KSA Personal Data Protection Law (PDPL)

Authority:

National Data Management Office and Saudi Data and Artificial Intelligence Authority (SDAIA) (First Two years).

Date to be implemented by : 31.03.2023

-Draft Executive Regulation of Personal Data Protection Law (PDPL) dated 10 March 2022

-Personal Data Protection Law Suggested Amendments

Objective:

To ensure the privacy of personal data, regulate data sharing, and prevent the abuse of personal data.

Covers key principles such as purpose limitation and data minimisation, controller obligations, including registration and maintenance of data processing records, data subject rights, and penalties for breach of provisions.

Scope:

Material Scope: Processing of personal data by any data controller or data processor located in the KSA processing the personal data of data subjects residing or working within?or outside?the KSA. It covers the personal data of data subjects residing or working in the KSA.

Territorial Scope: Extraterritorial application- Any data controller or data processor established outside the UAE carrying out processing activities about data subjects in the KSA.

Audit and Compliance Process:

Does not explicitly state the penalties that will apply to organizations due to non-compliance with the PDPL within defined timelines. However SAMA has issued directives for completion befre due date 31 March 2023.

Administrative penalties can be imposed as part of a decision by the Council of Ministers in response to a breach of the PDPL or the Executive Regulations.

The amount for penalties have been specified in subsequent Executive Regulations issued by the KSA Data Office.