Introduction
In the era of digital transformation, Saudi Arabia leads with internet coverage over 73% and smartphone penetration exceeding 80%. With concerns arising, the Personal Data Protection Law aims to safeguard privacy rights amid technological advancements.
Boundaries of the Law
The Personal Data Protection Law’s applicability is clearly defined in Paragraph 1 of Article 2, which states:
“The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom.”
So while this law aligns with global trends in personal information protection, it mainly focuses on Saudi Arabia to ensure compliance with the country’s legal requirements. This is why the law exclusively applies to individuals residing in Saudi Arabia and covers data processing activities conducted both within and outside the Kingdom, as long as the data processed relates to Saudi Arabian residents.
Defining Terms
The Personal Data Protection Law identifies Personal Data as any information, regardless of its origin or format, that could be used to directly or indirectly identify a person. This data includes, among other things, names, personal identification numbers, addresses, contact details, license numbers, records, personal possessions, bank and credit card details, photos, videos, and other personal data.
In addition, the Law highlights the difference between Personal Data and Sensitive Data, which is more important due to its sensitive nature, and explicitly forbids the use of Sensitive Data for advertising purposes.
Examples of Sensitive Data, as classified by the Law, may include information on racial or ethnic background, religious, intellectual, or political beliefs, criminal records, biometric or genetic data for identification purposes, health records, and indications of anonymous parentage. Anyone who discloses or shares Sensitive Data with malicious intent or for personal gain is liable to face legal repercussions. These types of actions could lead to a maximum prison sentence of two years, a fine not exceeding three million Riyals, or both.
It’s also essential to clarify the term “Processing” in this context; it covers any activity involving Personal Data, whether manual or automated. This encompasses activities such as collection, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, utilizing, disclosing, transmitting, publishing, sharing, connecting, blocking, deleting, and destroying data. Understanding the extent of Processing is critical to ensuring compliance with data protection laws.
Individuals’ Rights
Individuals are afforded specific rights by the Law to protect their Personal Data, which consist of the following:
- Being informed about the collection and processing of their data.
- Accessing their collected data.
- Obtaining their data in a legible and clear format.
- Correcting or updating their data.
- Requesting the deletion of their data when no longer essential for its original purpose.
Prohibited Acts
Data controllers must follow numerous constraints, as outlined in the law, to prevent accidentally breaching its rules. These constraints include:
- Only collecting data directly from individuals.
- Not disclosing Personal Data.
- Avoiding the use of personal communication means for advertising purposes.
- Abstaining from duplicating identifiable official documents.
Exceptions
The law does, however, make exceptions to its standard provisions, as outlined in both the law itself and its implementing regulations. These exceptions include:
- Personal or family use.
- Instances where communication with the individual is impossible or difficult.
- Processing in implementation of a previous agreement.
- Disclosure of data collected from publicly available sources.
Case Study: Legality of Collecting CVs
When evaluating the legality of collecting CVs from candidates, certain criteria must be considered, including:
- The candidate’s residency.
- The data’s nature.
- The acquisition method.
- The intended use.
- The candidate’s rights concerning their data.
This evaluation process is crucial in ensuring compliance with legal standards and protecting individuals’ rights.
Legal Complaints
If an individual’s personal information is compromised, they have the right to seek compensation by filing a complaint with the Saudi Authority for Data and Artificial Intelligence within ninety days of the incident’s occurrence or upon becoming aware of the breach.
The designated authority maintains a register specifically for recording such complaints. Your complaint should include the following details:
- The time and location of the data breach.
- Your name, identification details, address, and contact number.
- Information regarding the party against whom the complaint is lodged.
- A clear and detailed description of the violation, accompanied by supporting evidence and relevant information.
- Any additional requirements specified by the Saudi Authority for Data and Artificial Intelligence.
By following these guidelines, you can effectively assert your rights and contribute to the protection of personal data within the Kingdom.
Conclusion
This overview of the Personal Data Protection Law in Saudi Arabia emphasizes the significance of compliance with its regulations to protect individuals’ privacy rights and guarantee responsible data processing practices by entities operating within the Kingdom.