The KSA’s new Personal Information Protection Law (PDPL) aims to secure people’s “sensitive information” in a systematic manner. It was published in the Saudi Official Gazette on September 24, 2021; after 180 days from the date of publication, the legislation takes effect on March 23, 2022, and data controllers will be required to ensure compliance. The Sultanate of Saudi Arabia’s commitment to its 2030 Agenda has resulted in substantial changes to the regulatory environment for communication, media, and technology. For the deployment of the PDPL, the Saudi Information and Artificial Intelligence Authority (“SDAIA”) will work with the Central Bank of the Kingdom alongside other information technology departments.
Numerous national laws have been modelled on the European framework of privacy and data protection legislation, in order to preserve people’s privacy rights and to ensure that data protection standards are actually applied in day-to-day operations. As a result, it is critical to consider the Sultanate of Saudi Arabia’s revised regulations in light of the GDPR (General Data Protection Regulation). The fundamental concepts, principles, and standards established by the legislation will serve as the foundation for its efficient operation and enforcement in Saudi Arabia.
GOAL AND CHANGES BROUGHT IN BY PDPL
The PDPL’s goal is to protect individuals’ information privacy, regulate data exchange, and prevent the misuse of personal information. Notably, the PDPL addresses essential concepts such as purpose limitation and data minimization, controller obligations such as registration and the upkeep of processing records, the data subject’s rights, and penalties for violations.
The PDPL brings Saudi Arabia more in line with its Middle Eastern neighbours as well as globally accepted standards. Meanwhile, the National Data Management Office has created the National Data Governance Interim Rules, which include the Personal Data Protection Interim Regulations and the Data Sharing Interim Regulations. The Personal Data Protection Interim Regulations address fundamental ideas such as transparency, accountability, disclosure of information, and data subject rights, while the Data Sharing Interim Regulations focus on data security, legal basis, and responsible data usage.
FUNDAMENTAL PRINCIPLE OF PDPL
The Law on the Protection of Personal Data, together with its executive regulations, establishes the legal foundation for safeguarding individuals’ rights in relation to the processing of their personal data by every organisation in the Kingdom, as well as by all entities outside the borders of the Kingdom that process, by any method whatsoever, personal data relating to individuals residing in the Kingdom, including electronically processed personal data.
The following are the fundamental features and principles of the PDPL that a firm needs to adhere to:
- Accountability: the organisation’s head (or their designee) is responsible for the data controller’s protection policies and procedures; this is one of the core components of a data protection policy.
- Transparency is achieved through a privacy notice that sets out the purposes for which personal data is collected.
- Choice and consent: before collection, implicit or explicit consent is obtained for the collection, use, and disclosure of personal data.
- Collection limitation: only the data necessary to achieve the stated purposes is gathered.
- Use, retention, and destruction must be strictly in accordance with the purpose; data is retained only for as long as necessary to fulfil the intended purposes or as required by laws and regulations, and is destroyed securely to avoid leakage, loss, theft, abuse, or unauthorised access.
- Data access allows any data subject to inspect, update, and rectify their personal information.
- Disclosure limitation: disclosure to third parties is restricted to what the data subject has approved, for the purposes stated in the privacy notice.
- Data security is achieved by safeguarding personal data from breach, damage, loss, misuse, modification, or unauthorised access, in compliance with the requirements of the National Cybersecurity Authority and all other applicable authorities.
- Data quality is ensured by verifying the data for accuracy, completeness, and timeliness.
- Monitoring and enforcement: the data controller’s protection policies and processes are reviewed and enforced, and privacy-related questions, complaints, and disputes are handled.
WHAT IS PERSONAL DATA AS PER PDPL?
Personal data is defined under the PDPL as any information that directly identifies a person or could potentially lead to their identification, including (but not limited to) name, driver’s licence number, mobile phone number, website location, and social security card number. The PDPL does not apply to personal data processed for purely personal or household purposes. The legislation also safeguards deceased persons’ personal data where that information could lead to the identification of the deceased or, in particular, of their closest relatives.
The PDPL, like the GDPR, classifies particular types of personal information as “sensitive.” According to the PDPL, sensitive personal data is any information derived from an individual’s “ethnic or tribal origin, religious, intellectual, or political orientation, or indicates his participation in civil associations or institutions.” It also includes criminal and security-related data, biometric information, genetic information, credit information, health information, location information, and information indicating that an individual’s parents, or one of them, are unknown.
TO WHOM PDPL SHALL APPLY
The PDPL applies to organisations (both public and commercial) and their affiliates that process the personal data of Saudi residents with the goal of supplying them with goods or services. It also covers companies operating outside of Saudi Arabia that process Saudi residents’ personal data. For this purpose, personal data is any information that may be used to determine the identity of a natural person, including a deceased person or the relatives of the deceased, and excludes information used for personal or household purposes.
DATA SUBJECT RIGHTS AVAILABLE AS PER PDPL
The PDPL gives Saudi residents various rights over their personal data. Let’s look at them:
- Right to be informed: every organisation that processes a user’s personal data must inform the user of the legal basis on which it collects their personal data and of the purpose of the processing. The user must also be informed that the data will not be used for any other purpose in the future.
- Right of access: users have the right to access the personal data a controller holds about them. According to the legislation, users have the right to obtain a free copy of their personal data in a readily understandable format.
- Right to rectification: users have the right to demand that companies rectify, update, or complete personal data about them within a reasonable time frame. The company must notify, and provide the updated data to, any third party with whom it shared or transferred the data.
- Right to erasure: users have the right to request that personal data be deleted if it is no longer required by the company.
STEPS FOR COMPLIANCE WITH THE PDPL IN SAUDI ARABIA
The following is an 11-step protocol for adherence to the Personal Information Protection Law (PDPL) of Saudi Arabia:
- Do not collect personal data unless there is a legal basis to do so, and do not mislead individuals about the collection.
- Collect only the personal data required for the initial purpose.
- Do not collect or disclose personal data without the user’s consent, except for the purposes already stated.
- Publish a privacy notice for your company that explains how you handle personal data and why and when you share it with third parties.
- Maintain the accuracy and timeliness of personal data.
- Do not disclose personal data to third parties except for the purposes stated.
- Do not transfer personal data outside of the Kingdom of Saudi Arabia unless the relevant procedures specified in the law are followed.
- Take the necessary precautions to keep personal data, and especially sensitive data, secure.
- Keep a record of your personal data processing activities to submit to the authorities if required.
- Notify the authorities of data breaches as quickly as feasible, and notify affected users promptly if the risk to them is serious.
- Conduct impact assessments on the processing of personal data, particularly sensitive data.
PENALTIES FOR NON-COMPLIANCE
The following are the penalty provisions for non-compliance:
- Anyone who publishes or discloses sensitive data in contravention of the legislation faces a maximum punishment of two years in prison, a fine not exceeding SAR 3 million (USD 800,000), or both.
- Anyone who breaches the regulations of cross-border data transmission faces up to a year in prison and a fine of up to SAR 1 million (USD 267K), or both of these punishments.
- Businesses that violate any of the other provisions will receive a warning or a fine of up to SAR fifty million (USD 1.3 million). For repeated violations, the penalties may be quadrupled (up to SAR 10 million).
- The Public Prosecution Office is responsible for investigating and prosecuting violations.