecommunications and information technology sector; The privacy guide for assessment of risk for telecommunications services providers and Criteria for determining the need to carry out privacy risk assessments. The Personal Data Protection Law (PDPL) is designed to systematically protect “personal data” of individuals. It was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). After a period of 180 from the date of publication, the law will come into effect on 23 March 2022., and thus data controllers would have to ensure compliance to the law. Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. PDPL is not the first law that defines privacy for the Kingdom of Saudi Arabia, the Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) ('the Basic Law') defines privacy as a right related to the dignity of an individual, guarantees the privacy of communication, and generally prohibits surveillance unless an exception applies.It also includes Shari'ah principles against the invasion of privacy or disclosure of secrets. Other acts that speak about privacy are : These laws give regulatory powers to the National Cybersecurity Authority and the Communications and Information Technology Commission ('CITC') in their respective sectors. The CITC has been responsible for publishing regulations on : DATA PROTECTION AND KINGDOM OF SAUDI ARABIA 03 02 Tsaaro | KSA Personal Data Protection Law
  • 5. Once PDPL is implemented it will become imperative for entities/ organisations to comply with the personal data protection laws, by appointing a representative in the Kingdom. This provision has to be complied with within 5 years from the effective date of implementation of the law. Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central bank and other Information Technology ministries for the implementation of PDPL.Though, the supervisory role will be handed over National Data Management Authority (“NDMO”) an authority under SDAIA. Any processing by business or public entities of personal data of citizens of Saudi Arabia by any means, including processing of personal data of the residents of Saudi Arabia outside, including where the businesses have a foreign data controller, it is required by law to have a representative appointed and licensed by SDAIA in order to perform the data controller obligations under the law. In an age where data has become or is to become the most valuable commodity, the need for a robust data protection regime becomes imperative. Countries around the world have realised the importance of such a regime not only to protect the rights of its citizens, but also to showcase its economic prowess. Most countries in the middle east are realising the need for data protection and laws that prevent illegal personal data processing. The Kingdom of Saudi Arabia has taken a step towards establishing a comprehensive data protection mechanism for its citizens and cross border data processing DATA PROTECTION AND KINGDOM OF SAUDI ARABIA 04 02 Tsaaro | KSA Personal Data Protection Law
  • 6. AIM OF PDPL Privacy of personal data of residents of Saudi Arabia Streamline various sector-specific privacy laws under one single statute Regulate data sharing Prevent the abuse of personal data Develop digital Infrastructure Support innovation to grow a digital economy Place Saudi Arabia aligned with the international standards The PDPL bill aims to encapsulate the following: SCOPE AND APPLICATION OF PDPL Article 1(4) oF "PDPL" defines “personal data”- as: "any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual’s name, identification number, addresses and contact numbers, photographs and video recordings of the person.” Thus, the legislation makes it clear for appointment of a controller in Kingdom of Saudi Arabia for processing of personal data of individuals who are citizens of the country, irrespective of where the business operates or where there is a foreign data controller. Article 2(2) of PDPL states that PDPL is not applicable for processing of personal data for family matters. 01 05 Tsaaro | KSA Personal Data Protection Law
  • 7. STRUCTURE Below enumerated are the topics that will be covered by this white paper taking into consideration the problem statement:- Preliminary Questions # Applicability of the PDPL law and what is needed for processing of personal data? What are the key considerations in PDPL? What are the core principles of PDPL ? Can cross border transfers take place under PDPL? what are the obligations of a controller under the law? What are the rights of data subjects under PDPL? Who will be accountable for data breach and will they be penalized? How is PDPL different from GDPR? What are the challenges that an organization will face when complying with PDPL? What are the future expectations from PDPL? 06 Tsaaro | KSA Personal Data Protection Law
  • 8. Definite interest In accordance with another law or implementation of a pre-existing agreement The controller is a public entity and processing is essential to meet security requirements Primary legal basis for processing to be obtained in writing, subject to further requirements. Processing without consent is only applicable under the following conditions: PROVISIONS OF PDPL This section will elucidate various provisions in PDPL that are established to preserve the privacy of individuals Does not adversely affect the national security of the kingdom Guarantees are provided to safeguard the data transferred or disclosed Only limited, necessary data is transferred Consent of the SDAIA has been obtained in respect of the transfer/disclosure Transfers of data outside of the Kingdom of Saudi Arabia may be made for limited purposes. Even if the transfer falls into a permitted category, it should further align with the following conditions for cross border transfer of data to take place lawfully'. 07 CONSENT 1 CROSS BORDER TRANSFERS 2 Tsaaro | KSA Personal Data Protection Law
  • 9. PENALTIES 5 Fines of up to SAR 3m for disclosure or publication of sensitive data in breach of PDPL. Up to SAR 1m for breaches of data transfer rules, Offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL. General fine of SAR 5m for any violation of the PDPL. Right to be informed Right to access Right to rectification Right to destruction Rights of the Data Subjects have been enumerated, inclusive of; 08 Controller must adopt a data privacy policy, and the policy should be available to individuals to view before collecting their data. If the Controller is collecting data directly from the data owner, it must inform him or her of: a) the legal basis for collecting data b) the purpose of collecting data, c) the information of those who collect it, d) informing the data subjects and e) decision of cross border transfer of data Data controllers must prepare, maintain and register data processing activities with SDAIA. In case of a breach incident, it has to be notified ‘immediately’ to the SDAIA and data subjects.) Controllers must appoint or assign at least one of their employees to be responsible for achieving compliance with the Law. Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations. OBLIGATIONS OF CONTROLLERS 3 DATA SUBJECT RIGHTS 4 Tsaaro | KSA Personal Data Protection Law
  • 10. The key considerations of the data protection legislation are listed below: KEY CONSIDERATIONS IN PDPL 01 ACCOUNTABILITY The data controller when processing personal data, should have measures that abide by the provisions of law that is in place and do regular checks so that the means of processing data is approved by PDPL principles (Article 8) 01 01 PURPOSE LIMITATION The collection of personal data should have a direct link to the controller's purpose to process it. The purpose should be specific and limited to only what is required to satisfy the purpose (Article 11, 11(2), 11(3)) 02 02 TRANSPARENCY A privacy policy must be in place that can be viewed by the data subjects before collection of their personal data setting the purposes for collection, the categories of personal data collected, the means of collection, means of storage, processing, erasure, as well as data subject rights and how to exercise them. ( Article 12) 03 03 ACCURACY Data should be up to date, complete, and specific to the purpose for which it was collected ( Article 14 ) The Data Subjects had Right to erasure which the controller has to abide by. (Article 18, exceptions to right to erasure under Article 18(2)) 04 04 09 Tsaaro | KSA Personal Data Protection Law
  • 11. 01 1974 APPOINTMENT OF DATA PROTECTION OFFICER Controllers are required to appoint a person (or several persons) to be responsible for implementing PDPL. A local representative should be appointed for controllers that operate outside the Kingdom and process personal data of Saudi Citizens. This is done for compliance of the applicable laws. the applicable laws (Article 33(2) of the PDPL). 05 05 RECORDS OF PROCESSING ACTIVITY The organisation/ company needs to keep records of processing activities for a time period determined by executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers, to which each controller must register to and pay an annual fee not exceeding SAR 100,000 ( Article 32) 06 06 DATA PROTECTION IMPACT ASSESSMENT The organisation/ company needs to keep records of processing activities for a time period determined by executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers, to which each controller must register to and pay an annual fee not exceeding SAR 100,000 (Article 32) 07 07 10 KEY CONSIDERATIONS IN PDPL Tsaaro | KSA Personal Data Protection Law The key considerations of the data protection legislation are enumerated below: KEY CONSIDERATIONS IN PDPL
  • 12. Deceased Person PDPL also applies to the data of deceased persons if it can lead to the specific identification of the deceased person or his or her family. ‘Deceased persons’ included in the definition of data subjects. Recital 27 confirms that the GDPR does not apply to the personal data of deceased persons – only natural living persons. (Art 4(1), Rec. 27) The term is defined in Art. 4 (12). Personal data breach is "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" Personal Data Breach Any element of data, alone or in connection with other available data, that would enable the identification of a Saudi citizen. Comparison between the Personal Data Protection Law and The General Data Protection Regulation 11 Category GDPR PDPL Breach Notifications Breach must be notified “immediately” rather than within a specified period. Under Article 33 of GDPR, controller must notify the supervisory authority within 72 hours of being aware of the breach. Caveat to Disclosure of personal data There is a caveat to the usual permitted disclosures of personal data by the controller if the disclosure could pose a security risk, damage the reputation of the Kingdom or impact Saudi Arabia’s relationship with other countries. Under Article 49 of GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. Suppose there is no decision on an adequate protection level. In that case, a transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Tsaaro | KSA Personal Data Protection Law
  • 13. 12 Caveat to Disclosure of personal data There is a caveat to the usual permitted disclosures of personal data by the controller if the disclosure could pose a security risk, damage the reputation of the Kingdom or impact Saudi Arabia’s relationship with other countries. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures) Standard data protection clauses adopted by the EU Commission or by a supervisory authority An approved code of conduct or an approved certification mechanism. (Articles: 44-50, Recitals: 101, 112, Chapter V) Category GDPR PDPL Cross Boarder Transfer Controllers will not be able to transfer personal data outside Saudi Arabia unless required to comply with an agreement to which the Kingdom is a party, (this is to serve Saudi interests or for other purposes that will be set out in the executive regulations). There are requirements to ensure that the data transfer or disclosure to a party outside the Kingdom does not impact national security or Saudi interests and to obtain the approval of SDAIA ie. Saudi Data & Artificial Intelligence Authority. GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. In a case of no adequate protection level transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures) Standard data protection clauses adopted by the EU Commission or by a supervisory authority An approved code of conduct; or An approved certification mechanism. (Articles: 44-50, Recitals: 101, 112, Chapter V) Registration and RoPA Data Controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is yet to be published in the Regulations. Records of Processing Activity (RoPA) must also registered with SDAIA. Article 30 of GDPR requires to have a record of processing activities. On demand of the authority the data controller or the data processor provides the record of processing activities. But there is no obligation under GDPR to notify about RoPA or register data controllers with the data protection authority . Tsaaro | KSA Personal Data Protection Law
  • 14. 13 Category GDPR PDPL Registration Official documents must not be photocopied It is a common practice in the region for official documents such as passports or ID cards to be photocopied. The PDPL prohibits this unless it is for the implementation of the provisions of a law, or if a competent public authority requests these, in accordance with the PDPL regulations. No such condition laid down. No “directing services” or “monitoring” test for foreign business PDPL applies to any entity located outside of KSA who is processing the personal data of individuals residing in KSA. No particular quantitative threshold or qualitative tests are set out. Authority. Only applies to non-EU established entities who are engaged in targeting, offering goods or services to or monitoring EU individuals. Exceptions to Consent achieves a definite or certain interest for the data owner and it is impossible or difficult to contact them; As required by law or in application of a prior agreement to which the data owner is a party]; or Is done by a public entity and such processing is required for security purposes or to meet judicial requirements Data owner consent is not required where the processing: Processing is necessary to satisfy a contract to which the data subject is a party: You need to process the data to comply with a legal obligation. You need to process the data to save somebody’s life. Processing is necessary to perform a task in the public interest or to carry out some official function. You have a legitimate interest to process someone’s personal data. (Art. 6) GDPR does not explicitly mention exceptions to consent to process personal data of individuals, rather it states the lawful basis for processing of personal data of individuals other than consent. Following are the lawful basis for processing of personal data of individuals : Tsaaro | KSA Personal Data Protection Law
  • 15. 14 Category GDPR PDPL Need to obtain a license or appoint licensed representative Article 33 of the PDPL provides that the Authority shall be responsible for issuing licenses to commercial, professional or non-profit businesses under the PDPL, however it does not expressly state what, if any, additional licenses a business will need to obtain in order to process personal data. Non-KSA based data processing entities which process personal data related to individuals residing in KSA will have to appoint a representative in KSA, licensed by the Authority, to carry out its obligations under the law. Similar to the requirement under GDPR for non-European established businesses which are subject to GDPR to appoint a representative in the union. Data protection Officer The Entity shall identify and appoint a Chief Data Officer to lead the Data Management and Personal Data Protection agenda. The Chief Data Officer's (CDO) responsibilities shall be highlighted in a job description and aligned with the responsibilities defined in the “Organizational Manual” published by NDMO. Appoint a DPO (Article 37) and a representative under certain conditions. Under Article 4(21) of GDPR: " ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation" Penalties Fines of up to SAR 3m (approx. GBP 590,000) for disclosure or publication of sensitive data in breach of PDPL -up to SAR 1m (approx. GBP 200,000) for breaches of data transfer rules, -Offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL. -General fine of SAR 5m (approx. GBP 1,000,000) for any violation of the PDPL. GDPR has an upper cap on its monetary penalties, either: 2% of global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher. This depends on the level of violation, which is decided by the member states and public authorities. (Articles: 83, 84 Recitals: 158, 149) Tsaaro | KSA Personal Data Protection Law
  • 16. CHALLENGES FOR ORGANISATIONS 15 Compliance of data sovereignty regulations in cross boarder transfer of data Compliance with sever other sectorial stakeholders and regulations (Eg. CITC, SAMA) Operationalization and classification of data to mitigate any identified data sovereignty risks The concepts of privacy and data protection have to be embedded in the approach of an organization Vendor management Compliance with international standardizations Establishing robust Cybersecurity and Privacy management Tsaaro | KSA Personal Data Protection Law
  • 17. CONCLUSION The vision behind PDPL is commendable and will usher in more countries to establish a data protection and privacy regime. The Kingdom has long-term goals to facilitate an emerging data driven economy. In the coming months there will further details and guidance on the law and its implementation. The business models that are set up in the Kingdom will have to ensure compliance and work towards establishing a privacy aware and protecting mechanism in functioning of their organisations. In addition to establishing a data protection law that protects the rights of individuals it is essential to understand the challenges that an organisation/ company will face in an effort to accelerate the drive towards an information based society. The organisations/ companies have to take into consideration compliance audit, gap analysis, governance, training and development, and compliance programme so that they are not in breach of PDPL. In conclusion the steps taken by Kingdom of Saudi Arabia is a welcome change which aligns the need of a robust privacy and data mechanism around the world. This will only lead to strengthening the basic Human Rights of Individuals. The kingdom of Saudi Arabia has paved the way for many other middle - eastern countries to move towards providing a system where personal data of individuals is of primary importance and protection of it is essential. 16 Tsaaro | KSA Personal Data Protection Law
  • 18. Tsaaro Netherlands Office Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands P: +31-686053719 Akarsh Singh (CEO & Co-Founder, Tsaaro) Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance. Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy, DPIA to name a few, delivered by our expert privacy professionals recognized by IAPP. WHY TSAARO? CONTACT US You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro. Email us info@tsaaro.com Tsaaro India Office Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer RingRoad, Bangalore- 560045 India P: +91-0522–3581 Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro) Krishna is a xKPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance. Srishti Tripathy (Senior Data Protection Consultant, Tsaaro) Srishti is a privacy professional with a Masters degree from Tilburg University in Law and Technology. Reviewer Anselmo Diaz Valiente (Senior Consultant|NCC Group) Anselmo is an experienced consultant involved in a variety of projects, requiring the application of expert knowledge in Information Security and Data Protection. Ample of experience in auditing and providing consultancy to organisations across diverse sectors. Our Team