Published: Sep 6, 2024

Saudi PDPL Latest Updates – Ahead of 14 September 2024, New Guidelines, Rules and Regulations

With September 14 right around the corner, the Saudi Data and Artificial Intelligence Authority (SDAIA) has been actively publishing much-awaited guidance on the application of the Personal Data Protection Law (PDPL). Our Digital & Data team at Al Tamimi & Company has been tracking these releases and has summarised the new developments below.

  • Personal Data Disclosure Cases Guideline (PDDC Guideline) – The PDDC Guideline issued by SDAIA provides guidance on the lawful disclosure of personal data under the PDPL. It outlines six key cases in which personal data may be disclosed: (i) with the consent of the data subject, (ii) where the data comes from publicly available sources, (iii) at the request of public entities, (iv) to protect public health or safety, (v) where the data is anonymised, or (vi) where disclosure serves the legitimate interests of the controller. The PDDC Guideline also specifies restrictions on disclosure, such as where disclosure threatens national security, violates privacy, or conflicts with legal obligations. Entities are encouraged to adopt best practices and maintain transparency by documenting all disclosure activities and complying with the regulations governing cross-border data transfers.
  • Minimum Personal Data Determination Guideline (MPDD Guideline) – The MPDD Guideline provides a framework to help entities comply with the PDPL by ensuring that only the minimum personal data necessary for a specific purpose is collected. It emphasises collecting data that is directly relevant and necessary, and avoiding unnecessary or excessive information. The MPDD Guideline outlines key principles such as actual need, purpose, and destruction of data once its purpose is fulfilled. Controllers are required to regularly assess the relevance of the data they hold and delete any data that is no longer necessary. Additionally, the MPDD Guideline stresses that data collection methods must be secure, appropriate, and compliant with regulations, and that employees must be trained in the principles of data minimisation.
  • Elaboration and Developing Privacy Policy Guideline (EDPP Guideline) – The EDPP Guideline assists entities in creating effective privacy policies. It covers key elements such as providing entity information, including the entity’s name, services, and target group, along with contact details. The EDPP Guideline also requires entities to define the categories of personal data collected and to explain how such data is collected (i.e. directly from the data subject or indirectly from other sources), for the purpose of ensuring compliance with the PDPL.
  • Rules for Appointing Personal Data Protection Officer (DPO Rules) – The DPO Rules clarify when controllers are required to appoint a DPO and define the roles and responsibilities involved. They set minimum requirements for DPO appointments, stating that the DPO should (i) provide advice on data protection policies, (ii) participate in training programmes, (iii) review response plans for data breaches, and (iv) prepare compliance reports. The DPO is also responsible for supporting technological compliance with data protection regulations. The DPO Rules emphasise the need for written documentation of the DPO’s appointment and for ensuring that data subjects can easily contact the DPO. They also call for regular reviews of the DPO’s role to ensure alignment with regulatory changes, and require controllers to avoid assigning conflicting tasks to the DPO while supporting the DPO’s professional development.
  • Regulation on Personal Data Transfer Outside the Kingdom (Transfer Regulations) – The Transfer Regulations establish a legal framework for transferring personal data from the Kingdom to foreign entities. They apply to all international data transfers by controllers and processors within the Kingdom, and permit a transfer only where the receiving entity provides a level of protection equivalent to the Kingdom’s standards. Safeguards such as Standard Contractual Clauses (SCCs) and Binding Common Rules (BCRs) are required, with exemptions allowed in specific cases. Before any transfer, particularly one involving sensitive data, a comprehensive risk assessment must be conducted to ensure compliance with local standards, and SDAIA, as the competent authority, will regularly review and enforce these requirements.
  • The Binding Common Rules Guideline (BCR Guideline) – The BCR Guideline is designed to standardise and enhance personal data protection for international transfers within multinational groups. BCRs are legally binding internal rules applicable to controllers and processors, providing a framework that ensures consistent data protection across the group. They must cover transparency, lawfulness, purpose limitation, data minimisation, storage limitation, and breach notification. BCRs also require cooperation with SDAIA, regular updates, and enforceability against all group members. Additional requirements include conducting risk and impact assessments and ensuring that all agreements and processing activities align with the BCRs.
  • Standard Contractual Clauses for Personal Data Transfer (SCCs) – The SCCs are predefined legal clauses ensuring that the transfer of personal data outside the Kingdom complies with the PDPL. SCCs apply to all entities involved in cross-border data transfers and provide a standardised approach for data exporters and importers to adhere to data protection standards. Similar to the SCCs under the EU’s GDPR, they safeguard international transfers and mitigate risks such as unauthorised access and data breaches. SCCs must not conflict with existing PDPL obligations, and any modification beyond filling in the required fields is not recognised by SDAIA. Templates are provided for the various transfer scenarios (C2C, C2P, P2P and P2C, i.e. controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller), and personal data must be protected throughout all processing stages, ensuring security and compliance with the rights of data subjects.

We provide legal advice and assist in drafting agreements and policies to ensure your organisation complies with the latest guidelines, rules and regulations. Our services also include updating data protection policies, ensuring compliance with cross-border transfer requirements such as SCCs and BCRs, and offering guidance on DPO-related regulations. Additionally, we advise on the implementation of data minimisation practices, data breach protocols, and secure data processing measures. Kindly reach out to us for comprehensive support in aligning with Saudi Arabia’s regulatory framework.

Key Contacts

David Yates

Partner, Head of Digital & Data

d.yates@tamimi.com