Following the approval and issuance of the final KSA PDPL Amendments, below is a comprehensive analysis of the key changes in the final approved law compared with the proposed amendments in the Nov 22 version released by SDAIA for public consultation. The final version does not match the Nov 22 proposal 100%, but the final amendments are still an overall positive change: the law is now more in line with industry best practice and international data protection legislation, and reads as a well-balanced and enforceable privacy law compared to the initial version.
The key changes, with a detailed analysis of each amendment against the Nov 22 version, follow:
- Article 1 Definitions – Limited the Data Subject definition to the individual whose personal data is being processed and removed the extension of the definition to his/her representatives/legal guardian. This is now in line with international data protection legislation and should clear any confusion about whether Individual Rights apply to natural persons other than the concerned data subject.
- Article 4 Data Subject Rights – Added a reference to guidelines as set by the executive regulations/bylaw, compared to previously being tied to the law only. This is crucial because the rights are stipulated at a high level, and further guidelines, restrictions and conditions need to be issued for consistent implementation and common validation procedures for DSR requests from data subjects.
- Article 4 Data Subject Rights – Amended the additional “Right to Data Portability” that the Nov 22 proposal had added to the previous four rights (to Be Informed, Access, Rectification and Deletion) in accordance with guidelines set by the executive regulations/bylaw. The right is now limited to obtaining a copy of his/her data in a clear and readable format; the mandate to request transmission of his/her data to another data controller has been removed.
- Article 5 Lawfulness of Processing – Changed the wording “written consent” to “explicit consent”. On one side this gives more flexibility for the consent format to be digital; on the other it points to the comprehensive consent conditions that may be introduced in the final PDPL Bylaw.
- Article 6 Lawfulness of Processing – Added Legitimate Interest as one of the lawful bases that can be relied on for non-consent-based processing, balanced so as not to impact individual rights and with sensitive personal data exempted from this basis. This comes in addition to the existing bases of Consent, Vital, Legal and Contractual that were present in the original PDPL. Note that in the Nov 22 Amendments the Legitimate Interest basis was available to the Data Controller or any other party, while in the final version it is limited to the Data Controller only, which is more accurate. As for Public Interest, it is still not explicitly mentioned in the main lawfulness of processing Article 6 as it is in the EU GDPR; instead, Public Interest is added to the other lawfulness of processing articles for specific activities, e.g. repurposing and data disclosure.
- Article 8 Sub-processing – Amended the mandate imposing an obligation on the Data Controller to ensure the Data Processor's compliance with applicable Data Protection legislation. Under the Nov 22 wording this had to be done frequently or continuously; now it is required without any specified frequency, which is more in line with international data protection legislation.
- Article 9 Individual Rights Processing Time – Added a clarification that the processing time/service level for Data Subject Rights requests must be specified by the Data Controller according to the executive regulations to be issued in the PDPL Bylaw. This is a key change: previously the Data Controller was free to specify the processing time/service level, and the change is important to ensure consistency in implementation.
- Article 10 Lawfulness of Processing in case of repurposing or where personal data have not been obtained from the data subject – Added Legitimate Interest as one of the lawful bases that can be relied on in case of repurposing or where personal data have not been obtained from the data subject, balanced so as not to impact individual rights and with sensitive personal data exempted from this basis; this change is in line with the Nov 22 version. Two changes are new and were not in the Nov 22 version: a) the removal of the reference to executive regulations in the PDPL Bylaw for all lawful bases in points 3 to 7. This is acceptable as it leaves the criteria for the listed lawful bases to the Data Controllers' discretion, but it comes with accountability on Data Controllers to assess properly and decide carefully which lawfulness scenario applies to which use case; and b) the removal of the limitation added in the Nov 22 version to point 2, which required that repurposing of personal data that is public or collected from a public source must not breach the overall mandates of the law. This is a bit critical: with the new wording, the scenario of inaccurate personal data in the public domain is not considered, so such data may be used without applying the accuracy aspect that the Nov 22 amendment would have preserved.
- Added Public Interest to the following articles instead of being generic in “Article 6 Lawfulness of Processing”: Article 10 Lawfulness of Processing in case of repurposing or where personal data have not been obtained from the data subject, in point 3 (previously point 5 in the Nov 22 version), and Article 15 Lawfulness of Data Disclosure, in point 3 (previously point 4 in the Nov 22 version).
- Article 13 Right to be Informed – Changed the wording of the mandate to fulfil this right from “Before the starting of collecting his/her data” to “When collecting his/her data”, which is more in line with international data protection legislation.
- Article 15 Lawfulness of Data Disclosure – Added Legitimate Interest as one of the lawful bases that can be relied on in case of repurposing or where personal data have not been obtained from the data subject, balanced so as not to impact individual rights and with sensitive personal data exempted from this basis; this change is in line with the Nov 22 version. Two changes are new and were not in the Nov 22 version: a) the removal of the reference to executive regulations in the PDPL Bylaw for all lawful bases in points 2 to 6. This is acceptable as it leaves the criteria for the listed lawful bases to the Data Controllers' discretion, but it comes with accountability on Data Controllers to assess properly and decide carefully which lawfulness scenario applies to which use case; and b) the removal of the limitation added in the Nov 22 version to point 2, which required that disclosure of personal data collected from a public source must not breach the overall mandates of the law. This is a bit critical: with the new wording, the scenario of inaccurate personal data in the public domain is not considered, so such data may be used without applying the accuracy aspect that the Nov 22 amendment would have preserved.
- Article 20 Breach Notification – Added a reference to the executive regulations to be issued in the PDPL Bylaw for the mandate to notify the Supervisory Authority of any breach, destruction or unauthorized access to personal data, and added a condition to the mandate to notify Data Subjects: notification is required only when the breach/destruction/unauthorized access entails an impact/risk on individuals' rights and interests, alongside the existing reference to executive regulations. This is broadly in line with the Nov 22 version (with slight changes) but is still a major change from the initial version, which mandated immediate breach notification a) to the supervisory authority without any criteria and b) to the data subject in case of high risk/impact on individual rights. The PDPL Bylaw is now expected to specify the criteria for data breaches and the time window for notifying both the supervisory authority and the data subject.
- Article 26 Marketing – Totally removed the changes proposed in the Nov 22 version. Those changes, building on the addition of Legitimate Interest as a legal basis in Article 6, introduced Legitimate Interest as a legal basis for marketing activities with a proper opt-out mechanism (i.e. the Right to Object) so that individual rights are not impacted, while restricting marketing based on sensitive personal data to prior explicit consent only. This was a critical change that brought the law in line with international data protection legislation, which allows marketing based on legitimate interest combined with the Right to Object through a mandated opt-out mechanism. With the total removal of the proposed change there are two possibilities: either a) the intention is to introduce the change, with clarity, in the executive regulations in the PDPL Bylaw, or b) to revert to the initial restriction of not using sensitive personal data in any marketing activity and allowing marketing on non-sensitive personal data with consent only, which will be a huge challenge for all tech organizations, especially in the Telco industry.
- Article 28 Official Documents Copying Restrictions – The article returns in the final version after being totally removed in the Nov 22 version.
- Article 29 Cross-Border Transfers – The Nov 22 version switched from a restrictive approach to cross-border transfers with exceptional scenarios (i.e. extreme necessity, vital interest, contagious disease control, international agreements signed with KSA, KSA's interests) to a more open approach allowing Data Controllers to transfer data cross-border as long as a) the destination country has enforceable Data Protection Legislation that is not less restrictive than KSA's, b) the data minimization principle is considered, and c) the transfer does not impact KSA National Security or KSA's vital interests. It also listed Transfer Derogations that Data Controllers can rely on where the destination country has less or no data protection legislation (i.e. Public Interest, Vital Interest, International Agreement signed with KSA, Contractual Agreement signed with the Data Subject); explicit consent was not one of the derogations, unlike in the EU GDPR.
In the final version, the scenarios that the Nov 22 version treated as derogations (i.e. Public Interest, Vital Interest, International Agreement signed with KSA, Contractual Agreement signed with the Data Subject) have been extended with one additional general scenario, “Transfer for other purposes as specified in the PDPL Bylaw”, and all of them are now additional conditions on top of the 3 main conditions listed in the Nov 22 version (i.e. a) the destination country has enforceable Data Protection Legislation that is not less restrictive than KSA's, b) the data minimization principle is considered, and c) the transfer does not impact KSA National Security or KSA's vital interests). To leave room for exceptions, two further points were added to the clause: 1) total exemption from the 3 main conditions where the cross-border transfer is required out of extreme necessity to protect an individual's life or vital interest, or for contagious disease control; 2) exemption from 2 of the 3 main conditions, namely a) the destination country having enforceable Data Protection Legislation not less restrictive than KSA's and b) consideration of the data minimization principle, according to guidelines to be clarified in the PDPL Bylaw, which will specify the exact scenarios in which those 2 conditions can be relaxed.
This may look complicated to interpret, but it can be read as the same change introduced in Nov 22, and explicit consent is still not one of the derogations as it is in the EU GDPR.
- Article 30 Tasks of Supervisory Authority and Data Protection Officer – Kept the change proposed in the Nov 22 version, which mainly refers the mandate to designate a DPO, and the corresponding DPO tasks, to the guidance and procedures set out in the executive regulations/bylaw. This replaces the absolute general mandate for all Data Controllers to designate a DPO with no criteria. Article 32 Supervisory Authority Tasks and Duties was also merged into this article by adding the following Supervisory Authority duties: 1) authorizing the Supervisory Authority to request cooperation from other entities to support its compliance monitoring duty in accordance with the PDPL Bylaw; 2) defining the compliance monitoring mechanisms that measure the compliance of Data Controllers, in addition to building a National Register of all Data Controllers to serve this purpose; and 3) providing Personal Data Protection related services through the above-mentioned National Register or in any other way at the SA's discretion, where the Supervisory Authority may charge the benefiting Data Controllers for such services.
- Article 31 Records of Processing Activities – Kept as in the initial law version; the mandate added in the Nov 22 version, which was not clear (i.e. “keep records of the personal data processing operations to restrict access to such data as set out in the PDPL Bylaw”), has been removed.
- Article 32 Supervisory Authority Tasks and Duties – Totally removed and merged with Article 30. Worth mentioning that the Nov 22 version expanded the Supervisory Authority's tasks and duties to include more activities, e.g. Compliance Monitoring, Guidance and Instructions Issuance, and Cooperation with other International Supervisory Authorities in Compliance Monitoring, which no longer exist in the final version.
- Article 33 Supervisory Authority Licensing Procedures – As proposed in Nov 22, added a license type for Auditing Bodies in accordance with the executive regulations in the PDPL Bylaw, and made the SA responsible for defining the relevant conditions, requirements, regulations, etc. for issuing such a license. Additionally, the final version re-adds a point on Data Controllers and Processors outside KSA that had been removed in the Nov 22 version, though in different wording and not under the right article: the Supervisory Authority shall define the relevant compliance monitoring and law enforcement mechanisms and procedures for Data Controllers and Processors outside KSA who process personal data of KSA residents in any way. This mandate fits better under Article 30 Tasks of Supervisory Authority and Data Protection Officer.
- Article 34 Right to Lodge a Complaint – Removed the change proposed in the Nov 22 version, which had added the Data Controller as one of the entities with which the data subject can lodge a complaint, in addition to the Supervisory Authority, previously stated as the only entity available to the Data Subject.
- Article 37 Supervisory Authority Powers – Kept the amendments proposed in the Nov 22 version, mainly adding the Dawn Raid privilege for Supervisory Authority personnel in accordance with rules and procedures issued by the Supervisory Authority Head, which shall comply with relevant laws and regulations, in addition to requesting support from other relevant entities in executing the dawn raid privilege. However, the amendment imposing a cooperation obligation with SA personnel on all establishments covered by the law was removed.
AI Governance | Privacy Engineering Consultant | Technology, Policy & Law | 1 year
Great post Osama El-Masry. Very helpful.