Data protection in Saudi-Arabia – the countdown to the Personal Data Protection Law has begun


published on 12 March 2024 | reading time approx. 5 minutes

  

The Saudi data protection law is due to be implemented in just under six months. After the final version of the implementation regulation for the data protection law (Administrative Decision No. 1516/1445) was passed in September 2023, the regulations are currently scheduled to come into force one year later – on 14 September 2024. This represents another milestone on the path of the PDPL (Cabinet Decision No. 98/1443) as Saudi-Arabia's first data protection law. In terms of its structure and content, the law is very similar to the General Data Protection Regulation (GDPR) and is therefore largely based on its values. 


  
Since affected companies should check their data protection processes in Saudi Arabia for compatibility with the provisions of the PDPL before the regulations come into force, the similarities and differences between the PDPL and the GDPR are highlighted below and the expected effects are presented. Particular attention is paid to the transfer of data to the Kingdom, which is of particular practical relevance for the companies concerned.

  

Essential content of the PDPL

As with the GDPR, general basic and processing principles are anchored in the PDPL, from which the essential provisions for the processing of personal data can be derived. These include the principles of purpose limitation, data minimisation, storage limitation and the integrity and confidentiality of data processing. The various legal bases under which data may be processed (Articles 5, 6) and the rights of data subjects (Article 4) are similarly structured. The alignment of the PDPL with the GDPR is also reflected in the various data protection instruments and mechanisms provided for in the PDPL. For example, already familiar measures such as the record of processing activities (Article 31), the performance of data protection impact assessments (Article 25 of the Implementing Regulation) and the appointment of a data protection officer (Article 32 of the Implementing Regulation) can be found here.
  
The PDPL also has international practical relevance, particularly due to its extraterritorial scope of application. Based on the establishment and market place principle of the GDPR, the PDPL applies on the one hand to any processing of personal data that takes place in Saudi-Arabia and on the other hand to the processing of personal data of persons residing in the Kingdom. In the latter case, it does not matter whether the controller is based in Saudi-Arabia or outside, such as in the EU.
  
The sanctions provided by the PDPL for violations of data protection regulations should also not be neglected. Depending on the offence, the penal provisions (Article 35) provide for prison sentences of up to two years or fines of up to 5 million Saudi riyal, or even up to 10 million Saudi riyal, the equivalent of up to 2.5 million Euro, for repeated offences. 
  

Legislative developments

The first draft of the PDPL dated 24 September 2021 was initially specified and partially modified by Decision No. 1516/1445 dated 23 March 2023 and again in September 2023 by the implementing regulation (Administrative Decision No. 1516/1445). Particular attention should be paid to the following amendments to the original version:
  • The original version of the PDPL contained only the consent of the data subject and a few narrowly defined exceptions as the legal basis for processing their personal data (Article 5). This restriction has since been lifted. Processing can now also be based on the processing basis of a legitimate interest (Article 16 of the Implementing Regulation), which is familiar from the GDPR. However, this does not apply to the processing of sensitive personal data.
  • Article 3 of the original PDPL, which contained a list of the legal bases for the processing of personal data under Articles 6, 10 and 15 of the PDPL, has been deleted.
  • The rights of data subjects can now be exercised regardless of the legal basis of the underlying data processing. The exercise of rights was initially limited to processing based on consent, an overriding legitimate interest of the controller or the performance of a contract.
 

Differences between PDPL and GDPR

Despite the predominant and very obvious comparability of the PDPL with the GDPR, there are also some significant deviations from the European provisions in Saudi data protection law. Some of the differences are likely to have a significant impact on the data protection practices of the companies concerned. 
  
The biggest difference is probably in the area of the basis for processing. While the entire catalogue of Art. 6 GDPR is available to controllers under the GDPR, the PDPL is primarily limited to consent; apart from some special circumstances, only the legitimate interests of the data subject or of the controller are sufficient as a legal basis. According to Article 1 No. 6 (Implementing Regulation), the legitimate interest of the controller is any necessary need of the controller that makes processing necessary for a particular purpose, provided that the rights and interests of the data subjects are not adversely affected. The narrowly defined Article 16 (2) can be used as an aid to interpretation; it recognises such an interest in the detection of fraud and the protection of network and information security, among other things. It remains to be seen to what extent a legitimate interest of the controller can also be extended to other interests, in particular economic interests. In view of the requirement of a “necessary need”, this is likely to involve a great deal of argumentation. In the absence of specific consent, data processing for the purpose of fulfilling a contract between the controller and the data subject can only be justified on the basis of a legitimate interest of the data subject. This is likely to lead to increased effort and legal uncertainty for the companies concerned.
  
Finally, from the perspective of data controllers, the basis for assessing penalties for data protection violations is favourable. In contrast to the GDPR, the PDPL does not have a fine based on a company's annual turnover. Even taking into account the PDPL's maximum fine of 10 million Saudi riyal for repeated data protection violations, a possible fine is far lower than a fine of up to 4 percent of the company's total annual global turnover under the GDPR.  
  

Data transfer

The import or export of personal data is part of everyday practice for companies with data protection links to the Kingdom of Saudi-Arabia. Regardless of whether this concerns customer data from a shared CRM system or employee data as part of shared services such as HR controlling or centralised payroll accounting, every data transfer constitutes processing and therefore requires a corresponding legal basis. Due to the extraterritorial areas of application of the PDPL and GDPR, it is first necessary to check which data protection law the company responsible is subject to. In particular, the establishment and market place principle of the GDPR must be taken into account. As the EU Commission has not yet issued an adequacy decision for the Kingdom of Saudi Arabia, it must then be clarified on which legal basis a data transfer can be based. In addition to the Binding Corporate Rules, which have only been used sporadically in practice to date, the Standard Contractual Clauses (SCCs) are likely to be used in most cases. When using SCCs, particular attention should be paid to the selection of the correct modules and a sufficiently specific description of the processing procedures. In addition, particular attention should be paid to the Transfer Impact Assessment (TIA), which must always be carried out before the transfer. Similar to data protection impact assessments, this measure serves to evaluate any risks associated with a data transfer to the destination country. 
  
In order to avoid severe sanctions, responsible companies should take the above considerations into account and thoroughly examine the individual circumstances of each transfer scenario. Offences in connection with cross-border data transfers can be punished with a prison sentence of up to one year and/or a fine of up to 1 million Saudi riyal (approx. 250,000 Euro).
  

Practical effects

Companies operating in the Kingdom of Saudi-Arabia should use the time remaining until the PDPL comes into force in September 2024 to review their data protection compliance with regard to the provisions of the PDPL. Due to the far-reaching similarities, companies that already effectively implement the provisions of the GDPR should also be well positioned with regard to the PDPL. The internal control and audit measures that have also proven to be effective for checking GDPR compliance are essentially suitable for this purpose. Particular attention must be paid to data transfer. Due to the still unresolved issues regarding transfers to third countries and uncertainties regarding the use of standard contractual clauses, many companies still face a certain degree of legal uncertainty in this area. It is also worth taking a look at the basis for processing. Where possible, companies should endeavour to obtain effective consent from the data subjects for data processing. 
  

Guidance from the Saudi Data Protection Authority

It is also advisable to monitor further developments and take into account any opinions issued by the data protection authorities. The following handouts from the Saudi data protection authority can be particularly helpful:
