TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Saudi Arabia publishes final Personal Data Protection Law Related reading: Israel's PPA to confirm databases are protected



On 7 Sept., the Saudi Data and Artificial Intelligence Authority formally released the Kingdom of Saudi Arabia Personal Data Protection Law. Enforcement of the law will begin 14 Sept. 2024, which gives organizations one year to prepare for compliance.

This law is the first privacy law in the KSA that aligns the kingdom with international privacy laws, in particular, the EU General Data Protection Regulation, along with some localization that addresses the Middle Eastern culture and adopts the latest guidelines and mechanisms toward the proper implementation of the law through its published regulations.

Personal data cross-border transfer regulation

Although the final wording of Cross-Border Data Transfer Article 29 in the final KSA PDPL was complicated, the regulation outlines the corresponding mandates to Article 29 in a simple and organized manner in line with the GDPR, where it allows the transfer of data on three grounds.

The transfer of data is allowed on:

  1. The adequacy decision for countries, other sectors and international organizations (Articles 3 and 4) shall be determined and issued by the competent authority and concerned entities, along with explaining the adequacy process, highlighting the assessment criteria and frequency or revision mandates.
  2. Transfers are subject to appropriate safeguards (Article 5) if there is no adequacy decision for the destination country, along with listing the different types of approved safeguards from the competent authority, e.g., binding corporate rules, standard contractual clauses, compliance certification mechanism, and the use of enforceable code of conduct.
  3. Derogations for specific situations (Article 6) where there is no adequacy decision meanwhile infeasibility to rely on appropriate safeguards per Article 5, different scenarios of derogations have been listed in line with Article 49 of the GDPR except for not explicitly requiring the data subject's consent. 

There are four scenarios when a transfer should be stopped or prohibited: if it impacts national security or the kingdom's interests, the results of a transfer impact assessment show a high risk to the privacy of data subjects, the invalidity of appropriate safeguards adopted by data controllers, or inability of data controllers to comply with the adopted appropriate safeguards. If one of those scenarios occurs, the transfer will need to be stopped, and the TIA must be redone. The regulation has considered the latest mechanisms introduced after the "Schrems II" decision, i.e., mandating a TIA to transfer data to countries without adequate decisions (Article 8).

PDPL implementing regulation

The PDPL implementing regulation is considered the main regulation besides the Cross-Border Data Transfer Regulation. It clarifies and adds further requirements in the law separate from Article 29 of data transfer.

Data subject rights

The regulation has included verbal requests to data subject request's under the authentication mandate. This is believed to be a burden on data controllers to comply with, especially regarding the operational and accountability aspects. Under the implementing regulation, there is no guidance on the definition of data scope under any of the rights that used to be one of the challenges faced with GDPR that may lead to data controllers receiving an infeasible amount of requests or complaints. Finally, there is no allowance under the new regulation for data controllers to charge data subjects for DSRs deemed excessive or repetitive. However, they can reject requests with justification.

The lawfulness of processing data

Article 16 of the implementing regulation provides guidance on the processing of data under legitimate interest, where it is now introduced with restrictions and precise criteria for using it as a lawful basis. Additionally, data controllers must conduct legitimate interest assessments before processing data in line with Articles 6 and 35 of the GDPR. 


Under the PDPL, data controllers are required to periodically conduct compliance assessments of selected data processors to ensure they are in compliance with the law. This may create a burden on data controllers as they will assume sole accountability for all data processing activities conducted by the data processor before the competent authority and the data subject.

Information security

Article 23 identifies the mandates of securing personal data by referring to National Cybersecurity Authority measures, standards, controls, or best cybersecurity international standards if the NCA does not regulate the data controller. Additionally, the regulations added a significant word to point (a) of the article not stated in the law — necessary. "Data Controllers to implement the necessary security and technical measures to mitigate potential risks on personal data." The addition is impactful as data controllers are mandated to implement information security controls defined by the NCA on all personal data processing activities equally, regardless of scope. Without the ability to prioritize, this may place undue cost and time implications for data controllers.

Data breach notification 

The regulation introduced almost equal criteria that organizations must notify the competent authority and data subject that a data breach has occurred within 72 hours and immediate notification, respectively. This may be a cause for concern with regards to notifying the data subject mandate as it would have been more relevant to be in case of confirmed impact or potentially high impact on the data subject to avoid the possible reputational effect on data controllers.

Privacy impact assessments

The implementing regulation mandates data controllers conduct documented privacy impact assessment in nine different scenarios of personal data processing including, whenever data processing involves anonymization, sensitive personal data, use of new technologies, etc. This is in line with Article 35 of the GDPR. 

Processing health and credit data 

Articles 26 and 27 add more restrictive and specific measures for processing health and credit data. For example, organizations must adopt a restrictive and limited "need to know basis" approach to minimize accessibility, documentation of all processing stages with specifying an owner for each stage when processing health data.

However, more challenging requirements require data controllers to adopt all relevant measures and standards issued by other competent authorities in the health and financial sectors when processing health and credit data. It is an additional responsibility for data controllers to cross-check data protection requirements from different laws and regulations from other authorities than the data protection competent authority.

Processing data for promotional awareness; direct marketing purposes 

Article 28 of the implementing regulation requires data controllers to collect consent from data subjects before processing their data for promotional and awareness purposes. Under the article, there is an important indirect exemption for data controllers if there was a previous interaction between the data controller and data subject. This is similar to Article 21 of the GDPR, allowing data controllers to rely on legitimate interest with the right to object for profiling and direct marketing purposes when data controllers promote their products and services.

On the other hand, Article 29 of the implementing regulation introduced similarities with Article 28 of the Implementing Regulation, which covers the processing of direct marketing purposes, including sending promotional communications to data subjects. However, Article 29 mandates data controllers collect consent from data subjects before processing data without including the indirect exemption mentioned in Article 28.

If Article 29 requires consent collection in direct marketing processing in terms of profiling and analytics, i.e., not for sending promotional communications to the data subject, then this is a more significant challenge as sending them will be allowed for the mass audience, while targeted audience won't be permitted without consent. Hence, this would require further clarification and guidance from the competent authority.

What is next? 

It is important to note the consequences of noncompliance per the law are intolerable in two instances: In the event of the deliberate unlawful disclosure of sensitive personal data, an individual could receive up to two years in prison and/or a fine of SAR3 million. An organization that violates the law could receive a warning or a fine of SAR5 million. If it receives a fine, the court or competent authority could require the organization's data controller to publish it in one or more local newsletters at their expense.

Organizations must design their privacy programs carefully to ensure compliance within the first year, while planning for advanced maturity levels in the following years. They should implement foundational principles and, when applicable, incorporate those requirements into their operational processes at the bare minimum to prove compliance before the competent authority. Finally, instead of prioritizing tooling and automation in the first year of compliance, they should become part of the maturity roadmap to achieve standardization and efficiency in subsequent years.

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment Natasa McAllister • Oct 24, 2023
    That is a very informative and greatly explained summary of the Saudi Data Protection Law.
  • comment Osama El-Masry • Oct 24, 2023
    Thanks Natasa! Glad that you found it useful...
  • comment Mohammad Hamza Saghir • Oct 25, 2023
    Osama, a really useful summary with focus on points of particular interest.  
    Would be useful to get further insights on how the competent authority would handle large volumes of incident notifications and focus on areas of high risk?  Notifying data subjects at the same time as the competent authority can be quite cumbersome and organisations wouldn't necessarily have the operational footprint to handle queries from worried data subjects.
    Also, any insights on how the legislation perceives the role and responsibility of the Personal Data Protection Officer vs. the Data Controller?
  • comment Osama El-Masry • Oct 26, 2023
    Thanks Mohammad Hamza for your comment, exactly that is another concern besides the reputational impact which is how to manage such amount of notifications by both the organizations and competent authority specially that the excessiveness in reporting is always believed to have a distractive impact not allowing to focus on the real incidents with the high impact, and in that regards we believe that some operational efficiencies can be introduced for certain types of incidents that are repetitive and don't entail significant impact on data subjects that would reduce the workload on both sides, on the other hand, what is assuring is that SDAIA is leading by example in all aspects of establishing the PDPL in the Kingdom and we can clearly see how they are adopting an understanding and considerate approach in enforcing this law as seen when they postponed the issuance of the law and releasing both the law and regulations for public consultation and considering majority of the concerns raised by experts and different business sectors, hence we are expecting a very collaborative environment driven by SDAIA that would include issuance of further guidance and to an extent (where permissible) some modifications to address such concerns as they arise during the actual implementation by organizations.
    As for the role and responsibility of the Personal Data Protection Officer vs. the Data Controller, KSA PDPL is pretty much inline with EU GDPR in that regards, where DPO is having more of a compliance monitoring role within the organization vs the full accountability of compliance with the law and its regulations imposed on the organization acting as data controller, this is for example is not the case in Egypt PDPL where DPO is going beyond compliance monitoring and held by law partial accountability of compliance and can be fined in his individual capacity up to EGP 2M.
  • comment Mary Han • Oct 31, 2023
    Hello, Osama. Great summary! Do you have any insight into when we can expect the competent authority to issue adequacy decisions under PDPL? Do you expect them to follow the EU's list of adequate countries?
  • comment Osama El-Masry • Nov 9, 2023
    Hi Mary, No confirmed information about the timeline but I would assume before end of year or maximum by first quarter of 2024. As for following the EU's list of adequate countries, I wouldn't think so specially that adequacy decision qualification criteria are not 100% the same as in EU but definitely there shall be common countries there.