PDPL – a Brief Overview

With the entry into force of the GDPR in 2018, other international regulations on data collection, processing and storage, and the continuous increase in personal data, data protection has become a top priority for companies. The GDPR defines a framework for companies to collect, store and process personal data in a legally compliant manner. Since its enactment, companies have been obliged to provide information regarding their data processing activities at any time and to achieve the defined level of data protection.

In the course of the international economic rapprochement of the Gulf States with the EU, the reform of the legal system in Saudi Arabia represents an important component. With decision No. 98 of September 2021, the Kingdom of Saudi Arabia has now also confirmed the Personal Data Protection Law (PDPL), which previously existed in draft form, and published it in the Official Gazette. Comparable to other international data protection laws, this law also aims to ensure the protection of personal data, to regulate the sharing of data and to prevent the misuse of personal data. The primary objective is to align the law with the Kingdom’s Vision 2030 to develop a digital infrastructure and promote innovation for the growth of a digital world.

Comparable to the GDPR, the law introduces independent principles for the processing of personal data such as lawfulness, fairness, and transparency. As the competent authority, the SDAIA (Saudi Data & Artificial Intelligence Authority) is initially required to issue the final regulations before the law comes into force in March 2022. In future, supervision will be taken over by the National Data Management Office (NDMO). The data governance regulations already published provisionally in 2020 will now be superseded by the PDPL insofar as they relate to the protection of personal data.

Except for the processing of personal data for personal or domestic purposes, the Data Protection Law applies to all processing of personal data in Saudi Arabia. It also covers the processing of personal data that takes place outside Saudi Arabia in relation to data subjects in Saudi Arabia. The law requires companies outside Saudi Arabia that process personal data of data subjects in Saudi Arabia to appoint a representative in Saudi Arabia to comply with their obligations under the law. Companies must comply with this obligation within five years of the law coming into force. The law provides for corresponding fines for violations. The processing of personal data of deceased persons also falls within the scope of the law, provided that the processing could lead to the identification of the person concerned or his or her family.

While the features of the law are consistent with the principles of other international data protection laws, it takes a stricter approach to data sovereignty, transfer, and disclosure of data outside Saudi Arabia than other similar laws. The details of the implementation of the PDPL will be set out in the regulation to be issued by the SDAIA, of which we will inform you once issued.

Author: Christine Baltzer-Zacharias

Senior Lawyer