KSA’s Personal Data Protection Law

Introduction

Privacy and data protection is becoming one of the most critical issues of an era that is characterized by the technological revolution and a paradigm shift in our interaction with each other and the digital world in general. Data protection is an essential element in protecting the rights of individuals, which is intrinsically tied to the Human Rights of Individuals. Privacy and data protection are not just the responsibility of a nation state, but the onus to have a robust privacy structure is the responsibility of organizations too. Several national laws to safeguard citizens’ privacy ights and the practical application of data protection rules in day-to-day businesses have been modelled after the European regime of data protection and privacy regulations. So, it is crucial to consider the Kingdom of Saudi Arabia’s new rules in light of the General Data Protection Regulation (GDPR). The cornerstone for the law’s effective implementation and operation in Saudi Arabia will be its main considerations, principles, and requirements.

DATA PROTECTION AND KINGDOM OF SAUDI ARABIA

The KSA’s New Personal Data Protection Law designed to systematically protect “personal data” of individuals. After a period of 180 from the date of publication, the law will come into effect on 23 March 2022., and thus data controllers would have to ensure compliance to the law. Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. Saudi Data & Artificial Intelligence Authority (“SDAIA”) will be coordinating with the Central bank and other Information Technology ministries for the implementation of PDPL.On September 24, 2021, the PDPL was released in the Saudi Arabian Official Gazette. It goes into effect in full on March 23, 2022. After that, Data Controllers have an additional year to comply with the PDPL, though this time frame may be extended. The PDPL will be supplemented by rules, which must be published by 23 March 2022 and will probably give more context and direction for the PDPL’s actual use.

AIMS OF PDPL SAUDI ARABIA

Privacy of personal data of residents of Saudi Arabia
Streamline various sector-specific privacy laws under one single statute
Regulate data sharing
Prevent the abuse of personal data
Develop digital Infrastructure
Support innovation to grow a digital economy
Place Saudi Arabia aligned with the international standards

PROVISIONS OF PDPL

Consent

The PDPL requires that organizations not process personal data without the consent of its owner except for the cases stipulated under the Draft Regulation.

Data Controller :

1.The Controllers must adopt a data privacy policy, and the policy should be available to individuals to view before collecting their data.

2.If the Controller is collecting data directly from the data owner, it must inform him or her of:

a) the legal basis for collecting data
b) the purpose of collecting data,
c) the information of those who collect it, d) informing the data subjects
e) decision of cross border transfer of data Data controllers must prepare, Maintain and register data processing activities with SDAIA.
Breach incident must be notified ‘immediately’ to the SDAIA and data subjects.
Controllers must appoint at least one of their employees to be responsible for achieving compliance with the Law.
Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.

Cross Border Transfers

KSA’s Personal Data Protection Law strictly stipulates that a cross-border data transfer may only take place unless a strict impact assessment has been carried out to evaluate just how secure the external location is. Additionally, written consent from the regulatory authority is also required.

Data Subject Rights

Rights of the Data Subjects have been enumerated, inclusive of;

Right to be informed

Right to access
Right to rectification
Right to destruction

Penalties

The KSA PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned. For violating the cross-border data transfer requirements, there may be imprisonment for up to one year and/or a fine not exceeding SAR 1 million ($267,000). For violations of other provisions of the Saudi PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the penalty of the fine in case of repetition of offenses.

CHALLENGES FOR ORGANIZATIONS

Compliance of data sovereignty regulations in cross boarder transfer of. data
Compliance with sever other sectorial stakeholders and regulations (Eg. CITC,SAMA)
Operationalization and classification of data to mitigate any identified data sovereignty risks
The concepts of privacy and data protection have to be embedded in the approach of an organization
Vendor management
Compliance with international standardizations
Establishing robust Cybersecurity and privacy management

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.

KSA’s Personal Data Protection Law

Introduction

Checkout Other Whitepapers

PRIVACY COMPLIANCE CHALLENGES FOR GENERATIVE AI PLATFORMS

DIGITAL PERSONAL DATA PROTECTION ACT 2023

GENERATIVE AI AND DATA PRIVACY:NAVIGATING THE INTERSECTION

The EU Artificial Intelligence Act

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Tsaaro Pune Office

Tsaaro Noida Office

Tsaaro Bengaluru Office I

Tsaaro Bengaluru Office II

Call Our Experts:

+91 95577 22103

We’d love to help your organization achieve your Data Protection goals!