The Kingdom of Saudi Arabia has recently issued its first comprehensive national data protection law.  The Personal Data Protection Law will enter into force on March 23, 2022 and regulates the collection, processing and use of personal data in the Kingdom.

Organizations with operations in the Kingdom or those processing data of Saudi residents will have one year to comply with the new requirements.

The Saudi Data & Artificial Intelligence Authority (“SDAIA”), the supervisory authority for the law’s application, will issue implementing regulations supplementing most aspects of the law by March 2022.  There have been no further regulatory developments at this stage – but businesses should note several important requirements contained in the new law:

  • Residency: The law applies to the personal data of all Saudi residents – both citizens and non-citizens.
  • Extraterritoriality: Any processing of Saudi resident data performed in the Kingdom or by entities located outside the Kingdom is subject to the law’s requirements.
  • Restrictions on Cross-Border Transfers: Transfers of data outside of the Kingdom may be made for limited explicit purposes, as set out in the law, or for “other purposes” subject to the forthcoming regulations. Even if the transfer falls into a permitted category, further conditions must be satisfied, including approval by the competent government authority, with exceptions granted on a case-by-case basis only.
  • Registration: Data controllers must register with SDAIA and pay an annual fee.
  • Consent: Consent is the primary legal basis for processing personal data, and must be obtained in writing (subject to further requirements in the forthcoming regulations). Personal data may only be processed without consent in very limited circumstances.
  • Local Representative: Any foreign company without a legal presence in the Kingdom that processes the personal data of Saudi residents must appoint a local representative, licensed for that purpose. SDAIA will determine when this requirement will come into effect.
  • Sensitive Data: All sensitive personal data, which includes genetic, health, and credit and financial data, will now be governed under the new law, but will also be subject to further regulation. The law contemplates a process of “reconciliation” with existing data regimes implemented by other regulators in the Kingdom.
  • Breach Notification: Breaches, leakages, or other unauthorized access to personal data must be notified to SDAIA “immediately,” as well as to data subjects.
  • Records of Processing Activities: Data controllers must prepare and register data processing activities with SDAIA.
  • Criminal Penalties: The law contains criminal penalties, including up to two years’ imprisonment and fines of up to SAR 3 million (approximately USD $800,000). Administrative penalties may be imposed with higher fines.

All businesses operating in the Kingdom or processing the data of Saudi residents should start assessing their activities and security systems in preparation of the law’s implementation.

We are monitoring further developments regarding the new law, and will post updates on Inside Privacy.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Tarek Khanachet Tarek Khanachet

Tarek Khanachet advises clients across a broad range of complex international regulatory, government affairs and corporate matters focused on Turkey, the Middle East and Gulf States.  From 2011 to 2013 he was resident in Saudi Arabia, advising the Economic Cities Authority of the…

Tarek Khanachet advises clients across a broad range of complex international regulatory, government affairs and corporate matters focused on Turkey, the Middle East and Gulf States.  From 2011 to 2013 he was resident in Saudi Arabia, advising the Economic Cities Authority of the Kingdom of Saudi Arabia on regulatory development, as well as outsourcing and licensing transactions.

Tarek has extensive experience with government affairs and regulatory matters in the region ‒ advising government entities as well as private companies on matters as diverse as treaty interpretation, trade policy and market access issues and blocks.

His corporate practice includes public-private partnerships, infrastructure projects, cross-border mergers and acquisitions, finance and commercial transactions.  In addition to corporate and government affairs, Tarek has assisted clients with complex regulatory and white collar enforcement and investigations.

Photo of Julie Teperow Julie Teperow

Julie Teperow’s practice focuses on international dispute resolution, frequently representing clients in arbitration and commercial disputes centering on property development and construction issues. She also advises U.S. and international companies on compliance with U.S. law, including export controls, with particular focus on economic…

Julie Teperow’s practice focuses on international dispute resolution, frequently representing clients in arbitration and commercial disputes centering on property development and construction issues. She also advises U.S. and international companies on compliance with U.S. law, including export controls, with particular focus on economic sanctions and anti-boycott restrictions, advises companies and individuals in white collar criminal matters, and conducts special and internal investigations.

Photo of Antonio Michaelides Antonio Michaelides

Antonio Michaelides advises clients in heavily regulated sectors on a broad range of cross-border regulatory and compliance matters, with a particular focus on Europe and the Middle East. He has particular expertise in helping clients navigate international HR-legal compliance issues—including labor laws, international…

Antonio Michaelides advises clients in heavily regulated sectors on a broad range of cross-border regulatory and compliance matters, with a particular focus on Europe and the Middle East. He has particular expertise in helping clients navigate international HR-legal compliance issues—including labor laws, international equity compliance and immigration matters—and frequently helps multinationals find solutions to their most complex global employment and benefits challenges.