The Kingdom of Saudi Arabia has issued its first comprehensive national data protection law. The Personal Data Protection Law, approved by Royal Decree No. M/19 and published in the Official Gazette on September 24, 2021, enters into force on March 23, 2022 and regulates the collection, processing and use of personal data in the Kingdom.
Organizations with operations in the Kingdom, and organizations elsewhere that process the personal data of Saudi residents, will have one year from the effective date to bring their processing into compliance with the new requirements.
The Saudi Data & Artificial Intelligence Authority (“SDAIA”), the supervisory authority for the law’s application, is expected to issue implementing regulations supplementing most aspects of the law by March 2022. No such regulations have been published at this stage, but businesses should already note several important requirements contained in the law itself:
- Residency: The law protects the personal data of all Saudi residents, citizens and non-citizens alike.
- Extraterritoriality: The law covers any processing of personal data carried out in the Kingdom, and also processing of Saudi residents’ personal data carried out by entities located outside the Kingdom.
- Restrictions on Cross-Border Transfers: Transfers of personal data outside the Kingdom are permitted only for the limited, explicitly listed purposes set out in the law, or for “other purposes” to be defined in the forthcoming regulations. Even where a transfer falls within a permitted category, further conditions must be satisfied, including approval by the competent government authority; exceptions are granted on a case-by-case basis only.
- Registration: Data controllers must register with SDAIA and pay an annual fee.
- Consent: Consent is the primary legal basis for processing personal data, and must be obtained in writing (subject to further requirements in the forthcoming regulations). Personal data may only be processed without consent in very limited circumstances.
- Local Representative: Any foreign company without a legal presence in the Kingdom that processes the personal data of Saudi residents must appoint a local representative licensed for that purpose. SDAIA will determine when this requirement takes effect.
- Sensitive Data: Sensitive personal data, which includes genetic, health, credit and financial data, is now governed by the new law but will also remain subject to further sector-specific regulation. The law contemplates a process of “reconciliation” with the existing data regimes administered by other regulators in the Kingdom.
- Breach Notification: Controllers must notify SDAIA “immediately” of any breach, leakage or other unauthorized access to personal data, and must also notify the affected data subjects. The law itself sets no numeric deadline, so incident-response procedures should treat regulator notification as a step to be taken without delay rather than within a fixed window.
- Records of Processing Activities: Controllers must document their processing activities and register them with SDAIA.
- Criminal Penalties: The law provides for criminal penalties, including imprisonment of up to two years and fines of up to SAR 3 million (approximately USD 800,000). Administrative penalties carrying higher fines may also be imposed.
All businesses operating in the Kingdom or processing the personal data of Saudi residents should start preparing now for the law’s implementation: mapping the personal data they hold and the legal basis for processing it, identifying any cross-border transfers, and reviewing their security controls and breach-response procedures against the requirements above.
We are monitoring further developments regarding the new law, and will post updates on Inside Privacy.