Overview:

The Saudi Personal Data Protection Law became effective on 14 September 2023, and organisations were given a grace period to fully align with the law by 14 September 2024. As this enforcement date fast approaches, the Saudi Data & Artificial Intelligence Authority has released a series of guidelines and rules to supplement the law, along with a revised version of the Data Transfer Regulation and an approved set of Standard Contractual Clauses. With clearer directions on matters such as data minimisation, the destruction of data, developing privacy policies, data transfers and the proper roles of Data Protection Officers, it is now imperative for organisations to take swift action and implement the necessary measures to ensure compliance with the PDPL.

Background:

The evolution of the Personal Data Protection Law (PDPL) has been rapid since its initial enactment in 2021, reflecting the Kingdom’s broader strategic vision under Vision 2030 to diversify its economy and embrace digital transformation. Amended in March 2023, the law officially came into force on 14 September 2023, with a one-year grace period granted to allow organisations to achieve compliance. This grace period will conclude on Saturday, 14 September 2024, after which the law will be fully enforceable by the Saudi Data & Artificial Intelligence Authority (SDAIA). Complementing the PDPL, a set of Executive Regulations, which included the Regulations on Transfers of Personal Data outside the Kingdom, was released in September 2023, providing further guidance on the law’s application. Our previous insight article includes more detailed information on the key requirements of the PDPL and its accompanying Regulations.

As the clock ticks towards the end of the grace period, SDAIA has introduced a set of new guidelines and amendments aimed at refining and expanding the implementation of the PDPL. The issuance of these documents marks a pivotal moment in Saudi Arabia’s data privacy landscape, as the country continues to position itself as a leader in data privacy within the Middle East. 

The rules and guidelines issued by SDAIA address crucial aspects of data protection, in line with both national priorities and international standards, such as the EU General Data Protection Regulation (GDPR). SDAIA’s recent releases address key issues for organisations, such as:

  • Cross border transfers
  • Controller registration requirements
  • Data protection officer appointments
  • Development of privacy policies
  • Records of processing activities

This article provides an overview of recent publications by SDAIA and the key aspects of SDAIA’s recent updates.

The update on cross border transfers:

  • Amended Data Transfer Regulation: SDAIA has streamlined the data transfer mechanism to align more closely with international standards, such as the GDPR. Organisations are required to implement appropriate safeguards when transferring personal data to countries that SDAIA has not deemed to provide an adequate level of data protection. As of the time of publication, a list of adequate countries is not yet available. However, SDAIA now has the authority to publish adequacy decisions directly on its website, eliminating the need for approval from the Prime Minister. This change is expected to expedite the process of assessing and approving countries for adequacy.  The number of available safeguards has been narrowed to three: standard contractual clauses (SCCs), binding corporate rules (BCRs), and certificates of accreditation. The obligation to conduct a risk assessment remains when using appropriate safeguards to transfer personal data outside Saudi Arabia or where sensitive data is transferred on a continuous or widespread basis.
  • SCCs: SDAIA has issued pre-approved agreements that bind both the data exporter (the sender) and the data importer (the recipient) to specific privacy and security obligations, ensuring compliance with the PDPL and its Implementing Regulations. The SCCs can be integrated into a broader agreement or used as a standalone contract. Parties may also add supplementary conditions to the SCCs, provided they do not conflict with the requirements in the SCCs. Any amendments beyond completing blank fields are considered invalid by SDAIA. The SCCs also govern onward transfers, requiring third parties to adhere to the same standards. Though similar to the EU SCCs, key differences mean organisations will need to incorporate SDAIA’s SCCs into their data transfer agreements, even if they already use EU SCCs. 
  • BCRs: SDAIA has also issued guidelines on implementing BCRs. BCRs are internal policies adopted by multinational organisations to govern cross-border transfers of personal data within their corporate group. They ensure compliance with the PDPL when transferring data from Saudi Arabia to countries that may not meet SDAIA’s adequacy standards. BCRs must address key data protection principles such as transparency, purpose limitation, data minimisation, and storage limitation. They should also include commitments to staff training, internal audits, compliance reviews, and appointing a Data Protection Officer to ensure accountability across the organisation.

Controller registration requirement:

SDAIA has issued the Rules Governing the National Register of Controllers, which mandate that the following entities must register with SDAIA: (i) public entities, (ii) controllers whose main activity involves personal data processing, and (iii) controllers processing sensitive personal data that poses a high risk to data subjects' rights (e.g., criminal or genetic data).

Registration procedures differ by entity type: public entities complete a form provided by SDAIA, while private entities register through the national platform. Registration can be carried out by a "delegate," presumably an employee, who is responsible for completing the registration and regularly updating it as needed. 

Upon registration, controllers receive a certificate, including a QR code, as proof of registration. Registration must be renewed to maintain access to the platform’s services. Certificates will be publicly accessible on the national register.

Appointing a Data Protection Officer:

SDAIA has issued the Rules for Appointing a Data Protection Officer, which outline the minimum requirements for appointing a Data Protection Officer (DPO), including the criteria, responsibilities, and when a DPO is required.

DPOs must possess appropriate academic qualifications, experience in data protection, and knowledge of risk management and security practices. They can be internal employees or external contractors. Controllers must ensure DPOs have the necessary resources, such as infrastructure, financial support, and training, and must allow them to act independently, avoiding conflict of interest in their tasks and duties.

A DPO is mandatory for organisations that, as part of their core activities, regularly monitor data subjects or process sensitive data, or that are public entities handling personal data on a large scale. "Core activities" are those essential to the organisation’s operations, such as health data processing for insurance firms or marketing companies' data handling.

DPOs must be formally appointed in writing, either via an internal appointment or external contract, and their contact details must be accessible to data subjects and SDAIA (for example, through a privacy policy).

The DPO’s tasks include raising awareness of the PDPL, supporting policy development, and overseeing technological systems. Controllers must also verify whether their processors have appointed a DPO.

PDPL Guidelines:

SDAIA has also issued the following useful guidelines providing organisations with practical guidance on key aspects of the PDPL:

  • Privacy Policy Guideline, which provides organisations with practical guidance on drafting privacy policies (also known as privacy notices), as required by the PDPL. These policies must include key details such as the types of personal data collected, the purpose and legal basis for processing, and the geographical scope of data use. Although not mandated by the PDPL, the guideline also recommends including details about the administrative, technical, and organisational measures taken to protect personal data.
  • Data Disclosure Guideline, which sets out the six legal bases for disclosing personal data under the PDPL. These include: (i) the data subject’s consent, (ii) collection from publicly available sources, (iii) requests from public entities for public interest, security, legal, or judicial purposes, (iv) safeguarding public health or safety, (v) where the data is anonymised, and (vi) for the legitimate interests of the controller. The guideline also highlights restrictions on disclosures, such as those that could hinder crime detection, breach professional obligations, or endanger individuals' safety or privacy.
  • Destruction, Anonymisation and Pseudonymisation Guideline, which specifies when data must be destroyed, such as at the request of the data subject or upon withdrawal of consent. Controllers must follow specific procedures, including ensuring all copies of the data—such as backups—are destroyed and requesting that any recipients also destroy the data. The guideline also provides examples of techniques for anonymisation and pseudonymisation, such as data masking, encryption, generalisation, and aggregation, which serve as effective safeguards for personal data.
  • ROPA Guideline, which outlines what controllers should consider when implementing and maintaining records of personal data processing. It also specifies the required content for a ROPA, including the controller’s and, if applicable, the DPO’s contact details, the purposes of processing, categories of recipients, retention periods, and a description of security measures used to protect the data. Additional mandatory information must be included in cases requiring a risk impact assessment, such sensitive data types or a description of automated processing. Note that ROPAs must be in written form, retained for five years after the processing activity end, and made available to SDAIA upon request.
  • Data Minimisation Guideline, which provides practical guidance on complying with the PDPL’s data minimisation requirement that requires collection to be limited to the personal data that is strictly necessary for a specific purpose, avoiding the collection of data for undefined future use. The guideline outlines key principles for controllers to follow, from collection to destruction, including ensuring a genuine need for the data, using clear and secure collection methods, and securely destroying data once it is no longer needed. It also requires controllers to regularly assess the data they hold and ensure their processing activities are designed to prevent the collection of unnecessary data. 

What this means for you: key actions to take in light of SDAIA’s updates:

It is important to emphasise that the PDPL extends its reach beyond Saudi borders, applying to non-Saudi organisations that handle the personal data of Saudi residents. This wide scope means that any entity, regardless of its geographic location, that processes personal data relating to individuals residing in Saudi must ensure compliance with the PDPL to avoid penalties. 

As the enforcement deadline nears, ensuring compliance is not only a legal obligation but a strategic necessity for businesses operating in or engaging with the Kingdom. Navigating the complexities of the PDPL—particularly in light of the recent amendments and new guidelines—can be challenging. 

The new regulations, including those on data protection officers, privacy policies, cross-border data transfers, and data minimisation, require businesses to reevaluate and update their data processing practices. With the enforcement date of 14 September 2024 rapidly approaching, organisations must act swiftly to ensure compliance.

Key practical steps organisations should consider:

  • Assess whether your organisation is required to appoint a DPO, and if so, appoint a qualified individual. 
  • Determine if your organisation must register on the National Register of Controllers. 
  • Ensure that data transfer mechanisms comply with the updated Data Transfer Regulation and incorporate SDAIA’s SCCs.
  • Implementing robust procedures for data retention, destruction, anonymisation, pseudonymisation, and data minimisation.  
  • Develop or update privacy policies to meet the PDPL’s requirements.
  • Document the personal data your organisation holds and maintain a comprehensive ROPA. 
  • Provide staff training on the PDPL and its Implementing Regulations to ensure compliance across all levels of the organisation. 

Given the broad applicability of the PDPL, businesses must conduct thorough assessments of their data flows, especially if they handle the personal data of Saudi residents. With enforcement imminent, failure to comply could lead to penalties, making it essential for organisations to urgently prioritise alignment with the PDPL framework.

Our data protection team is ready to assist your organisation in navigating the complexities of PDPL compliance. We offer tailored legal support to help you assess your current data practices, implement the necessary safeguards, and ensure that your operations meet the regulatory requirements. If you would like further information on how to create an effective privacy framework or advice on the PDPL, please contact Lamisse Bajunaid or Masha Ooijevaar.

Our dedicated Doing Business in Saudi Arabia Hub helps businesses stay informed and understand the latest developments and opportunities.