Saudi Arabia has in the past few years taken strides to update its legislative frameworks to reflect technological advancements, and data protection laws are the latest iteration of such reform. Data protection issues were historically not codified in a standalone law in the country and were instead dealt with under what is broadly known as the “sharia” judicial system, which includes the principle of individuals’ right to privacy and safety from encroachment into one’s personal affairs.[1] The spirit of this principle, along with modern interpretations of privacy as applied to personal data, carried over into the Kingdom’s Personal Data Protection Law (the “PDPL”), implemented by Royal Decree M/19 of 17 September 2021 and amended on 21 March 2023.[2] The amended PDPL was published in the official gazette and formally effective as of September 14, 2023, and entities have an extended grace period of one year (i.e., until September 2024) to comply.[3] In conjunction with the PDPL, two sets of related regulations were published on the same date – the PDPL Implementing Regulations (the “Implementing Regulations”) and the regulations on personal data transfer (the “Transfer Regulations” and, together with the Implementing Regulations, the “Regulations”).[4]

Like many data protection regulations worldwide, the PDPL and Regulations are largely modeled after the General Data Protection Regulation (“GDPR”), particularly with regard to key concepts such as definitions and data subject rights (a summary of such definitions and of the key differences between the PDPL and GDPR is provided below). The main takeaway is that while the PDPL largely tracks the GDPR and similar regulations, it contains some areas of ambiguity over which interpretations may differ. Furthermore, due to the novelty of the law and regulations, it is too early to determine the regulator’s approach to enforcement. The best course of action at this stage may thus be to ensure compliance with the GDPR, and to extend the scope of existing privacy programs to account for the most significant departures of the PDPL from the GDPR, as highlighted below.

How does the PDPL compare to the GDPR?

Applicable across the European Union (“EU”) as of 2018, the GDPR is hailed as the gold standard of data protection regulations worldwide, with many data protection laws and regulations modeled after it and many companies outside the EU investing heavily in GDPR compliance. It therefore comes as no surprise that the PDPL mirrors the GDPR in many respects. Some of the key elements of (and in particular, differences between) the PDPL and GDPR are as follows:

Territorial Scope: The PDPL applies to any processing of personal data related to individuals that takes place in the Kingdom, in addition to the processing of personal data related to individuals that reside in the Kingdom, by any means, from any party, outside the Kingdom.[5] This scope is very broad, and represents a departure from the GDPR, which mainly applies to the activities of data processors and controllers in the EU (regardless of whether the processing takes place in the EU), as well as the processing of the data of EU residents by processors and controllers outside the EU in limited circumstances.[6]

Material Scope and Applicability: The PDPL’s material scope is quite similar to that of the GDPR: the PDPL applies only to personal data processing, and defines personal data very similarly to the GDPR. However, there seem to be a few notable differences between the two. For example, unlike the GDPR, the PDPL’s scope is not limited to the processing of personal data wholly or partly by automated means (that is, information in electronic form), and personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system.’ Moreover, the PDPL’s coverage extends to the processing of deceased individuals’ personal data.

General Obligations: The PDPL introduces certain obligations, which are similar to some of the principles laid down in Article 5 of the GDPR.[7] These include purpose limitation and data minimization,[8] lawfulness of processing,[9] accuracy of personal data,[10] and storage limitation.[11] Controllers are also required to maintain records of processing activities in a manner similar to the GDPR,[12] which means that they will need to carry out data mapping exercises across their organizations to create such records and update them periodically. The PDPL requires controllers to ensure that their processors provide sufficient guarantees to protect personal data. They are also required to put in place agreements with processors that include certain mandatory provisions[13] (though they do not closely track the corresponding GDPR requirement that is set out in Art. 28 of the GDPR).[14]

Data Subject Rights: The rights afforded to data subjects by the PDPL are broadly similar to those under the GDPR; however, there are some significant differences. For example, the PDPL does not include a specific right to restrict the processing of personal data, nor an explicit right to object to the processing of personal data for direct marketing purposes. The PDPL also differs significantly from the GDPR in terms of the scope of, and the conditions in which, data subjects can exercise the right to portability (i.e., a data subject’s right to use his or her data across different services) and the right to erasure and destruction (i.e., the right to be forgotten).

Consent and lawful bases: Under the PDPL, personal data generally may not be processed (nor may the purpose of personal data processing be changed) without the consent of the data subject, which consent can generally be withdrawn at any time.[15] The exceptions to this consent requirement are as follows:

  1. The processing serves the actual interests of the data subject, but communicating with the data subject is impossible or difficult;
  2. The processing is pursuant to another law or in implementation of a previous agreement to which the data subject is a party;
  3. The controller is a public entity and the processing is required for security purposes or to satisfy judicial requirements; or
  4. The processing is necessary for the purpose of legitimate interest of the controller (without prejudice to the rights and interests of the data subject), provided that no sensitive data is to be processed.[16]

The PDPL approach seems to deviate from the GDPR in a few significant ways. First, the lawful bases, which are alternatives to consent, do not strictly track the corresponding provisions of the GDPR; for example, unlike the GDPR, it seems that controllers can rely on an ‘agreement’ to process personal data only for existing agreements, which means that they may not be able to process data in order to take steps at the request of the data subject prior to entering into a contract (unless, of course, they can rely on another lawful basis, such as the data subject’s consent). Second, the PDPL is based on the principle of primacy of consent, in that consent is the rule and the other lawful bases are merely exceptions. Time will tell whether the regulators will take a narrow interpretation of the other lawful bases because they are exceptions only. The PDPL also states that consent may not be a requirement for the provision of a service or benefit unless such service or benefit is directly related to the processing of personal data for which consent is given. This will likely mean that controllers can obtain consent in a contract (which is not possible under the GDPR), but only if the processing for which consent is obtained is for the benefit of the data subject. In addition, the PDPL and the Implementing Regulations require consent to be specific, freely given and informed, which may in practice make reliance on consent as a lawful basis impractical, if not impossible, in most use cases. As in the GDPR, consent can also be withdrawn at any time, even where it was validly obtained.[17] However, the PDPL seems to go beyond the GDPR in that, in the event of a withdrawal request (which does not necessarily have to accompany an erasure request), controllers are required to take measures to notify third parties to whom personal data has been disclosed and request the destruction of the personal data.[18]

When relying on legitimate interests, controllers should comply with obligations that are similar to those under the GDPR. For example, they will need to balance the legitimate interests of the controller against those of the data subjects and record the outcome of the balancing assessment in a legitimate interest assessment.[19]

Health Data: The PDPL Regulations take the approach of limiting access to health data by limiting the conditions under which health data can be processed by controllers.[20] For example, the PDPL and its Regulations restrict the right to process health data only to when such access is necessary to provide the required health services (i.e., services related to the health of an individual, including preventive, curative, rehabilitative and hospitalizing services, as well as the provision of medications).[21] They also restrict health data access by employees and workers to the minimum extent possible as necessary to provide health services or offer health insurance programs.[22] While these may give rise to issues in practice (given that it seems that health data may only be processed for healthcare and health insurance purposes), the right to access and process health care data for other purposes may also be allowed under a broader, catch-all provision of the PDPL (for example, where the controller is a public entity and the collection is necessary for public health or safety, or pursuant to a judicial requirement).[23]

Privacy Policy: The PDPL requires controllers to maintain a privacy policy made available to data subjects. The notice must specify:

  1. The purpose of the collection,
  2. The personal data to be collected,
  3. The means for collection, processing, storage, and destruction, and
  4. Data subject rights and how to exercise such rights.

If the controller intends to process the data for a purpose other than the one disclosed, it must provide the data subject with the necessary information in accordance with the PDPL prior to conducting the additional processing.[24] Furthermore, in the case of continuous and large-scale processing or automated decision-making, the PDPL mandates that additional categories of information be disclosed, such as the means and methods of the collection and protection of personal data, and whether decisions will be made solely by automated processing of such data.

Information requirements are broadly similar to those under the corresponding provisions of the GDPR[25]; however, there are still some differences, some of which may prove significant and difficult to comply with in practice.[26]

Security: Similar to the GDPR, the PDPL requires controllers to implement technical, organizational and administrative measures (“TOMs”) to protect personal data. However, the wording of the obligation is slightly different and could have potentially significant ramifications in practice. The GDPR requirement is to implement “appropriate TOMs”, whereas the PDPL seems to require controllers to implement “all the necessary TOMs” to protect personal data.[27] Because of the ‘appropriateness’ standard under the GDPR, it is generally accepted that controllers might not be liable for security breaches provided they demonstrate that they have taken into account the risks of the processing and – based on such risks – have implemented those measures that are ‘appropriate’ to such risks. In other words, a controller engaged only in low-risk processing is generally not expected to implement extensive TOMs that would be appropriate for higher-risk activities. On the other hand, the standard under the PDPL (i.e., the requirement to implement ‘all the necessary TOMs’) may in practice mean that controllers may be liable for data breaches unless they can demonstrate that they have implemented all the TOMs available to them that were necessary for the protection of the data in question.

Data Breach: The PDPL’s personal data breach notification rules are also similar to the GDPR in that controllers are required to notify the competent authority of certain breaches within 72 hours after becoming aware of them.[28] However, the materiality threshold that triggers the notification obligation is slightly different: the PDPL requires controllers to notify the competent authority of those breaches that ‘potentially cause harm to the personal data or to the data subject or conflict with their rights or interests’,[29] whereas, under the GDPR, the obligation to notify supervisory authorities does not apply where the breach is unlikely to result in a risk to the data subjects.[30] Controllers are also required under the PDPL to notify data subjects if the data breach ‘may cause damage to their data or conflict with their rights or interests’,[31] which similarly differs from the test under the GDPR, which mandates notification if the breach is likely to pose a ‘high risk to the rights and freedoms of natural persons.’[32]

Data Protection Officer: The PDPL requires controllers to appoint a data protection officer (“DPO”) in certain circumstances. These are very similar to the GDPR and, for private organizations, are: where primary activities consist of operations that require regular and continuous monitoring on a large scale, and where core activities consist of processing sensitive personal data. DPOs can be an external consultant and they have specific responsibilities under the PDPL.[33]

Some Additional Key Features of the PDPL

In addition to the comparative aspects highlighted above, below are some of the key features and terms of the PDPL.

Registration:

The Saudi Data and Artificial Intelligence Authority (“SDAIA”), as mandated by the PDPL, intends on creating a national register of controllers and charging an annual fee for the registration of controllers that are private entities.

Penalties:

The PDPL provides for two tiers of penalties depending on whether the violation resulted in the disclosure of sensitive data: (i) intentional disclosure of sensitive data with the intent of harming the data subject can result in fines of up to SAR 3 million (approximately US$800,000), up to two years’ imprisonment, or both, with repeat infringement potentially resulting in increased fines of up to SAR 6 million;[34] and (ii) for other violations, the violator may be issued a warning or a fine of no more than SAR 5 million, and repeat infringement can result in increased fines (but no more than SAR 10 million).[35] Further, the funds obtained as a result of the violation may be confiscated, and a court may order a summary of the judgment to be published in local newspapers or similar media in the violator’s area, at the violator’s expense.[36] [37]

Credit Data:

Article 24 of the PDPL provides “Credit Data,” defined as data “related to an individual’s request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including the data relating to that individual’s ability to obtain and repay debts, and the credit history of that person,” with special protections. For example, the data subject’s “explicit consent” is required, defined by the Implementing Regulations as direct and explicit consent by the data subject given in a manner clearly indicating their acceptance of the processing in a way that cannot be interpreted otherwise.

Furthermore, the Implementing Regulations require controllers to take TOMs to protect credit data by (i) adopting and implementing requirements and controls issued by the Saudi Central Bank, and (ii) obtaining the explicit consent of the data subject and notifying them of any request to disclose their credit data.[38]

Advertising and Marketing:

Article 25 of the PDPL provides that a controller may not use personal means of communication to send advertising or awareness-raising materials unless (i) it obtains the prior consent of the target recipient, and (ii) provides the recipient with a clear opt-out mechanism. The Implementing Regulations provide that such prior consent must be given freely, with the targeted recipient being given the options for advertising or awareness-raising for which they consent, and such consent must be documented.[39] The regulations further provide that the controller must clearly identify the sender of the materials, and must cease sending the materials in a manner free of charge as soon as the targeted recipient so requires.[40]

In addition, personal data may be processed for marketing purposes only if (i) collected directly from the data subject and (ii) the data subject consents to the processing.[41]

Cross-Border Data Transfer:

The PDPL imposes transfer restrictions (some of which are stricter than comparable laws including, arguably, the GDPR), and has a set of Transfer Regulations pertaining specifically to the matter. A controller may only transfer or disclose data to a party outside of the Kingdom if (1) it relates to the performance of an agreement to which the Kingdom is a party, (2) it “serves the interests of the Kingdom,” (3) it relates to the performance of an agreement to which the data subject is a party, or (4) it fulfills other purposes set out by the Regulations.[42] The Transfer Regulations further provide that such transfer or disclosure may be pursuant to (i) processing operations that enable the controller to carry out its activities (including central management operations), (ii) the provision of a service or benefit to the data subject, or (iii) scientific research and study purposes.[43]

Such data transfer or disclosure must additionally meet the following conditions: (a) it will not cause prejudice to the national security or vital interests of the Kingdom, (b) there exists a level of protection in the recipient jurisdiction that is at least equal to the PDPL, and (c) the transfer or disclosure is limited to the minimum amount of personal data needed to achieve the purpose of the transfer or disclosure.[44]

In the absence of a finding of adequacy of data protection laws outside the Kingdom, the controller may nonetheless transfer data outside the Kingdom in the presence of appropriate safeguards. Such safeguards include binding common rules among entities engaged in a joint economic activity, contractual clauses, certifications of compliance with the Kingdom’s laws (including the PDPL and its regulations), or binding codes of conduct – all subject to the competent authority’s approval.[45]

Impact Assessment:

The PDPL requires controllers to conduct an impact assessment in relation to any product or service of a certain nature.[46] The regulations further provide that such assessment will be written and documented, and will be conducted in the following cases: (1) the processing involves sensitive data, (2) the collection or linking of sets of personal data from two different sources, (3) the activity of the controller involves large-scale and continuous processing of personal data of those who fully or partially lack legal capacity, that involves continuous monitoring of data subjects, or that involves automated decision-making, or (4) providing a product or service that involves processing personal data that is likely to cause harm to the privacy of the data subjects.[47]

The controller shall provide a copy of the impact assessment to any processor acting on its behalf, and if it concludes that the processing will harm the privacy of the data subjects, it will address the reason for such harm and re-conduct the assessment.

Conclusion

With the advent of data protection laws being implemented in the region such as the PDPL and its Regulations, entities operating in the region are well advised to analyze their existing data protection processes and policies and to overhaul or otherwise bring them into compliance with the applicable regulations. It is unclear how strictly the PDPL will be enforced and how much leniency will be afforded once the entities’ compliance period begins, given the novelty of the law and its concepts to the region, but larger corporations may experience the most rigorous scrutiny.[48] However, the good news is that many of the various laws mirror one another and are modelled on their predecessors, such as the GDPR. As such, companies that adhere to and maintain sustainable, ongoing compliance with the strictest applicable law or regulation are likely to consequently achieve compliance with the remaining legal regimes.

Key Definitions

The concepts that the PDPL adopts are more or less the same as in the GDPR. Some of the key defined terms under the PDPL are as follows:

  • Collection: Collection of Personal Data by Controller (from the Data Subject directly, a representative or legal guardian of the Data Subject, or any other party).
  • Controller: any Public Entity, natural person or private legal person that specified the purpose and manner of Processing Personal Data (whether that data is processed by the Controller or Processor).
  • Competent Authority: The authority to be determined by a resolution of the Council of Ministers, which shall initially be the Saudi Data and Artificial Intelligence Authority.[49]
  • Data Subject: The individual to whom the Personal Data relate.
  • Genetic Data: Personal Data related to hereditary or acquired characteristics that uniquely identify the physiological or health characteristics of a natural person, derived from the biological material of such person.
  • Personal Data: Any data that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual (including name, personal ID number, address, contact number, license number, records, personal assets, bank and credit card numbers, photos/videos of an individual, etc.).
  • Processing: Any operation carried out on Personal Data (incl., collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing, and destroying data).
  • Processor: Any Public Entity, natural person or private legal person that processes Personal Data for the benefit of and on behalf of the Controller.
  • Public Entity: Any ministry, department, public institution or public authority, any independent public entity in the Kingdom, or any affiliated entity therewith.
  • Sensitive Data: Personal Data revealing racial or ethnic origin or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual’s parents are unknown.

[1] Muhammed Aslam Hayat, Privacy and Islam: From the Quran to data protection in Pakistan, Information and Communications Technology Law, Vol. 16, Iss. 2, June 2007, pp 137–148, https://doi.org/10.1080/13600830701532043

[2] SDAIA, Saudi Arabia Personal Data Protection Law, 27/03/2023, https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023-%20Reviewed-.pdf

[3] Usercentrics, Saudi Arabia Personal Data Protection Law (PDPL): An Overview, August 18, 2023, https://usercentrics.com/knowledge-hub/saudi-arabia-personal-data-protection-law-pdpl/

[4] Securiti, Understanding Saudi Arabia’s Personal Data Protection Law (PDPL), September 28, 2023, https://securiti.ai/saudi-arabia-personal-data-protection-law/#:~:text=The%20PDPL%20requires%20that%20organizations,for%20each%20purpose%20of%20processing.

[5] Art. 2 of the PDPL.

[6] Art. 3 of the GDPR.

[7] Art. 5 of the PDPL.

[8] Article 11 of the PDPL provides that “the purpose for which personal data is collected shall be directly related to the controller’s purposes” and “the content of the Personal Data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the collection”

[9] Article 11 of the PDPL provides that “the methods and means of personal data collection shall not conflict with any legal provisions”.

[10] Article 14 of the PDPL provides that “the controller may not process personal data without taking sufficient steps to verify the personal data accuracy, completeness, timeliness and relevance to the purpose for which it is collected”.

[11] Article 11 of the PDPL provides that: “if the personal data collected is no longer necessary for the purpose for which it has been collected, the controller shall, without undue delay, cease their collection and destroy previously collected personal data”.

[12] Art. 31 of the PDPL; Art. 33 of the Implementing Regulations.

[13] Such provisions must include, at a minimum, the purpose of the processing, the categories of personal data being processed, the duration of the processing, a commitment of notification in case of breach, regulations and laws to which the processor is subject in other jurisdictions and their effect on compliance, the non-requirement of the data subject’s consent for mandatory disclosures under applicable laws in the Kingdom, and identification of other parties to whom the data will be disclosed.

[14] Art. 17 of the Implementing Regulations.

[15] Art. 5 of the PDPL.

[16] Art. 6 of the PDPL.

[17] Art. 12 of the Implementing Regulations.

[18] Art. 12 of the Implementing Regulations.

[19] Art. 16 of the Implementing Regulations.

[20] Art. 23 of the PDPL and Art. 26 of the Implementing Regulations.

[21] Id.

[22] Id.

[23] Art. 10 of the PDPL.

[24] Art. 4 of the Implementing Regulations.

[25] Art. 13 and Art. 14 of the GDPR.

[26] For example, the GDPR permits controllers to specify “categories of recipients” of personal data instead of requiring them to name each recipient; but the PDPL mandates that “the entities to which the personal data will be disclosed and the capacity of such entities” need to be provided to data subjects.

[27] Art. 19 of the PDPL. Also see Art. 23 of the Implementing Regulations.

[28] Art. 24 of the PDPL.

[29] Art. 24 of the Implementing Regulations.

[30] Art. 33 of the GDPR.

[31] Art. 24 of the Implementing Regulations.

[32] Art. 34 of the GDPR.

[33] Art. 32 of the Implementing Regulations.

[34] Art. 35 of the PDPL.

[35] Art. 36 of the PDPL.

[36] Art. 37 of the PDPL.

[37] On the other hand, the GDPR provides for a flexible penalties regime, providing Member States with the right to set penalties for infringement beyond the administrative fines imposed by the GDPR (Article 84 of the GDPR). The GDPR sets out two tiers of administrative penalties: (i) The first, less severe, tier results in a maximum fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year (whichever is higher); (ii) and  the second, more severe, tier results in a maximum fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year (whichever is higher) (Article 83). As such, the most significant difference is that the GDPR itself imposes only administrative fines in a much higher amount than the PDPL, but does not provide for imprisonment (unless such penalty is imposed by the individual Member States).

[38] Art. 27 of the Implementing Regulations.

[39] Art. 28 of the Implementing Regulations.

[40] Id.

[41] Art. 26 of the PDPL.

[42] Art. 29 of the PDPL.

[43] Art. 2 of the Transfer Regulations.

[44] Id.

[45] Art. 5 of the Transfer Regulations.

[46] Art. 22 of the PDPL.

[47] Art. 25 of the Implementing Regulations.

[48] KPMG, The path towards robust personal data protection compliance: Practices for organizations in Saudi Arabia to comply with the new personal data protection law, August 2023,

[49] Usercentrics, Saudi Arabia Personal Data Protection Law (PDPL): An Overview, August 18, 2023, https://usercentrics.com/knowledge-hub/saudi-arabia-personal-data-protection-law-pdpl/