Saudi Arabia Personal Data Protection Law (PDPL)

Saudi Arabia joined a growing number of countries that have enacted privacy and data protection laws with its Personal Data Protection Law (PDPL), which took effect on September 14th, 2023.

This article explains what the PDPL is, who it applies to, how to comply with the PDPL, and what happens if you don't abide by the PDPL.

What is the Personal Data Protection Law (PDPL)?

The Personal Data Protection Law (PDPL) is the Kingdom of Saudi Arabia's data privacy law. It was designed to protect the personal information of anyone who resides in Saudi Arabia and regulate how controllers (those who make decisions about how and why to process or use data) and processors (those who process data) treat personal data.

Personal data is any information that can be used (either directly or indirectly) to identify an individual.

Personal data under the PDPL can include the following:

• Names
• ID numbers
• Addresses (including email addresses)
• Phone numbers
• License numbers
• Records
• Financial information
• Photos or videos of an individual
• Opinions and inferences of an individual
• Certain data belonging to deceased persons

Here's how the PDPL defines personal data, as any information that can potentially identify an individual:

Who Does the Personal Data Protection Law (PDPL) Apply to?

The Personal Data Protection Law (PDPL) applies to any entities that process personal data within Saudi Arabia, as well as any entities located outside of Saudi Arabia that process personal data belonging to anyone who resides within the Kingdom (regardless of citizenship or residency status).

Article 2 of the PDPL explains that the law applies to anyone who processes personal data within Saudi Arabia or anyone who processes personal data belonging to individuals residing in Saudi Arabia:

Who is Exempt from the Personal Data Protection Law (PDPL)?

The Personal Data Protection Law (PDPL) does not apply to the processing of personal data that is done at an individual level and is only used for personal or family purposes, as long as the data subject (person to whom the data belongs) did not publish or disclose the data.

Article 2 of the Implementing Regulation of the PDPL explains that individuals processing personal data for personal or family use do not need to comply with the law:

What Does the Personal Data Protection Law (PDPL) Require?

The Personal Data Protection Law (PDPL) requires processors to fulfill the following duties:

• Inform individuals before collecting their personal data
• Get consent
• Provide a way for individuals to exercise their rights
• Limit data collection to that which is essential to fulfill their purposes
• Keep data secure
• Maintain data processing records
• Conduct data protection impact assessments
• Appoint a data protection officer (DPO)
• Maintain a Privacy Policy

How Do You Comply With the Personal Data Protection Law (PDPL)?

There are a few steps you can take to comply with the PDPL, including informing individuals and getting their consent before collecting personal data, keeping personal data secure, and maintaining a Privacy Policy.

Inform Individuals Before Collecting Their Personal Data

If you are collecting personal data directly from a data subject, you must inform them of the following at the point of collection:

• Your legal basis for collecting their personal information
• What you intend to do with their personal data and whether the data collection is mandatory or optional
• That their data will only be used for the purposes outlined
• Your identity and address (unless the data is being collected for security reasons)
• A list of any third parties you will share the personal data with (and whether the personal data will be transferred outside of Saudi Arabia)
• Any consequences or risks arising from not collecting their data
• A list of their rights under the PDPL

Article 13 of the Personal Data Protection Law (PDPL) explains that data controllers must identify themselves and notify individuals of why they are collecting personal data, among other information, at the time of data collection:

Jarir uses a Cookie Banner to inform users that it uses cookies to process personal data. It lets users know why it processes personal data and that users can withdraw their consent at any time. The Cookie Banner contains buttons that enable users to accept all cookies or change their cookie preferences, and includes links to its Terms and Conditions agreement and Legal Notice:

Get Consent

The Personal Data Protection Law (PDPL) requires organizations to get individuals' consent before sending advertising or awareness-raising materials via personal means of communication (such as email).

A mechanism that enables the recipient to request to opt out of receiving future materials must also be provided.

Article 25 of the Personal Data Protection Law (PDPL) explains that data controllers cannot use personal means of communication to send advertising or awareness-raising materials unless they get consent before sending the materials and provide the recipient a way to decline future correspondence:

Users who want to sign up for a Centrepoint account must first tick a checkbox stating that they consent to have their personal information processed:

Provide a Way for Individuals to Exercise Their Rights

Applicable organizations must give data subjects a way to exercise their rights.

The Personal Data Protection Law (PDPL) grants individuals the following rights:

• The right to be informed about how their personal data is used
• The right to access their personal data
• The right to request provision of their personal data
• The right to request their personal data be corrected
• The right to request their personal data be destroyed
• The right to withdraw their consent to have their personal data processed

You must enable data subjects to exercise their rights via the following methods:

• Email
• Text messages
• The national address
• Electronic applications
• Any communication method used for this purpose

Data controllers must respond to any requests they receive from data subjects regarding their rights within 30 days. If necessary, this time period may be extended for up to an additional 30 days.

Article 3 of the Implementing Regulation of the PDPL explains that data controllers must respond to data subject requests within 30 days of receiving their requests:

Limit Data Collection

You should limit personal data collection to that which fulfills your purposes. Once the data has fulfilled its purpose, you should stop collection and destroy the data.

Article 11 of the Personal Data Protection Law (PDPL) requires data controllers to only collect personal data that is directly related to their purposes:

Keep Data Secure

The Personal Data Protection Law (PDPL) requires data controllers to keep the personal data they collect and process secure.

To comply with the PDPL's data security requirements, data controllers should:

• Implement safety measures to ensure the security of personal data
• Notify data subjects of any data breaches that may affect them
• Only disclose personal data with data subject consent (or when legally required to do so)
• Ensure that data processors comply with the PDPL

Article 8 of the Personal Data Protection Law (PDPL) states that data controllers should only work with data processors that comply with the PDPL, and should monitor processors to ensure their compliance:

Take Special Precautions With Sensitive Data

The Personal Data Protection Law (PDPL) requires entities that process sensitive data to take additional precautions.

Businesses that use consent as their legal basis for processing sensitive data must get an individual's explicit consent before processing their sensitive data and are not allowed to process sensitive data for marketing purposes, even if they have obtained consent.

Sensitive data is a special category of personal data that can include the following types of information:

• Race
• Ethnicity
• Religious, philosophical, or political beliefs
• Previous criminal offenses or convictions
• Genetic data
• Health-related data
• Information on an individual's unknown parentage

Article 1 of the Personal Data Protection Law (PDPL) lists the categories of personal information that count as sensitive data under the law:

Maintain Data Processing Records

The Personal Data Protection Law (PDPL) requires data controllers to maintain records describing their data processing activities.

Your data processing records should contain the following information:

• Your contact information
• Your reason for processing personal data
• Categories of data subjects from whom you collect personal information
• Third parties that you disclose personal data to
• Whether you have transferred or disclosed personal data to anyone outside of Saudi Arabia
• How long you intend to retain the personal data you collect

Article 31 of the Personal Data Protection Law (PDPL) lists the information data controllers' data processing records should contain, including your reasons for processing personal data and any entities you share personal data with:

Conduct Data Impact Assessments

You will need to conduct data impact assessments to identify the potential risks involved with certain data processing activities.

Data processing activities that necessitate a data impact assessment include:

• Processing sensitive data
• Collecting, linking, or comparing sets of personal data from different sources
• Continuous or large-scale activity that involves processing data from data subjects who lack legal capacity
• Continuous or large-scale activity that by its nature requires continuous monitoring of data subjects
• Continuous or large-scale activity that involves making decisions based on automated data processing
• Providing a product or service that is likely to have a negative impact on the data subjects' privacy

Impact assessments should include the following information:

• Why you are processing the data and its legal basis
• The nature of the processing, categories and sources of the personal data to be processed, and any third parties the personal data will be shared with
• The geographical scope of the data processing
• A description of the relationship between the data subject, controller, and processors
• What measures will be taken to ensure minimal data processing
• What impact the data processing will likely have on data subjects
• What measures will be taken to limit or prevent risks

You should provide a copy of the impact assessment to any processors who process personal data on your behalf.

Article 25 of the Implementing Regulation of the PDPL describes the types of data processing activities that require an impact assessment, including the processing of sensitive data:

Appoint a Data Protection Officer

The Personal Data Protection Law (PDPL) requires certain data controllers to appoint a Data Protection Officer (DPO) to ensure the protection of personal data.

Data controllers who meet any of the following criteria should appoint a DPO:

• The controller is a public entity that offers services involving processing personal data on a large scale
• The controller's data processing activities require continuous monitoring of individuals on a large scale
• The controller's core activities are comprised of processing sensitive data

Article 32 of the Implementation Regulation of the PDPL lists the types of data processing activities that necessitate a DPO:

Maintain a Privacy Policy

You must maintain a Privacy Policy that data subjects can access before you collect their personal data.

A Privacy Policy is a legal document that explains how you handle users' personal information and how they can exercise their rights.

Your Privacy Policy should contain the following information:

• Your reasons for collecting personal data
• What categories of personal data you intend to collect
• How you will collect personal data
• How you will process, store, and destroy personal data
• A list of data subject rights and a description of how individuals can exercise those rights

Article 12 of the Personal Data Protection Law (PDPL) lists the types of information data controllers' Privacy Policies must contain:

Let's take a closer look at each of the clauses needed to create a PDPL-compliant Privacy Policy.

Why You Collect Personal Data

This clause describes your reasons for collecting personal data.

Jarir's Privacy Policy explains that it processes personal data to provide requested products and services and improve the customer experience, and for communication, marketing, and legal compliance purposes:

What Types of Personal Data You Collect

You should let users know the types of personal data you collect, such as names, email addresses, or shipping information.

Jarir's Privacy Policy lets users know that the personal data it collects includes names, contact and payment information, purchase history, and browsing activity:

How You Collect Personal Data

This clause explains how you collect personal data, such as directly from a user, or via cookies or a third party.

Namshi's Privacy Policy explains that it collects personal data directly, such as when users register or subscribe, and indirectly, such as through third-party vendors:

eXra's Privacy Policy explains that it collects information from users when they visit its website and use its service, when they provide information directly, and when they make financial transactions:

How You Process, Store, and Delete Personal Data

Your Privacy Policy should explain how you use, store, and destroy personal data.

Namshi's Privacy Policy lets users know that it only stores personal data as long as necessary to fulfill its purposes:

How Data Subjects Can Exercise Their Rights

This clause informs subjects of their rights and lets them know how they can exercise those rights.

Jarir's Privacy Policy lists users' rights concerning their personal data and explains how they can manage their personal data and exercise their rights:

Maintaining a Privacy Policy is an effective way to comply with many of the PDPL's requirements, as it can serve to inform users about your data practices, help you get consent, and provide a way for data subjects to exercise their rights.

What are the Penalties for Not Complying With the Personal Data Protection Law (PDPL)?

Anyone who discloses or publishes sensitive data with the intention of harming the data subject or securing personal gain faces up to two years of prison time, and/or a fine of up to three million Riyals. If they are a repeat offender, they may receive double the fine.

In other cases, individuals who violate the Personal Data Protection Law (PDPL) may receive a warning or a fine of up to five million dollars, the amount of which can be doubled for repeat offenders.

Article 35 of the Personal Data Protection Law (PDPL) details the punishments you can face if you break the law, including imprisonment and financial penalties:

Summary

The Personal Data Protection Law (PDPL) provides rules for anyone who processes personal data within Saudi Arabia or processes personal data belonging to anyone who resides in Saudi Arabia.

Individuals who use personal data for personal or family use are exempt from the PDPL.

The Personal Data Protection Law (PDPL) requires data controllers and processors to:

• Notify and get consent from individuals before collecting their personal data
• Provide a way for data subjects to exercise their rights
• Limit data collection
• Keep personal data safe
• Maintain data processing records
• Conduct data impact assessments
• Appoint a DPO (if applicable)
• Maintain a Privacy Policy

To comply with the Personal Data Protection Law (PDPL), your Privacy Policy should include the following clauses:

• Why you collect personal data
• What types of personal data you collect
• How you collect personal data
• How you process, store, and destroy personal data
• Data subject's privacy rights and how they can exercise them

Anyone who violates the Personal Data Protection Law (PDPL) can face imprisonment and financial penalties of up to five million Riyals.