Saudi Arabia - Data Protection Overview

October 2024

1. Governing Texts

Saudi Arabia issued its first comprehensive and unified national data protection law in September 2021 to regulate the collection and processing of personal data. The Saudi Arabia Personal Data Protection Law (as amended) (the PDPL) has been implemented by Royal Decree No. M/19 of 9/2/1443H (16 September 2021) approving Resolution No.98 of 7/2/1443H (14 September 2021) and amended by Royal Decree No. M/147 of 5/9/1444H (21 March 2023), and came into effect on September 14, 2023.

1.1. Key acts, regulations, directives, bills

The PDPL was published in the Official Gazette on September 24, 2021. It was originally stated to take effect 180 days after its publication in the Official Gazette, which meant it was intended to be effective from March 23, 2022. Draft executive regulations were issued for public consultation within this period.

On March 22, 2022, the Saudi Data & Artificial Intelligence Authority (SDAIA), which is the current competent authority for the PDPL, announced the postponement of the enforcement of the PDPL until March 17, 2023, in light of responses the SDAIA received from a range of stakeholders to the draft executive regulations.

This was followed by the issuance of draft amendments to the PDPL for public consultation in November 2022, and in March 2023, an amended version of the PDPL was implemented via Royal Decree No. M/147 of 5/9/1444H (21 March 2023), which pushed the effective date of the PDPL to 720 days after the initial publication date: the PDPL was therefore effective from September 14, 2023.

The implementing decree of the PDPL provided that controllers had to adjust their status in accordance with the provisions of the PDPL within a period not exceeding one year from the date that it becomes effective, i.e. by September 14, 2024. As of the date of this overview, the PDPL is fully effective and enforceable.

The Implementing Regulation of the Personal Data Protection Law (the Implementing Regulations) and the Regulation on Personal Data Transfer outside the Kingdom (the Data Transfer Regulations) (collectively, the Regulations) were published for public consultation on July 11, 2023, and were formally issued on September 7, 2023, with the Data Transfer Regulations being updated in September 2024. The Regulations expand on the general principles and obligations outlined in the PDPL and introduce new compliance requirements for organizations.

Prior to the enactment of the PDPL, the privacy of data was considered under general Shari'ah principles, in addition to a number of provisions in sector-specific laws such as finance, insurance, and telecommunication:

The Cybercrimes Law: The right to privacy is reflected in Article 6(1) of Cabinet Decision No. 79/1428 on the Approval of the Anti-Cyber Crime Law (the Cybercrimes Law), which criminalizes the 'production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers.' The offense carries a fine of SAR 3 million (approx. $800,000) and/or up to four years imprisonment. In particular, the Cybercrimes Law stipulates that an individual's consent must be obtained to process their personal information, including disclosing any documents obtained by such processing.

E-commerce Law: Under Article 5 of Cabinet Decision No. 628/1440 On the Approval of the E-Commerce Law (the E-commerce Law), a service provider falling within the scope of the E-commerce Law is restricted from storing the consumer's personal or contact information for a period exceeding the period required by the nature of its activity, and this extends to its agents or affiliates unless agreed otherwise with the consumer (for example, through obtaining the customer's explicit consent). Furthermore, regulated service providers are required to take the necessary measures to protect the consumer's information and are liable for the protection of any information under their possession or control. These service providers are also prohibited from using the consumer's information for any purpose other than the purpose for which the information was disclosed, whether such use is for profit or not, unless they obtain the consumer's consent.

Financial Services and Privacy: The Saudi Arabian Monetary Agency's (SAMA) Financial Consumer Protection Principles and Rules refer to the protection of data and information as one of the 10 core principles of consumer protection applicable to all financial institutions. Financial institutions must develop appropriate mechanisms according to relevant applicable regulations, instructions, and policies to protect the privacy of consumers' financial, credit, insurance, and/or personal information, and the rights set out in the PDPL are referred to as a minimum standard. The SAMA has also issued regulations intended to govern the data exchanged between creditors and borrowers. Article 3 of the Credit Rating Agencies Regulations (CRA Regulations) requires the personal data of consumers to be kept confidential, to be processed solely for credit borrowing purposes, and to consult the Saudi Credit Bureau to verify any information exchanged. Regulation No. 4/1434 Implementing the Regulation of the Finance Companies Control Law (FCC Law) also protects the privacy of the financial information of individuals under Article 88: 'The finance company and its employees shall maintain the confidentiality of clients' data and transactions, and shall not disclose or pass such information to other parties, except in accordance with relevant laws and instructions.'

Insurance and Privacy: Several regulations governing the insurance sector include privacy and data protection obligations. For example, the Outsourcing Regulation for Insurance And Reinsurance Companies and Insurance Service Providers (the Outsourcing Regulations), issued by the SAMA, requires insurers and insurance service providers to establish proper safeguards to protect the integrity and confidentiality of policyholder data and financial data, including by (Article 33 of the Outsourcing Regulations):

  • entering into non-disclosure agreements;
  • providing financial data and data of the insured to a third party on a need-to-know basis only; and
  • requiring the third party to segregate their data from other data pools.

The SAMA has also issued the Insurance Market Code of Conduct Regulation (the Insurance Code), in which Section 17 deals with data confidentiality. The Insurance Code provides that companies must, at all times, ensure that customer personal data is protected. This means that the data:

  • must be obtained and used only for specified and lawful purposes;
  • must be kept by the company in Saudi Arabia;
  • must be kept secure and up to date for a period of 10 years;
  • must be provided to the customer upon their written request; and
  • must not be disclosed to a third party without the prior authorization of the SAMA (other than the companies' auditors, actuaries, reinsurers, and co-insurers).

NDMO Regulations: The National Data Management Office (NDMO), the regulatory arm of the SDAIA, issued the National Data Governance Regulations on June 1, 2020, which include the Personal Data Protection Regulations (PDPR). The PDPR includes requirements relating to the principles of transparency, purpose limitation, and data minimization, as well as data collection and disclosures and data subject rights. The PDPR has not been formally repealed as of the date of this publication.

NCA Cybersecurity Controls: The National Cybersecurity Agency (NCA) has issued a number of cybersecurity controls to regulate Saudi Arabia's cyberspace, which apply to government organizations (including private companies that provide services to such organizations). For example, the Essential Cybersecurity Controls contain the minimum measures that organizations need to implement to detect, prevent, or address security risks and to manage threats to information and technology assets. The Data Cybersecurity Controls aim to support organizations' cybersecurity throughout the data life cycle in order to protect data and information assets from cybersecurity threats and risks. They include controls relating to data and information protection and secure data disposal, and classify data into four categories: public, confidential, secret, and top secret.

Telecommunications and Privacy: Provisions on data protection and cybersecurity are also available in the Telecommunications and Information Technology Act approved pursuant to Royal Decree No. M/106 dated 02/11/1443 AH (1 June 2022) (the Telecoms Act), which apply to digital service providers. The Telecoms Act requires service providers to comply with the provisions of the PDPL when using, controlling, or processing any user's personal data. User data cannot be disclosed without the consent of the user. Additionally, service providers have a duty to notify users and the Communications, Space & Technology Commission (CST) in the case of a breach of users' personal data and to take appropriate measures to protect personal data, including those contemplated under the General Principles for Personal Data Protection in the Telecommunications, Information Technology and Postal Sectors.

Cloud Computing and Privacy: The Cloud Computing Services Provisioning Regulations (the Cloud Regulations), issued as a fourth version in October 2023 by the CST, apply to cloud service providers (CSPs) that provide cloud services to cloud computing subscribers (i.e., any person to whom a CSP agrees to provide its services under a cloud computing contract or other commercial relationship between the CSP and such person) that reside or have a subscriber's address in Saudi Arabia. The Cloud Regulations address the issue of protection of personal data in a cloud context and introduce a set of minimum data protection rights that CSPs need to respect. The scope of these data protection rules in the Cloud Regulations is not limited to the personal data of individuals but covers all types of cloud computing subscriber data, including business information that would not normally qualify as 'personal data.' The Cloud Regulations explicitly prohibit the transfer of any content of Saudi government agencies outside Saudi Arabia for any purpose, or in any form, whether permanently or temporarily, unless it is expressly stated that it is permitted according to the laws or regulations in Saudi Arabia. Additionally, cloud computing subscribers may not transfer, store, or process such content of Saudi government agencies on any cloud system unless the CSP is registered with the CST. CSPs must inform subscribers and the CST without delay of any breaches of user information or documents, and the CST will notify the NDMO if these breaches affect or are likely to affect government agencies or a large number of people in Saudi Arabia due to reliance on the services of one or more cloud computing subscribers that have been affected by the breach.

Article 3 of the PDPL expressly stipulates that the PDPL does not intend to prejudice any sector-specific regulations, including the ones highlighted above, to the extent that they grant any rights to data subjects or confer better protection to personal data.

However, the implementing decree to the PDPL specifies that the SDAIA will coordinate with the SAMA and the CST to prepare a Memorandum of Understanding to regulate some of the aspects related to the application of the provisions of the PDPL and the Regulations on the entities regulated by the SAMA and the CST. This suggests that there will be some element of transition from the prior state of sector-specific regulation towards the PDPL as the overarching data legislation in Saudi Arabia.

1.2. Guidelines

The NDMO published a self-assessment for public and private entities regarding the key requirements of the PDPL. In addition to the Implementing Regulations and the Data Transfer Regulations, in August 2024 SDAIA published guidance on the following topics:

  1. The Rules Governing the National Register of Controllers within the Kingdom;
  2. Rules for Appointing Personal Data Protection Officer (the DPO Rules);
  3. Elaboration and Developing Privacy Policy Guideline;
  4. Personal Data Processing Activities Records Guideline;
  5. Minimum Personal Data Determination Guideline;
  6. Personal Data Destruction, Anonymization, and Pseudonymization Guideline (the Pseudonymization Guideline); and
  7. Personal Data Disclosure Cases Guideline.

In addition to updating the Data Transfer Regulations, SDAIA issued the Standard Contractual Clauses (SCCs) for Personal Data Transfers and Guidelines for Binding Common Rules (BCR) for Personal Data Transfers, aligning the data transfer mechanisms more closely with international standards.

1.3. Case law

There is no known case law pertaining to the data protection provisions of the PDPL at the time of publication.

2. Scope of Application

2.1. Personal scope

Article 2 of the PDPL applies to any processing of personal data that is performed in Saudi Arabia by any means whatsoever, including any processing of personal data of individuals who are residing in Saudi Arabia carried out in any manner whatsoever by an entity located outside Saudi Arabia.

Unlike other data protection laws, the PDPL includes the processing of personal data of deceased persons if the personal data leads to the identification of the deceased person or their family members specifically.

The provisions, requirements, and conditions set forth in the PDPL do not apply to the processing of personal data by an individual for personal or family use, as long as the personal data is not published or disclosed to others. Article 2 of the Implementing Regulations clarifies that personal or family use means that the individual processes personal data within their family or limited social circle in the course of any social or family activity. The following are not considered to be 'personal or family use':

  • publishing personal data to the public or disclosing it to any person outside the scope specified above; and
  • using personal data for purposes of a professional, commercial, or non-profit nature.

2.2. Territorial scope

The PDPL applies to Saudi entities that perform personal data processing activities in the Kingdom of Saudi Arabia (KSA).

The PDPL also applies extra-territorially to non-Saudi entities that process the personal data of individuals residing in Saudi Arabia.

2.3. Material scope

The provisions of the PDPL apply to any processing of personal data by any means. The PDPL also applies to the processing of sensitive data (which includes health and genetic data), subject to a limited scope and/or added protection and controls.

Note that the PDPL does not apply to the processing of corporate, government, technical, or any other data if it does not identify natural persons.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The SDAIA will supervise the implementation of the new legislation for the first two years, following which a transfer of supervision to the NDMO will be considered.

3.2. Main powers, duties and responsibilities

The SDAIA is the competent authority in Saudi Arabia concerned with data and artificial intelligence (AI) including big data. The SDAIA is also the national reference in all matters related to the organization, development, and handling of data and AI. Additionally, it has competence in all matters related to operation, research, and innovation in the field of data and AI.

The SDAIA is responsible for implementing the data and AI agenda at a national level, including enforcing the PDPL.

4. Key Definitions

Data controller: Any public authority or any natural or legal person which determines the purpose and method of processing personal data, whether such processing is performed by it or by the processor.

Data processor: Any public authority or any natural or legal person that processes personal data for or on behalf of a controller.

Personal data: Any data, whatever its source or form, through which a person can be specifically identified either directly or indirectly, including the name, ID number, addresses, contact numbers, license numbers, registration numbers, property, bank account numbers, credit cards numbers, still and moving images of the person, and other personal data.

Sensitive data: Any personal data that includes a reference to a person's ethnic or tribal origin, their religious, intellectual, or political beliefs, their security and criminal data, biometric data that identifies identity, genetic data, health data, or data indicating that a person has an unknown parent/parents.

Health data: Any personal data that is related to the health condition of a person, whether physical, mental, psychological, or related to the provision of health services to them.

Biometric data: The PDPL does not provide a definition of biometric data. However, though slightly different, the PDPL does define genetic data as any personal data related to the genetic or acquired features of a natural person that uniquely determine the physical or health features of such a person. Such data is extracted by analyzing a biological sample, such as an analysis of DNA or any other analysis that results in extracting genetic information.

Pseudonymization: Conversion of the main identifiers that indicate the identity of a person into codes that make it difficult to directly identify them without using additional data or information. Pseudonymization is further defined in the Pseudonymization Guideline as the process of transforming primary identifiers that reveal the identity of the data subject into codes that render the direct identification of the data subject infeasible without the use of additional data or information.

Anonymization: The removal of direct and indirect identifiers that indicate the identity of a person in a way that permanently makes it impossible to identify them. The Pseudonymization Guideline sets out a variety of anonymization examples and commonly used techniques.

5. Legal Bases

Article 6 of the PDPL, as amended, provides that the processing of personal data is not subject to consent if any of the following circumstances apply:

  • the processing serves actual interests of the data subject, but communicating with the data subject is impossible or difficult;
  • the processing is pursuant to another law (i.e., legal obligation);
  • the processing is pursuant to the implementation of a previous agreement to which the data subject is a party;
  • the controller is a public entity, and the processing is required for security purposes or to fulfill judicial requirements; or
  • the processing is necessary to achieve a legitimate interest of the controller, without prejudice to the rights and interests of the data subject and provided the personal data is not sensitive data, in accordance with the rules and provisions set out in the Regulations.

Additionally, Article 10 of the PDPL, as amended, specifies that controllers may collect personal data from the data subject, and any processing of such data must be done for the purpose for which the personal data was collected. In the following cases, however, a controller may collect personal data from another source (other than the data subject) or process personal data for another purpose:

  • the data subject consents to the collection of the personal data or the processing for a new purpose;
  • the personal data is publicly available or collected from publicly available sources;
  • the controller is a public entity, and the personal data was not directly received from the data subject or was processed for a purpose other than that for which it was collected, as required for public interest objectives, security purposes, or to implement another law or to fulfill judicial requirements;
  • compliance with this restriction may cause harm to the data subject or affect the vital interests of the data subject;
  • the collection or processing of personal data is necessary to protect the public health, public safety, or to protect the life or health of a specific individual;
  • the personal data will not be recorded or stored in a form that makes it possible to directly or indirectly identify the data subject (i.e., anonymization); and
  • the collection or processing of the personal data is necessary to achieve legitimate interests of the controller or any other party, without prejudice to the rights or interests of the data subject, and provided that the personal data is not sensitive data.

5.1. Consent

The general rule is that consent is required unless an express exception in the PDPL, as amended, stipulates otherwise. Consent is therefore one of the main legal bases for processing personal data, and in particular for collecting personal data indirectly (i.e., from a source other than the data subject), for using the data for any purpose other than the purpose for which it was originally collected, and for disclosures.

Consent may not form a condition of providing a service or benefit unless such service or benefit is related to the processing of personal data for which consent is given (Article 7 of the PDPL, as amended).

According to Article 11 of the Implementing Regulations, the controller must obtain the data subject's consent for processing their personal data in any appropriate form or means, including written or verbal consent or by using electronic methods, subject to the following conditions:

  • consent must be given freely and not obtained through misleading methods. Consent must be obtained by taking into account the provision in Article 7 of the PDPL, as amended (i.e., consent should not be a prerequisite for offering a service or a benefit, unless such a service or benefit is related to the personal data processing for which consent is granted);
  • the purposes of processing must be clear and specific, and those purposes must be made clear to the data subject before or at the time of requesting consent;
  • consent must be given by a person who has full legal capacity;
  • consent must be documented in a way that allows verification in the future, including keeping records that include the consent of data subjects, indicating the time and means of consent; and
  • independent consent must be obtained for each purpose of processing.

A data subject's consent must be 'explicit' in the following cases:

  • when the processing involves sensitive data;
  • when the processing involves credit data; or
  • if decisions will be taken based entirely on automated processing of personal data.

According to Article 12 of the Implementing Regulations, data subjects have the right to withdraw their consent for processing at any time, and they may inform the controller of their withdrawal by any of the available means in accordance with Article 4 of the Implementing Regulations (the right to be informed).

Additionally, consent is the legal basis for processing personal data for advertising and direct marketing purposes. In line with Articles 25 and 26 of the PDPL, as amended, except for educational materials sent by public authorities, a controller may not use personal contacts (including postal and electronic mail addresses) of the data subject to send them advertising or educational materials, unless it satisfies the following conditions:

  • the target recipient (i.e., individual) consents to receiving such material; and
  • the sender of the material (e.g., the controller), as set out in the Implementing Regulations, provides a clear way that enables the target recipient to express their wish to stop receiving such material.

Except for sensitive data, personal data may be processed for marketing purposes if:

  • the data is collected directly from a data subject; and
  • the data subject consents to such processing in accordance with the PDPL, as amended.

In addition, Article 28(1) of the Implementing Regulations states that controllers must obtain consent from the targeted recipient before sending 'advertising or awareness materials' in case there is no prior interaction between the controller and the targeted recipient. Article 28(2) of the Implementing Regulations provides the conditions for obtaining the targeted recipient's consent for advertising or awareness materials.

Furthermore, before processing personal data for 'direct marketing' purposes, the controller must:

  • obtain consent from the data subject (as per Article 11 of the Implementing Regulations);
  • provide a mechanism that allows the data subject to stop receiving marketing materials whenever they desire; such procedures must be easy and simplified, and similar to or easier than the procedures for obtaining consent to receive such materials;
  • when direct marketing materials are sent to the data subject, the name of the sending party must be mentioned clearly without any concealment of its identity; and
  • if the data subject withdraws their consent to direct marketing, the controller must stop sending direct marketing materials to them without undue delay.

5.2. Contract with the data subject

Article 6(2) of the PDPL, as amended, provides that the processing of personal data is not subject to consent in certain circumstances, which include the case where the processing is pursuant to the implementation of a previous agreement to which the data subject is a party. However, this appears to be based on a 'previous agreement' to which the data subject is party rather than 'for the performance of a contract' as under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

5.3. Legal obligations

Pursuant to Article 6(2) of the PDPL, as amended, the processing of personal data is not subject to consent if the processing is pursuant to another law (i.e., legal obligation).

Under Article 20(3) of the Implementing Regulations, when disclosing personal data in response to a request from a public authority for security purposes, to implement another law, to satisfy legal requirements, or where the disclosure is necessary to protect public health, public safety, or the life or health of specific individuals, the following measures shall be taken:

  • the request for disclosure should be documented; and
  • the type of personal data required to be disclosed should be accurately defined.

5.4. Interests of the data subject

Under Article 6(1) of the PDPL, as amended, the processing of personal data is not subject to consent if the processing serves the 'actual interests' of the data subject but communicating with the data subject is impossible or difficult. Article 1 of the Implementing Regulations defines actual interests as 'any moral or material interest of the data subject directly related to the purpose of processing personal data, and the processing is necessary to achieve that interest.'

According to Article 14 of the Implementing Regulations, when processing is necessary to achieve an actual interest of the data subject, the controller must retain evidence that such an interest exists and that it is impossible or difficult to contact the data subject. Additionally, Article 10 specifies that personal data may not be indirectly collected or processed for another purpose unless compliance with this restriction may cause harm to the data subject or affect the vital interests of the data subject.

5.5. Public interest

While there is no equivalent specific public interest basis, as under the GDPR, the principle of public interest underlies numerous provisions in the PDPL, as amended.

First, in terms of bases for processing personal data, Article 6(3) of the PDPL, as amended, stipulates that personal data may be processed without the data subject's consent if the controller is a public entity and the processing is required for security purposes or to fulfill judicial requirements.

Second, in regard to the collection of personal data, although the general rule requires that data is only collected from the data subject and that the personal data is only used for the purposes disclosed at the time of collection, Article 10(3) of the PDPL, as amended, allows the indirect collection of personal data or for other purposes as required for public interest objectives, security purposes, to implement another law, or to fulfill judicial requirements. Furthermore, the same applies to cases where it is necessary to protect public health, public safety, or to protect the life or health of specific individuals, per Article 10(5) of the PDPL, as amended.

Finally, Article 15(3) of the PDPL, as amended, permits the disclosure of personal data if the entity requesting it is a public entity and the collection or processing is required for public interest or security purposes, to implement another law, or to fulfill judicial requirements. Article 15(4) of the PDPL, as amended, also permits disclosure if necessary to protect public health, public safety, or to protect the lives or health of specific individuals.

According to Article 21 of the Implementing Regulations, when a public entity collects personal data directly from someone other than the data subject, processes the data for a purpose other than the one for which the data was collected, or requests disclosure to achieve a public interest, it must comply with the following:

  • ensure that this is necessary to achieve a clearly defined public interest;
  • ensure that the public interest is related to the competencies prescribed for it by law;
  • take appropriate means to limit the damages that may result from this, including setting the necessary administrative and technical controls to ensure that its employees comply with the provisions of Article 41 of the PDPL, as amended (i.e., whoever carries out any personal data processing business must keep the data secret even after termination of the employment contract);
  • include these operations in the records of processing activities; and
  • collect and process the minimum personal data necessary to achieve the purpose.

5.6. Legitimate interests of the data controller

Personal data may be processed, collected indirectly, processed for other purposes, or disclosed in accordance with the legitimate interest basis as per Articles 6, 10, and 15 of the PDPL, as amended. The legitimate interest basis was introduced by the amendments to the PDPL issued in March 2023.

According to Article 16 of the Implementing Regulations, except in cases where the controller is a public entity, the controller may process personal data to achieve a legitimate interest provided that the following conditions are met:

  • the purpose of processing does not violate any Saudi laws;
  • the rights and interests of the data subject and the legitimate interests of the controller are balanced so that the interests of the controller do not affect the rights and interests of the data subject;
  • the processing does not include sensitive data; and
  • the processing must be within the reasonable expectations of the data subject.

Article 1 of the Implementing Regulations defines legitimate interest as 'any necessary interest of the controller whose fulfillment requires the processing of personal data for a specific purpose, provided that it does not affect the rights and interests of the personal data subject.'

Under Article 16(2) of the Implementing Regulations, examples of legitimate interests include detecting fraud and protecting the security of networks and information, and other legitimate interests that meet the conditions specified in Article 16 of the Implementing Regulations.

As per Article 16(3) of the Implementing Regulations and in accordance with Article 6(4) of the PDPL, as amended (i.e., relying on legitimate interests to process personal data), before processing personal data for a legitimate interest, the controller must conduct and document an assessment of the proposed processing and its impact on the rights and interests of the data subject. The assessment should include the following:

  • specifying the proposed processing, its purposes, the type of data, and the categories of data subjects;
  • evaluating the purpose to ensure it is legitimate and compliant with Saudi laws;
  • verifying the necessity to process personal data to achieve the legitimate purpose of the controller;
  • evaluating whether the proposed processing will cause any harm to the interests of the data subjects or their ability to exercise their legally-established rights; and
  • evaluating whether there are any measures that need to be taken to avoid potential risks or damages, in accordance with Article 25(2) of the Implementing Regulations (on Data Protection Impact Assessments (DPIAs)).

If the assessment demonstrates that the processing would, in any way, violate any laws, infringe upon data subjects’ rights or interests, or cause harm to them or any other party, the controller must modify the processing and carry out a new legitimate interest assessment or consider relying on another legal basis.

Finally, per Article 16 of the PDPL, as amended, there are certain circumstances when disclosure will not be permitted on the basis of legitimate interest. See the section on legal bases above.

5.7. Legal bases in other instances

Other legal bases that may apply to the indirect collection of personal data or use of the data for other purposes under Article 10 or for disclosures under Article 15 include:

  • where the personal data is publicly available or collected from publicly available sources. Article 15 of the Implementing Regulations further specifies that the collection of data from publicly available sources must be lawful;
  • if the collection or processing of personal data is necessary to protect the public health, public safety, or to protect the life or health of a specific individual; and
  • if the personal data will not be recorded or stored in a form that makes it possible to directly or indirectly identify the data subject (i.e., in anonymized form). Article 9 of the Implementing Regulations sets out conditions for anonymizing data, including ensuring that the data subject cannot be re-identified after their identity has been concealed and, where required, evaluating the impact, including the possibility of re-identifying the data subject. In addition, the Pseudonymization Guideline states that the controller shall ensure that all direct and indirect personally identifiable information is irreversibly anonymized, rendering the data subject unidentifiable. Data that has been rendered anonymous shall no longer be considered personal data and, consequently, shall not fall within the scope of the PDPL. The controller, upon the anonymization of personal data, shall:
    • ensure that the anonymized data is rendered irreversibly anonymous, making it impossible to re-identify the data subject;
    • conduct an impact assessment, including an evaluation of the potential for re-identification under the circumstances specified in Paragraph (1) of Article 25 of the Implementing Regulations;
    • implement appropriate organizational, administrative, and technical measures to mitigate risks, ensuring that these measures are up-to-date and aligned with technological advancements and evolving anonymization techniques; and
    • evaluate the effectiveness of the implemented anonymization techniques and make any adjustments required to ensure that the anonymization remains irreversible.

Pursuant to Article 16 of the PDPL, as amended, there are certain circumstances when disclosure will not be permitted on the basis that the data is publicly available or is recorded or stored in anonymized form. See the section on legal bases above.

6. Principles

The PDPL, as amended, sets out a number of principles which are similar to the GDPR, such as:

Purpose limitation: The purpose of collecting personal data shall be directly related to the purposes of the controller and shall not contradict the provisions of the PDPL, as amended (Article 11(1) of the PDPL, as amended). Please refer to the section above on legal bases for more information on the processing of personal data for another purpose.

Security: The methods and means of collecting personal data may not violate any provisions of the PDPL, as amended, and must be suitable to the circumstances of the data subject, direct, clear, safe, and free from any type of fraud, deceit, or blackmail (Article 11(2) of the PDPL, as amended).

Data minimization: The content of the personal data must be directly relevant and restricted to the minimum extent required to achieve the intended purpose. Such content should not lead to the direct identification of the data subject once the objective of data collection has been achieved (Article 11(3) of the PDPL, as amended). In accordance with the Minimum Personal Data Determination Guideline, this entails avoiding the collection of unnecessary data and adhering to the following principles:

  • actual need: each element of personal data should be evaluated to determine whether it is directly necessary to achieve the purpose of its collection and processing;
  • purpose: the purpose for which personal data is collected should be directly linked to the data and relevant to the controller’s purposes; the purpose should not conflict with KSA laws. The controller should carry out due diligence in achieving the purpose of processing without collecting unnecessary personal data;
  • collection methods: the methods by which controllers collect personal data must be direct, clear, secure, and appropriate to the data subject’s circumstances; controllers should not engage in collection methods which are deceptive, misleading, or extortionate, nor should they contravene or conflict with any applicable KSA laws;
  • content: the content of personal data should be adequate and limited to the minimum necessary to achieve the purpose of the data collection, whether it is collected directly from the data subjects or from other individuals or parties; if the controller achieves the purpose of the data collection, then the content of the personal data should be anonymized so that it does not link to the identification of the data subject;
  • destruction: personal data that is no longer necessary to achieve the purpose for which it was collected should be destroyed using secure procedures to ensure the permanent removal of the data; and
  • retention: controllers should retain the minimum amount of personal data necessary to achieve the purpose of processing, and they should limit access to the personal data to those individuals that have specific privileges or actual needs to view or process the data.

Article 19 of the Implementing Regulations further states that the controller must collect only the minimum amount of personal data necessary to achieve the purpose of the processing and ensure the following:

  • collect only the necessary personal data that is closely and directly related to the purpose of processing, the need for which is determined through appropriate means, including data maps that indicate the need for each data element collected and link it to each purpose of processing, or other means; and
  • provide necessary care to achieve the purpose of the processing without collecting unnecessary personal data.

The controller must also retain the minimum amount of personal data necessary to achieve the purpose of processing.

The Minimum Personal Data Determination Guideline sets out a number of additional data minimization obligations. These include the following:

  • controllers must ensure that their data processing activities are designed to prevent the collection of any personal data that is unnecessary for the specific purposes for which the personal data was collected. When designing data processing activities, controllers should adopt appropriate data management software tools, including those that perform automated periodic reviews to ensure that data remains accurate and up-to-date and that any unnecessary data is destroyed;
  • controllers should regularly audit and review their personal data processing activities to ensure compliance with the data minimization principle. They shall implement appropriate corrective measures through their employees or the personal data protection officer (DPO);
  • when processing personal data for a purpose other than that for which it was collected, according to the conditions outlined in Article 10 of the PDPL, the controller should ensure that all procedures specifying the content of the data to be collected are documented; this includes the operations taken to apply the data minimization principle. The controller should ensure that the purposes for collecting personal data are legitimate and specified. Accordingly, controllers should not collect personal data simply because it is convenient to retain it, as this will not be held to be a “necessary” purpose; and
  • controllers should ensure that their employees responsible for collecting personal data receive adequate training to understand regulatory obligations regarding data minimization. This includes, in particular, training those responsible for designing systems and tools directly involved in the collection and processing of personal data to ensure the implementation of the data minimization principle through a "privacy by design" approach.

The Minimum Personal Data Determination Guideline sets out a number of examples for controllers to use when assessing their compliance with the data minimization principle.

Storage limitation: If it becomes clear that personal data being collected is no longer necessary to achieve the intended purpose of its collection, the controller must stop the data collection and destroy the data without delay (Article 11(4) of the PDPL, as amended).

Accuracy: The controller may not process personal data without taking sufficient measures to ensure the accuracy, completeness, currency, and relevance of the data, based on the purpose of its collection, in accordance with the provisions of the PDPL, as amended (Article 14 of the PDPL, as amended).

7. Controller and Processor Obligations

7.1. Data processing notification

Article 30(4) of the PDPL, as amended, states that in order to carry out its tasks related to supervising the implementation of the provisions of the PDPL, as amended, and the Regulations, the SDAIA may identify the appropriate tools and mechanisms for monitoring and tracking the compliance of controllers with the provisions of the PDPL, as amended, and the Regulations, including the establishment of a national registry of controllers for this purpose.

Article 34 of the Implementing Regulations builds upon this and provides that the SDAIA shall issue the rules for registration in the National Register of Controllers.

On 18 July 2024, the SDAIA published the finalized version of its rules governing the 'National Register of Controllers' within the KSA. These mandate that controllers must register in any of the following instances:

  • the controller is a public entity;
  • the controller’s main activity is based on personal data processing;
  • the controller processes sensitive data; or
  • the controller is an individual who processes personal data for purposes exceeding personal or family use.

The drafting footnote also states that a controller could be any public entity, natural person, or private legal person that specifies the purposes and manner of processing personal data, whether the data is processed by that controller or by the processor.

Registration procedures differ by entity type: public entities complete a form provided by SDAIA, while private entities register through the National Data Governance Platform. Registration can be carried out by a "delegate," for example, an employee, who is responsible for completing the registration and regularly updating it as needed.

If the controller is required to appoint a DPO (please see section 7.5), details of the DPO will need to be filled in on the National Data Governance Platform.

Upon registration, controllers receive a certificate, including a QR code, as proof of registration. Registration must be renewed to maintain access to the platform’s services. Certificates will be publicly accessible on the National Register.

7.2. Data transfers

Disclosures of personal data

A separate basis is required when disclosing personal data. In accordance with Article 15 of the PDPL, as amended, and the Personal Data Disclosure Cases Guideline, controllers cannot disclose personal data except in the following cases:

  • the data subject has consented to such disclosure;
  • the personal data has been collected from a public source;
    • where this basis is relied upon, the controller must ensure that the public source is not in violation of the PDPL and the Implementing Regulations. Controllers must also make sure that the disclosure complies with the purpose limitation and data minimization principles: the disclosure should be directly related to a specific and clearly defined purpose or subject matter, and it should be limited to the minimum personal data necessary to achieve the purpose. Controllers should exercise due diligence to protect the privacy of the data subject or any other individual. Where personal data relating to another individual (who is not the data subject) is disclosed, the controller must implement adequate safeguards to protect the privacy of that other individual. Adequate safeguards include balancing the rights of the data subject with those of the other individual on a case-by-case basis and, where possible, anonymizing personal data that directly identifies the other individual;
  • the entity requesting disclosure of data is a public authority, and the disclosure is required for public interest purposes, security purposes, to comply with law, or to fulfil judicial requirements;
    • in addition, in accordance with the Pseudonymization Guideline, when a public entity requests personal data disclosure to serve a public interest, it must ensure that:
      • such disclosure is strictly necessary for a clearly defined public interest;
      • the public interest is related to its statutory powers and duties;
      • appropriate measures are taken to mitigate any potential harm, including the implementation of necessary administrative and technical controls to ensure compliance of its personnel with the provisions of Article 41 of the PDPL;
      • these processes are recorded in the personal data processing activities records; and
      • only the minimum amount of personal data necessary to fulfil the purpose is collected and processed;
  • the processing is necessary to protect public health, public safety, or the life or health of one or more persons; when relying on this basis, a controller should document the disclosure request and specify precisely the type of personal data to be disclosed;
  • the personal data disclosure will be limited to subsequent processing in a way that does not directly or indirectly disclose the identity of the data subject or any other specific person; the same considerations apply to this basis as for the public source basis above, so the controller should ensure that:
    • the disclosure meets the purpose limitation and data minimization principles;
    • it carries out due diligence to protect data subjects and other individuals; and
    • it implements appropriate safeguards when disclosing personal data relating to individuals who are not the data subjects; or
  • the disclosure is necessary to achieve the legitimate interests of the controller, unless it prejudices the rights of data subjects or conflicts with their interests, and provided that the personal data is not sensitive data.

There are circumstances when disclosures will not be permitted. The controller may not disclose personal data in the cases set out in Article 15(1), 15(2), 15(5), and 15(6) of the PDPL, as amended (see above) if the disclosure:

  • poses a threat or security risks, distorts the KSA's reputation, or works against the KSA's interests;
  • impacts the KSA's relationships with other countries;
  • prevents disclosure of a crime, impacts the rights of an accused to receive fair trial, or affects the integrity of ongoing criminal procedures;
  • exposes people or an individual to danger;
  • leads to violation of the privacy of a person other than the data subject, as set out by the Regulations;
  • contradicts with the interest of an incompetent person;
  • violates lawful professional standards or obligations established by the PDPL;
  • violates a judicial order, procedure, or obligation; or
  • discloses a secret information source that should not be disclosed for the public interest.

Note that these restrictions do not apply to disclosure activities in the following cases:

  • if the data disclosure request is made by a public entity, and the disclosure is required to serve a public interest, for security purposes, to implement another law, or to fulfil judicial requirements; or
  • if personal data disclosure is necessary to protect public health, public safety, or the life or health of specific individuals.

Cross-border transfers of personal data

Article 29(1) of the PDPL and Article 2 of the updated Data Transfer Regulation allow controllers to transfer or disclose personal data outside Saudi Arabia as long as the transfer or disclosure serves one of the permitted purposes. These purposes include where the transfer:

  • relates to the performance of an obligation under an agreement to which the Kingdom is a party;
  • serves the interests of the Kingdom;
  • is for the performance of an obligation to which the data subject is a party;
  • is for the performance of necessary operations for central processing to enable the controller to conduct its activities;
  • provides a service or benefit to the data subject of the personal data; or
  • is for conducting scientific research and studies.

In addition to a purpose set out above, Article 29(2) of the PDPL, as amended, states that the controller must also meet the following conditions when transferring or disclosing personal data:

  • the transfer or disclosure must not compromise national security or the vital interests of KSA;
  • there is an appropriate level of protection of personal data outside the KSA, which must not be less than the level of protection established in the PDPL, as amended, and the Regulations, according to the results of an evaluation conducted by the SDAIA in this regard in coordination with whomever it deems appropriate among the designated authorities; and
  • the transfer or disclosure shall be limited to the minimum amount of personal data that is necessary (a form of data minimization for data transfers).

Article 29(3) of the PDPL, as amended, states that the conditions shall not apply to cases of extreme necessity to preserve the life or vital interests of the data subject or to prevent, examine, or treat infectious diseases (e.g., relating to COVID-19).

Article 3 of the Data Transfer Regulation provides that SDAIA will publish on its official website a list of countries or international organizations that provide an appropriate level of protection for personal data not less than that prescribed by the PDPL and Implementing Regulations. SDAIA will review this list every four years, or as necessary, based on the following criteria:

  • the existence of regulations that ensure the protection of personal data and the rights of data subjects, including the right to seek compensation for damages caused by violations of these rights. These regulations must meet at least the level of protection prescribed by the PDPL and Implementing Regulations;
  • the existence of a supervisory body responsible for enforcing the provisions related to the protection of personal data;
  • the supervisory authority is prepared to cooperate with SDAIA in the KSA on matters related to the protection of personal data;
  • the regulatory requirements related to the disclosure of personal data under the relevant statutory provisions applicable in the third country or international organization must not conflict with the provisions for the disclosure of personal data set forth in the PDPL and Implementing Regulations, nor with any other statutory provisions in force in the KSA;
  • obligations arising from international treaties or agreements binding on the third country or international organization, as well as those related to its membership in regional or multilateral organizations, which may require the transfer of personal data; and
  • provisions related to subsequent transfers of personal data.

As of the time of publication, a list of adequate countries is not yet available. However, SDAIA now has the authority to publish adequacy decisions directly on its website, eliminating the need for approval from the Prime Minister. This change is expected to expedite the process of assessing and approving countries for adequacy.

Article 4 of the Data Transfer Regulation sets out exemption cases and the appropriate safeguards required in the absence of an adequacy decision (or an international agreement with the country). These include:

  • SCCs that guarantee an adequate level of protection for personal data when transferring outside the KSA, according to the standard form issued by the SDAIA;
  • Binding Corporate Rules (BCRs), which apply to each concerned party in a group of entities operating in a joint economic activity, including its employees, whose terms and conditions are approved by the SDAIA; and
  • Certifications of accreditation with the PDPL, as amended, and the Regulations, issued by an authorized entity licensed by the SDAIA.

Note that the previous Data Transfer Regulation included derogations for transfers in the absence of an adequacy decision or the inability of the controller to use any appropriate safeguards. The derogations have been removed from the updated Data Transfer Regulation.

Subject to the rules on processors in the PDPL and Implementing Regulations, as well as the legal bases required for disclosures under Article 15 of the PDPL, the PDPL and the Implementing Regulations will apply to any subsequent transfers of personal data that has been transferred or disclosed to a party outside the KSA.

Controllers may be exempt from complying with the appropriate level of protection and data minimization requirements in Article 29(2)(b) and (c) if one of the following cases applies (and subject to the implementation of appropriate safeguards as specified below):

  • If the transfer or disclosure of personal data is to be made between public bodies to implement an agreement to which the KSA is a party or to serve its interests. The controllers must include standard provisions for the protection of personal data in the relevant agreements or memoranda of understanding.
  • If the transfer or disclosure is non-recurring or for a limited period and involves a limited number of data subjects. The controller must implement and comply with the standard contractual clauses. Alternatively, the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by SDAIA and the data is not sensitive.
  • If the transfer or disclosure of personal data is necessary to perform central operations and the controller is part of a group of multinational entities. The controller and its affiliates must comply with binding common rules or standard contractual clauses that ensure adherence to the requirements in the PDPL and the Implementing Regulations. Alternatively, the entity to which the personal data will be transferred or disclosed must obtain a certificate of approval issued by a body licensed by SDAIA.
  • If the transfer or disclosure is made to provide a service or benefit directly to the data subject in a manner that does not violate their expectations or conflict with their interests, and the transfer or disclosure is to a party that has received an approval certificate from a body licensed by SDAIA, provided that the personal data transferred is not sensitive data.
  • If the transfer or disclosure of personal data is necessary for conducting scientific research and studies. The transfer or disclosure must be limited to the minimum amount of data required. Additionally, the controller must either implement and comply with standard contractual clauses or ensure that the transfer or disclosure is made to a body that has received an approval certificate from an entity licensed by SDAIA, provided that the personal data transferred is not sensitive data.

The SDAIA has the discretion to review the exemption cases and amend them every two years or as often as is necessary.

Additionally, in accordance with Article 6 of the Data Transfer Regulation, the exemptions will not apply if any of the following situations arise:

  • the controller has failed to implement the appropriate safeguards as specified for each exemption; or
  • if SDAIA determines that the appropriate safeguards are inadequate for any specific case.

If any of the conditions above are met, the controller is required to cease the transfer or disclosure and notify the entities to whom the personal data was transferred or disclosed.

Under Article 7 of the Data Transfer Regulation, there is also a requirement for controllers to carry out a risk assessment in the following cases:

  • a safeguard is applied for the transfer of the data (e.g., SCCs); and
  • the transfer involves continuous or large-scale transfers of sensitive data outside the KSA.

The risk assessment should include the following elements as a minimum:

  • the purpose and legal basis of the transfer/disclosure;
  • a description of the nature of the transfer/disclosure and its geographic scope;
  • appropriate safeguards and measures implemented for transferring personal data outside the KSA, and their adequacy in ensuring an appropriate level of protection for personal data not less than that prescribed by the PDPL and Implementing Regulations;
  • measures taken to ensure that the transfer or disclosure is limited to the minimum amount of personal data necessary to achieve the purposes;
  • the material or moral impact that may result from the transfer or disclosure, and the possibility of any harm to the data subjects; and
  • measures that will be taken to prevent and mitigate identified risks to protect personal data.

In line with the updated Data Transfer Regulation, SDAIA has also released the following:

  • SCCs: SDAIA has issued pre-approved agreements that bind both the data exporter (the sender) and the data importer (the recipient) to specific privacy and security obligations in compliance with the PDPL and the Implementing Regulations. The SCCs can be incorporated into a broader agreement or used as a standalone contract. Parties may also add supplementary conditions to the SCCs as long as they do not conflict with the requirements in the SCCs, and any changes made that go beyond completing blank fields will be considered invalid by SDAIA. The SCCs also govern onward transfers, requiring third parties to adhere to the same standards. Though similar to the EU SCCs, key differences mean organizations will need to incorporate SDAIA’s SCCs into their data transfer agreements, even if they already use EU SCCs.
  • BCRs: SDAIA has also issued guidelines on implementing BCRs. BCRs are internal policies adopted by multinational organizations to govern cross-border transfers of personal data within their corporate group. They ensure compliance with the PDPL when transferring data from the KSA to countries that may not meet SDAIA’s adequacy standards. BCRs must address key data protection principles such as transparency, purpose limitation, data minimization, and storage limitation. They should also include commitments to staff training, internal audits, compliance reviews, and appointing a DPO to ensure accountability across the organization.

7.3. Data processing records

Article 31 of the PDPL, as amended, requires controllers to keep records of personal data processing activities for a period prescribed by Article 33 of the Implementing Regulations, i.e., for the duration of the processing activity in addition to five years starting from the date of the end of the personal data processing activity.

In addition, according to the Personal Data Processing Activities Records Guideline, controllers should ensure that the records of processing are maintained in written form and are accurate and up-to-date.

The minimum data that should be included in the Records of Processing Activities (ROPA) are:

  • the name and contact details of the controller;
  • the information of the DPO (where required);
  • a description of the categories of personal data being processed, and the categories of data subjects;
  • the purpose of personal data processing;
  • categories of recipients of personal data;
  • whether the personal data is or will be transferred outside the KSA or disclosed to a party outside the KSA, including a description of the transfer, the legal basis for the transfer, and the parties to whom the data is transferred;
  • the retention period of personal data and, where possible, specific retention periods for each category of personal data; and
  • a description of the organizational, administrative, and technical procedures and means that ensure the preservation of the personal data (where possible).

Controllers should make the ROPA available whenever requested by the SDAIA.

The Personal Data Processing Activities Records Guideline provides a template ROPA to assist entities in creating comprehensive and exhaustive records of their processing activities. The template is structured into mandatory, optional and “mandatory in cases requiring an impact assessment process” categories.

7.4. Data protection impact assessment

Article 22 of the PDPL, as amended, states that controllers must conduct an evaluation of the impacts of processing personal data for any product or service provided to the public in accordance with the activities carried out by the controller.

However, Article 25 of the Implementing Regulations then stipulates other circumstances in which a 'written and documented assessment of the impacts and risks that may affect the data subject as a result of processing personal data' should be conducted. Risk assessments should be conducted in the following cases:

  • when processing sensitive data;
  • when collecting, comparing, or linking two or more sets of personal data obtained from different sources;
  • where the activity of the controller includes systematic, large-scale processing of personal data of those who fully or partially lack legal capacity;
  • where the activity involves processing operations that, by their nature, require the continuous monitoring of data subjects;
  • where the activity involves the processing of personal data using new technologies;
  • where the activity involves making decisions based on the automated processing of personal data; and
  • where the processing involves the provision of a product or service that involves the processing of personal data that is likely to cause serious harm to the privacy of data subjects.

Article 25(2) of the Implementing Regulations states that a risk assessment should include at least the following information:

  • the purpose of the processing and the legal basis;
  • a description of the nature of the processing to be conducted, the types and sources of personal data to be processed, and any entities to whom the personal data is to be disclosed;
  • a description of the scope of the processing, which identifies the type of personal data and the geographical scope of the processing;
  • a description of the context of the processing, which identifies the relationship between the data subjects, the controller, and the processors, as well as any other relevant circumstances;
  • an assessment of the necessity and proportionality of the processing, which identifies the measures to be taken to enable the controller and processors to process the minimum personal data necessary to achieve the purposes of the processing;
  • the impact of the processing, based on the severity of its impact, materially and morally, and the likelihood of any negative impact on data subjects, including any psychological, social, physical, or financial impact, and the likelihood of their occurrence;
  • the measures that will be taken to prevent or limit the magnitude of identified risks; and
  • an evaluation of the suitability of the measures envisaged to avoid identified risks.

Article 25(4) of the Implementing Regulations provides that where the results of the assessment indicate that the processing will harm the privacy of data subjects, the controller must address the reasons and re-conduct the assessment.  

7.5. Data protection officer appointment

Article 30(2) of the PDPL, as amended, states that the Regulations will specify the cases in which a controller must appoint or designate one or more persons to assume the role of Data Protection Officer (DPO).

Under Article 32 of the Implementing Regulations and Article 5 of the DPO Rules, a controller must appoint one or more individuals to be responsible for the protection of personal data in any of the following cases:

  • the controller is a public entity that provides services that involve the processing of personal data on a large scale;
  • the primary activities of the controller consist of processing operations that require the regular and systematic monitoring of data subjects; and
  • the core activities of the controller consist of processing sensitive personal data.

When determining whether the processing is on a large scale, controllers should consider the following criteria:

  • number of data subjects;
  • volume of personal data;
  • type of personal data;
  • geographical scope of processing; and
  • different categories of data subject.

The term 'regular and systematic monitoring of data subjects' applies to situations where the collection of personal data is carried out through tracking or other technologies. Monitoring is considered 'regular' if it is continuous, occurs at specific intervals, or takes place periodically. Monitoring will be considered 'systematic' if it is conducted through technological systems, follows a specific methodology, or is implemented as part of a comprehensive strategy or general plan for collecting personal data.

The following activities are examples of regular and systematic monitoring:

  • collecting personal health and fitness data through wearable devices;
  • using behavioural analytics technologies for risk assessment purposes; and
  • location tracking, the use of cookies, and surveillance cameras.

Activities are considered as 'core' if the controller cannot provide products or services without processing personal data. Examples of core activities as set out in the Rules include:

  • insurance companies processing health data to provide health insurance to customers;
  • finance companies processing credit data to offer products or services related to financing; and
  • marketing companies processing personal data for marketing purposes.

Note that activities that support the controller's core business, such as processing employee data by the human resources department within the entity, do not constitute core activities.

Under Article 4 of the DPO Rules, a controller must ensure that the following requirements are met when appointing a DPO:

  • the DPO has appropriate academic qualifications and experience in the field of personal data protection;
  • the DPO has sufficient knowledge of risk management practices, including the management and handling of personal data breach incidents;
  • the DPO has knowledge of regulatory requirements for personal data protection and other relevant regulatory requirements for performing DPO tasks; and
  • the DPO should be honest and carry out their activities with integrity, and should not have been convicted of any offense involving a breach of trust.

A DPO may be an executive, an employee of the controller, or an external contractor.

Article 6 of the DPO Rules states that the DPO must be appointed in writing, and the controller must:

  • document the appointment of the DPO if they are an employee of the controller;
  • conclude an agreement with the external contractor when appointing a contractor outside the controller as the DPO; and
  • promptly announce the appointment of the DPO and their contact details within the controller.

Article 7 of the DPO Rules further states that the controller must provide data subjects with a clear and accessible means of communication with the DPO. In addition, the controller must provide the SDAIA with the DPO's contact details immediately upon their appointment, through the National Data Governance Platform, and update these details when the DPO changes.

Article 8 of the DPO Rules sets out the roles and tasks of the DPO, in addition to those set out under Article 3(3) of the Implementing Regulations. These include:

  • providing support and advice regarding all aspects of personal data protection, including contributing to developing policies and internal procedures related to personal data protection;
  • participating in awareness activities, training, and transfer of knowledge to controller personnel regarding personal data protection and compliance with provisions of the PDPL, Implementing Regulations and ethics of data handling;
  • contributing to reviewing plans of response to personal data breach incidents and ensuring that such plans are adequate and effective;
  • preparing periodic reports regarding controller activities related to the processing of personal data, and providing recommendations to ensure compliance with provisions of the PDPL and its Implementing Regulations;
  • following up on regulatory documents issued by SDAIA related to the protection of personal data, including any amendments, and informing the relevant departments to ensure compliance; and
  • providing support and advice to those responsible for developing and operating modern technological systems to ensure compliance with the requirements of the PDPL and its Implementing Regulations.

7.6. Data breach notification

Notification to the SDAIA

Following Article 20(1) of the PDPL, as amended, and Articles 24(1) and 24(2) of the Implementing Regulations, controllers must notify the SDAIA within a period not exceeding 72 hours of becoming aware of any personal data leak, damage, or unauthorized access, if such breach may cause harm to the personal data or the data subject, or conflicts with their rights or interests. Where the controller is not able to provide the required information within that period, it shall provide the information as soon as possible, together with a justification for the delay.

Article 24(1) of the Implementing Regulations provides that the notification to the SDAIA should include the following:

  • a description of the personal data breach incident, including the time and date of the breach, and the time when the controller became aware of it;
  • data categories, actual or approximate numbers of impacted data subjects, and the type of personal data;
  • a description of the risks of the personal data breach, including the actual or potential impact on personal data and data subjects, and the actions and measures taken by the controller to prevent or limit the impact of those risks and mitigate them, as well as the future measures that will be taken to avoid a recurrence of the breach;
  • a statement if the data subject has been notified of the breach of their personal data; and
  • the contact details of the controller or its DPO, if any, or any other official who has information regarding the reported incident.

Notification to the data subject

Under Article 20(2) of the PDPL, as amended, and Article 24(5) of the Implementing Regulations, controllers must also notify the data subject without undue delay in case of personal data leaks, damage, or unauthorized access that may result in damage to their personal data or conflict with their rights or interests, provided that the notification is in simple and clear language.

The notification should include the following:

  • a description of the personal data breach;
  • a description of the potential risks arising from the breach, and the measures taken to prevent or limit risks and their impact;
  • the name and contact details of the controller and its DPO, if any, or any other appropriate means of communication with the controller; and
  • any recommendations or advice that may assist the data subject in taking appropriate measures to avoid the identified risks or limit their impact.

7.7. Data retention

In addition to the storage limitation principle under Article 11(4) of the PDPL, as amended, whereby personal data should not be processed for longer than is necessary to achieve the intended purpose of processing, Article 18 of the PDPL, as amended, requires controllers to destroy personal data after achieving the purpose of collecting such data, without delay.

Controllers may retain personal data after the purpose of collection expires if all identifiers that could lead to the identification of the data subjects have been removed.

In the following circumstances, a controller may retain personal data after the purpose of collection has expired:

  • if there is a legal justification for retaining personal data for a specific period, in which case the personal data shall be destroyed upon the lapse of that period; or
  • if the personal data is closely related to a case under consideration before a judicial authority and its retention of personal data is required for that purpose, in which case the personal data shall be destroyed once the judicial procedures are concluded.

Therefore, controllers will need to consider their data retention policies or put such policies in place, and also consider how personal data will be deleted, destroyed, or anonymized once the retention periods expire.

Under the Minimum Personal Data Determination Guideline, controllers are required to conduct regular assessments to evaluate the personal data they retain. This involves the identification and destruction of personal data that is no longer necessary to fulfil the purposes for which it was collected. Similarly, personal data that is not relevant to the primary purpose of collection should also be destroyed. These assessments should consider the following:

  • verify that the collected personal data is directly relevant or essential for a specific, justifiable purpose;
  • ensure that the amount of personal data collected is limited to what is strictly necessary to achieve the identified and justified purpose;
  • personal data is retained for a clearly defined period that is necessary to fulfil the purpose of its collection; and
  • the controller deletes personal data upon the expiration of the purpose for which it was collected.

7.8. Children's data

Article 16 of the PDPL, as amended, provides that a controller may not disclose personal data if the disclosure contradicts the interest of a minor or incapacitated person.

Where a data subject is a minor or incompetent, their legal guardian can exercise their rights on the data subject's behalf (Article 3(3) of the Implementing Regulations).

In accordance with Article 13 of the Implementing Regulations, considering applicable legal requirements, a legal guardian of a data subject that lacks full or partial legal capacity (which may be a minor) must act in the best interests of the data subject, and for this purpose, they have the following options:

  • exercise the rights granted to the data subject under the PDPL, as amended, and the Regulations; or
  • consent to the processing of the data subject's personal data in accordance with the provisions of the PDPL, as amended, and the Regulations.

In addition to the consent requirements set out in Article 11 of the Implementing Regulations, in case of the processing of personal data of a data subject that lacks full or partial legal capacity, obtaining the consent of the legal guardian is conditional upon taking appropriate measures to verify guardianship validity over the data subject. When obtaining consent from the legal guardian of a data subject that lacks full or partial legal capacity, the controller must comply with the following provisions:

  • consent given by the legal guardian should not cause any harm to the interests of the data subject; and
  • the data subject must be allowed to exercise their rights stipulated in the PDPL, as amended, and the Regulations when they reach legal capacity.

7.9. Special categories of personal data

The PDPL, as amended, does not contain additional conditions for processing sensitive data, unlike international data protection laws, such as the GDPR. However, there are a number of restrictions with respect to processing sensitive data, as well as further requirements for certain categories of sensitive data.

Sensitive data is defined as personal data that reveals an individual's racial or ethnic origin, religious, intellectual, or political belief, data relating to security criminal convictions and offenses, biometric or genetic data for the purpose of identifying the person, health data, and data that indicates that one or both of the individual's parents are unknown.

Where consent is relied upon to process sensitive data, the consent must be explicit (Article 11(2) of the Implementing Regulations). The term explicit, however, is not specifically defined in the PDPL, as amended.

When relying on the legitimate interests basis to process personal data, controllers should note that this basis does not apply to sensitive data (Articles 6, 10, and 15 of the PDPL, as amended, and Article 16(1)(c) of the Implementing Regulations). Moreover, sensitive data may not be processed for marketing purposes (Article 26 of the PDPL, as amended).

Where a controller's activities require continuous or large-scale processing of personal data on individuals lacking full or partial legal capacity or whose parents are unknown, continuous monitoring of data subjects, adoption of new technologies, or making automated decisions, in addition to the information requirements in Article 4(1) of the Implementing Regulations, controllers must also provide the means and methods of collecting and processing sensitive data, where applicable (Article 4(5) of the Implementing Regulations).

Article 32(1)(c) of the Implementing Regulations requires a DPO to be appointed if the core activities of the controller consist of processing sensitive personal data.

The penalty for disclosing or publishing sensitive data in violation of the PDPL, as amended, with the intention of harming the data subject or achieving a personal benefit may be a fine or criminal sanctions. According to Article 35(1) of the PDPL, as amended, the offense carries imprisonment for a period not exceeding two years or a fine not exceeding SAR 3 million (approx. $800,000).

The PDPL, as amended, also governs the following sensitive data which require additional controls under the PDPL, as amended and, in some cases, other laws and regulations applicable in Saudi Arabia.

Health data

Health data includes any personal data relating to an individual's health conditions or related to health services received by that individual, as well as genetic data.

Article 23 of the PDPL, as amended, explains that the processing of health data is subject to additional requirements and procedures to ensure the privacy of data subjects and to protect their rights under the PDPL, as amended. This includes:

  • the right of health data access, including medical records, must be restricted to the lowest number of staff and only for the purpose of offering necessary healthcare services; and
  • health data processing operations and procedures shall be restricted to the lowest number of staff and only for the purpose of offering healthcare services or medical insurance programs.

Articles 26(1) to 26(6) of the Implementing Regulations build upon this and stipulate that the controller must take appropriate organizational, technical, and administrative measures to safeguard health data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners.

Credit data

Credit data includes personal data related to an individual's request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including any data relating to that individual's ability to obtain and repay debts, and the credit history of that person.

Article 24 of the PDPL, as amended, explains that the processing of credit data is subject to additional requirements and procedures to ensure the privacy of data subjects and to protect their rights under the PDPL, as amended, and the Credit Information Law.

This shall include the following:

  • taking the necessary action to verify the written explicit consent of the data subject for the collection of such data or to change the purpose of data collection, data disclosure, or publishing in accordance with the provisions of the PDPL, as amended and the Credit Information Law; and
  • the data subject shall be informed upon receiving a request to disclose their credit data from any entity.

Article 27 of the Implementing Regulations builds upon this and stipulates that, without prejudice to the provisions of the Credit Information Law and its implementing regulations, the controller must take organizational, technical, and administrative measures to safeguard credit data from any unauthorized use, misuse, access by unauthorized individuals, use for purposes other than those for which it was collected, or disclosure. The controller must adopt the following controls and procedures:

  • adopt and implement requirements and controls issued by the SAMA and other relevant authorities which define the roles and responsibilities of employees of establishments providing credit information services and of the parties that have contracts with such establishments to process credit data; and
  • obtain the consent of the data subject and notify them of any request to disclose their credit data in accordance with the provisions of the Credit Information Law, taking into account the provisions of Article 11(1)(d) of the Implementing Regulations (relating to documenting consent). 

7.10. Controller and processor contracts

Article 8 of the PDPL, as amended, states that controllers, when appointing a processor, must be committed to choosing an entity that can provide necessary guarantees to implement the provisions of the PDPL, as amended, and the Regulations. Furthermore, the controller must verify the processor's compliance with the provisions of the PDPL, as amended, and Implementing Regulations, without prejudice to the controller's responsibilities towards the data subject or the SDAIA.

Article 17(1) of the Implementing Regulations supplements the PDPL, as amended, by stating that a controller must ensure that any data processor chosen provides sufficient guarantees to protect personal data, and that an agreement with the data processor includes the following:

  • the purpose of processing;
  • categories of personal data being processed;
  • the duration of processing;
  • the data processor's commitment to notify the controller in case of a personal data breach, in accordance with the PDPL, as amended, and the Regulations, and without undue delay;
  • clarification of whether the data processor is subject to regulations in other countries and the impact on their compliance with the PDPL, as amended, and Regulations;
  • not requiring the controller's prior consent for mandatory disclosure of personal data under applicable laws in the KSA, provided that the data processor notifies the controller of such disclosure; and
  • identification of any subcontractors contracted by the data processor, or any other party to whom personal data will be disclosed.

The controller must issue clear instructions to the processor. In case of any violation of the controller's instructions or any applicable Saudi laws, the processor must notify the controller in writing without undue delay (Article 17(2) of the Implementing Regulations).

The controller is responsible for periodically assessing the processor's compliance with the PDPL, as amended, and the Regulations, and ensuring that all regulatory requirements are met, whether the processing is achieved by the processor or third parties acting on its behalf. The controller may appoint an independent third party to assess and monitor the processor's compliance on its behalf (Article 17(3) of the Implementing Regulations).

If a processor violates the instructions issued by the controller or the agreement regarding the processing of personal data, the processor will be considered as a controller and held directly accountable for any violation of the PDPL, as amended (Article 17(4) of the Implementing Regulations).

In accordance with Article 17(5) of the Implementing Regulations, before entering into subsequent contracts with sub-processors, the processor should abide by the following:

  • take sufficient guarantees to ensure that such contracts would not impact the level of protection afforded to the personal data being processed;
  • choose only sub-processors that provide necessary guarantees to comply with the PDPL, as amended, and the Regulations; and
  • obtain prior approval from the controller, with the controller being notified before entering into such contracts and enabled to object to them within a timeframe agreed upon between the controller and processor.

8. Data Subject Rights

8.1. Right to be informed

Article 4(1) of the PDPL, as amended, provides data subjects with the right to be informed, which includes informing data subjects of the lawful basis and purpose of collecting personal data. This right ties in with Article 12 of the PDPL, as amended, which requires controllers to provide data subjects with notice of their data processing by way of a privacy policy.

The privacy policy must be made available to data subjects prior to commencing the collection of their personal data. As a minimum, the privacy policy must specify the purpose of collection, the personal data to be collected, the means used for collection, processing, storage, and destruction, and information about data subjects' rights and how to exercise them (as well as the information set out in Article 13 of the PDPL, as amended, when collecting personal data directly from data subjects).

Article 4 of the Implementing Regulations supplements the right to be informed and the requirements in Articles 12 and 13 of the PDPL, as amended, by specifying the information that should be provided to data subjects when their data is collected directly or indirectly from data subjects, as well as additional information that should be provided under certain circumstances (e.g., if the controller engages in activities that involve the continuous monitoring of data subjects, the use of emerging technologies, or automated decision-making).

In addition, the Elaboration and Developing Privacy Policy Guideline aims to guide entities through the preparation and development of their privacy policy by setting out key elements required. This includes:

  • entity name and activity;
  • contact information and update record;
  • personal data to be collected;
  • collecting personal data methods and purposes;
  • personal data processing;
  • personal data sharing;
  • personal data storage, retention period, and destruction;
  • personal data subject rights;
  • complaint and objection filing mechanisms; and
  • availing and providing access to the privacy policy.

In addition, the Elaboration and Developing Privacy Policy Guideline provides a detailed model template for a privacy policy that controllers can use when developing their privacy policies.

8.2. Right to access

Article 4(2) of the PDPL, as amended, provides data subjects with the right to access their personal data held by the controller in accordance with the rules and procedures set out in Article 5 of the Implementing Regulations.

The controller may set time frames for exercising the right to access personal data and may limit the exercise of this right in the following cases (Article 9 of the PDPL, as amended):

  • if this is necessary to protect the data subject or other parties from any harm; and
  • if the controller is a public entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.

8.3. Right to rectification

Article 4(4) of the PDPL, as amended, provides data subjects with the right to request correction, completion, or updating of their personal data. When correcting the personal data, the controller must comply with the conditions specified in Article 22 of the Implementing Regulations.

Article 17 of the PDPL, as amended, further provides that if personal data is corrected, completed, or updated, the controller must inform any entity that received such data of such change, and it must allow the entity to make such change.

The data subject may, in the event that their personal data is not correct, request that the processing of the data is restricted for a period during which the controller can verify the validity of the data (Article 7 of the Implementing Regulations). The restriction will not apply if providing the data contravenes the PDPL, as amended, and the Regulations.

8.4. Right to erasure

Article 4(5) of the PDPL, as amended, provides data subjects with the right to request the deletion of personal data without prejudice to the provisions of Article 18 of the PDPL, as amended (concerning the destruction of personal data). Article 8 of the Implementing Regulations specifies the cases when a controller must destroy personal data as:

  • upon the data subject's request;
  • if the personal data is no longer necessary to achieve the purpose for which it was collected;
  • if the data subject withdraws consent; or
  • if the controller becomes aware that the personal data is being processed in a way that violates the PDPL, as amended.

When destroying personal data, the controller must take the steps specified in Article 8(2) of the Implementing Regulations, including taking appropriate measures to notify other parties to whom the controller has disclosed the personal data and request the destruction of such data.

In addition, the Pseudonymization Guideline states that in cases where the controller is required to destroy personal data, it should ensure that the data is permanently and irrevocably deleted, rendering it inaccessible, unrecoverable, and unidentifiable. Data archiving or backup processes should not be considered data destruction techniques. Such processes must be treated as personal data in accordance with the PDPL and the Implementing Regulations. Additionally, the controller has to comply with the requirements of Article 18 of the PDPL and other applicable data destruction regulations.

Note that the Pseudonymization Guideline does not relieve entities of their obligation to adhere to relevant controls, standards, and rules issued by the National Cybersecurity Authority or other competent authorities.

The Pseudonymization Guideline further states that the controller should destroy personal data in any of the following cases:

  • upon the request of the data subject;
  • if the personal data is no longer necessary to fulfill the purposes of its collection;
  • if the data subject withdraws their consent to the collection of their personal data, where consent was the sole legal basis for data processing; or
  • if the controller becomes aware that the personal data is being processed in a manner that violates the PDPL.

The controller, upon the destruction of personal data, should also:

  • take appropriate measures to notify other entities to whom the controller has disclosed the relevant personal data and request that they destroy it;
  • take appropriate measures to notify individuals to whom personal data has been disclosed by any means and request that they destroy it; and
  • destroy all copies of the personal data stored in the controller's systems, including backups, taking into account any relevant regulatory requirements.

The Pseudonymization Guideline provides various examples of destruction techniques, including:

  • data overwriting and secure erasure;
  • data erasure (without physical media destruction); and
  • shredding and distortion.

Other general guidelines include:

  • all employees involved in data security shall be adequately trained on the importance of secure data pseudonymization and anonymization;
  • the controller should ensure that no personal data is lost, misplaced, or disclosed to any unauthorized third party during the destruction, anonymization, or pseudonymization process;
  • all printed documents should be disposed of in a manner that renders the personal data irretrievable (e.g., shredding using secure shredding machines and disposing of the waste securely) in accordance with the regulatory requirements issued by relevant competent authorities; and
  • detailed records should be maintained of all data anonymization and destruction activities, including the techniques used and the justification for their selection, and such records should be available upon request from the SDAIA.

With respect to pseudonymization, the Pseudonymization Guideline states that the additional data or information needed to re-identify a data subject should be maintained separately and subjected to adequate technical and administrative controls to ensure that it cannot be definitively linked to the data subject. Pseudonymized data is considered personal data under the PDPL because it may be used, in one way or another, to identify a specific individual. Pseudonymization serves as a protective measure for personal data and is deemed an appropriate technical safeguard against the risks associated with personal data processing. However, controllers should note that its effectiveness in safeguarding personal data is not equivalent to that of anonymization.

Pseudonymization should be applied to disclosures of personal data, including any personal data linked to an individual other than the data subject; in such instances, the personal data of that individual should be pseudonymized to protect their privacy. Pseudonymization should also be applied when personal data is collected or processed for scientific, research, or statistical purposes without the data subject's consent, provided that the pseudonymization does not compromise the purpose for which the data is being processed. The Pseudonymization Guideline sets out a variety of pseudonymization examples and commonly used techniques.

The controller should regularly review and update its data anonymization, destruction, and pseudonymization techniques to address emerging risks and technological advancements.

8.5. Right to object/opt-out

Article 5(2) of the PDPL, as amended, provides data subjects with the right to withdraw consent at any time, in relation to consent which they previously gave to the processing of their personal data. Furthermore, Article 25 of the PDPL, as amended, provides for the right to object to direct marketing.

Article 12 of the Implementing Regulations specifies the conditions for withdrawing consent, including requiring a controller to establish procedures that allow for the withdrawal of consent as easily as it is to obtain the consent.

8.6. Right to data portability

Article 4(3) of the PDPL, as amended, provides data subjects with the right to request access to their personal data in a format that is readable and clear, in accordance with the rules and procedures set out in Article 6 of the Implementing Regulations.

8.7. Right not to be subject to automated decision-making

The PDPL, as amended, does not contain a specific provision on objecting to automated decision-making. Where consent is relied upon to process personal data for automated decision-making, such consent must be explicit (Article 11(2) of the Implementing Regulations). Additionally, where the controller relies on automated processing, it must clarify whether decisions will be based entirely on automated processing (Article 4(5) of the Implementing Regulations).

Moreover, an impact assessment is required in circumstances where the controller's processing activity involves making decisions based on the automated processing of personal data.

8.8. Other rights

Article 34 of the PDPL, as amended, provides that the data subject may approach the SDAIA to file a complaint relating to the application of the PDPL, as amended, and/or the Regulations.

In addition, where a controller receives a request from a data subject, it must implement the request within a period not exceeding 30 days without delay. The controller may extend this time period for no more than 30 additional days if implementation of the request requires an unexpected or unusual additional effort or if the controller receives multiple requests from the data subject, provided that the controller notifies the data subject in advance of the extension and its justifications (Article 3(1) of the Implementing Regulations).

Controllers can refuse to act on a request when it is unjustifiably repetitive or it requires extraordinary effort, in which case the data subject should be notified of the reason for the refusal (Article 3(2) of the Implementing Regulations).

9. Penalties

Article 35 of the PDPL, as amended, provides that, without prejudice to any stricter punishment provided for in another law, anyone who discloses or publishes sensitive data in violation of the provisions of the PDPL, as amended, whether with the intent of harming the data subject or with the intent of achieving a personal benefit, will be punished with imprisonment for a period not exceeding two years and/or a fine not exceeding SAR 3 million (approx. $800,000).

The public prosecution is responsible for investigating and prosecuting before the competent court any violations involving sensitive data. The competent court will hear claims arising from the application of Article 35 of the PDPL, as amended, and issue the prescribed punishments.

The competent court may double the fine for breaches relating to sensitive data processing in the case of repeated violations, even if this results in exceeding the maximum limit, provided that the fine does not exceed double that limit.

Article 36 of the PDPL, as amended, provides that, without prejudice to any stricter punishment provided for in another law (and unless it relates to sensitive data, in which case the above penalties apply), every natural or legal person governed by the PDPL, as amended, that violates any of the provisions of the PDPL, as amended, and the Regulations shall be punished by a warning notice or a fine of no more than SAR 5 million (approx. $1.33 million).

A committee shall be established with no fewer than three members, including a chair, a technical specialist, and a legal advisor. The committee shall consider violations of the PDPL, as amended, and impose penalties of warnings or fines as stipulated in Article 36 of the PDPL, as amended. The committee shall consider:

  • the type of violations committed;
  • the seriousness of the violation; and
  • the impact of the violation.

The party against whom the committee issues a resolution shall have the right of grievance against such resolution before a competent court.

Article 38(1) of the PDPL, as amended, provides that without prejudice to the rights of bona fide third parties, the competent court may order the confiscation of funds obtained as a result of breaches of the PDPL, as amended.

Article 38(2) of the PDPL, as amended, states that the competent court or committee may also add to the punishment, judgment, or decision a provision requiring publication of the judgment or decision at the expense of the violating party in one or more newspapers or any other appropriate media, depending on the type, impact, and seriousness of the violation. The publication shall be carried out after the judgment becomes final.

Article 39 of the PDPL, as amended, provides that a public authority shall interrogate and discipline its staff who violate the provisions of the PDPL, as amended, and the Regulations in accordance with the legally established rules of accountability and discipline.

9.1. Enforcement decisions

There are no current decisions related to the enforcement of the provisions under the PDPL, as amended. However, given that the grace period recently ended on September 14, 2024, we suspect SDAIA will start enforcing the PDPL and the Implementing Regulations.