Personal Data Protection Law in Saudi Arabia

The Personal Data Protection Law in the Kingdom of Saudi Arabia is a set of legal rules regulating the protection of individuals' rights concerning data processing conducted by entities and institutions, whether from the private or public sector within the Kingdom. This processing may be carried out by domestic or foreign entities, including processing via the Internet. The Personal Data Protection Law excludes data processing for personal purposes from its provisions.

The Personal Data Protection Law in the Kingdom was issued on September 16, 2021, through a Royal Decree and a decision by the Council of Ministers. The law consists of forty-three articles, with some of these articles having undergone subsequent amendments. This law is not an extension of any previous law; it is the first of its kind in regulating personal data protection through the development of national strategies, policies, controls, and procedures.

The Personal Data Protection Law aims to regulate the digital processing of individuals' personal data. The law emphasizes clarity in its provisions regarding the entities engaged in data processing. For example, it mandates that these entities prepare a notice outlining their privacy policies and procedures. This notice must specify the purposes for which personal data is being processed, and it should be clear and concise in its content.

The law contributes to empowering the private sector and attracting foreign investments to the Kingdom by creating a regulatory environment that safeguards individuals' rights, making it conducive to business growth and development. The law guarantees individuals' rights by establishing specific regulations for the disclosure of personal data and also protects their rights by prohibiting the use of their data for marketing or awareness purposes without the consent of the data owners.

The Personal Data Protection Law grants individuals the right to access their personal data and to be informed of the purpose of its collection and processing. They have the right to access or obtain a copy of their data, request its correction, update, or deletion after the purpose of its collection has been fulfilled. Data owners may also request the restriction of the processing of their personal data for specific cases and for a limited period. The collection of personal data is restricted to the minimum necessary to achieve the specified purposes. Additionally, data owners have the right to object to the processing of their personal data or to withdraw their consent in cases defined by the law. The law prohibits making consent for data processing a condition for providing a service or benefit unless the service or benefit is directly related to the processing of the personal data for which consent has been granted.

The law outlines the process for disclosing personal data under specific regulations to ensure its optimal use. It also states that personal communication methods cannot be used to send marketing or awareness materials without the consent of the data owner or the existence of a mechanism allowing the owner to express their preference to receive or stop receiving such materials. Public entities, however, are exempt from this requirement when sending awareness materials.

The Personal Data Protection Law specifies penalties for violations of its provisions. Anyone who discloses or publishes sensitive data in violation of the law, with the intent to harm the data owner or for personal gain, is subject to a maximum prison sentence of two years and a fine of up to SAR3,000,000, or one of these two penalties. The Public Prosecution is responsible for investigating and prosecuting violations of the Personal Data Protection Law before the competent court. The court is responsible for handling cases arising from the application of this article and imposing the prescribed penalties. In the event of repeat offenses, the court has the authority to double the fine, even if it exceeds the maximum limit, provided it does not exceed twice that limit.

Any natural or legal person who violates the provisions of the law or its regulations is subject to a warning or a fine not exceeding SAR5,000,000. In case of repeated violations, the fine may be doubled, even if this exceeds the maximum limit, as long as it does not exceed twice that limit. One or more committees are formed by a decision of the head of the competent authority to review violations and impose warnings or fines, depending on the nature and severity of the violation and its impact. The decision of the committee must be approved by the head of the competent authority or their delegate. Anyone issued a decision by the committee has the right to appeal it before the competent court.

The law also grants the court the authority to order the confiscation of any proceeds obtained through the commission of violations. The court or the committee reviewing violations may include in their judgment or decision the stipulation that a summary of the ruling or decision is published at the expense of the convicted party or the violator in one or more local newspapers published in their place of residence, or through any other suitable medium. The publication must correspond to the nature, severity, and impact of the violation. This publication occurs only after the judgment becomes final or the decision becomes immune to appeal, either by the expiration of the appeal period or by the issuance of a final ruling rejecting the appeal.

The law grants individuals who have suffered harm due to the commission of any violations the right to seek compensation before the court for material or moral damages, in proportion to the extent of the harm caused.