How to prepare for the Saudi Personal Data Protection Law
EMME Advisory Services
Supporting business in emerging markets and the Middle East
When the Saudi Personal Data Protection Law (KSA PDPL) goes into force in September, it will give Saudi residents new rights to their personal information and place new obligations on entities that collect and process their personal information.
The Regulations that will also be issued in September define the additional details, meanings, procedures, and controls companies must follow to legally collect and process personal data in Saudi Arabia.
Saudi residents will have the right to be informed about their personal data, access it, correct it, and request its destruction.[i] In addition, companies that collect personal data in Saudi Arabia and from its residents will have until September 2024 to develop and implement the procedures and controls necessary to collect and process personal data.
Now is an excellent time for companies to start understanding the personal data they collect and process, the rights owners have to their personal data, and the procedures and controls they must follow to collect and process personal data in Saudi Arabia.
This article focuses on understanding the personal data companies collect and process. To understand personal data, companies need to know the following:
What is Personal Data and Sensitive Data?
Personal data[ii] refers to any information that can be used to identify a specific individual directly or indirectly. Direct information refers to any information or data that can identify an individual by itself. Examples of direct information can include physical documents like iqamas, passports, and driver’s licenses; electronic identifiers like cell phone numbers and email addresses; and biometric data like thumbprints and facial recognition. Indirect information refers to addresses, bank accounts, and credit card numbers that can be combined with other information to identify a specific individual.
Companies should use this time to identify the personal data they collect and process. For example, human resource operations routinely collect and process contact information, resumes, and government IDs from applicants to identify qualified candidates and administer employee benefits and payroll. Other functions also collect and process personal data to facilitate transactions with contractors, suppliers, and business partners and to identify and market to clients and customers.
After identifying the personal data collected, companies must determine if any of it is sensitive[iii] and subject to additional processing controls. For example, companies that provide financial services collect and process credit data that is subject to additional processing controls and procedures,[iv] including credit data used to facilitate commercial transactions. Similarly, healthcare providers process health data or genetic data, or provide health services, that are subject to additional processing controls and procedures.[v] Even biometric data used for authentication purposes or location data used in operations will be subject to the additional processing controls and procedures that apply to sensitive data.
When do you collect Personal Data?
Starting in September, companies will have to provide notice to[vi] and obtain approval from[vii] personal data owners to collect their personal data.
Personal data owners can include individuals seeking to establish an employment relationship, such as job applicants, employees, and retirees. They can include individuals seeking to develop a commercial relationship, such as customers, clients, and business partners. They can also include temporary relationships with visitors and guests.
The methods for collecting personal data range from filling out paper forms and applications for employment, credit cards, and surveys to completing an online registration to attend an event or purchase tickets, goods, and services. By identifying now when they collect personal data, companies will know where to place the notices and obtain the consent that will be required later.
How will Personal Data be used?
Going forward, companies will also have to limit personal data collection to the minimum appropriate and necessary amount required[viii] to achieve processing purposes[ix] that are directly related to the company’s operations.[x]
For example, healthcare and financial services providers require personal data and sensitive data to provide healthcare and financial services to their patients, clients, and customers.
Recruitment and human resource functions require personal data to recruit, mobilize, and relocate new hires, create employee agreements, administer work schedules and benefits, and comply with governmental reporting obligations.
Security operations require personal data to manage employee, contractor, and visitor access to company facilities.
Companies also require personal data to manage supplier relationships, engage in public relations activities, and protect their networks against cybersecurity threats.
Companies that collect and process personal data for marketing[xi] and scientific, research, and statistical purposes[xii] will also need to develop and implement specific procedures and controls to collect and process personal data for these purposes.
Companies that start identifying and defining their purposes for collecting and processing personal data now will be able to determine the minimum amount of personal data required for those purposes and establish the personal data collection and processing procedures that the PDPL and the Regulations will require.
Who do you share Personal Data with?
The PDPL also places several controls and obligations on transferring or disclosing personal data.
First, companies must obtain approval from the personal data owner to transfer or disclose their personal data to other parties.[xiii] Even with approval, the PDPL defines circumstances and characteristics under which personal data may not be transferred or disclosed.[xiv]
Second, companies must obtain guarantees from the receiving party that they will process personal data in compliance with the PDPL[xv] and notify them of any corrections or updates to the personal data transferred.[xvi] Finally, companies must follow specific procedures to transfer personal data to recipients outside the Kingdom of Saudi Arabia.[xvii]
Companies should use this time to identify instances where they may need to disclose or transfer personal data for operational, commercial, or legal purposes. For example, companies may need to disclose personal data to service providers that administer their payroll and benefits programs. They may need to disclose or share personal data with business partners to facilitate commercial transactions. They may also need to disclose personal data to governmental authorities to comply with reporting requirements or respond to inquiries or investigations.
Understanding the personal data companies collect and process is an essential first step to being prepared for the enforcement of the PDPL coming in 2024.
[i] KSA PDPL Article 4. A personal data owner shall . . . have the following rights:
1. The right to be informed, . . .
2. The right to have access to their personal data . . .
3. The right to request . . . their personal data . . .
4. The right to request correction . . . of their personal data . . .
5. The right to request the destruction of their personal data . . .
[ii] KSA PDPL Article 1, 4. Personal Data means any statement, whatever its source or form, that specifically would lead to the individual’s knowledge or make it easy to identify him directly or indirectly, for example, the name, ID number, address, contact numbers, numbers of licenses, records, personal property, bank accounts and credit cards, and the individual’s still and moving pictures and other Personal Data.
[iii] KSA PDPL Article 1, 11. Sensitive Data means every personal data related to an individual’s ethnic or tribal origin or religious, intellectual, or political belief, or indicates his membership in nongovernmental association or institutions, as well security and criminal data, identifiable biometric data, genetic data, credit data, health related data, and data that indicates that both parents of an individual or one of them are/is known.
[iv]?KSA PDPL Article 24
[v]?KSA PDPL Article 23
[vi] KSA PDPL Article 13. The controlling entity – in the case of collecting personal data directly from its owner – use adequate means to inform them of the following elements with their data is being collected:
[vii] KSA PDPL Article 5, 1. . . . it is not allowed to process the Personal Data . . . unless obtaining the approval its owner.
[viii] KSA PDPL Article 5, 3. The content of Personal Data shall be appropriate and limited to the minimum necessary for achieving the purpose of collecting the Personal Data.
[ix] KSA PDPL Article 10. [personal data] may . . . be processed only to achieve the purpose for which it was collected.
[x] KSA PDPL Article 11. The purpose for collecting the Personal Data shall have a direct relationship with the purposes of the Controlling Entity.
[xi] KSA PDPL Article 25. . . . the Controlling Entity shall not use the personal communications media, including the mailing addresses and emails, of the Owner of Personal Data in order to send promotional materials or awareness-raising materials, unless in accordance with the following:
[xii] KSA PDPL Article 27. The Personal Data may be collected or processed for scientific, research or statistical purposes, without obtaining the approval of its owner, in the following circumstances:
[xiii] KSA PDPL Article 15, 1. . . . if the personal data owner agrees to disclose in accordance with the provisions of this law.
[xiv] KSA PDPL Article 16. The controlling entity shall not disclose data [with personal data owner agreement] if the disclosure is characterized by any of the following:
[xv] KSA PDPL Article 8. The controlling entity shall – when choosing the processing party – choose an entity that provides the necessary guarantees for enforcing the provisions of the Law and the Regulations.
[xvi]?KSA PDPL Article 17.
[xvii]?KSA PDPL Article 29.