1. Overview of the Personal Data Protection Law
The digitization of data across most public and private entities following the advent of the internet and smart devices has made accessing, storing, and sharing data remarkably easy. Digital data has become a highly valuable commodity that companies seek to acquire and use for informational and marketing purposes. This situation has created an urgent need for legal regulations to protect individuals' personal data. As a result, the Personal Data Protection Law was issued in the Kingdom of Saudi Arabia by Royal Decree No. (M/19) dated 1443/02/09H and Council of Ministers' Resolution No. (98) dated 1443/02/07H. This law aims to protect the rights related to the processing of personal data and regulate its sharing among entities, while also preventing its misuse, thereby supporting and fostering the growth of the Saudi economy by building trust in the data sector.
The law defines personal data as: "Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature." The law also defines the owner of personal data (the data subject) as: "The individual to whom the Personal Data relate."
The importance of this law primarily lies in its role in maintaining data privacy during its sharing and processing, contributing to the creation of a data-driven digital economy. It reinforces respect for personal life, fosters a vibrant and secure community, and prohibits the use of personal communication means for marketing or awareness purposes without the owner's consent, except for awareness materials sent by public entities.
2. Provisions for Processing Personal Data
The Law defines processing as: "Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data." It also defines the controlling entity (the controller) as: "Any public entity or any private legal or natural person that determines the purpose and means of processing personal data, whether by itself or through a processing entity." The processing entity (the processor) is defined as: "Any public entity or any private legal or natural person that processes personal data on behalf of and in the interest of the controlling entity."
The Law clarifies the relationship between the controlling entity and the processing entity as follows:
The data controller, when selecting a data processor, must choose an entity that provides the necessary guarantees for the implementation of the provisions of the law and regulations. The data controller must verify the compliance of the data processor with the provisions of the law and regulations. This does not affect the data controller's responsibilities towards the data subject or the relevant authority, as applicable. The regulations will specify the necessary provisions for this, including provisions related to any subsequent contracts made by the data processor.
The data controller may establish periods during which the data subject can exercise their right to access their personal data held by the data controller, in accordance with the controls and procedures specified by the regulations. The data controller may also restrict this right if it is necessary to protect the data subject or others from harm, according to the provisions specified by the regulations. If the data controller is a public authority, restrictions may be applied if required for security purposes, to implement another law, or to meet judicial requirements.
A key provision is that personal data may not be processed, and the purpose of its processing may not be changed, without the consent of the data subject. The data subject may withdraw that consent. Consent cannot be made a condition for receiving a service except where the processing serves an actual interest of the data subject, is required by another law, or implements a prior agreement with the data subject. If the controller is a public entity, processing for security purposes or to meet judicial requirements does not require the data subject's consent.
The law also excepts the following cases:
The information is already available to the Data Subject.
The provision of such information proves impossible or would involve a disproportionate effort.
The Controller collects the data to fulfill a legal requirement.
The Controller is a Public Entity and the collection of Personal Data is for security purposes, to fulfill judicial requirements, or to achieve a Public Interest.
The Personal Data is subject to an obligation of professional secrecy regulated by a law.
3. Provisions for Implementing the Personal Data Protection Law
The law applies to any processing of personal data related to individuals that takes place within the Kingdom of Saudi Arabia, by any means. This includes personal data related to residents of the Kingdom, and data of deceased individuals if it leads to the identification of them or of any of their family members specifically. However, the law does not apply to individuals who process personal data for purposes that do not exceed personal and family use, as long as the data is not published or disclosed to others.
The Personal Data Protection Law guarantees several rights for individuals concerning their personal data. Data subjects have the right to be informed of the purpose of the collection and processing of their data. They can also access the data, obtain a copy of it, and request its correction, updating, and destruction once the purpose of its collection has been fulfilled. Additionally, they have the right to restrict the processing of personal data in specific cases and for limited periods. Data subjects may also object to the processing of their personal data or withdraw their consent in the situations specified by the law.
4. Provisions for the Acquisition of Personal Data by the Controller
The Law stipulates, as the default rule, that the controller may collect personal data only directly from the data subject and only for the purposes for which it is collected. The Law makes an exception allowing the controller to collect personal data from a source other than the data subject where the data subject agrees, the data is publicly available, adhering to the prohibition would cause harm to the data subject, or the data is not recorded or stored in a form that allows the data subject to be identified. The purpose of collecting the personal data must also be directly related to the controller's purposes.
Additionally, when a public entity is the controller and collects personal data not directly from the data subject, processes it for a purpose other than the one for which it was initially collected, or requests disclosure of such data to achieve a public interest, the public entity shall comply with the following:
Ensure that this is necessary to achieve a clearly defined public interest.
The public interest must relate to the public entity's mandate, as specified in the regulations.
Take suitable measures to limit the damage that may result, including implementing the necessary administrative and technical controls to ensure its staff comply with the provisions of Article 41 of the law.
Record those operations in the records of personal data processing activities.
Collect and process the minimum necessary personal data to achieve the data processing purpose.
The Law has outlined a number of elements of which the controller must inform the data subject before beginning data collection. These include the parties to whom the data will be disclosed, the legal justification for collecting it, the purpose of the collection, whether providing all of the data is mandatory, the identity and address of the data collector (unless the collection is for security purposes), the potential effects and risks of not completing the data collection, and any other elements specified by the Personal Data Protection Law or its regulations.
5. Disclosure and Destruction of Personal Data
Although the Personal Data Protection Law has stipulated cases that allow the controlling entity to disclose personal data, it has also stipulated a number of cases in which the controlling entity must refrain from disclosure, namely where the disclosure:
Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
Affects the Kingdom's relations with any other state.
Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
Compromises the safety of an individual.
Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
Conflicts with the interests of a person that fully or partially lacks legal capacity.
Violates legally established professional obligations.
Involves a violation of an obligation, procedure, or judicial decision.
Exposes the identity of a confidential source of information in a manner detrimental to the public interest.
The Law also obligates the controlling entity to notify, without delay, any other party to whom the data was previously disclosed of any corrections made to the personal data.
Regarding the destruction of personal data, the controlling entity must dispose of it without delay once the purpose for collecting the data has been fulfilled. It may, however, retain the data after the purpose has been served, provided that all information leading to the identification of the data subject has been removed.
Nevertheless, the controlling entity must retain the personal data even after the purpose for which it was collected has expired if a legal justification requires its retention for a specific period, after which it shall be destroyed, or if the personal data is closely related to a case pending before a judicial authority and its retention is required for that purpose, in which case it shall be destroyed after the judicial procedures related to the case are completed.
6. Commitment of the Controller to Preserve Personal Data
According to the executive regulations of the Personal Data Protection Law ("PDPL"), the data controller must take the necessary organizational, administrative, and technical measures to ensure the security of personal data and the privacy of its owners, and comply with the following:
Implement the necessary security and technical measures to mitigate the security risks of personal data breaches.
Adhere to the relevant controls, standards, and rules issued by the National Cybersecurity Authority ("NCA"), or to recognized cybersecurity best practices and standards if the data controller is not obligated to apply the controls, standards, and rules issued by the NCA.
In the event of a personal data breach, the data controller must also notify the competent authority within a period not exceeding (72) hours from the time it becomes aware of the incident, if the breach is likely to harm the personal data or the data subject, or if it conflicts with their rights or interests. The competent authority in this case is the Saudi Data and Artificial Intelligence Authority (SDAIA).
In addition, PDPL executive regulations have specified the processing of health and credit data in a manner that ensures the preservation of the privacy of its owners and the protection of their rights as follows:
Processing Health Data:
The Controller shall take the appropriate organizational, technical, and administrative measures to protect Health Data from any unauthorized use, misuse, use for purposes other than those for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners, and it shall, in particular, take the following controls and procedures:
Adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other related entities involved in regulating Health Services and health insurance services, that specify the tasks and responsibilities of employees of health care providers, health insurance companies, health insurance claims management companies and those which are contracted by them carrying out the Processing of Health Data.
Adopt the provisions of the Law and its Regulations into the internal policies of the Controller.
Distribute tasks and responsibilities among employees or workers in a way that prevents overlapping specializations and diffusion of responsibility, taking into account the different levels of access to data among employees or workers in a manner that guarantees the highest degree of Data Subject privacy.
Document all stages of Health Data Processing and provide the means to identify the person in charge for each stage.
The agreement between the Controller and the Processors to conduct work or tasks related to Health Data Processing shall include provisions that oblige them to abide by the procedures and measures stated in this Article.
Health Data Processing should be limited to the minimum necessary to provide healthcare services and products or health insurance programs.
Processing Credit Data:
Without prejudice to the provisions of the Credit Information Law, the Controller shall take organizational, technical, and administrative measures to protect Credit Data from any unauthorized use, misuse, access by unauthorized individuals, use for purposes other than for which it was collected, and Disclosure. The Controller shall adopt the following controls and procedures:
Adopt and implement the requirements and controls issued by the Saudi Central Bank and other relevant authorities, which define the roles and responsibilities of employees of establishments providing credit information services and of the parties that have contracts with such establishments to process Credit Data.
The Controller shall obtain the Data Subject's consent and notify them of any request to disclose their Credit Data in accordance with the provisions of the Credit Information Law, while considering the provisions stated in subparagraph (d) of paragraph (1) of Article 11 of the Executive Regulations.
7. Provisions on the Use of Personal Data in Advertising or Awareness-Raising Materials
The Personal Data Protection Law restricts the controller's use of personal data to send advertising or awareness-raising materials. The controller is not allowed to use the personal communication means of the data subject for sending advertising or awareness-raising materials, except for awareness-raising materials sent by public authorities. Otherwise, the consent of the targeted recipient must be obtained before sending such materials, according to the conditions specified in the Personal Data Protection regulations, as follows:
The consent must be given freely, and no misleading methods should be used to obtain it.
The recipient must be enabled to customize their preferences regarding the promotional or awareness materials subject to consent.
The recipient's consent must be documented using means that allow for future verification, and the sender must provide a clear mechanism that enables the targeted recipient to request that the materials stop if they wish to do so.
However, except for sensitive data, personal data may be processed for marketing purposes if it was collected directly from the data subject. The Law defined sensitive data as "Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual's parents are unknown."
The law also allowed the collection and processing of personal data for scientific, research, or statistical purposes without the consent of the data owner, if the personal data does not contain any specific identification of the data subject.
8. Retention of Personal Data Records by the Controller
The retention of personal data processing records by the controlling entity is addressed by the Personal Data Protection Law. The Law allows the controlling entity to retain records of personal data processing activities for a period determined by the regulations, based on the nature of the activity the controller performs, provided that the records include at minimum the following:
Contact details of the Controller.
The purpose of the Personal Data Processing.
Description of the categories of Personal Data Subjects.
Any other entity to which Personal Data has been, or will be, disclosed.
Whether the Personal Data has been or will be transferred outside the Kingdom or disclosed to an entity outside the Kingdom.
The expected period for which Personal Data shall be retained.
As for official documents that establish the identity of the data subject, it is not permissible to photograph or copy them except in implementation of the provisions of the Law or when a competent public entity requests it, as determined by the regulations.
9. Penalties for Violating the Provisions of the Personal Data Protection Law
The Personal Data Protection Law stipulates the violations and the penalties prescribed for each of them. Anyone who violates the provisions on transferring data outside the Kingdom shall be punished by imprisonment for a period not exceeding one year and/or a fine not exceeding SAR one million. Anyone who discloses or publishes sensitive data with the intent to harm the data subject or to achieve personal benefit shall be punished by imprisonment for a period not exceeding two years and/or a fine not exceeding SAR three million.
The Public Prosecution is responsible for investigating these violations and prosecuting them before the competent court. The competent court may also double the penalty in case of recidivism, even if this exceeds the stated maximum, provided the doubled penalty does not exceed twice that maximum. In the absence of a specific provision, the competent authority (SDAIA) shall form a committee to consider the violations and impose penalties, either a warning or a fine not exceeding SAR five million, on each individual or entity that has violated the provisions of the Personal Data Protection Law and its Regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.