Insights

Insights into Saudi Arabia’s Evolving Laws & Regulations

Personal Data Protection Law

Mar 7, 2024

Personal Data Protection Law

 


Introduction 

In the era of digital transformation, Saudi Arabia leads with internet coverage over 73% and smartphone penetration exceeding 80%. With concerns arising, the Personal Data Protection Law aims to safeguard privacy rights among technological advancements

Boundaries of the Law

The Personal Data Protection Law’s applicability is clearly defined in Paragraph 1 of Article 2, which states:
“The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom.”
So while this law aligns with global trends in personal information protection, it mainly focuses on Saudi Arabia to ensure compliance with the country’s legal requirements. This is why the law exclusively applies to individuals residing in Saudi Arabia and covers data processing activities conducted both within and outside the Kingdom, as long as the data processed relates to Saudi Arabian residents.

Defining Terms

The Personal Data Protection Law identifies Personal Data as any information, regardless of its origin or format, that could be used to directly or indirectly identify a person. This data includes, among other things, names, personal identification numbers, addresses, contact details, license numbers, records, personal possessions, bank and credit card details, photos, videos, and other personal data.
In addition, the Law highlights the difference between Personal Data and Sensitive Data, which is more important due to its sensitive nature, and explicitly forbids the use of Sensitive Data for advertising purposes.
Examples of Sensitive Data, as classified by the Law, may include information on racial or ethnic background, religious, intellectual, or political beliefs, criminal records, biometric or genetic data for identification purposes, health records, and indications of anonymous parentage. Anyone who discloses or shares Sensitive Data with malicious intent or for personal gain is liable to face legal repercussions. These types of actions could lead to a maximum prison sentence of two years, a fine not exceeding three million Riyals, or both.
It’s also essential to clarify the term “Processing” in this context; it covers any activity involving Personal Data, whether manual or automated. This encompasses activities such as collection, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, utilizing, disclosing, transmitting, publishing, sharing, connecting, blocking, deleting, and destroying data. Understanding the extent of Processing is critical to ensuring compliance with data protection laws.

Individuals’ Rights

Individuals are afforded specific rights by the Law to protect their Personal Data, which consist of the following:

  1. Being informed about the collection and processing of their data.
  2. Accessing their collected data.
  3. Obtaining their data in a legible and clear format.
  4. Correcting or updating their data.
  5. Requesting the deletion of their data when no longer essential for its original purpose.

Prohibited Acts

Data controllers must follow numerous constraints, as outlined in the law, to prevent accidentally breaching its rules. These constraints include:

  1. Only collecting data directly from individuals.
  2. Not disclosing Personal Data.
  3. Avoiding the use of personal communication means for advertising purposes.
  4. Abstaining from duplicating identifiable official documents.

Exceptions

The law does, however, make exceptions to its standard provisions, as outlined in both the law itself and its implementing regulations. These exceptions include:

  1. Personal or family use.
  2. Instances where communication with the individual is impossible or difficult.
  3. Processing in implementation of a previous agreement.
  4. Disclosure of data collected from publicly available sources.

Case Study: Legality of Collecting CVs

When evaluating the legality of collecting CVs from candidates, certain criteria must be considered, including:

  1. The candidate’s residency.
  2. The data’s nature.
  3. The acquisition method.
  4. The intended use.
  5. The candidate’s rights concerning their data.

This evaluation process is crucial in ensuring compliance with legal standards and protecting individuals’ rights.

Legal Complaints

If an individual’s personal information is compromised, they have the right to seek compensation by filing a complaint with the Saudi Authority for Data and Artificial Intelligence within ninety days of the incident’s occurrence or upon becoming aware of the breach.

The designated authority maintains a register specifically for recording such complaints. Your complaint should include the following details:

  1. The time & location of the data breach.
  2. Your name, identification details, address, and contact number.
  3. Information regarding the party against whom the complaint is lodged.
  4. A clear and detailed description of the violation accompanied with supporting evidence and relevant information.
  5. Any additional requirements specified by the Saudi Authority for Data and Artificial Intelligence.

By following these guidelines, you can effectively declare your rights and contribute to the protection of personal data within the Kingdom.

Conclusion

This overview of the Personal Data Protection Law in Saudi Arabia emphasizes the significance of compliance with its regulations to protect individuals’ privacy rights and guarantee responsible data processing practices by entities operating within the Kingdom.


 

Are You Ready?

Let's Work Together

Let us help you conduct business with confidence. Contact our legal team today for immediate assistance.

Offices Across The Region

Dammam Office

AlGhazzawi Business Tower, 8th Floor
Prince Muhammad Street
P.O. Box 381, Dammam 31411
T: +966 13 8331611
F: +966 13 8331981

Jeddah Office

Jeddah Commercial Centre, 3rd Floor
Al Maady Street, Corniche Al Hamra
P.O. Box 7346, Jeddah 21462
T: +966 12 6531576
F: +966 12 6532612

Riyadh Office

King Faisal Foundation, North Tower, 4th Floor
King Fahd Road
P.O. Box 9029, Riyadh 11413
T: +966 11 4632374
F: +966 11 4627566

Representative Office - Cairo

Nile City Tower, North Tower, 23rd Floor
2005 Corniche El Nil, Ramlet Beaulac
Cairo, Egypt 11221
T: +202 2461 9647
F: +202 2461 9647