The amended Personal Data Protection Law came into effect in Saudi Arabia on September 14
18 Sep 2023
The revised Personal Data Protection Law (PDPL) came into force in Saudi Arabia on Thursday, September 14. The Kingdom passed the legislation by royal proclamation on September 16, 2021, with a 720-day grace period for its implementation following the publishing of the original law in the official gazette. Another royal proclamation, published on March 27, 2023, amended the statute in five ways. One week before the PDPL took effect on September 14, 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued the Executive Regulations of the legislation on September 7, 2023.
Legal professionals noted that this law, which aims to safeguard individual privacy by regulating data collection, processing, disclosure, and preservation, is the first comprehensive data protection law in Saudi Arabia. They pointed out that the legislation offers a comprehensive framework for processing standards, data subject rights, processing requirements for relevant organisations, data sovereignty, and sanctions for breaking the law's rules.
The law defines personal data as any information, regardless of its source or format, that could be used to specifically identify an individual or that could allow for his direct or indirect identification. Examples include: name, personal identification number, date of birth, addresses, phone numbers, licence numbers, records, personal property, bank account and credit card numbers, still or moving images of the individual, and other information of a personal nature.
Sensitive data is defined by the PDPL as personal information that includes references to an individual's racial or ethnic origin, or religious, philosophical, or political beliefs, as well as criminal and security data, biometrics, genetic information, credit information, health information, and information indicating that one or both of the individual's parents are unknown.
Genetic data, as defined by the law, is any personal information about a natural person's genetic or acquired characteristics that can be used to identify that person specifically in terms of their physiological or health characteristics and that is gleaned from the analysis of a biological sample taken from that person, such as DNA or any other sample that can yield genetic data. Health data, as defined by the legislation, includes any personal information pertaining to a person's health status, including physical, mental, psychological, or service-related conditions.
According to Article 10 of the legislation, the governing authority may only obtain personal data about an individual from that individual directly, and that individual's data may only be handled in order to fulfil the purpose for which it was obtained.
In accordance with Article 13 of the Executive Regulations, the legal guardian of an incomplete or incapacitated person's data is required to act in the best interests of the person's data. In accordance with Article 16 of the law, the controlling agency has the right to process and obtain personal data on the basis of legitimate interests that include disclosing fraud operations and preserving network and information security. The situations under which the regulating authority may disclose personal data are specified in Article 15 of the legislation.
The executive regulations also outline the conditions under which the transfer of personal data beyond the Kingdom is permitted, as well as the restrictions and steps to be taken in this regard. By referring to a committee established by a decision of the head of the responsible authority, Article 36 of the legislation allocates competence to evaluate infractions and apply penalties stated in the law in the case of infringing the terms of the law and its executive rules.