Critical Insights into Saudi Arabia Data Protection Law: What to Know Before 14 September 2024
Contents
- Territorial Scope
- Controller Registration Requirements
- Appointing a Data Protection Officer
- Cross-Border Transfers
The Saudi Personal Data Protection Law (“PDPL”) took effect on 14 September 2023, granting data processing entities a grace period until 14 September 2024 to achieve full compliance. As of 14 September 2024, the law shall be fully enforceable by the Saudi Data and Artificial Intelligence Authority (“SDAIA”).
SDAIA has issued guidelines and additional rules, which align closely with the European General Data Protection Regulation (“GDPR”). Key points to note include:
Territorial Scope
The PDPL has extraterritorial reach, applying to non-Saudi organizations that handle the personal data of individuals residing in Saudi Arabia. In practice, any entity, regardless of its location, must comply with the PDPL when processing the personal data of Saudi residents or face penalties.
Controller Registration Requirements
SDAIA has established regulations for the National Register of Controllers, requiring registration for:
i. Public bodies
ii. Controllers primarily engaged in personal data processing
iii. Controllers handling sensitive personal data that poses significant risks to individual rights (such as criminal or genetic information)
The registration procedures vary: public entities must complete a form provided by SDAIA, while private entities must register via the national platform. Certificates will be available for public viewing in the national register.
Appointing a Data Protection Officer
The Implementing Regulation mandates the appointment of a Data Protection Officer (“DPO”) in certain situations:
◼ When the Controller is a public entity processing large-scale personal data
◼ If the Controller’s main operations involve regular and ongoing monitoring of individuals
◼ When the Controller’s core activities include handling sensitive personal data
DPOs must possess relevant academic qualifications, expertise in data protection, and knowledge of risk management and security protocols. They can be internal staff members or external contractors. The DPO’s responsibilities include raising awareness of data protection regulations, assisting in policy formulation, and overseeing technological processes.
Cross-Border Transfers
Data transfer procedures closely follow those of the GDPR. Organizations must implement safeguards when transferring personal data to countries not yet recognized by SDAIA as providing adequate data protection. Currently, SDAIA has not published a list of countries it recognizes as adequate.
Three approved methods for ensuring data protection during transfers are:
◼ Standard Contractual Clauses (SCCs)
◼ Binding Corporate Rules (BCRs)
◼ Accreditation Certificates
Additionally, companies must conduct risk assessments when transferring personal data outside Saudi Arabia, particularly for sensitive data that is frequently or widely shared.
Ensuring compliance by the deadline is crucial to avoid penalties.