Actualités • Membres
KSA approves New Personal Data Protection Law
On the 16th of September 2021, the Saudi Arabian Data & Al Authority announced that the Council of Ministers approved the Personal Data Protection Law
On the 16th of September 2021, the Saudi Arabian Data & Al Authority announced that the Council of Ministers approved the Personal Data Protection Law. This law aims to protect the collection & processing of personal data without an owner’s consent.
Although the use of personal data has already been partially regulated in several Saudi laws, this is the first time in the history of the Kingdom that a special data protection law (PDPL) has been enacted. The announcement triggered a deadline under which the law will take effect on 23rd of March 2022. From this date, the data controllers have one year to adapt the existing regulations to ensure compliance.
This new PDPL is also in line with the digitalization of the society and will boost the Kingdom’s digital transformation process according to the national Vision 2030 transformation plan. This law is expected to empower the economy and help to create a favorable regulatory environment for business growth and attracting foreign investments.
The Law defines personal data as data that enables a person to be identified, whether directly or indirectly. These data are mainly, but not limited to names, identification numbers, addresses, financial/ personal records, or pictures which are basically suitable for identification. The regulations are intended to prevent abuse or transfer of this data to other entities.
Under the new PDPL there are some main principles, such as the relevance of the collected data, accuracy, purpose limitation of the data and the principle that data should not be stored longer than necessary. According to the legal regulations, it will be illegal in the future to use personal data to send marketing or awareness-raising materials to individuals unless the consent has been obtained. There are exceptions to this rule, for example information material from public authorities.
The legislation provides various rights of data owners, including the right to withdraw the consent to the use of data at any time that is required in principle, to be informed of the legal basis for the contemplated personal data processing, to know the purpose of the data collection, to have inaccurate personal data updated and the right to have personal data destroyed if the purpose is fulfilled.
Last, there are certain obligations of controllers that apply after the one-year deadline like for example ensuring data security, record of processing, reporting data breaches and destroying personal data after the purpose has been achieved.
Violations of the PDPL carry stiff penalties, such as imprisonment of up to two years and/or a fine of up to SAR 3,000,000 for anyone who discloses or publishes sensitive data in violation of the law.
In the end, all the new rules will also lead to individuals being more willing to provide and share their data in the future, as the regulations clearly outline the limits of collection and processing, whereby the regulation will strengthen the sense of responsibility for individuals and entities and consolidate respect for privacy.
Author:
Sebastian Luermann
Legal Consultant – Attorney at Law (Germany) / Rechtsanwalt
Rödl & Partner (Dubai Branch)
sebastian.luermann@roedl.com