Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The Personal Data Protection Law
Saudi Arabia’s new Personal Data Protection Law (PDPL), effective March 17, 2023, is the first national data protection law in the country. The PDPL applies to the processing of personal data in Saudi Arabia by both private and public entities by any means, as well as the processing of Saudi resident personal data by entities outside the country.
At this time, controllers (such as employers) will be required to comply within one year from the law going into effect. This transitional period may be extended for certain entities. Entities located outside of Saudi Arabia which process the personal data of Saudi residents, potentially have up to five years from the effective date, but this is still to be determined by the Saudi Data & Artificial Intelligence Authority. The timeline of when the PDPL is fully enforceable will be further clarified in government communications.
Under the new law, “personal data” includes any information, in any form, through which a person may be directly or indirectly identified, and expressly includes an individual’s name, identification number, address and contact numbers, photographs and video recordings. Note that the PDPL also applies to the data of deceased persons if the processing can lead to the identification of the deceased person or their family.
The executive regulations to supplement the PDPL are being developed and will include more specific guidelines.
The Saudi Cloud Computing Regulatory Framework (CCRF) applies to cloud computing services in Saudi Arabia (where the cloud infrastructure is in Saudi Arabia or, a Saudi business is the provider) or procured by Saudi businesses and imposes security requirements on the provider.
____________________________________
The Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the PDPL. After implementation, supervision may be transferred to the National Data Management Office (NDMO).
