This “Kingdom of Saudi Arabia Personal Data Protection Law Series” addresses the following three aspects:
Part 1: A summary of the Personal Data Protection Law (“PDPL”);
Part 2: A summary of the Implementing Regulation of the PDPL (“Implementing Regulation”);
Part 3: A step-by-step guide to personal data transfers outside of the Kingdom of Saudi Arabia, based on the Regulation on Personal Data Transfer outside the Kingdom (“Data Transfer Regulation”).
On 14 September 2023, the Personal Data Protection Law (“PDPL”) came into force in the Kingdom of Saudi Arabia (“KSA”). The PDPL is the main law in KSA regulating the use of personal data. From 14 September 2023, entities have one year to achieve compliance with the PDPL and Regulations, all of which will become fully enforceable from 14 September 2024. All public and private entities must comply with the PDPL and Regulations.
The Saudi Authority for Data and Artificial Intelligence (“SDAIA”) is the Competent Authority that shall supervise the implementation of the PDPL. The Competent Authority may request documents or information from entities to check their compliance.
The PDPL provides for fines (up to SAR 5,000,000) for breach of its provisions. The competent court may double the amount of the fine for data breaches in the case of repeated violations. The PDPL also provides for imprisonment (up to two years) for disclosure or publication of sensitive data (done in violation of the PDPL) with the intention to harm an individual or to achieve personal gain.