Saudi Arabia Confirms Amendments to the Personal Data Protection Law
Key changes to the PDPL:
- The controller may transfer personal data or disclose it to a party outside the Kingdom to achieve any of the following purposes:
  - If it is in implementation of an obligation under an agreement to which the Kingdom is a party.
  - If it is to serve the interests of the Kingdom.
  - If it is in implementation of an obligation to which the owner of the Personal Data is a party.
  - If it is in implementation of other purposes as specified by the regulations.
Controllers will need a specific purpose to transfer or disclose data outside Saudi Arabia. The transfer or disclosure shall not prejudice national security or the vital interests of the Kingdom. There shall be an appropriate level of protection for personal data outside the Kingdom, not less than the level of protection stipulated in the law and regulations, in accordance with the results of an evaluation conducted by the competent authority in this regard. However, the executive regulations should determine the cases in which controllers are exempt from compliance with this condition.
- The controller may disclose personal data if the processing is necessary to achieve his legitimate interests, unless it prejudices the rights of the owner of Personal Data or conflicts with his interests, and provided that such data is not sensitive data.
- There is no requirement for a controller to register its processing activities. However, the Saudi Authority for Data and Artificial Intelligence (SDAIA) has been authorized to establish the requirements for practicing commercial, professional, or non-profit activities related to data protection, in coordination with the concerned authorities. SDAIA may also license entities that undertake auditing or examination of personal data processing activities, according to the nature of the activity practiced by the controller. Moreover, SDAIA has the authority to create a national register if it determines that it would be an appropriate tool and mechanism for monitoring and following up on the controller's compliance with the provisions of the law and regulations.
- A penalty of imprisonment for a period not exceeding two years and/or a fine not exceeding three million SAR shall be imposed on anyone who discloses or publishes sensitive data in violation of the provisions of the law, if this is done with the intention of harming the owner of the data or of achieving a personal benefit. The competent court may double the fine for repeat offenses.