1 / 2

Saudi Arabia’s Personal Data Protection Law — Tsaaro

If you are doing business in Saudi Arabia, it is important to know about the country's new personal data protection law.Read more to find out what you need to know to comply with the law.

tsaaro
Download Presentation

Saudi Arabia’s Personal Data Protection Law — Tsaaro

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Saudi Arabia’s Personal Data Protection Law — Tsaaro under Royal Decree No. M/148 dated 05/09/1444H. (corresponding to 27 March 2023) (Amended PDPL). These amendments were preceded by a public consultation launched by the Saudi Data and Artificial Intelligence Authority (SDAIA) in late 2022, not all the proposals have been implemented. Personal Data Protection Law Ksa amendments introduce several concepts that are more closely aligned with the international standard such as the EU General Data Protection Regulation (GDPR). EFFECT OF PDPL KSA The Personal Data Protection Law KSA will take effect 720 days after the publication of the original law in the Official Gazette, this means the effective date of 14 September 2023. Further, an important thing to be noted by the Organizations that fall within the ambit of the PDPL will have a one-year grace period to comply with the PDPL from the date it comes into force. THE PROPOSED AMENDMENTS TO PDPL The following are the proposed amendments to the Personal Data Protection Law Saudi Arabia. Definitions The definition of “Sensitive Personal Data” has now been narrowed down, which now solely refers to Personal data relating to an individual’s ethnic or racial origin, religious, intellectual, or political belief, criminal and security data, biometrics data, genetic data, and health data. The definition of “Owner of Personal Data” was also amended removing the previous extension to an individual’s legal representative or guardian which now refers only to the individual to whom the personal data relates. Legitimate interest as a legal basis for processing data Another significant amendment was the inclusion of legitimate interest as a lawful basis for processing data, but the term is not defined under the PDPL. In the original published version of PDPL, in certain circumstances, the requirement of consent is not needed in limited circumstances, where it remained as a criticism but the revision permits the processing can be carried out when there is a necessity to achieve a legitimate or lawful interest of the controller that does not affect the data subject rights. In accordance with the sensitive data, this legal basis will not be applied. Personal Data Protection Law Saudi Arabia (KSA) was recently amended

  2. And this legitimate interest remains the legal basis for the collection of personal data and also for the disclosure of personal data to third parties. The addition of legitimate interest seems to be beneficial. Previously, the data controller could only disclose personal data in five prescribed circumstances, the amendments now also permit the disclosure if it is necessary to achieve the legitimate interests of the controller, provided such disclosure does not prejudice the rights of the owner of the data, conflict with the interests or constitute sensitive personal data. International data transfers Further, significant amendments were made pertaining to international data transfers. The amendments now include the requirement that there shall be an appropriate level of protection for personal data outside of the KSA (which must not be less than the level of protection stipulated in the PDPL and the associated regulations). The executive regulations supplementing the PDPL shall specify the provisions, standards, and procedures including determining the circumstances in which a controller may be exempt from compliance with any of the prescribed conditions. Penalties in the case of non-compliance A penalty of imprisonment for a period of 2 years and/or a fine not exceeding 3,000,000 Saudi Riyals where a person discloses or publishes sensitive personal data in violation of the PDPL. Administrative fines of up to 5,000,000 Saudi Riyals may also be issued for any other violation of PDPL. Organizations must be aware of the proposed amendments to Saudi Arabia’s Personal Data Protection Law, and its effective date to comply to avoid the penalties. Are you an organization that wanted to comply with Saudi’s PDPL, reach out to our team of experts at Tsaaro to get assistance and compliance services. Click Here : Personal Data Protection Law Saudi Arabia (KSA)

More Related