Okaz/Saudi Gazette

RIYADH — The amended Personal Data Protection Law (PDPL) came into effect on Thursday, Sept. 14 in Saudi Arabia.

The Kingdom had enacted the law on Sept. 16, 2021, by a royal decree, with a grace period of 720 days for its implementation after the publication of the original law in the official gazette. Five amendments were made in the law by another royal decree issued on March 27, 2023. The Saudi Data & Artificial Intelligence Authority (SDAIA) published the Executive Regulations of the law on Sept. 7, 2023, one week before the PDPL coming into effect on Sept. 14.

Speaking to Okaz/Saudi Gazette, legal experts pointed out that this is the first comprehensive data protection law in Saudi Arabia that aims to protect individual privacy by regulating the data collection, processing, disclosure and preservation. They noted that the law provides a detailed framework of processing standards, the rights of data subjects, the obligations of relevant bodies when processing, as well as data sovereignty, and penalties in the event of violating the provisions of the law.

According to the law, personal data is defined as every data – of whatever source or form – that would lead to the identification of the individual specifically or make it possible to identify him directly or indirectly, including: name, personal identification number, date of birth, addresses, contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the individual, and other data of personal nature.

The PDPL defines sensitive data as personal data that includes a reference to an individual’s racial or ethnic origin, or religious, intellectual or political belief, as well as criminal and security data, biometrics, genetic data, credit data, health data and data that indicates that one or both of the individual’s parents are unknown.

The law interpreted genetic data to mean every personal statement related to the genetic or acquired characteristics of a natural person, that uniquely identifies the physiological or health characteristics of that person, and is extracted from the analysis of a biological sample of the person, such as the analysis of DNA or the analysis of any other sample that leads to the extraction of genetic data. According to the law, health data means every personal statement related to an individual’s health condition, whether physical, mental, psychological, or related to his health services, is considered.

Article 10 of the law stipulates that the controlling authority may only collect personal data directly from its owner, and that data may only be processed to achieve the purpose for which it was collected.

Article 13 of the Executive Regulations obliges the legal guardian of the incomplete or incapacitated person’s data to act in the best interests of the data of the person, Article 16 of the law considers the disclosure of fraud operations and protecting network and information security are among the legitimate interests under which the controlling agency has the right to process and obtain personal data. Article 15 of the law details the circumstances in which the controlling authority may disclose personal data.

The executive regulations also stipulate the circumstances that allow the transfer of personal data outside the Kingdom, with specifying the controls, and procedures in this respect. Article 36 of the law assigns jurisdiction to consider violations and impose penalties stipulated in the law in the event of violating the provisions of the law and its executive regulations by referring to a committee formed by a decision of the head of the competent authority