The Kingdom of Saudi Arabia has enacted a new comprehensive data protection law (the PDPL), which comes into force on 23 March. The first standalone data protection law of its kind in KSA, the PDPL is a significant development and seeks to develop the Kingdom’s legislative landscape in a way consistent with its 2030 Vision to develop a digital infrastructure and grow a digital economy.
Supplementary regulations, some yet to be published, will provide additional guidance in respect of the practical application of the PDPL, including specific rules relating to the lawful transfer of data outside of KSA. I have set out below an overview of the key practical takeaways for employers in the Kingdom from the new law.
Territorial Scope
The PDPL applies to any processing by businesses of personal data performed in KSA by any means whatsoever, including the processing of the personal data of KSA residents by entities outside the Kingdom. In practice, a company can therefore be caught by the PDPL even if it is not established in KSA but is selling goods or services to KSA-based customers, or if data relating to employees within the Kingdom is processed outside it, for example at a corporate HQ in another country. As discussed below, it is currently unclear how far such overseas processing will be permitted at all – there has been mention of a permit that will allow employers to process data elsewhere, but how and when this will be formalised remains to be seen.
Action: Foreign companies will need to consider how to comply with the PDPL if they have KSA-based employees and process data relating to them anywhere else.
Rights of Data Owners
The PDPL grants certain rights to data owners in respect of their personal data, including a right to be informed, a right to access the data collected about them, a right to request correction, completion or updating of their personal data, and a right (within limits) to request the destruction of it. Data subjects have the ability to file complaints relating to the application of the PDPL with the “competent authority” (the “SDAIA” for the first two years of the PDPL).
Action: Companies will need a process for responding to and complying with data subject rights requests.
Consent
The main basis for the lawful processing of personal data under the PDPL is the consent of the data owner/subject. Data owners may withdraw their consent to the processing of personal data at any time. Please note that consent is not required if (i) the processing would achieve a clear benefit and it is impossible or impracticable to contact the data subject to obtain consent within a reasonable time; (ii) the processing is required by law or by a prior agreement to which the data subject is a party (e.g. an employment or individual consultancy contract); or (iii) the controller is a public entity and the processing is required for security or judicial purposes. As far as is known at this stage, the PDPL will not reflect the same hesitations about relying on employee consent as does the GDPR. That Regulation assumes that consent given within the context of an employment relationship is not freely given in the majority of cases and so does not represent a valid basis for processing, but the PDPL itself makes no reference to this. It remains possible that this issue will surface in the supplementary regulations in due course.
Action: Companies will need to put in place robust collection mechanisms to demonstrate that the requisite informed consents have been obtained from the start of the relationship.
Cross-border Personal Data Transfers
Unless required to comply with an agreement to which the Kingdom is a party, to serve KSA interests or for other purposes to be set out in the Regulations, the PDPL prohibits data controllers from transferring personal data to an entity outside of KSA. The law suggests that certain controllers may be granted exemptions by the SDAIA and that the supplementary regulations may provide further bases for lawful transfers of personal data out of the jurisdiction.
Action: Companies with staff in KSA will need to review any cross-border data transfers currently being undertaken and consider whether continued overseas processing is feasible (both legally and administratively). The law appears to imply that companies could be required to obtain a permit from the competent authority for any cross-border personal data transfers, although how this will work in practice remains to be seen. Clear guidance from the supporting regulations will be key in this regard.
Privacy Policy
Data controllers must adopt and present a privacy policy to their job candidates and staff for their review before collecting their personal data and seeking their consent to its use in specific ways and for specific purposes.
Action: Companies will be obliged to develop and share a privacy policy setting out details of their personal data processing, including the purpose for which the data is collected and how the data may be processed. In broad terms, the more information this contains about the intended processing (by whom, for what, over how long, subject to which security precautions, what happens when it ends, how to access it, etc.), the better.
Record Keeping/Awareness
The competent authority intends to establish a national registry of controllers and employers will be required to register and pay a fee to the SDAIA (up to SAR100,000) depending on certain criteria to be specified in the supplementary regulations. In addition, they will be required to upload a detailed record of their processing activities to a new online portal that must include the purpose of the processing, entities to which the personal data was or will be disclosed, whether the personal data was or will be transferred outside the KSA and the expected retention period.
Action: Companies will need to undertake a detailed mapping exercise to track where and by whom data is held and processed and to ensure that the PDPL is being complied with. This may involve obtaining information from third parties with whom personal data about staff is or has been shared, such as benefits providers.
It will also be important for companies to arrange for relevant staff to be trained on the PDPL and to raise awareness of personal data protection issues such as the rights of individuals and breach notification/cyber-security threat procedures.
Next Steps
Although the PDPL will be effective from 23 March, I anticipate a transitional period of 12 – 18 months before it is fully enforceable nationally (and potentially longer for companies based outside of KSA). The supplementary regulations are expected to provide further clarification on the various aspects of the new law; with penalties for breaches of the PDPL reaching up to SAR5,000,000 (US$1,333,000) and in certain cases even imprisonment, they will be essential reading for employers. We recommend that all companies operating in KSA or processing the data of individuals based in KSA review their data processing activities as soon as possible and consider the changes likely to be needed to ensure compliance with the PDPL.