The Personal Data Protection Law (PDPL), published in the Official Gazette in the Kingdom of Saudi Arabia (KSA) on 24 September 2021, sets out conditions around the processing of personal data as well as a series of rights that ‘personal data owners’ will enjoy.
Businesses will be unable to process personal data if they do not have a lawful basis for doing so. Obtaining the consent of personal data owners is the main basis on which businesses will be able to process personal data, though tightly prescribed alternatives are set out in the legislation.
The principle of data minimisation is enshrined in the new law, and businesses will further be obliged to destroy the data they have collected “if it becomes clear that it is no longer necessary for achieving the purpose of its collection”.
The law contains further obligations around the notification of personal data breaches and conditions around the transfer of personal data from the KSA to other jurisdictions.
Personal data owners, meaning the individuals to whom personal data belongs, their representative or legal guardian, will enjoy a ‘right to be informed’, which includes being informed of the valid legal or practical justification for collecting their personal data, and the purpose thereof. They will also enjoy a right to access the data collected about them, as well as a right to request correction, completion or updating of their personal data, and a further right to request the destruction of their data.
Further regulations are to be published to supplement the new law. These are expected to include specific rules relating to the processing of health data and credit data.
The Saudi Data and Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for the first two years. The long-term supervisory role could be transferred to the National Data Management Office (NDMO) after this period.
Dubai-based Tom Bicknell of Pinsent Masons, the law firm behind Out-Law, said: “The NDMO is the regulatory arm of the SDAIA and had previously published interim data governance regulations in 2020, which we assume have now been superseded by the PDPL insofar as they relate to personal data protection. The PDPL is stated to take effect 180 days after its publication in the Official Gazette, which means that it will be effective from 23 March 2022. The executive regulations supplementing the law should also be issued within this period.”
Co-written by Barkha Doshi of Pinsent Masons.