Kingdom of Saudi Arabia’s Personal Data Protection Law

In September 2023, the Saudi Authority for Data and Artificial Intelligence issued:

      the Implementing Regulations of the Personal Data Protection Law (“the Implementing Regulation”) and

      the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom.

These regulations were developed in consultation with various government entities and mark an important development in the Kingdom of Saudi Arabia’s (“KSA”) data protection landscape, as they provide clarity and significant detail supplementing the KSA Personal Data Protection Law (“PDPL”).

The PDPL is the Kingdom of Saudi Arabia’s first comprehensive national data protection legislation. The PDPL and the Regulations entered into force on September 14, 2023, but data controllers have a one-year grace period to comply with the PDPL (until September 14, 2024).

Scope of Application

The PDPL is applicable to the processing of personal data within Saudi Arabia, encompassing any method of processing. Additionally, the PDPL has an extra-territorial reach, applying to non-Saudi entities processing the personal data of individuals residing in Saudi Arabia.

A distinctive feature of the PDPL, setting it apart from other data protection laws, is its inclusion of the processing of personal data of deceased individuals. This inclusion is applicable if the personal data can lead to the identification of the deceased person or their family members specifically.

Principles of the Law

1. Consent and the Use of Legitimate Interest

The PDPL prohibits the processing of personal data without the consent of the data subject, except in specific circumstances. Consent is therefore one of the main legal bases for processing personal data, for collecting personal data indirectly (from a source other than the data subject), for using the data for any purpose other than the one for which it was originally collected, and for disclosures.

However, consent is not obligatory in every situation, and it may not be made a condition for providing unrelated services or benefits. Exceptions to the consent requirement, as outlined in the PDPL, include:

      when the processing activity is in the interest of the data subject, and it is impossible or difficult to contact them;

      when the processing activity is carried out pursuant to another law, or to implement a prior agreement to which the data subject is a party; and

      when the data controller is a public entity and the contemplated processing is required for national security or the administration of justice.

Additionally, the Implementing Regulation states that a data controller may process data on the basis of legitimate interests. Detecting fraud and protecting network and information security are, for example, two of the 'legitimate interests' recognised under Article 17(2) of the Implementing Regulation. The regulation stipulates the conditions under which this legal basis may be used, including that:

      the purpose must not violate any KSA laws,

      there be a balance between the rights and interests of the data subject and the legitimate interests of the data controller,

      such processing be within the “reasonable expectation” of the data subject, and

      sensitive data is excluded from such processing.

Before processing data on the basis of legitimate interests, the Implementing Regulation requires a data controller to conduct and document an assessment of the proposed processing and its impact on the rights and interests of data subjects. The assessment must address the following elements:

      purpose identification;

      legitimacy evaluation;

      necessity verification;

      reasonable expectations;

      potential harm assessment; and

      risk mitigation measures.

This is similar to the Legitimate Interest Assessment under the GDPR. However, the GDPR's three-part test serves only to assess whether legitimate interest applies, and it is not obligatory; it is a risk assessment, based on the specific context and circumstances, that gives the data controller assurance that the processing is lawful and can also help it demonstrate compliance in line with its accountability obligations.

2. Other Legal Bases

2.1. Contract with the Data Subject

The PDPL provides that the processing of personal data is not subject to consent in certain circumstances, including where the processing is pursuant to the implementation of a previous agreement to which the data subject is a party. This basis, however, rests on a 'previous agreement' to which the data subject is party, rather than on processing 'for the performance of a contract' as under the GDPR. Hence, unlike under the GDPR, data controllers cannot rely on this basis to process personal data without consent in order to take steps prior to entering into a contract.

2.2. Legal Obligations

In accordance with Article 6(2) of the PDPL, the processing of personal data is not subject to consent if the processing is pursuant to another law (i.e., legal obligation). Under the Implementing Regulation, when disclosing personal data in response to a request from a public authority for security purposes, to implement existing laws, fulfil legal requirements, or ensure public health, safety, or the well-being of specific individuals, the following measures must be observed:

      the request for disclosure should be documented; and

      the type of personal data required to be disclosed should be accurately defined.

2.3. Interests of the Data Subject

Consent is not required for processing personal data when it serves the 'actual interests' of the data subject, and communication with the data subject is either impossible or challenging. According to the Implementing Regulation, 'actual interests' are defined as 'any moral or material interest of a data subject that is directly linked to the purpose of processing personal data and that is necessary to achieve that interest.' In cases where processing is necessary to fulfil an actual interest of the data subject, the controller is obliged to maintain evidence confirming the existence of such an interest and demonstrating the difficulty or impossibility of contacting the data subject.

2.4. Public Interest

Although the PDPL lacks a direct equivalent to the specific public interest basis found in the GDPR, the concept of public interest is foundational to various provisions within the PDPL:

      Concerning the grounds for processing personal data, the PDPL specifies that a public entity can process personal data without the data subject's consent when the processing is necessary for security purposes or to meet judicial requirements.

      Regarding the collection of personal data, while the general rule mandates data collection directly from the data subject and restricts the use of personal data to the disclosed purposes at the time of collection, the legislation allows indirect collection or processing for other purposes when aligned with public interest objectives, security needs, law implementation, or judicial requirements.

      The PDPL also permits the disclosure of personal data if the requesting entity is a public entity, and the collection or processing is essential for public interest or security purposes, to implement another law, or to fulfil judicial requirements.

When a public entity collects personal data directly from someone other than the data subject, processes the data for a purpose other than the one for which the data was collected, or requests disclosure to achieve a public interest, it must comply with the following:

      ensure that such actions are imperative to achieve a well-defined public interest;

      confirm that the identified public interest aligns with the competencies prescribed for the public entity by law;

      implement suitable measures to mitigate potential harms, including establishing requisite administrative and technical controls to ensure employees comply with Article 41 of the PDPL. This article mandates that anyone involved in personal data processing must maintain the confidentiality of the data even after the termination of the employment contract;

      document these operations in the records of processing activities;

      collect and process only the minimum amount of personal data necessary to achieve the intended purpose.

3. Disclosing Personal Data

The PDPL specifies that controllers collect personal data directly from the data subject and that any processing of such data must be for the purpose for which the personal data was collected. In the following cases, however, a data controller may collect personal data from another source (other than the data subject) or process personal data for another purpose:

      the data subject consents to the collection of the personal data or the processing for a new purpose;

      the personal data is publicly available or collected from publicly available sources;

      the controller is a public entity, and the personal data was not directly received from the data subject or was processed for a purpose other than that for which it was collected, as required for public interest objectives, security purposes, or to implement another law or to fulfil judicial requirements;

      compliance with this restriction may cause harm to the data subject or affect the vital interests of the data subject;

      the collection or processing of personal data is necessary to protect the public health, public safety, or to protect the life or health of a specific individual;

      the personal data will not be recorded or stored in a form that makes it possible to directly or indirectly identify the data subject (i.e., anonymization); and

      the collection or processing of the personal data is necessary to achieve legitimate interests of the controller or any other party, without prejudice to the rights or interests of the data subject, and provided that the personal data is not sensitive data.

There are also circumstances when disclosures are not permitted. The controller may not disclose personal data if the disclosure:

      poses security risks, distorts the KSA's reputation, or works against the KSA's interests;

      impacts the KSA's relationships with other countries;

      prevents disclosure of a crime, impacts the rights of an accused to receive fair trial, or affects the integrity of ongoing criminal procedures;

      exposes people to danger;

      leads to violation of the privacy of a person other than the data subject, as set out by the Regulations;

      conflicts with the interests of a minor or incapacitated person;

      violates lawful professional standards;

      violates a judicial order, procedure, or obligation; or

      discloses a secret information source that should not be disclosed for the public interest.

4. Rights of Data Subjects

Similar to the GDPR, data controllers are obligated to act on a request from a data subject within 30 days (except in certain instances in which this period may be extended by an additional 30 days, e.g., if the data controller receives multiple requests from the data subject) and to provide appropriate means for requests to be processed. While Article 4 of the PDPL outlines the various rights available to data subjects, the Implementing Regulation now provides further detail and clarity, including:

      Right to be Informed: The Implementing Regulation differentiates between instances in which data is collected (A) directly from a data subject and (B) from a source other than the data subject.

      In respect of (A), a data controller is required to take the “necessary measures” to inform data subjects of prescribed information, including the legal basis and a “specific, clear, and explicit purpose” for the processing. The PDPL specifically requires that a data controller use a privacy policy to make certain information available to data subjects.

      In respect of (B), a data controller shall “without undue delay” and within 30 days take steps to inform the data subject of the prescribed information, in addition to the source from which the data controller obtained the data.

      Right of Access and to Request a Copy: The Implementing Regulation notes that the right to access and to request a copy of personal data in a “readable and clear format” and a “commonly used electronic format” (although the data subject may request a printed hard copy if feasible) is subject to certain conditions, including that exercising the right should not negatively impact the rights of others. Data controllers are obligated to ensure that they do not disclose the identity of another individual when granting access to the data.

      Right to Restrict Processing: The Implementing Regulation stipulates that data subjects have a right to restrict the processing of their personal data when its accuracy is contested (for a period enabling the data controller to verify such accuracy), although the data controller may request supporting evidence.

      Right to Request Destruction: The Implementing Regulation sets out circumstances in which a data controller is required to destroy personal data, such as upon the exercise of a data subject’s rights, where the personal data is no longer necessary to achieve the purpose for which it was collected, or if the data controller becomes aware that the data is being processed in violation of the PDPL. The Implementing Regulation also prescribes the steps a data controller must take when destroying personal data.

Personal Data in the Financial Industry

The Financial Consumer Protection Principles and Rules of the Saudi Arabian Monetary Agency ('SAMA') highlight the safeguarding of data and information as one of the 10 fundamental principles for consumer protection applicable across all financial institutions. Financial entities are required to establish suitable mechanisms in accordance with relevant regulations, instructions, and policies to ensure the privacy of consumers' financial, credit, insurance, or personal information. The rights outlined in the Personal Data Protection Law (PDPL) are established as a baseline standard.

SAMA has also issued regulations governing data exchange between creditors and borrowers, mandating the confidentiality of consumers' personal data, restricting its processing solely for credit borrowing purposes, and necessitating consultation with the Saudi Credit Bureau for information verification. Another regulation issued by SAMA safeguards the privacy of individuals' financial information, emphasising the obligation of finance companies and their employees to maintain the confidentiality of clients' data and transactions. Any disclosure is permitted only in accordance with relevant laws and instructions.

Furthermore, several regulations governing the insurance sector also include privacy and data protection obligations. For example, the Outsourcing Regulation for Insurance requires insurers and insurance service providers to establish proper safeguards to protect the integrity and confidentiality of policyholder data and financial data including by:

      entering into non-disclosure agreements;

      providing financial data and data of the insured to a third party on a need-to-know basis only; and

      requiring the third party to segregate their data from other data pools.

SAMA has also issued regulations that provide that companies must, at all times, ensure that customer personal data is protected. This means that the data:

      must be obtained and used only for specified and lawful purposes;

      must be kept by the company in Saudi Arabia;

      must be kept secure and up to date for a period of 10 years;

      must be provided to the customer upon their written request; and

      must not be disclosed to a third party without the prior authorization of the SAMA (other than the companies' auditors, actuaries, reinsurers, and co-insurers).

However, the implementing decree to the PDPL specifies that the Saudi Authority for Data and Artificial Intelligence will coordinate with the SAMA and other institutions to prepare a Memorandum of Understanding to regulate some of the aspects related to the application of the provisions of the PDPL and the Regulations on the entities regulated by the SAMA. This suggests that there will be some element of transition from the prior state of sector-specific regulation towards the PDPL as the overarching data legislation in Saudi Arabia.

Conclusion: PDPL vs. GDPR

There are some differences between the national data protection legislation of the Kingdom of Saudi Arabia and the GDPR, such as the legal bases (consent being the main legal basis) and the scope of application (the PDPL applies to the personal data of deceased people). Nonetheless, the PDPL and the GDPR set out a number of very similar principles, such as:

      Purpose limitation: The purpose of collecting personal data shall be directly related to the purposes of the controller;

      Security: The methods and means of collecting personal data must be suitable to the circumstances of the data subject, direct, clear, safe, and free from any types of fraud, deceit, or blackmail;

      Data minimization: The content of the personal data must be relevant and restricted to the minimum extent required to achieve the intended purpose. Such content should not lead to the direct identification of the data subject, provided that the objective of data collection is achieved;

      Storage limitation: If it becomes clear that personal data being collected is no longer necessary to achieve the intended purpose of its collection, the controller must stop the data collection and destroy the data without delay;

      Accuracy: The controller may not process personal data without taking sufficient measures to ensure accuracy, completion, recency, and relevancy of the data based on the purpose of its collection.

For more information and guidance you can contact us at office@decalex.ro 

Diana Cojocaru

Privacy and information security consultant

Author: DECALEX TEAM