Employee Data Privacy

Saudi Arabia - Employee Consent


Do I have to obtain employees' consent in order to collect their personal data?

The processing of any personal data may create obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has prompted questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.

Saudi Arabia’s new Personal Data Protection Law (PDPL) only permits personal data collection directly from a data subject (such as an employee in the context of employment) and only for the intended purpose, except when:

  • the data subject consents to an alternative collection and purpose;
  • personal data is collected from a public source;
  • the entity requesting the disclosure is a public entity and the data is required for security purposes, to comply with another law or for judicial requirements;
  • collecting data only from the data subject would cause damage to the data subject or their essential interests;
  • the disclosure is necessary for public health, safety of lives or health of one or more individuals; or,
  • the data will be disclosed in a way that does not directly or indirectly disclose the identity of the data subject.

The purpose of the data collection cannot be changed without prior consent, except when:

  • processing would achieve a clear benefit to the data subject and it is impossible or impractical to contact the data subject;
  • processing is required by law or prior agreement to which the data subject is a party; or,
  • the controller is a public entity and processing is required for security or judicial purposes.

Consent cannot be a prerequisite for offering a service or benefit (unless it is specifically related to the processing activity). Data subjects can withdraw their consent at any time.


Controllers are required to provide a privacy policy or notice prior to processing personal data. The notice should include:

  • the purpose of processing;
  • categories of personal data to be processed;
  • method(s) of collection;
  • the means of storing personal data;
  • how personal data will be processed;
  • how personal data will be destroyed; and,
  • rights of the data subjects in relation to their personal data and how rights can be exercised.

Controllers must use adequate means to inform data subjects (such as employees) of the personal data collection, including:

  • the valid legal or practical justification for the collection;
  • the purpose of collecting personal data and whether all or some of the collection is mandatory or optional;
  • that the data will not be processed later in a manner that is inconsistent with the purpose of its collection or legal basis;
  • the identity of the person(s) collecting personal data and address (unless data collection is for security purposes);
  • the entities to whom personal data is disclosed and their “capacity” (i.e. role);
  • whether personal data is transferred, disclosed or processed outside the country;
  • possible effects/dangers of not completing the collection of personal data;
  • rights under the PDPL, Art. 4 (i.e., the right to be informed, to access personal data, to correct and destroy personal data); and,
  • other information as determined by the executive regulations.

Note that the PDPL requires a separate legal basis for the disclosure of personal data.

 

HR Best Practices: The executive regulations, which are still being developed, should provide more detailed information on how consent requirements would apply to personal data processing.

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
