The publication of the Personal Data Protection Law (PDP) in the Saudi Official Gazette is among the top developments in the Saudi Arabian legal landscape. The law was published on September 24th, 2021 and is expected to take effect from March 23rd, 2022. The Saudi Data and Artificial Intelligence Authority (SDAIA) is responsible for formulating this law. The PDP law was promulgated by Royal Decree M/19/02/1443H. According to the authorities responsible, the law seeks to regulate the flow and usage of personal data belonging to residents of the Kingdom.

The PDP law affects a wide range of individuals and businesses inside and outside the Kingdom. Data controllers and processors are expected to comply with new regulations on how data is shared and processed. The affected parties, including international law firms in Riyadh, are expected to be fully compliant with the law within one year from when the law takes effect.

What is in the PDP Law for residents of Saudi Arabia

Upon taking effect, the PDP Law will grant data owners certain benefits and access to information, except in specified circumstances. The law mandates that data owners be informed of the collection and processing of their personal data. It also allows data owners to access a copy of the collected and processed data for free. The law allows a data owner to edit or update personal data when necessary. It also entitles data owners to demand the destruction of personal data if it is no longer needed. Personal data will only be processed with the consent of the data owner and, ideally, through a Saudi lawyer. The law forbids data controllers from using data owners’ consent as a prerequisite for access to services.

The PDP Law requires that all data controllers be registered on an electronic platform; this will form a national record for data controllers. As part of the registration process, controllers must specify the purpose of data collection and processing methods to be used. Additionally, controllers will pay an annual registration fee to the government. The law requires that all data controllers within the Kingdom ensure the accuracy, completeness, and relevance of personal data collected before processing. Training staff to operate in accordance with the PDP Law is also required of data controllers under the new law.

How the PDP Law affects foreign investors

Transfer of data outside the Kingdom is restricted under the PDP Law. Data controllers can only transfer data outside the Kingdom in the implementation of processes associated with and authorized by the Kingdom. Other than serving the interests of the Kingdom, data can be transferred outside the Kingdom to preserve the life of a data owner. This includes prevention, examination, and treatment of infections. Foreign businesses in need of personal data will have to establish bases within the Kingdom for compliance.

Elements to note about the PDP Law

The PDP Law does not apply to personal data processing for personal or family use. The law waives the need for consent when the goal of data processing is clear and it is impractical to contact the data owner. Personal data processing by state entities for security or judicial purposes is also exempted from the PDP Law.

Sanctions for breach of the PDP Law

Law firms in Riyadh are preparing for the implementation of the PDP Law since breaching it attracts heavy fines and could lead to imprisonment. Disclosure of personal data contrary to the PDP Law provisions attracts a fine of US$800,000. The fines could be doubled in case of repeated offenses.