In today's digital world, protecting personal data has become crucial.
The government of the Kingdom of Saudi Arabia ("KSA") recognizes this importance and has put in place a comprehensive regulatory framework for the protection of personal data, guiding how personal data is managed by the entities that process it.
This article will explore some key questions about data protection regulations in the KSA.
1. What legislation governs data protection in KSA?
Data protection and privacy in the KSA are governed by several key regulations:
- Royal Decree No. M/19, 1443 AH ("KSA Data Protection Law"): This primary legislation, issued by Royal Decree No. M/19, governs the protection and privacy of personal data in KSA. It establishes comprehensive rules for data processing, protection, and privacy, effective as of September 14, 2023.
- Cabinet Decision No. 98, 1443 AH: This decision supplements the Data Protection Law, providing additional directives to data controllers. It includes a one-year grace period from the effective date of the law to help organizations achieve compliance.
- Administrative Decision No. 1516, 1445 AH ("Implementing Regulation"): This administrative decision implements the regulations required by the Personal Data Protection Law. It provides detailed procedural guidelines to support compliance and enforcement, in effect from September 14, 2023.
- Royal Decree No. M/37, 1429 AH Credit Information Law: This law, along with its implementing regulations under Royal Decree No. M/37 and Cabinet Decision No. 188/1429, governs the processing, sharing, and protection of credit information in KSA, ensuring confidentiality and security for individual and corporate credit data.
- Decree No. M/12, 1422 AH Telecommunications Act: This legislation oversees telecommunications service providers in KSA, including provisions for customer data protection, confidentiality, and procedures for accessing and amending telecommunications data.
2. Where Does the KSA Data Protection Law Apply?
The territorial scope of the KSA Data Protection Law is addressed in two parts: within KSA and outside of KSA.
- Within KSA: KSA Data Protection Law applies to the processing of personal data across all territories under the Kingdom's jurisdiction. This includes not only the geographical boundaries of KSA but also extends to its embassies in foreign countries.
- Outside of KSA: KSA Data Protection Law also has extraterritorial application, meaning it governs the processing of personal data belonging to KSA residents even when processed outside the Kingdom. This covers KSA citizens as well as other individuals residing in KSA on a temporary or permanent basis.
This framework ensures that the privacy rights of KSA residents are protected, both domestically and internationally.
3. What are the main principles in KSA Data Protection?
KSA Data Protection Law is based on core principles similar to those in international regulations for data protection and privacy. These include fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
According to KSA Data Protection Law, controllers must adhere to the following key principles:
- Lawfulness, Fairness, and Transparency: The data controller must process data on a fair, lawful basis and in a transparent manner.
- Data Minimization: Only data that is necessary for the specific purpose should be collected and processed, avoiding the processing of unnecessary data.
- Storage Limitation: The data controller must not retain data longer than needed; once the purpose is fulfilled, the data should be deleted.
- Purpose Limitation: The data controller should only process personal data for specified and lawful purposes.
- Accountability: Data controllers must be accountable for their data processing activities and implement appropriate measures to ensure compliance.
- Integrity and Confidentiality: The data controller should protect the integrity and confidentiality of data by implementing security measures to prevent unauthorized access.
These principles are designed to ensure that data controllers handle personal data securely, transparently, and in compliance with legal standards.
4. What is Personal Data according to Saudi Personal Data Protection Law?
Saudi Data Protection Law defines personal data as "every data, of whatever source or form, that would lead to the identification of the individual specifically, or make it possible to identify them directly or indirectly, including their name, personal identification number, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of natural person."
Non-personal data consists of information that does not reveal an individual's identity, such as a company's registration number, corporate address, or generic email addresses like info@companyname.com.
5. What is Sensitive Personal Data according to Saudi Personal Data Protection Law?
Sensitive Data is any personal data related to the individual's ethnic or tribal origin, or religious, intellectual or political belief, as well as criminal and security data, identifying biometric data, genetic data, health data, and data that indicates that one or both parents of the individual are unknown.
It is important to be aware of the difference between sensitive data and non-sensitive personal data, because the processing of sensitive data is subject to more restrictions and stricter rules under the KSA Personal Data Protection Law.
6. What are the key differences in responsibilities between Data Controllers and Data Processors under the KSA Personal Data Protection Law?
6.1. Definitions:
Data Controller: A natural or legal person, public authority, agency, or other body that, either alone or jointly with others, determines the purposes and means of processing personal data.
Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.
6.2. Obligations of the Data Controller:
Under the Saudi Data Protection Law, the Data Controller must:
- Ensure the accuracy, completeness, and relevance of personal data before processing it.
- Maintain a record of processing activities for a period prescribed by Implementing Regulation.
- Train all staff in the company on data protection rules.
- Present a privacy policy to data subjects and ensure its availability.
- Evaluate the impact of personal data processing.
- Verify the Data Processor's compliance with its instructions related to data protection.
- Notify the relevant supervisory authority immediately upon discovering any data breach, leakage, or unauthorized access to personal data.
- Comply with additional requirements that may vary based on the industry.
6.3. Obligations of the Data Processor:
Under the KSA Data Protection Law, the Data Processor must:
- Handle personal data in accordance with a Data Processing Agreement established between the Data Controller and the Processor.
- Follow the Controller's instructions regarding the processing of personal data.
- Assist the Controller by implementing necessary organizational, administrative, and technical safeguards to protect the data.
- Ensure that, if sub-processors are engaged:
  - Contracts with sub-processors do not diminish the level of protection for the personal data.
  - Sub-processors provide adequate guarantees to comply with the KSA Data Protection Law and applicable regulations.
  - The Controller is notified of any engagement of sub-processors and is given the right to object within an agreed-upon timeframe.
7. What are the Requirements for a Controller to Transfer Personal Data Outside of KSA?
A data controller may transfer or disclose personal data to an external party outside of the KSA for specific purposes, including:
- To fulfill an obligation under an agreement in which KSA is involved.
- To serve the interests of KSA.
- To perform an obligation to which the data subject is a party.
- To meet other objectives as outlined in Implementing Regulation.
If personal data is transferred for any of these reasons, the following conditions must be met:
- The transfer or disclosure should not negatively impact KSA's national security or vital interests.
- Adequate safeguards must be in place to protect the confidentiality of the data, meeting the minimum standards specified in Royal Decree No. M/19, 1443 AH (Cabinet Decision No. 98, 1443 AH).
- The amount of personal data transferred should be limited to only what is necessary.
- Approval for the transfer or disclosure must be obtained from the relevant data authority.
These requirements ensure that data transfers outside of KSA are conducted responsibly and securely, with the necessary protections in place.
8. What are the lawful bases for personal data processing?
The general lawful bases are laid out in Articles 5 and 6 of the Saudi Data Protection Law. According to these articles, the lawful bases are as follows:
- Consent: the data subject has given consent to the processing of his or her personal data.
- Vital interests: the processing serves the actual interests of the data subject, but communicating with the data subject is impossible or difficult; for instance, the processing is necessary to protect someone's life.
- Performance of contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law but not including contractual obligations.
- Public interest: the Controller is a public entity and the processing is required for security purposes or to satisfy judicial requirements.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. Sensitive data cannot be processed based on this basis.
Consent requirements are detailed in the Implementing Regulation. According to the Implementing Regulation, consent must be given freely, obtained through transparent methods, and provided in writing. The purposes of processing must be clear, specific, and explained to the data subject before or at the time consent is requested. Separate consent must be obtained for each purpose. Additionally, it must be easy for the data subject to withdraw consent if they choose. If consent is withdrawn, the Controller must stop processing without undue delay following the request.
Explicit consent means that the person clearly agrees to the use of their personal data, leaving no room for misunderstanding. This consent must be clear and provable, showing that the person knowingly accepted it. For instance, the data subject must take a clear action, such as clicking a consent box, to approve the processing.
9. What are the criteria for processing personal data based on legitimate interest?
According to the Implementing Regulation under Article 16, controllers may process personal data based on legitimate interest, provided they adhere to specific criteria. Processing must not violate local laws, and there should be a balance between the controller's interests and the rights of the data subject. Sensitive data cannot be processed under this basis, and the data subject's reasonable expectations must be met. Legitimate interests include fraud detection, network security, and similar purposes. Prior to processing, an impact assessment must be conducted to ensure compliance and minimize risks to data subjects, with adjustments made if any potential harm or legal infringement is identified.
10. What is a Data Processing Impact Assessment, and when is it required?
A Data Processing Impact Assessment ("DPIA") is a structured evaluation that data controllers must perform to identify and mitigate risks associated with personal data processing activities. Required in cases involving sensitive data, data linking, large-scale or continuous processing, and emerging technologies, a DPIA examines the purpose, scope, and context of data processing. It ensures that processing is limited to what is necessary and proportionate, with a strong focus on minimizing any negative impact on data subjects. Key elements include an analysis of the processing's impact on individuals, any potential physical, psychological, social, or financial harm, and the likelihood of these risks. The DPIA also details preventive measures to reduce identified risks and ensures that processors are informed. If a DPIA identifies significant privacy risks, the controller must address them and reassess to ensure compliance with data protection standards.
11. What are the requirements for maintaining records of personal data processing activities?
Under Article 33 of the Implementing Regulation, controllers are required to maintain detailed records of all personal data processing activities throughout the processing period and for up to five years after processing ends. This record must include the controller's name and relevant contract details, as well as the following minimum elements: information about the Data Protection Officer (if applicable), processing purposes, categories of data and data subjects, retention periods, and categories of recipients. Additionally, it must document any international data transfers, including legal justifications and recipient details, as well as the security measures in place to protect personal data. These records must be kept accurate, regularly updated, and accessible to the Competent Authority upon request. The Competent Authority will also provide templates to help standardize record-keeping practices across controllers.
12. What are the rights of data subjects?
Data subjects are entitled to certain rights regarding the processing of their personal data. Articles 4, 5 and 34 of the Saudi Data Protection Law lay out these rights.
These rights are as follows:
- Right to be informed: Data subjects have the right to be informed about the lawful basis and the purpose of the collection of their personal data. For instance, an e-commerce website has to show its members how their personal data is processed.
- Right to access personal data: Data subjects have the right to access their personal data.
- Right to obtain personal data: Data subjects have the right to request that their personal data be provided to them in an understandable and clear format.
- Right to rectification of personal data: Data subjects can request to have their personal data corrected, completed or updated.
- Right to request destruction of personal data: Data subjects can request the destruction of their personal data.
- Right to withdraw consent: Data subjects can at any time withdraw their consent to the processing of their personal data.
- Right to submit a complaint to the Competent Authority: Data subjects can submit a complaint to the Competent Authority.
The Data Controller must address data subject requests concerning their rights under the Saudi Data Protection Law within a 30-day timeframe and without unnecessary delay. If responding requires excessive effort or if multiple requests are submitted, this period may be extended by an additional 30 days.
In such instances, the data subject should be informed in advance, including an explanation for the delay.
To facilitate these responses, the Controller should implement the following:
- A policy and procedure for handling data subject rights;
- A form for submitting requests through various channels;
- A trained data privacy team dedicated to managing requests efficiently;
- Technology tools to assist the team in processing requests.
Also, the implementing regulations outline how data subjects can submit a complaint to the Competent Authority. They specify that a complaint must be filed within 90 days of the incident or from when the data subject became aware of it. Additionally, the regulations describe what information the complaint should contain and the key steps the Competent Authority must take in addressing it.
13. What are the key requirements and responsibilities of a Data Protection Officer?
The Implementing Regulation mandates that a Data Protection Officer ("DPO") must be appointed by the Controller in specific cases, including when:
- the Controller is a public entity handling large-scale personal data processing,
- the Controller's main operations involve regular, continuous monitoring of individuals, or
- the Controller's core processing activities involve processing sensitive personal data.
The DPO's primary responsibilities, as outlined in the Implementing Regulation, include:
- serving as the main contact for the Competent Authority and implementing its directives,
- overseeing impact assessments, audit reports, and evaluations, and documenting these findings,
- maintaining and updating the records of personal data processing activities,
- enabling data subjects to exercise their rights,
- handling data subjects' requests and complaints,
- notifying the Competent Authority and data subjects of any data breaches, when required, and
- addressing and rectifying any data-related violations by the Controller.
14. What are the penalties for non-compliance?
Penalties for data privacy violations under the Saudi Data Protection Law include:
- Up to SAR 3 million fine or two years' imprisonment for disclosing sensitive data.
- Up to SAR 1 million fine or one year's imprisonment for data transfer violations.
- Fines up to SAR 5 million for other breaches, with potential doubling for repeat offenses.
The Implementing Regulation outlines further penalties, including:
- Up to SAR 500,000 fine or one year's imprisonment for unauthorized data access or privacy invasion.
- Up to SAR 2 million fine or three years' imprisonment for identity fraud and illegal credit data access.
- Up to SAR 5 million fine or ten years' imprisonment for terrorism-related online activities.
Additional sanctions may apply under insurance, banking, and healthcare regulations, with fines, license revocation, and professional disqualification.
15. What should companies do to comply with Data Protection Regulations in KSA?
Companies must first determine their role as either a data controller or processor, as each has specific obligations. They should provide clear privacy notices, obtain consent, and allow data subjects access to their data. Also, it's important to set up a data breach response plan, regularly review policies, and conduct Data Protection Impact Assessments (DPIAs) for high-risk activities. Employee training on data protection principles will further ensure compliance and secure data handling, which can help companies avoid penalties or reduce fines if a violation is unavoidable.
Originally published November 2024
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.