Saudi Data Protection Law Updates on Implementing Regulations and Data Transfer: What You Need To Know

Related Authors:  Marc Saroufim, Managing Partner — Al Akeel & Partners

The Saudi Authority for Data and Artificial Intelligence (SDAIA) has published a draft version of implementing regulations (“Implementing Regulations”) for the Saudi Personal Data Protection Law (issued by Saudi Arabia Cabinet Decision No. 98/1443) (“PDPL”). The SDAIA also published a separate draft version of regulations specifically addressing personal data transfers outside of the Kingdom (“Data Transfer Regulations”). Both the Implementing Regulations and the Data Transfer Regulations were made available for public feedback and comments.

Defined terms in this article have the definitions referenced in the Implementing Regulations or Data Transfer Regulations, as applicable.

Implementing Regulations

The Implementing Regulations provide further clarity on a range of areas covered in the PDPL, including the following:

1. Introducing and defining three different types of interest:
   1. Vital Interest: Any interest necessary to preserve the life of a Data Subject or any other individual.
   2. Actual Interest: Any moral or material interest of a Data Subject that is directly linked to the purpose of processing personal data and that is necessary to achieve that interest.
   3. Legitimate Interest: Any necessary interest of a data Controller that requires the processing of personal data for a specific purpose.
2. Introducing and defining Pseudonymisation and Anonymization and providing the Controller compliance terms for Pseudonymisation and Anonymization:
   1. Pseudonymization: A conversion of the main identifiers that indicate the identity of the Data Subject into codes that make it difficult to directly identify them without using additional data or information.
   2. Anonymization: A removal of direct and indirect identifiers that indicate the identity of the Data Subject in a way that “permanently” makes it impossible to identify the Data Subject.
   The definitions of terminology above help provide further direction regarding the exceptions for the Transfer of Personal Data outside the Kingdom, as detailed in the next section further below.
3. Providing clarity on the personal or family use of Personal Data: Article 2 of the Implementing Regulations provides that the provisions of the PDPL and the Implementing Regulation will not apply to an individual processing Personal Data for purposes that do not exceed personal or family use as referred to in the Article.
4. Data Subject rights are further detailed in Articles 4, 5, 6, 7, 8 and 9 of the Implementing Regulations.
5. Controller obligations and the legal basis when processing Health Data and Credit Data are also further detailed in Articles 27 and 28 of the Implementing Regulations.

Data Transfer Regulations

The Data Transfer Regulations provide further direction and clarity regarding the transfer of Personal Data outside the Kingdom. The following is a summary of the main clauses of the Data Transfer Regulations:

1. Subject to the provisions of the PDPL and its Implementing Regulations, a Controller may Transfer Personal Data or disclose it to a party outside of the Kingdom, provided that such Transfer or Disclosure does not impact the national security or the Vital Interests of the Kingdom or violate any other law in the Kingdom.
2. The Controller must limit the Transfer or Disclosure of Personal Data to a party outside the Kingdom to the minimum level necessary to achieve the purpose of such Transfer or Disclosure.
3. When Transferring or Disclosing Personal Data to a party outside the Kingdom, a Controller must ensure that such Transfer or Disclosure does not impact the privacy of Data Subjects or the level of protection guaranteed for Personal Data under the PDPL and its Implementing Regulations.
4. Subject to the provisions of Article 2 of the PDPL, the provisions of Data Transfer Regulations will not apply to the Transfer of Personal Data that does not directly or indirectly identify Data Subjects.
5. Transfers based on an Adequate Level of Protection for Personal Data:  Competent Authorities will establish rules and procedures for evaluating the level of protection for Personal Data outside the Kingdom pursuant to certain criteria.
6. The Data Transfer Regulations also provide for certain exceptions under specific conditions in the absence of appropriate levels of protection or international agreements in the country to which the Personal Data will be transferred.
7. A risk assessment of Transferring or Disclosing Data outside the Kingdom would be required in certain cases as provided in Article 9 of the Data Transfer Regulations.
8. The Competent Authority will issue guidelines related to the provisions of the Data Transfer Regulations.

The Implementing Regulations and Data Transfer Regulations are expected to come into force on the date the PDPL takes effect, which is currently scheduled for September 2023.

Our team is closely monitoring these important developments. Please feel free to reach out to us if you have any questions. For additional information on this topic, please also refer to our earlier article titled "Saudi Data Protection Law Amendments".