Decoding Saudi Arabia's Personal Data Protection Law
In an era where data privacy is increasingly paramount, the Kingdom of Saudi Arabia (KSA) has introduced its own Personal Data Protection Law (PDPL). Becoming fully enforceable from 14th September 2024, the PDPL represents a significant milestone in Saudi Arabia’s efforts to regulate the processing and protection of personal data within its borders and beyond.
Scope and Applicability of the PDPL
The PDPL is comprehensive in its coverage, applying to any personal data processing activities that occur within Saudi Arabia, as well as the processing of KSA residents' data outside the country. The law defines personal data broadly, encompassing any information that could directly or indirectly identify an individual. This includes, but is not limited to, names, personal identification numbers, addresses, contact numbers, and sensitive data such as health and financial information.
Significantly, the PDPL also extends its protections to data concerning deceased individuals, provided that the information can be used to identify the individual or their family members. This broad scope underscores the law’s rigorous approach to personal data protection.
Core Concepts and Roles
The PDPL introduces two primary roles for entities dealing with personal data: the Controller and the Processor.
Legal Bases for Data Processing
For data processing to be lawful under the PDPL, there must be a legitimate basis for it. The PDPL outlines several legal bases, including:
Data Subject Rights
The PDPL grants individuals robust rights regarding their personal data. These include the right to be informed about the purposes of data collection, the right to access their data, the right to request corrections or updates, and the right to request the deletion of their data. Additionally, individuals have the right to withdraw their consent for data processing at any time.
Controllers are obligated to respond to these requests within a maximum of 30 days, with the possibility of an extension under certain circumstances.
Compliance and Enforcement
Compliance with the PDPL is not merely advisory but mandatory, with substantial penalties for non-compliance. The Saudi Authority for Data and Artificial Intelligence (SDAIA) is the designated supervisory authority responsible for overseeing the implementation of the PDPL. SDAIA has the power to request documentation from entities to verify compliance, and breaches of the PDPL can result in fines of up to SAR 5 million (approximately $1.3 million). In cases of repeated violations, fines can be doubled, and severe breaches, such as the unlawful disclosure of sensitive data, can lead to imprisonment for up to two years.
Conclusion
The PDPL marks a pivotal development in Saudi Arabia’s legal landscape, aligning the Kingdom with global standards of data protection. For businesses operating within or with the KSA, understanding and complying with the PDPL is essential. As the law becomes fully enforceable by September 2024, entities must ensure they have the necessary frameworks in place to protect personal data, respect individual rights, and avoid the significant penalties associated with non-compliance.
If your organization is dealing with copious amounts of personal data, do visit www.tsaaro.com.
Check out our white paper on the KSA PDPL here.
?News of the Week
领英推荐
1.?US and German Authorities Shut Down Global Ransomware Group, Dispossessor
Authorities in the US and Germany have dismantled the globally active ransomware group Radar/Dispossessor, which has targeted at least 43 companies since August 2023. Servers and domains in multiple countries were taken down and 12 suspects have been identified. Investigations continue to identify additional suspects and uncover other victimized companies.
2. X Faces 9 GDPR Complaint Over AI Training
Austrian advocacy group NOYB filed a GDPR complaint against X, accusing the company of using EU users' personal data to train its AI without consent. NOYB has submitted GDPR complaints to nine EU authorities to increase pressure on Ireland's DPC. NYOB seeks to ensure complete adherence to EU law, which requires, at a minimum, obtaining user consent in this case.
3.?Texas Sues GM for Selling Driver Data Without Consent
Texas sued General Motors (GM), accusing it of installing technology on over 14 million vehicles to collect and sell drivers' data to insurers without consent. The lawsuit accuses GM of using this data to create "Driving Scores," potentially impacting insurance decisions. Texas seeks data destruction, driver compensation, and penalties for violating state law.
4.?Enzo Biochem Settles for $4.5 Million After Ransomware Attack
Enzo Biochem will pay $4.5 million to settle claims from New York, New Jersey, and Connecticut for failing to protect personal and private health information. The settlement follows a ransomware attack that compromised data of 2.4 million patients in 2023.
5.??UK Considers Stricter Online Safety Act After Riots
The British government is considering revisions to the Online Safety Act aimed at regulating social media companies, in response to a week of racist riots fuelled by false information spread online. The Act, passed in October but effective next year, allows the government to fine social media companies for failing to police illegal content. Proposed changes may extend penalties to companies that permit "legal but harmful" content, such as misinformation.
Thanks for sharing!.
16+ Years' Recruitment Experience for India and Africa | Executive Resume Writer | Talent Acquisition specialist since 2007 | LinkedIn Profile Optimisation | Podcast Host of Expert Talk Show by Vipul The Wonderful
1 个月Thanks for sharing