Personal Data Protection Law (PDPL)

What is PDPL? What are the objectives and purpose?

The PDPL is a law that sets the rules and regulations for how personal data must be handled in order to protect the privacy of the citizens of the Kingdom.

Objectives and Purpose

Protect Privacy: Ensure that personal data about individuals is kept confidential and secure.

Control Data Use: See that personal data is only collected, used, and shared for valid and legitimate purposes.

Provide Rights: Grant individuals the right to access, correct, and erase their personal data.

Be Transparent: Require companies and organizations to disclose why they collect and process personal data.

Prevent Abuse: Prevent any misuse of personal data that could harm the individual it concerns.

In a nutshell, the PDPL aims to balance the protection of personal data with giving individuals control over the information they provide.

Here’s a simplified explanation of the PDPL Articles:

  1. Where the Law Applies: This law covers the handling of personal data in the Kingdom, even if it's processed by someone outside the Kingdom but about people in the Kingdom.
  2. Exceptions: The law doesn't apply to personal data used for private or family purposes if it’s not shared or made public.
  3. Other Laws Still Apply: This law doesn't replace other laws or international agreements that offer better protection or more rights regarding personal data.
  4. Your Rights: You have the right to know why your data is collected, access it, get it in a readable format, correct it, or ask for it to be deleted.
  5. When Consent Isn't Needed: Your data can be processed without your consent in certain cases, like for your best interest, legal requirements, or public security.
  6. No Forced Consent: Consent for data processing can’t be forced unless the service directly involves the data processing.
  7. Choosing Compliant Processors: Companies must choose service providers who follow the law and ensure they comply.
  8. Access Limits: Companies can set time frames for accessing data and limit access in certain cases, like for security reasons.
  9. Collecting Data from Others: Data can be collected from other sources and used for different purposes if there’s consent, it’s public, needed by a public entity, or anonymized.
  10. Purpose Limitation: Data must be collected for specific reasons related to the company’s activities and must be stopped and deleted when no longer needed.
  11. Privacy Policy: Companies must have a privacy policy explaining why they collect data, how it will be used, and your rights before collecting your data.
  12. Information Requirements: Companies must tell you why they are collecting your data, what it will be used for, who will receive it, and the consequences if you don’t provide it.
  13. Data Accuracy: Data must be accurate, complete, and up to date.
  14. Data Disclosure: Data can be shared with consent, if it’s public, needed by a public entity, anonymized, or for legitimate interests without involving sensitive data.
  15. Non-Disclosure Situations: Data must not be disclosed if it threatens security, affects international relations, hinders crime detection, endangers someone’s safety, or breaches legal obligations.
  16. Updating Data: When data is corrected or updated, companies must inform all entities that received the data.
  17. Data Deletion: Data must be deleted when no longer needed, unless anonymized or legally required to keep it.
  18. Security Measures: Companies must protect data with proper measures, including during transfer.
  19. Breach Notification: Companies must inform authorities and affected individuals about data breaches that could harm their data or rights.
  20. Responding to Requests: Companies must reply to your requests about your data rights within specified time frames.
  21. Impact Assessments: Companies must assess the impact of data processing on products or services.
  22. Health Data Protection: Extra rules protect health data, limiting access to essential employees and minimizing the number of people handling it.
  23. Credit Data Protection: Extra rules protect credit data, requiring consent for data collection, changes, or sharing, and notifying data subjects when their data is requested.
  24. Marketing Communication: Companies can’t send ads without prior consent and must provide an opt-out option.
  25. Marketing Data Use: Data can be used for marketing if collected directly from you with consent.
  26. Scientific Data Use: Data can be used for research without consent if you’re not identified, identifying info is destroyed, or it’s required by law.
  27. Copying Documents: Copying documents that identify you is not allowed, except by law or public authority request.
  28. Transferring Data Abroad: Data can be transferred outside the Kingdom for obligations, Kingdom interests, legal compliance, or urgent cases protecting life or health, with adequate protection.
  29. Authority Oversight: The Competent Authority oversees law implementation, appoints data protection officers, requests documents, and offers data protection services.
  30. Record-Keeping: Companies must keep records of their data processing activities.
  31. Licensing and Compliance: The Competent Authority sets requirements, issues licenses, and ensures compliance by entities inside and outside the Kingdom.
  32. Complaints: People can complain to the Competent Authority about rights violations.
  33. Penalties for Violations: Unlawful disclosure of sensitive data can lead to imprisonment or fines. Repeat offenses can double the penalties.
  34. Fines for Other Violations: Other violations can result in warnings or fines. A committee assesses violations and issues penalties.
  35. Inspection Authority: Competent Authority employees can inspect for violations and work with other authorities.
  36. Confiscation and Publication: Courts can confiscate funds from violations and publish judgments, considering the type and impact of the violation.
  37. Disciplinary Actions: Public entities will discipline employees who violate the law.
  38. Compensation: People can seek compensation for harm caused by violations.
  39. Confidentiality: Anyone handling personal data must keep it confidential, even after their job ends.
  40. Issuing Regulations: The Competent Authority must issue regulations within 720 days after the law is published, coordinating with relevant ministries.
  41. Law Effective Date: The law takes effect 720 days after publication in the Official Gazette.

Muhammad Kashif Siddiqui

CGEIT, COBIT I&A, PMP, CISA | PDPL, CMMI, ISO, AGILE/ SCRUM, SAMA, BCM, Strategy | CISO - Global CISO Forum, CISO of the year - Future Workspace, Cyber Security Excellence - Cyber Next, Legend - Global CIO Forum

8 months
Sair Manzur (CISSP)

GRC l Information Security consultant | cyber security |

8 months

Good, keep it up
