Update to Notice and Consent under the PDPL

The Saudi Personal Data Protection Law (PDPL) protects the rights of Saudi residents (i.e., Data Subjects) by requiring companies to tell Data Subjects that their personal data is being collected and prohibiting companies from using their personal data without the Data Subject’s Consent.

Notice ensures that Data Subjects know when their personal data is being collected and how it will be used, and consent gives Data Subjects the ability to approve or disapprove of its use for proposed processing purposes.

This update incorporates the final Regulations and NDMO Guidance on when companies in Saudi Arabia must provide notice, the types of notice required for different processing activities, the requirements for legal consent, and the types of consent required for different processing activities.

Notice

Under the PDPL, companies in Saudi Arabia must provide information, or notice, to Data Subjects before collecting their personal data and before they can use their personal means of communication (e.g., addresses, emails, and phone numbers) to send advertising and marketing information.

Companies must provide basic information through a Privacy Policy[i] and additional information through appropriate measures,[ii] depending on the nature of the processing activity.

The Privacy Policy must include:

  • the purpose of collecting Personal Data,
  • the Personal Data collected,
  • the means used for collection, processing, storage, and destruction, and
  • information about the Data Subject rights and how to exercise them.

The Regulations identify the additional information required to process Personal Data collected directly from Data Subjects,[iii]

  • Controller’s identity, contact details, and any other details related to the channels established by the Controller for the purpose of communicating in relation to Personal Data Protection.
  • Contact details of the data protection officer appointed by the Controller, where applicable.
  • The legal basis and a specific, clear, and explicit purpose for collecting and Processing Personal Data.
  • The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.
  • Explanation about Data Subject’s rights, as stipulated in Article 4 of the Law and the mechanisms for exercising those rights.
  • Explanation of how to withdraw the consent given to process of any Personal Data.
  • Explaining whether collecting or Processing Personal Data is mandatory or optional.

and to engage in specified processing activities:[iv]

  • Means and methods of collecting and Processing Sensitive Data, where applicable.
  • Means and procedures taken to protect Personal Data.
  • Indicate whether decisions will be made based solely on automated Processing of Personal Data.

Question 2.1 of the NDMO PDPL Self-Assessment asks companies in Saudi Arabia:

Are privacy notices clearly provided to data subjects informing them of the legal basis for processing and the purpose of processing as well as all other information, as set out in Articles 12 and Article 13 (including the rights of the data subjects in Article 4)?

The Guidance describes what must be included in the privacy notice:

  • Legal basis for collecting personal data.
  • The purpose of collecting the data subject’s personal data, and whether collecting all or some of it is mandatory or optional, and informing data subjects also that their data will not be processed later in a manner inconsistent with the purpose of its collection or in cases other than those stipulated in Article 10.
  • Types of personal data to be collected.
  • Means used for collection, processing, storage and destruction of personal data.
  • The identity of the data controller, collecting the personal data and its address unless the collection is for security purposes.
  • The entity(ies) to which the personal data will be disclosed, their role, and whether the personal data will be transferred, disclosed or processed outside the Kingdom.
  • Possible effects and dangers of not completing the personal data collection procedure.
  • The rights of data subjects stipulated in Article 4 of the PDPL, which are as follows:
    - The right to be informed of the legal basis and purpose for collecting your personal data.
    - The right to have access to your personal data.
    - The right to obtain a copy of your personal data in a readable and clear format.
    - The right to request correction, completion or updating of your personal data.
    - The right to request the erasure of your personal data if it is no longer needed.
    - The right to withdraw your consent to the processing of your personal data (when you give such).

Advertising & Marketing

The Self-Assessment asks companies:

Q14.1: Do you use personal means of communication (such as post and/or email) for advertising and/or awareness?

To send advertising[v] and marketing[vi] information through personal addresses, email and phone numbers, the first advertising and marketing communication sent must include:

  • descriptions of the methods used to send advertising and marketing materials,
  • the name of the company sending the advertising and marketing messages, and
  • the mechanisms or procedures to stop receiving advertising and marketing information.

Companies must also allow Data Subjects to specify the methods for receiving the advertising and marketing materials[vii] and provide them with a clear mechanism to stop receiving such materials.[viii]

Additional Notice

Companies must notify Data Subjects of third-party requests for their Credit Data.[ix]

The Self-Assessment asks companies:

Q13.2: If you process Credit Data, have you implemented the extra controls as set out in Article 24?

The Guidance explains that these extra controls,

Require that the Data Subject be notified when a request for disclosure of their Credit Data is received from any entity.

The PDPL gives companies in Saudi Arabia until September of 2024 to identify the Data Subjects they collect Personal Data from and the processing activities that will be performed on the Personal Data collected. That information is necessary to develop notices that are appropriate for the nature of the processing activities.

Consent

The Self-Assessment asks companies:

Q3.1: Are you able to demonstrate that data subjects have consented to the processing of their data (where applicable)?

Subject to limited circumstances, the PDPL requires companies in Saudi Arabia to collect Personal Data directly from Data Subjects,[x] and the preferred legal basis for processing their Personal Data is consent.[xi] Companies may obtain Data Subject consent through any means (e.g., oral, written, or electronic) that can be documented.[xii]

As the Guidance explains,

If you collect consents of data subject (where required by the PDPL), you must record and store all such consents in the systems of your organization.

For consent to be effective, the Data Subject must be competent and allowed to provide their consent freely[xiii] and without condition.[xiv]

Without Condition

The PDPL specifically prohibits companies from making a Data Subject’s consent a condition to receive any service or benefit not directly related to the processing purposes for which their consent was given.[xv] However, companies may inform Data Subjects of the risks or consequences of not providing their Personal Data.[xvi]

For example, a company may not require Data Subjects to consent to processing their personal banking information for the purpose of hiring them as an employee. However, a company may advise job applicants that it cannot directly deposit their pay if hired without their personal banking information and consent to use it for payroll and benefits administration.

Related to Purpose

The need for a direct relationship between the processing activities provided in the notice to Data Subjects and the language of the consent given by Data Subjects is evident through the:

  • obligation for companies to only process personal data for the purposes for which consent was given,[xvii]
  • requirement to obtain independent consent for each processing activity,[xviii] and
  • prohibition against processing Personal Data for any other purpose without additional consent.[xix]

To prove this relationship, companies in Saudi Arabia should specifically identify each processing purpose in the notice provided to Data Subjects, and the language of the Data Subject’s consent should refer to all purposes contained in the notice. Where the nature of the Personal Data processing, its purpose, and its activity require explicit consent,[xx] companies should use specific and separate language to obtain the Data Subject’s consent for each particular processing activity.[xxi]

The Self-Assessment asks companies:

Q3.2: Are consent requests clearly distinguishable from other terms and conditions, prepared in an intelligible and accessible form, and written in clear and plain language?

The Guidance further explains:

In order to collect consent from a data subject, you must request such consent. Such a request must not be combined with any other terms and conditions – e.g. conditions for sale of products or performance of services. The request for consent must be presented to the data subject as a separate document which the data subject can easily find and review. The consent requested must be concise and must be written in a language that any person can understand – e.g. without legal education.

Consistent with the separate notice required to send advertising and marketing materials through personal emails and phone numbers, companies must obtain consent from the targeted recipient[xxii] to use their personal communications to send advertising and marketing information.

The Self-Assessment asks several questions about advertising and marketing information:

Q14.2: Do you conduct such advertising and/or awareness in accordance with the requirements of Article 25 of the PDPL?

Q15.1: If you process personal data for marketing purposes, do you collect consent for such marketing and do you ensure that no sensitive data is collected for such marketing purposes?

Q15.2: When collecting consent for marketing purposes, is such collecting of consent in accordance with the PDPL?

The Guidance explains that, before sending awareness and advertisement materials, companies must obtain consent from the Data Subject for such processing.

Data Subjects must also be allowed to specify the methods for receiving the advertising and marketing materials to which their consent applies.[xxiii]

Additional Consent

The Self-Assessment asks:

Q5.1: When you want to use personal data for other purposes than for which it was collected, do you comply with the requirements under article 10?

The Guidance explains:

If you change the purpose of processing – you will need to comply with Article 10.

Consistent with the additional notice required to process Personal Data for other purposes than for which it was collected, companies must also obtain additional consent to process Personal Data for other uses.[xxiv]

Companies in Saudi Arabia must also obtain consent to disclose a Data Subject’s Personal Data to their affiliates and business partners.[xxv]

Withdrawing Consent

The Self-Assessment asks companies:

Q3.3: Can data subjects at any time withdraw their consent to data processing?

Because Data Subjects may withdraw their consent at any time,[xxvi] companies in Saudi Arabia will need to develop procedures and mechanisms to:

  • allow Data Subjects to withdraw their consent at any time,[xxvii]
  • stop processing Personal Data after consent has been withdrawn, and
  • notify affiliates and business partners who received Personal Data of the withdrawal and require the destruction of the Personal Data disclosed.[xxviii]

As the Guidance explains:

You must provide data subjects with an opportunity to withdraw their consent at any time. The mechanism of such withdrawal must be easy and straightforward for the data subject – not more difficult than it was to give consent in the first place.

Identifying the Data Subjects they collect Personal Data from and the processing activities performed on the Personal Data collected will also help companies in Saudi Arabia develop the appropriate consent language, structure, and mechanisms to obtain and document the consent required in September 2024.

Next Steps

Now is the time for companies to start identifying the Data Subjects they collect Personal Data from and the processing activities that will be performed on the Personal Data collected to develop the notices and consents required:

  • by their processing activities,
  • to send advertising and marketing materials through personal communication, and
  • to disclose Personal Data to their affiliates and business partners.

and the procedures and controls necessary to:

  • document consent that is appropriate for the processing activity,
  • allow Data Subjects to withdraw their consent at any time, and
  • notify third parties of the Data Subject’s withdrawal of consent.

Feel free to [email protected] for assistance reviewing and building the policies, procedures, controls, and training you will need to comply with the new Saudi Personal Data Protection Law.


[i] PDPL Article 12: The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data.

[ii] PDPL Article 13: When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate means to inform the Data Subject of the following upon Collection:

[iii] Regulation Article 4(1): Right to be informed. . . . if the Personal Data is collected directly from the Data Subject, the Controller shall, before or when collecting the Personal Data, take the necessary measures to inform the Data Subject of the following:

[iv] Regulation Article 4(5): When a Controller whose activities require systematic and large scale processing of Personal Data on individuals that fully or partially lack legal capacity, or continuous monitoring of Data Subjects, adoption of new technologies, or making automated decisions based on Personal Data, shall take the necessary measure to inform the Data Subject of what is stipulated in paragraph 1 of this Article, in addition to the following:

[v] Regulation Article 28(1): Controller shall obtain the Consent from the targeted recipient before sending advertising or awareness materials in case of the absence of a prior interaction between the Controller and the targeted recipient.

[vi] Regulation Article 29: Direct Marketing: . . . the Controller shall abide by the following: a) Obtain consent from Data Subject in accordance with the provisions of Article (11) of this Regulation.

[vii] Regulation Article 28(2)(b): Conditions for obtaining the target recipient’s consent for advertising or awareness materials shall . . . allow the targeted recipient [to be able] to specify the options related to advertising or awareness materials subject to consent.

[viii] Regulation Article 29: Provide a mechanism that enables the Data Subject to opt out of receiving marketing materials when desired, and ensure that the procedures for opting out of receiving such materials are easy, straightforward, and at least as easy as the procedures for giving consent to receive them.

[ix] PDPL Article 24(2): the Regulations shall set out additional controls and procedures for the Processing of Credit Data [that include] Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.

[x] PDPL Article 10: The Controller may only collect Personal Data directly from the Data Subject.

[xi] PDPL Article 5(1): Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject.

[xii] Regulation Article 11(d): Consent shall be documented in a way that allows verification in the future.

[xiii] Regulation Article 11(a): Consent shall be given freely and not obtained through misleading methods, and obtaining consent shall comply with the provisions of Article 7 of the Law.

[xiv] PDPL Article 7: The consent referred to in paragraph 1 of Article 5 of this Law may not form a condition of providing a service or a benefit.

[xv] PDPL Article 7: The consent referred to in paragraph 1 of Article 5 of this Law may not form a condition of providing a service or a benefit, unless such service or benefit is directly related to the Processing of Personal Data for which the consent is given.

[xvi] PDPL Article 13(5): When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of . . . The potential consequences of and risks that may result from not collecting the Personal Data.

[xvii] PDPL Article 5(1): Except for the cases stated in this Law, neither Personal Data may be processed . . . without the consent of the Data Subject.

[xviii] Regulation Article 11(e): Independent consent shall be obtained for each processing operation if the purposes of processing are multiple.

[xix] PDPL Article 5: Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject.

[xx] Regulation Article 11(2): The Data Subject’s consent shall be explicit in the following cases:

a) When consent is the sole legal basis for processing Personal Data.

b) When the processing involves Sensitive Data.

c) When the processing involves Credit Data.

[xxi] PDPL Article 1(9): Explicit Consent: Direct and explicit consent given by the Data Subject in any form that clearly indicates the Data Subject’s acceptance of the Processing of their Personal Data in a manner that cannot be interpreted otherwise, and whose intention can be proven.

[xxii] Regulation Article 28(1): Controller shall obtain the Consent from the targeted recipient before sending advertising or awareness materials in case there is no prior interaction between the Controller and the targeted recipients.

[xxiii] Regulation Article 28(2)(b): Conditions for obtaining the target recipient’s consent for advertising or awareness materials shall . . . [enable the targeted recipient] to specify the options related to advertising or awareness materials subject to consent.

[xxiv] PDPL Article 5(1): Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject.

[xxv] PDPL Article 15(1): The Controller may not Disclose Personal Data except [when] Data Subject consents to the Disclosure in accordance with the provisions of the Law.

[xxvi] PDPL Article 5(2): In all cases, Data Subject may withdraw the consent mentioned in Paragraph 1 of this Article at any time; the Regulations determine the necessary controls for such case.

[xxvii] PDPL Article 12(2): Consent withdrawal: Before requesting consent from the Data Subject, the Controller shall establish procedures that allow for the withdrawal of that consent and take the necessary measure to ensure their implementation, with the procedures for withdrawing consent being similar to or easier than those for obtaining it.

[xxviii] PDPL Article 12(4): Consent withdrawal: When the Data Subject withdraws their consent for processing their data, the Controller shall take appropriate measures to notify those to whom the Personal Data has been disclosed and request its Destruction through any available means.
