Support Centre

Saudi Arabia

Summary

Law: The Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021, and amended on 21 March 2023 (available here) (PDPL, as amended)

Regulator: The Saudi Data & Artificial Intelligence Authority (SDAIA).

Summary: The PDPL was published in the Official Gazette on 24 September 2021 and marks the introduction of Saudi Arabia's first data protection law. The PDPL aims to ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data. Notably, the PDPL covers key principles such as purpose limitation and data minimization, controller obligations, including registration and maintenance of data processing records, data subject rights, and penalties for breach of provisions.

The PDPL will bring Saudi Arabia into closer alignment with both its Middle East counterparts as well as international standards. In the meantime, the National Data Management Office has developed the National Data Governance Interim Regulations, encompassing the Personal Data Protection Interim Regulations (the Data Protection Interim Regulations) and the Data Sharing Interim Regulations (the Data Sharing Interim Regulations). The Data Protection Interim Regulations cover key principles such as accountability, transparency, data disclosure, and data subject rights. In contrast, the Data Sharing Interim Regulations address data security, legal basis, and ethical data use.

At the end of November 2022, SDAIA launched a public consultation on proposed amendments to the PDPL, which were approved by the Saudi Council of Ministers on 21 March 2023 and thereafter by the Bureau of Experts at the Saudi Council of Ministers. According to Article 43 of the PDPL, as amended, the same shall enter into force 720 days from the date of publication in the Official Gazette (i.e. 24 September 2021), namely on 14 September 2023. In addition, according to the preamble of the PDPL, as amended, entities will have a one-year transition period from such date to bring their operations into compliance.

On September 7, 2023, the PDPL Implementing Regulation of the Personal Data Protection Law and the Regulations on personal data transfers (only available in Arabic here) were published in the Official Gazette of Saudi Arabia, after a public consultation launched by SDAIA in July 2023. Both sets of regulations will enter into force with the PDPL on September 14, 2023.

News

Insights

September 2024

Saudi Arabia: Navigating SDAIA's rules and guidelines for PDPL compliance – part two

As the September 14, 2024, deadline approaches, entities must prepare compliance with the Saudi Arabia Personal Data Protection Law (as amended) (the PDPL) and the Implementing Regulation of the Personal Data Protection Law (only available in Arabic here) (the Implementing Regulations).

In part two of this Insight series, OneTrust DataGuidance outlines the rules and regulations the Saudi Data and Artificial Intelligence Authority (SDAIA) has released on controller registration, disclosures, anonymization/pseudonymization, processing records, and data minimization.

September 2024

Saudi Arabia: Navigating SDAIA's rules and guidelines for PDPL compliance – part one

The Saudi Arabia Personal Data Protection Law (as amended) (the PDPL) came into effect on September 14, 2023. However, Royal Decree No. M/19 of 9/2/1443H (16 September 2021) provides that entities have until September 14, 2024, to comply with the new provisions. The Saudi Data and Artificial Intelligence Authority (SDAIA) has recently published a set of rules and guidelines to support entities in their compliance with the PDPL and its Regulations, which OneTrust DataGuidance will summarize in parts one and two of this Insight series.

August 2024

Saudi Arabia: Guide to generative AI - an overview and practical considerations for businesses

In this Insight article, Randall Walker, Partner at Hogan Lovells, discusses Saudi Arabia's ambitious Vision 2030, which aims to diversify the economy and improve citizens' quality of life through technological advancements. A key part of this vision is the development of generative artificial intelligence (GenAI), which, despite its potential, raises significant regulatory and ethical challenges.

October 2023

Saudi Arabia: Final Implementing Regulations and Transfer Regulations - what you need to know

With the entry into force of the Personal Data Protection Law (PDPL), the Implementing Regulations of the PDPL (Implementing Regulations) (only available in Arabic here), and the Regulation on Personal Data Transfer (Transfer Regulations) (only available in Arabic here), the Kingdom of Saudi Arabia has adopted a comprehensive regulatory framework governing the processing of personal data.

Overall, the regulatory framework is a successful accomplishment for the Kingdom. Although formal guidelines and opinions are expected from the competent authorities, the enacted framework projects the Kingdom among those jurisdictions equipped with advanced data protection legislation, which resonates with most of the key principles and best practices adopted in other key jurisdictions. 

In this Insight article, Gianluca de Feo, Lawyer at AX Law, highlights some of the most significant practical aspects and key takeaways from the Implementing Regulations and the Transfer Regulations.

October 2023

Saudia Arabia: Updates telecommunications law and regulatory regime

The Kingdom of Saudi Arabia (KSA) has revamped its regulatory regime for telecommunications with the issuance of a new Telecommunications and Information Technology Act1 (the Telecoms Act) and the publication of implementing regulations to support the new law. Dino Wilkinson, Masha Ooijevaar, Shamma Sied, and Ken Wong, from Clyde & Co, take a look at the provisions of the Telecoms Act, how it differs from previous legislation, and what companies need to consider.

August 2023

Saudi Arabia: Draft PDPL regulations - what you need to know

With the Personal Data Protection Law (PDPL), in the recently amended version, set to enter into force on September 14, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued for public consultation, on July 11, 2023, draft PDPL Implementing Regulations and draft Regulations on Personal Data Transfers. Both sets of regulations serve the purpose of providing further details regarding the application of the PDPL.

In this Insight article, OneTrust DataGuidance highlights some of the most significant aspects and key takeaways from the draft Implementing Regulations and the draft Data Transfer Regulations, featuring comments from Gianluca de Feo, Lawyer at AX Law.

June 2023

Saudi Arabia: Overview of the amended PDPL and key differences to the GDPR

An amended version of the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. Brian Meenagh and Lucy Tucker, from Latham & Watkins, LLP, discuss the amendments and draw comparisons between the PDPL and the General Data Protection Regulation (GDPR), with concluding thoughts on next steps.

April 2023

Saudi Arabia: New Personal Data Protection Law - What you need to know

Following a series of data protection developments in the Middle East, the latest marks Saudi Arabia's first data protection law, namely the Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 dated 14 September 2021 ('PDPL'), which was published in the Official Gazette on 24 September 2021.

Although the PDPL's original entry into force date was set for 23 March 2022, and later postponed until 17 March 2023, that date now stands at 14 September 2023, following the recent approval of amendments to the PDPL (reference to the 'PDPL' henceforth refers to the PDPL as amended).

In this Insight article, OneTrust DataGuidance Research summarises key provisions of the PDPL, as well as key considerations and challenges for practitioners to build and progress their privacy programs towards compliance with the law.

January 2023

Saudi Arabia: Why the amendments proposed to the PDPL are good news for business

Saudi Arabia's much awaited Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No.98 dated 14 September 2021 ('PDPL') was issued in September 2021. Originally it was due to come into force on 23 March 2022. Following amendments published in March 2023, the PDPL is now expected to come into effect on 14 September 2023. Simon Stokes and Nick O'Connell, from Al Tamimi & Company, provide a brief overview of the proposed amendments and how businesses can prepare.

This Insight article was updated in May 2023.

September 2022

Saudi Arabia: New cybersecurity controls

The Kingdom of Saudi Arabia ('KSA') has focused on digital transformation as part of its Vision 2030 plan to develop its infrastructure and support the transition away from reliance on oil towards a knowledge-based economy. In keeping with this increased focus on technology in the economy, there has been an associated rise in regulation of digital activity. Dino Wilkinson, Masha Ooijevaar, Adwa Aljebreen, and Zahra Laher, from Clyde & Co., discuss how cybersecurity has evolved in the KSA as well as recent guidelines, controls, frameworks, and regulations.

November 2021

Saudi Arabia: Data residency under the PDPL - Part 2: Key steps to Article 29 compliance

Saudi Arabia's new Personal Data Protection Law1 ('PDPL') was recently published in the Official Gazette, triggering a 180-day period that will require the publication of additional Executive Regulations and see the PDPL come into effect on 23 March 2022. Controlling entities will then have one year from this date to achieve compliance. Article 29 of the PDPL provides that a controlling entity may only transfer personal data outside the Kingdom, or disclose it to a party outside of the Kingdom, in specific circumstances and after certain conditions are met. In Part 12 of this two-part Insight article series, Dale Waterman, Managing Director for the Middle East & North Africa at Breakwater Solutions, shared his initial observations on the interpretation and potential operationalisation of Article 29. In Part 2, Dale seeks to offer newly appointed compliance stakeholders in the region a few suggestions on how they might consider ways to begin preparing for future data sovereignty obligations in advance of receiving the Executive Regulations and the PDPL coming into effect.

November 2021

Saudi Arabia: Data residency under the PDPL - Part 1: Dissecting Article 29

Saudi Arabia's new Personal Data Protection Law1 ('PDPL') was recently published in the Official Gazette. This triggered a 180-day period that will require the publication of additional Executive Regulations and see the PDPL come into effect on 23 March 2022. Controlling entities will then have one year from this date to achieve compliance. Whilst setting out many familiar data protection principles and obligations, the PDPL notably lays down obligations with respect to data sovereignty, which have garnered significant attention and may present operational challenges for organisations subject to the PDPL. In this two-part Insight article series, Dale Waterman, Managing Director for the Middle East & North Africa at Breakwater Solutions, takes a deep dive into these provisions and the evolving data sovereignty landscape in Saudi Arabia. In Part 1, Dale shares his initial observations on the interpretation and potential operationalisation of the data localisation provisions under the PDPL, before offering newly appointed compliance stakeholders in the region a few suggestions on how they might consider preparing to effectively manage future data sovereignty obligations while they await the release of the Executive Regulations and the launch of PDPL in Part 22.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.