PERSONAL DATA PROTECTION LAW
Kingdom of Saudi Arabia
© 2022 Tsaaro. All rights reserved.
TABLE OF CONTENTS
1. Introduction
2. Scope and Application of PDPL
3. Structure
4. Provisions of PDPL
5. Key Considerations
6. Comparison with GDPR
7. Challenges for organisations
8. Conclusion
Tsaaro | KSA Personal Data Protection Law
INTRODUCTION
Privacy and data protection have emerged as one of the most critical issues of an era characterised by the technological revolution and a paradigm shift in how we interact with each other and with the digital world in general. Data protection is an essential element in protecting the rights of individuals and is intrinsically tied to their human rights. Privacy and data protection are not just the responsibility of a nation state; the onus to have a robust privacy structure falls on organisations too. Privacy and data protection constitute the core values of efficient legislation. The challenges of collecting, managing and processing the personal data of individuals are ones that can be effectively regulated by a robust data protection statute. Implementation and operation of a piece of legislation can be an arduous and precarious ordeal, but once in action it becomes the bedrock of a regimented and vigorous privacy-protecting statute. In this White Paper we will enumerate and elucidate the various provisions of PDPL, the core principles of the legislation and the challenges the legislation will pose to businesses and organisations. In addition, the European regime of data protection and privacy law has been the benchmark for many national legislations protecting the rights of individuals and for the pragmatic implementation of data protection law in everyday business. Thus, it is essential to look at the new law of the Kingdom of Saudi Arabia in light of the General Data Protection Regulation (GDPR). The key considerations of the legislation, its principles and obligations will be the bedrock for smooth implementation and functioning of the law in Saudi Arabia.
DATA PROTECTION AND KINGDOM OF SAUDI ARABIA
The Personal Data Protection Law (PDPL) is designed to systematically protect the "personal data" of individuals. It was implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021). After a period of 180 days from the date of publication, the law will come into effect on 23 March 2022, and data controllers will then have to ensure compliance with the law. The Vision 2030 programme in the Kingdom of Saudi Arabia brought about significant changes in the telecommunication, media and technology regulatory landscape. PDPL is not the first law that defines privacy for the Kingdom of Saudi Arabia: the Basic Law of Governance of 1992 (Royal Order No. A/91 of 1992) ('the Basic Law') defines privacy as a right related to the dignity of an individual, guarantees the privacy of communication, and generally prohibits surveillance unless an exception applies. It also includes Shari'ah principles against the invasion of privacy or disclosure of secrets. Other acts that speak about privacy are the Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17) and the E-commerce Law of 2019; other sectoral regulations also contain privacy provisions. These laws give regulatory powers to the National Cybersecurity Authority and the Communications and Information Technology Commission ('CITC') in their respective sectors. The CITC has been responsible for publishing regulations on:
- General rules for maintaining the privacy of personal data of users in the telecommunications and information technology sector;
- The privacy guide for assessment of risk for telecommunications service providers; and
- Criteria for determining the need to carry out privacy risk assessments.
Once PDPL is implemented it will become imperative for entities/organisations to comply with the personal data protection law by appointing a representative in the Kingdom. This provision has to be complied with within 5 years from the effective date of implementation of the law. The Saudi Data & Artificial Intelligence Authority ("SDAIA") will be coordinating with the Central Bank and other information technology ministries for the implementation of PDPL, though the supervisory role will be handed over to the National Data Management Authority ("NDMO"), an authority under SDAIA. For any processing by business or public entities, by any means, of the personal data of citizens of Saudi Arabia, including processing of the personal data of residents of Saudi Arabia outside the Kingdom and processing where the business has a foreign data controller, the law requires a representative to be appointed and licensed by SDAIA in order to perform the data controller's obligations under the law. In an age where data has become, or is about to become, the most valuable commodity, the need for a robust data protection regime becomes imperative. Countries around the world have realised the importance of such a regime not only to protect the rights of their citizens, but also to showcase their economic prowess. Most countries in the Middle East are realising the need for data protection and for laws that prevent illegal personal data processing. The Kingdom of Saudi Arabia has taken a step towards establishing a comprehensive data protection mechanism for its citizens and for cross-border data processing.
AIM OF PDPL
The PDPL bill aims to encapsulate the following:
- Privacy of personal data of residents of Saudi Arabia
- Streamline various sector-specific privacy laws under one single statute
- Regulate data sharing
- Prevent the abuse of personal data
- Develop digital infrastructure
- Support innovation to grow a digital economy
- Align Saudi Arabia with international standards

SCOPE AND APPLICATION OF PDPL
Article 1(4) of PDPL defines "personal data" as: "any information, in whatever form, through which a person may be directly or indirectly identified. This expressly includes an individual's name, identification number, addresses and contact numbers, photographs and video recordings of the person." Thus, the legislation makes it clear that a controller must be appointed in the Kingdom of Saudi Arabia for the processing of personal data of individuals who are citizens of the country, irrespective of where the business operates or whether there is a foreign data controller. Article 2(2) of PDPL states that PDPL is not applicable to the processing of personal data for family matters.
STRUCTURE
Below are the topics that will be covered by this white paper, taking into consideration the problem statement:
Preliminary Questions
- Applicability of the PDPL and what is needed for processing of personal data?
- What are the key considerations in PDPL?
- What are the core principles of PDPL?
- Can cross-border transfers take place under PDPL?
- What are the obligations of a controller under the law?
- What are the rights of data subjects under PDPL?
- Who will be accountable for a data breach and will they be penalised?
- How is PDPL different from GDPR?
- What are the challenges that an organisation will face when complying with PDPL?
- What are the future expectations from PDPL?
PROVISIONS OF PDPL
This section will elucidate the various provisions in PDPL that are established to preserve the privacy of individuals.
1 CONSENT
Consent is the primary legal basis for processing and is to be obtained in writing, subject to further requirements. Processing without consent is permitted only under the following conditions:
- Definite interest
- In accordance with another law or implementation of a pre-existing agreement
- The controller is a public entity and processing is essential to meet security requirements
2 CROSS BORDER TRANSFERS
Transfers of data outside of the Kingdom of Saudi Arabia may be made for limited purposes. Even if the transfer falls into a permitted category, it must further satisfy the following conditions for the cross-border transfer of data to take place lawfully:
- Does not adversely affect the national security of the Kingdom
- Guarantees are provided to safeguard the data transferred or disclosed
- Only limited, necessary data is transferred
- Consent of the SDAIA has been obtained in respect of the transfer/disclosure
3 OBLIGATIONS OF CONTROLLERS
The controller must adopt a data privacy policy, and the policy should be available for individuals to view before their data is collected. If the controller is collecting data directly from the data owner, it must inform him or her of:
a) the legal basis for collecting the data,
b) the purpose of collecting the data,
c) the information of those who collect it,
d) informing the data subjects, and
e) any decision on cross-border transfer of the data.
Data controllers must prepare, maintain and register data processing activities with SDAIA. In case of a breach incident, it has to be notified 'immediately' to the SDAIA and to the data subjects. Controllers must appoint or assign at least one of their employees to be responsible for achieving compliance with the Law. Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.
4 DATA SUBJECT RIGHTS
The rights of data subjects have been enumerated, including:
- Right to be informed
- Right to access
- Right to rectification
- Right to destruction
5 PENALTIES
- Fines of up to SAR 3m for disclosure or publication of sensitive data in breach of PDPL.
- Up to SAR 1m for breaches of data transfer rules.
- Offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL.
- General fine of SAR 5m for any violation of the PDPL.
KEY CONSIDERATIONS IN PDPL
The key considerations of the data protection legislation are listed below:
01 ACCOUNTABILITY
When processing personal data, the data controller should have measures in place that abide by the provisions of the law and should do regular checks so that the means of processing data conform to PDPL principles (Article 8).
02 PURPOSE LIMITATION
The collection of personal data should have a direct link to the controller's purpose for processing it. The purpose should be specific, and the data limited to only what is required to satisfy the purpose (Articles 11, 11(2), 11(3)).
03 TRANSPARENCY
A privacy policy must be in place that can be viewed by data subjects before collection of their personal data, setting out the purposes of collection, the categories of personal data collected, the means of collection, the means of storage, processing and erasure, as well as data subject rights and how to exercise them (Article 12).
04 ACCURACY
Data should be up to date, complete, and specific to the purpose for which it was collected (Article 14). Data subjects have a right to erasure, which the controller has to abide by (Article 18; exceptions to the right to erasure under Article 18(2)).
05 APPOINTMENT OF DATA PROTECTION OFFICER
Controllers are required to appoint a person (or several persons) to be responsible for implementing PDPL. A local representative should be appointed for controllers that operate outside the Kingdom and process the personal data of Saudi citizens. This is done for compliance with the applicable laws (Article 33(2) of the PDPL).
06 RECORDS OF PROCESSING ACTIVITY
The organisation/company needs to keep records of processing activities for a time period determined by the executive regulations (Article 31). The competent authority will establish an online portal to build a national database of controllers, with which each controller must register and pay an annual fee not exceeding SAR 100,000 (Article 32).
07 DATA PROTECTION IMPACT ASSESSMENT
Controllers must conduct an evaluation of the effects of processing associated with any product or service provided to the public, in accordance with the requirements of the Regulations.
Comparison between the Personal Data Protection Law and the General Data Protection Regulation

Deceased persons
PDPL: PDPL also applies to the data of deceased persons if it can lead to the identification of the deceased person or his or her family. 'Deceased persons' are included in the definition of data subjects.
GDPR: Recital 27 confirms that the GDPR does not apply to the personal data of deceased persons, only to natural living persons (Art. 4(1), Rec. 27).

Personal data breach
PDPL: Any element of data, alone or in connection with other available data, that would enable the identification of a specific Saudi citizen.
GDPR: The term is defined in Art. 4(12). A personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Breach notifications
PDPL: A breach must be notified "immediately" rather than within a specified period.
GDPR: Under Article 33 of GDPR, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach.

Caveat to disclosure of personal data
PDPL: There is a caveat to the usual permitted disclosures of personal data by the controller if the disclosure could pose a security risk, damage the reputation of the Kingdom or impact Saudi Arabia's relationship with other countries.
GDPR: Article 49 of GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. Suppose there is no decision on an adequate protection level. In that case, a transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures); standard data protection clauses adopted by the EU Commission or by a supervisory authority; an approved code of conduct or an approved certification mechanism (Articles 44-50, Recitals 101, 112, Chapter V).

Cross-border transfer
PDPL: Controllers will not be able to transfer personal data outside Saudi Arabia unless required to comply with an agreement to which the Kingdom is a party, to serve Saudi interests, or for other purposes that will be set out in the executive regulations. There are requirements to ensure that the data transfer or disclosure outside the Kingdom does not impact national security or Saudi interests, and to obtain the approval of SDAIA, i.e. the Saudi Data & Artificial Intelligence Authority.
GDPR: GDPR states that personal data shall be transferred to a third country or international organization with an adequate protection level as determined by the EU Commission. Where there is no adequate protection level, transfer is only permitted when the data controller or data processor provides appropriate safeguards that ensure data subject rights. Appropriate safeguards include: BCRs with specific requirements (e.g., a legal basis for processing, a retention period, and complaint procedures); standard data protection clauses adopted by the EU Commission or by a supervisory authority; an approved code of conduct; or an approved certification mechanism (Articles 44-50, Recitals 101, 112, Chapter V).

Registration and RoPA
PDPL: Data controllers must register with SDAIA. There will be a fixed fee for private entities that are data controllers, which is yet to be published in the Regulations. Records of Processing Activity (RoPA) must also be registered with SDAIA.
GDPR: Article 30 of GDPR requires data controllers to have a record of processing activities. On demand of the authority, the data controller or the data processor provides the record of processing activities. But there is no obligation under GDPR to notify the data protection authority about RoPA or to register data controllers with it.

Official documents must not be photocopied
PDPL: It is a common practice in the region for official documents such as passports or ID cards to be photocopied. The PDPL prohibits this unless it is for the implementation of the provisions of a law, or if a competent public authority requests these, in accordance with the PDPL regulations.
GDPR: No such condition is laid down.

No "directing services" or "monitoring" test for foreign business
PDPL: PDPL applies to any entity located outside of KSA that is processing the personal data of individuals residing in KSA. No particular quantitative threshold or qualitative tests are set out.
GDPR: Only applies to non-EU established entities that are engaged in targeting, offering goods or services to, or monitoring EU individuals.

Exceptions to consent
PDPL: Data owner consent is not required where the processing: achieves a definite or certain interest for the data owner and it is impossible or difficult to contact them; is required by law or in application of a prior agreement to which the data owner is a party; or is done by a public entity and such processing is required for security purposes or to meet judicial requirements.
GDPR: GDPR does not explicitly mention exceptions to consent for processing the personal data of individuals; rather, it states the lawful bases for processing personal data other than consent. The lawful bases are: processing is necessary to satisfy a contract to which the data subject is a party; you need to process the data to comply with a legal obligation; you need to process the data to save somebody's life; processing is necessary to perform a task in the public interest or to carry out some official function; you have a legitimate interest to process someone's personal data (Art. 6).

Need to obtain a licence or appoint a licensed representative
PDPL: Article 33 of the PDPL provides that the Authority shall be responsible for issuing licenses to commercial, professional or non-profit businesses under the PDPL; however, it does not expressly state what, if any, additional licenses a business will need to obtain in order to process personal data. Non-KSA based data processing entities which process personal data related to individuals residing in KSA will have to appoint a representative in KSA, licensed by the Authority, to carry out their obligations under the law.
GDPR: Similar to the requirement under GDPR for non-European established businesses which are subject to GDPR to appoint a representative in the Union.

Data protection officer
PDPL: The entity shall identify and appoint a Chief Data Officer to lead the Data Management and Personal Data Protection agenda. The Chief Data Officer's (CDO) responsibilities shall be highlighted in a job description and aligned with the responsibilities defined in the "Organizational Manual" published by NDMO.
GDPR: Appoint a DPO (Article 37) and a representative under certain conditions. Under Article 4(21) of GDPR: "'representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation".

Penalties
PDPL: Fines of up to SAR 3m (approx. GBP 590,000) for disclosure or publication of sensitive data in breach of PDPL; up to SAR 1m (approx. GBP 200,000) for breaches of data transfer rules; offenders under the PDPL can be criminally prosecuted for a prison term not exceeding 2 years where sensitive data is disclosed or published contrary to the PDPL; general fine of SAR 5m (approx. GBP 1,000,000) for any violation of the PDPL.
GDPR: GDPR has an upper cap on its monetary penalties, either 2% of global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher. This depends on the level of violation, which is decided by the member states and public authorities (Articles 83, 84; Recitals 158, 149).
CHALLENGES FOR ORGANISATIONS
- Compliance with data sovereignty regulations in cross-border transfer of data
- Compliance with several other sectoral stakeholders and regulations (e.g. CITC, SAMA)
- Operationalisation and classification of data to mitigate any identified data sovereignty risks
- The concepts of privacy and data protection have to be embedded in the approach of an organisation
- Vendor management
- Compliance with international standards
- Establishing robust cybersecurity and privacy management
CONCLUSION
The vision behind PDPL is commendable and will lead more countries to establish a data protection and privacy regime. The Kingdom has long-term goals to facilitate an emerging data-driven economy. In the coming months there will be further details and guidance on the law and its implementation. The business models that are set up in the Kingdom will have to ensure compliance and work towards establishing a privacy-aware and privacy-protecting mechanism in the functioning of their organisations. In addition to establishing a data protection law that protects the rights of individuals, it is essential to understand the challenges that an organisation/company will face in an effort to accelerate the drive towards an information-based society. Organisations/companies have to take into consideration compliance audit, gap analysis, governance, training and development, and a compliance programme so that they are not in breach of PDPL. In conclusion, the steps taken by the Kingdom of Saudi Arabia are a welcome change that aligns with the need for a robust privacy and data protection mechanism around the world. This will only lead to strengthening the basic human rights of individuals. The Kingdom of Saudi Arabia has paved the way for many other Middle Eastern countries to move towards providing a system where the personal data of individuals is of primary importance and its protection is essential.
WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.

Our Team
Akarsh Singh (CEO & Co-Founder, Tsaaro): Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.
Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro): Krishna is an ex-KPMG data security consultant. He has vast experience in Information Security and Data Privacy Compliance.
Srishti Tripathy (Senior Data Protection Consultant, Tsaaro): Srishti is a privacy professional with a Master's degree from Tilburg University in Law and Technology.

Reviewer
Anselmo Diaz Valiente (Senior Consultant | NCC Group): Anselmo is an experienced consultant involved in a variety of projects requiring the application of expert knowledge in Information Security and Data Protection. He has ample experience in auditing and providing consultancy to organisations across diverse sectors.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719
Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore- 560045, India. P: +91-0522–3581
Email us: info@tsaaro.com