INTRODUCTION:
In 2021, the Kingdom of Saudi Arabia (“Kingdom”) introduced a Personal
Data Protection Law (“PDPL”) with the aim of safeguarding personal
information and upholding privacy rights. The PDPL was published in the
Official Gazette on 24 September 2021. Amended in March 2023, the PDPL
came into effect on 14 September 2023 and is fully enforceable as of 14
September 2024. The Saudi Data & Artificial Intelligence Authority (“SDAIA”)
serves as the initial competent authority for supervising the implementation
of the PDPL.
While the PDPL was already introduced in 2021, organisations were granted
a one-year grace period that started on 14 September 2023 to fully comply
with its broad scope of obligations. Following an amendment to the PDPL in
March 2023, a set of Implementing Regulations was released in September
2023.
The PDPL will require Controllers outside of Saudi Arabia to appoint a
personal representative in Saudi Arabia to fulfil the obligations under the law.
(Data Privacy Q&A: Saudi Arabia - Privacy Protection - Privacy - Saudi Arabia)
Who are the relevant regulatory and enforcement authorities in Saudi Arabia
with regards to personal data protection?
The Saudi Data & Artificial Intelligence Authority ('SDAIA') is the competent
authority responsible for supervising and enforcing the implementation of
the PDPL for an initial two-year period, after which the supervisory role may
be transferred to the National Data Management Office, the SDAIA's
regulatory arm.
Obligations of Data Controllers
In Saudi Arabia, the obligations of data controllers are outlined by the
Personal Data Protection Law (PDPL), which aims to ensure the safe handling
of personal data. The primary responsibilities of data controllers include the
collection, storage, processing, and sharing of personal information in
accordance with the established legal framework. Data controllers must
obtain explicit consent from individuals before collecting their personal data,
ensuring that the purpose of collection is specific, legitimate, and disclosed
to the data subject at the outset.
Once collected, data controllers are responsible for implementing adequate
security measures to protect the personal data from unauthorized access,
loss, or alteration. This duty extends to maintaining the confidentiality and
integrity of the data throughout its lifecycle. Data controllers must also
ensure that personal data is accurate, complete, and kept up to date as
necessary. Ensuring the quality of the data processed is crucial for upholding
the rights of the individuals involved and maintaining their trust in the data
handling processes.
Transparency is another key principle that data controllers must adhere to.
They are required to provide clear and comprehensive information regarding
their data practices, including how data is stored, processed, and shared with
third parties. This not only reinforces the accountability of data controllers
but also empowers individuals to understand and manage their data privacy
rights better. Moreover, data controllers must conduct periodic assessments
and audits to evaluate compliance with the PDPL and make necessary
adjustments to their data handling processes.
The obligations imposed on data controllers in Saudi Arabia also emphasize
the importance of data subject rights, such as the right to access, rectify,
and delete their personal data.
Controller obligations: Organizations or individuals that determine the
purposes and means of processing personal data are considered
“controllers.” Controllers’ responsibilities include:
Registration. Entities processing personal data must register with the
relevant authority, providing details about their data processing
activities.
Maintenance of data processing records. Controllers must
maintain comprehensive records of their data processing activities for
the purposes of transparency and accountability.
What restrictions are there for cross-border transfer of personal data?
Subject to certain exceptional circumstances detailed in the PDPL and further
conditions to be set out in the Executive Regulations, the Controller may not
transfer Personal Data outside of Saudi Arabia unless:
1. The transfer or disclosure does not prejudice national security or the vital
interests of Saudi Arabia;
2. Sufficient guarantees are in place to protect the confidentiality of the
Personal Data to be transferred or disclosed, so that the standards of
Personal Data protection may not be less than the standards set forth in the
PDPL;
3. The transfer or disclosure must be limited to the minimum Personal Data
needed; and
4. The SDAIA approves the transfer or disclosure as determined by the
Regulations.
The SDAIA may also exempt the Controller, on a case-by-case basis, from
being bound by these conditions if the SDAIA believes the Personal Data will
have an acceptable level of protection outside of Saudi Arabia, and that such
data is not Sensitive Data.
Anyone who violates the cross-border provisions of the PDPL can be punished
by imprisonment for a period not exceeding one year and/or a fine not
exceeding US$260,000 (approximately).
(Data Privacy Q&A: Saudi Arabia - Privacy Protection - Privacy - Saudi Arabia)
DPO (Data Protection Officer)
NDMO requirements: if a company is governed by the NDMO requirements, the
DPO has to report to the Chief Data Officer.
If the company is not governed by the NDMO, the DPO is independent and
reports to the Board of Directors or the Executive Board.
Rules for appointing a DPO, issued by SDAIA in August 2024.
Article 4: Requirements for DPO Appointment
1- When appointing a DPO, the Controller shall ensure that the following
requirements are met:
A. Appropriate academic qualifications and experience in the field of
Personal Data protection.
B. Sufficient knowledge of risk management practices, including the
management and handling of personal data breach incidents.
C. Sufficient knowledge of regulatory requirements for Personal Data
protection and other relevant regulatory requirements for performing
DPO tasks.
D. Honesty and integrity, and not having been convicted of any offense
involving dishonesty or breach of trust.
2- The DPO may be an executive or employee of the Controller, or an
external contractor.
Article 5: Cases of Appointing DPO
First: cases in which a DPO shall be appointed:
1- The Controller is a Public Entity that provides services involving the
Processing of Personal Data on a large scale.
2- The Controller's core activities are based on processing operations
that, by their nature, require regular and systematic monitoring of Data
Subjects.
3- The Controller's core activities are based on the processing of
sensitive Personal Data.
Second: The determination of whether the processing is on a large scale is
based on the following criteria:
1- Number of data subjects.
2- Volume of personal data.
3- Type of personal data.
4- Geographical scope of processing.
5- Different categories of data subjects.
Fourth: The following activities are examples of regular and systematic
monitoring:
1- Collecting personal health and fitness data through wearable devices.
2- Using behavioral analytics technologies for risk assessment purposes.
3- Location tracking, the use of cookies, and surveillance cameras.
Article 6: Documenting DPO Appointment
Article 7: DPO Contact Details
Article 8: DPO Roles & Tasks
The Rules Governing the National Register of Controllers Within the
Kingdom
(For Controllers)
Article 6: Circumstances for Appointing a Personal Data Protection Officer
The Controller shall appoint one or more individuals to be responsible for the
protection of personal data in accordance with the cases stipulated in Article
(32) of the Executive Regulations of the Personal Data Protection Law and
the rules for appointing a Personal Data Protection Officer.
Article 7: Information of the Personal Data Protection Officer
1. If a Personal Data Protection Officer is appointed in accordance with
Article (6) of these rules, the representative shall fill in the Personal
Data Protection Officer's information on the Platform to create the
Controller’s account.
2. If the Personal Data Protection Officer is an employee of the Controller
or an external contractor, the representative must provide the
following information:
A. National ID/residency number for data retrieval purposes.
B. Date of birth for verification of the entered national ID/residency
number.
C. Official contact information (phone number, email).
3. If the Personal Data Protection Officer is a contractor located outside
the Kingdom, the representative must provide the following
information:
A. First and last name.
B. Official email.
C. Official contact number.
4. The representative may appoint themselves as the Personal Data
Protection Officer if they are appointed by the Controller.
Article 10: Registration Certificate Issuance
1. The registration certificate shall be issued as soon as the registration
process stipulated in Article (4) of these rules is completed. The
certificate shall include the following information:
A. Registration Serial Number.
B. Entity/Individual Name.
C. Entity Logo.
D. Entity Address.
E. Official Email of the Entity/Individual.
F. Official Contact Number of the Entity/Individual.
G. The Date of Issue and End Date.
H. QR code.
2. The certificate will be valid for a maximum of five (5) years.
3. The Competent Authority shall notify the Controller of the impending
expiration of their registration certificate no less than thirty (30) days
prior to the expiry date. Following the expiration of the certificate, the
Controller may continue to access Platform Services for a grace period
of up to five (5) days. Access to services beyond this grace period shall
be contingent upon the Controller submitting a renewal request.
Article 11: Making Registration Certificate Available to the Public
Article 12: Services Provided on the Platform
The Platform offers a range of e-services aimed at protecting data as national
assets and safeguarding the rights of individuals from illegal violations.
These services include:
1. Personal Data Breach Notification Service: This service enables
Controllers to notify the Competent Authority of a personal data breach
incident immediately after its occurrence, within a period not exceeding
(72) hours of becoming aware of the incident. Reporting is required if the
incident would harm the personal data or the data subject, or if it
conflicts with their rights or interests, as outlined in Article (24) of the
Executive Regulations of the Personal Data Protection Law.
2. Privacy Impact Assessment Service: This tool analyzes the impact of
processing personal data on the products and services provided. It helps
determine the scope and objectives of the processing, identify regulatory
justifications, and assess the risks associated with processing personal
data.
3. Legal Support Service: This service provides support and guidance to
assist public entities in understanding the Personal Data Protection Law
and its regulations. This includes interpreting stipulated provisions and
requirements as well as offering guidance on relevant manuals and
regulations, thereby contributing to ensuring effective application and
achieving desired goals.
4. Compliance Assessment Service: This service involves periodically
evaluating compliance with specific standards and requirements to monitor
the level of commitment and ensure the effectiveness of actions taken to
implement laws, regulations, and policies. It also helps identify incorrect
practices so they can be addressed, and improves business practices and
procedures.
2. Data Retention Policies
Retention Guidelines: Define data retention periods based on the
type of personal data:
o Employee Records: Retain for a minimum of 5 years after
termination of employment.
o Customer Data: Retain for the duration of the contractual
relationship and up to 3 years post-termination unless otherwise
required by law.
o Sensitive Data: Retain for the shortest period necessary for
processing purposes.
Secure Deletion: Implement automated systems to purge expired
data securely. Confirm deletion with a documented audit trail.
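The retention and secure-deletion controls above are easier to reason about as a small scheduled job: classify each record, compute the date its retention period ends, purge what has expired, and write an audit entry that proves the deletion without keeping the personal data itself. The following is an added example, not code from the page or from any regulator; the record identifiers and dates are constructed, the 90-day figure for sensitive data is a placeholder for "the shortest period necessary", and the `legal_hold` flag models the "unless otherwise required by law" exception.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention periods from the policy above. Employee records: 5 years after
# termination; customer data: 3 years after the contractual relationship ends;
# sensitive data: "the shortest period necessary", which the policy leaves to
# the controller. The 90-day figure is a constructed placeholder, not a value
# taken from the policy.
RETENTION_DAYS = {
    "employee": 5 * 365,
    "customer": 3 * 365,
    "sensitive": 90,
}


@dataclass
class Record:
    record_id: str
    category: str             # "employee", "customer" or "sensitive"
    end_date: Optional[date]  # termination / contract end / end of processing; None = still active
    legal_hold: bool = False  # "unless otherwise required by law": a hold stops the purge


def expiry_date(rec: Record) -> Optional[date]:
    """Date after which the record may be purged; None while the retention clock has not started."""
    if rec.end_date is None:
        return None
    return rec.end_date + timedelta(days=RETENTION_DAYS[rec.category])


def is_expired(rec: Record, today: date) -> bool:
    """True when the retention period has elapsed and no legal hold applies."""
    exp = expiry_date(rec)
    return exp is not None and today > exp and not rec.legal_hold


def purge_expired(records: List[Record], today: date, audit_log: list) -> List[Record]:
    """Drop expired records and append one audit entry per deletion.

    The audit entry records which record was deleted, on what basis and when,
    so the deletion can be evidenced later. It deliberately contains no
    personal data; otherwise the audit trail would itself need retention rules.
    """
    kept = []
    for rec in records:
        if is_expired(rec, today):
            audit_log.append({
                "event": "secure_delete",
                "record_id": rec.record_id,
                "category": rec.category,
                "retention_days": RETENTION_DAYS[rec.category],
                "expired_on": expiry_date(rec).isoformat(),
                "deleted_on": today.isoformat(),
            })
        else:
            kept.append(rec)
    return kept


def sample_records() -> List[Record]:
    """Constructed sample data; identifiers and dates are invented for this example."""
    return [
        Record("E-001", "employee", date(2019, 6, 30)),
        Record("E-002", "employee", date(2021, 1, 1)),
        Record("C-001", "customer", date(2021, 12, 1)),
        Record("C-002", "customer", date(2021, 12, 1), legal_hold=True),
        Record("C-003", "customer", None),
        Record("S-001", "sensitive", date(2024, 12, 1)),
    ]


def run_retention_sweep(today_iso: str):
    """One scheduled sweep on the sample data: returns surviving record ids and the audit trail."""
    today = date.fromisoformat(today_iso)
    audit_log = []
    kept = purge_expired(sample_records(), today, audit_log)
    return [r.record_id for r in kept], audit_log


if __name__ == "__main__":
    kept_ids, audit = run_retention_sweep("2025-01-15")
    print("kept:", kept_ids)
    for entry in audit:
        print("audit:", entry)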
3. Data Breach Response Plan
Notification Timeline: Notify the Saudi Data & Artificial Intelligence
Authority (SDAIA) of any data breaches within 72 hours of becoming
aware of the incident.
Response Team: Form a Data Breach Response Team (DBRT)
comprising legal, IT, and compliance personnel.
Steps for Response:
1. Contain the breach immediately upon detection.
2. Conduct a preliminary investigation within 24 hours.
3. Notify affected individuals, if applicable, within 72 hours.
4. Submit a detailed incident report to SDAIA within 7 days.
Post-Breach Actions: Conduct a root cause analysis and implement
preventive measures to avoid recurrence.
4. Privacy Notices and Consent Mechanisms
Transparency Requirements: Ensure privacy notices clearly specify:
o Purpose of data collection.
o Categories of personal data collected.
o Rights of data subjects under PDPL.
o Details of cross-border transfers, if applicable.
Consent Management:
o Obtain explicit consent for processing sensitive personal data.
o Maintain consent records for a minimum of 5 years.
o Implement mechanisms for withdrawal of consent and ensure
processing ceases immediately upon withdrawal.
5. Third-Party Vendor Assessments
Due Diligence: Assess vendors before engagement and annually
thereafter to ensure compliance with PDPL standards.
Contractual Safeguards: Include clauses in vendor agreements
specifying:
o Data protection obligations.
o Notification requirements in case of breaches.
o Right to audit vendor’s data protection measures.
Vendor Audits: Conduct detailed audits every two years to evaluate
vendor adherence to data protection obligations.
6. Data Subject Rights Management
Process Implementation:
o Develop online and offline channels for receiving data subject
requests.
o Provide acknowledgment of requests within 3 business days.
o Fulfill requests within 30 days, unless extended by SDAIA-
approved reasons.
Tracking and Reporting:
o Maintain logs of all requests, actions taken, and timelines.
o Include this data in annual compliance reports submitted to
SDAIA.
7. Cross-Border Data Transfers
Safeguards:
o Ensure sufficient guarantees are in place, such as encryption and
contractual clauses, before transferring data.
o Limit transfers to the minimum data necessary.
Approval Process:
o Obtain SDAIA’s approval for transfers involving sensitive personal
data.
o Maintain documentation of transfer details and safeguards for 5
years.
Key Requirements for Transfers:
o National Security and Vital Interests: The transfer or
disclosure of personal data must not prejudice the national
security or vital interests of Saudi Arabia.
o Comparable Protection Standards: Ensure that the recipient
country’s data protection laws or safeguards are at least
equivalent to those outlined in the PDPL.
o Contractual Obligations: Include specific data protection
obligations in agreements with recipients to ensure the integrity
and confidentiality of the transferred data.
o Data Minimization: Transfer only the personal data strictly
necessary for the specified purpose.
Exceptions and Exemptions:
o SDAIA may exempt a Controller from the cross-border data
transfer conditions on a case-by-case basis if it determines that
the receiving country or entity provides an adequate level of
protection and the data does not include sensitive personal data.
o Maintain records of such exemptions and the reasoning behind
them for a minimum of 5 years.
Monitoring Transfers:
o Conduct annual reviews of all cross-border data transfer
arrangements to ensure compliance with PDPL standards.
o Implement mechanisms to track and audit data usage by
recipients in foreign jurisdictions.
8. Privacy Impact Assessments (PIAs)
Scope of PIAs: Conduct PIAs for:
o Large-scale processing of sensitive data.
o Introduction of new technologies affecting personal data.
o Cross-border transfers.
Timeline: Complete PIAs before initiating any high-risk processing
activities.
Documentation: Retain PIA reports for a minimum of 5 years and
make them available for SDAIA audits upon request.
9. Technology and Security Enhancements
Encryption Standards:
o Encrypt personal data at rest and in transit using industry-
standard protocols.
o Update encryption keys periodically (at least annually).
Access Control: Implement role-based access controls to limit data
access to authorized personnel only.
System Updates: Conduct monthly security patches and annual
penetration testing to identify vulnerabilities.
10. Audit and Compliance Checks
Internal Audits: Conduct quarterly internal audits to assess
compliance with PDPL requirements.
External Audits: Engage third-party auditors for annual compliance
checks and certifications.
Reporting: Submit audit findings to senior management and
implement corrective actions within 30 days of identifying issues.