New Guidelines regarding Data Protection Law in Saudi Arabia
Following the issuance of the Personal Data Protection Law (“PDPL”; Saudi Arabia Cabinet Decision No. 98/1443; Saudi Arabia Royal Decree No. M19/1443 on the Approval of the Personal Data Protection Law and Saudi Arabia Cabinet Decision No. 604/1444 on the Approval of the Amendments to the Personal Data Protection Law), the Implementing Regulations (Administrative Decision No. 1516/1445) and the Rules regarding Data Protection Officers (see also our article dated 13 September 2024), the Saudi Data & AI Authority (SDAIA) released further guidelines and regulations regarding the implementation of the PDPL.
These include regulations on data transfers outside of Saudi Arabia (for example, a list of countries which provide an appropriate level of data protection), exemptions from obligations of the PDPL for which controllers can apply, and rules governing the national register of controllers. Further guidelines specify the mandatory content of privacy policies, such as the name of the entity collecting data, the explicit purpose of data collection, and the rights of individuals. They also emphasize the consideration of specific aspects during data collection and the regular assessment of collected data to determine whether to retain or destroy it. Non-compliance with these rules can be sanctioned with a fine (up to a maximum of SAR 6 million) and/or imprisonment for up to 2 years.
Companies operating in the Kingdom should assess their data privacy policies and internal guidelines against the new rules and regulations.
For any questions related to Saudi Arabia please contact our dedicated KSA experts at SCHLÜTER GRAF.