Published: Apr 7, 2023

Saudi Arabia’s amended Personal Data Protection Law

The long-awaited revisions to Saudi Arabia’s Personal Data Protection Law (PDPL) have recently been published. The changes are welcome, but much of the detail will be contained in the as yet unpublished Regulations.

We will be providing a fuller briefing in due course. In the meantime, key revisions to PDPL include:

  • Entry into force and grace period – the PDPL will now enter into force in September 2023 with a further grace period of a year for those subject to the PDPL to ensure their processing activities are compliant.
  • Executive Regulations – the Regulations are referred to throughout the PDPL and will add further detail; these are supposed to be issued by the time the PDPL comes into force in September 2023.
  • International data transfers – subject to certain criteria being met, no prior regulatory approval will be required where personal data is transferred from Saudi Arabia to a country that offers an appropriate level of protection, no less than the level of data protection in the Kingdom.
  • Addition of legitimate interests as a legal basis for data processing – consent will no longer be the only primary ground for processing personal data; with some exceptions, processing can also be carried out where it is necessary to achieve a legitimate interest of the controller (subject to data subject rights and interests).
  • Data Protection Officers – these will need to be appointed by data controllers where specified by the Regulations.
  • Offshore entities not specifically required to appoint an in-country representative – the express requirement for entities outside Saudi Arabia that process the personal data of individuals in Saudi Arabia to appoint a representative in the Kingdom has been removed – but there will still be compliance implications.
  • Data Breaches – the requirements around notifying the regulator, and data subjects, of data breaches will be set out in the Regulations.
  • National Register – there is no longer specific mention of controllers registering their processing in an ‘electronic portal’, although there is reference to the establishment of a National Register of data controllers.

Other areas addressed by the revisions to the PDPL include: clarifying the powers and functions of the KSA data protection regulator, revisions to the provisions dealing with data processors and privacy policies, modifications to some of the penalties for breach of the law, and amendments that potentially make it easier for a controller to appoint a data processor. The amendments also tidy up the drafting and address unclear language.

The changes are welcome, but much of the detail will be contained in the as yet unpublished Regulations, so how these new provisions will operate in practice remains to be seen.

How can we help?

Our Digital & Data team would be pleased to assist in providing advice on the revised Law and on compliance steps for business. Please reach out to Nick or Simon if you have any specific queries.

Key Contacts

Nick O’Connell

Partner, Head of Digital & Data - Saudi Arabia