
Everything you need to know about the Personal Data Protection Law in Saudi Arabia

Among the significant developments achieved by the Kingdom of Saudi Arabia in recent years is its focus on protecting the privacy of user data, whether for individuals, employers, companies, or institutions, through the launch of the Personal Data Protection Law (PDPL).

This law aligns with international standards such as GDPR to guarantee individuals' right to privacy and ensure their digital security. So, what is this system? And what are its objectives? This is what we will explore in this article.

What is the Personal Data Protection Law in Saudi Arabia?

The Personal Data Protection Law (PDPL) is a system issued to protect individuals' data and privacy in the digital world. It was issued by Royal Decree No. (M/19) of 1443 AH (2021 CE), and the Saudi Data & Artificial Intelligence Authority (SDAIA) was tasked with overseeing its implementation. In 1444 AH (2023 CE), the law was amended by Royal Decree No. (M/148).

The law helps provide digital security in the Kingdom of Saudi Arabia, especially in light of rapid technological advancements, by regulating the collection, exchange, processing, disclosure, and retention of personal data between individuals, companies, institutions, and other entities that process personal data of individuals residing in the Kingdom. This applies even if the entity is located outside the Kingdom, as these entities cannot process any personal data unless they have the legal basis granting them this authority and the consent of the data subjects themselves. The system aims to regulate all aspects of handling personal data, from its collection and processing to its disclosure and storage, emphasizing a fundamental principle: personal data may not be processed without the consent of its owner, except in cases specified by law.

The law requires companies to develop a privacy policy that details how they process personal data, explains the purpose behind collecting this data, and obligates them to destroy collected data when it is no longer necessary.

The Kingdom has also ensured that the Law is compatible with international standards, particularly the European Union's General Data Protection Regulation (GDPR), which is considered a global standard for data protection.

Objectives of the Personal Data Protection Law

The main objectives of the Personal Data Protection Law are as follows:

  • Protecting individuals from the misuse of their data and ensuring its secure use.
  • Regulating the collection, storage, and sharing of data.
  • Granting individuals the right to know how their data is used, to request its correction or deletion, and to withdraw their consent to its use at any time.
  • Enhancing trust in the digital economy by building a secure digital environment that supports growth and innovation and encourages investment in digital services.
  • Protecting sensitive personal data, such as health status or banking information.

Rights of Personal Data Subjects When Their Data Is Used

The Law stipulates the full protection of the rights of data subjects, which include:

1. The Right to Know: The data subject has the right to know how their data is processed, the purpose for which their personal data is requested, and that their data is not processed in a manner inconsistent with the purpose for which it was collected or in circumstances other than those stipulated in Article (10) of the system.

2. The Right to Access: The data subject has the right to access their personal data held by the data controller, to review it, and to obtain a copy of it free of charge.

3. The Right to Rectification: The data subject has the right to request the correction, completion, or updating of their personal data held by the data controller.

4. The Right to Request Deletion: The data subject has the right to request the deletion of their personal data when it is no longer needed, without prejudice to the provisions of Article (18) of the system.

5. The Right to Withdraw Consent to the Processing of Personal Data: Data subjects have the right to withdraw their consent to the processing of their personal data at any time and in all circumstances, except as stipulated in the Personal Data Protection Law and its Implementing Regulations.

What are the penalties for non-compliance with the Personal Data Protection Law?

To ensure that data controllers adhere to and implement the Personal Data Protection Law, the Kingdom has imposed penalties for non-compliance. These penalties may include restrictions on data processing activities, mandatory corrective actions, or damage to the controller's reputation, which can negatively impact its business.

The penalty may also be a financial fine. The fine is determined based on the nature of the violation, whether it involves sensitive personal data or a large amount of data, and whether the violation was due to negligence or deliberate intent.

To ensure full compliance, the law has established deterrent penalties for violators. The most severe penalty is stipulated in Article 35 of the Personal Data Protection Law, which states:

Anyone who discloses or publishes sensitive data in violation of the provisions of this law, with the intent to harm the data subject or to gain personal benefit, shall be punished by imprisonment for a period not exceeding two years and a fine not exceeding three million riyals, or by either of these penalties.

How to avoid privacy violations and protect your personal data?

It is essential to know how to protect your personal data, especially now that everything has gone digital.

Among the most important ways to protect your data are:

  • Use long, complex passwords that include numbers, symbols, and both lowercase and uppercase letters.
  • Enable two-step verification for your accounts.
  • Update your software, applications, and operating systems to avoid security vulnerabilities.
  • Do not click on any unknown links, as they may be a means of stealing your data.
  • Avoid sharing your personal data online.
  • Review the privacy settings on social media sites and applications and adjust them to protect your privacy.
  • Use antivirus software and firewalls to detect threats.

Finally

If you wish to protect your personal data more effectively, or if you wish to file a lawsuit against any entity that has used your personal data without your permission, or incorrectly, or failed to safeguard your rights when using it, do not hesitate to contact us at Mohammed Al-Khalawi's office so we can assist you immediately in protecting your privacy and regaining full control over your data.

Disclaimer: The above content does not constitute legal advice, and the author of this article assumes no legal responsibility. For legal advice, please contact us.

About Us

Mohammed Alkhliwi Law Firm is a Saudi legal practice that serves individuals, institutions, and corporations, drawing on extensive experience in litigation and legal consultancy. The firm believes that law is not merely a set of regulations and procedures, but a powerful tool to protect rights and ensure justice. For this reason, the firm is dedicated to serving its clients with the utmost professionalism and responsibility.

Contact Us

For Inquiries:

+966530146448

info@maalawsa.com
