On September 14, 2023, the Saudi Personal Data Protection Law (PDPL) as revised will go into effect. This is 720 days following the original law's publication in the official gazette in 2021. According to reports, the executive regulations that supplement the PDPL must be published before this date.
27 changes to the statute were approved by the Council of Ministers.
While not all of the suggestions made in the Saudi Data & Artificial Intelligence Authority's (SDAIA) November 2022 consultation paper have been incorporated, some of them have been taken into account in the amended PDPL. The modifications include a number of ideas that will bring the PDPL closer in line with international norms like the EU General Data Protection Regulation.
The modifications cover sensitive data, the rights of the owner of personal data, and the time frames for exercising those rights. The modifications state that the controlling party is not permitted to get personal data from anybody other than the owner. There will be a few exceptions to this, though.
In addition, the revisions mandate that the governing authority develop a privacy policy, make it available to the owners of personal data for reading, and refrain from disclosing it without the owners' permission. Additionally, there have been changes made regarding the disclosure of personal information or the requirement to transmit it outside the Kingdom. Some legal words, including destruction, disclosure, and sensitive data, were redefined as a result of the modifications.
The law's amendment to Article 4 now grants the owner of personal data the right to access that information in line with controls and a request for it to be made legible and clear. The owner also has the right to ask for its rectification or updating, as well as to ask the control authority to delete any outdated data.
The change to Article 20 of the law emphasises the requirement that the control authority notify the competent authority when it learns of data leakage, damage, or unauthorised access to it, as well as the data owner if the harm to the data results in a conflict with the data owner's rights or interests.
