Related Authors: Marc Saroufim, Managing Partner — Al Akeel & Partners

The Saudi Authority for Data and Artificial Intelligence (SDAIA) has published a draft version of implementing regulations ("Implementing Regulations") for the Saudi Personal Data Protection Law (issued by Saudi Arabia Cabinet Decision No. 98/1443) ("PDPL"). The SDAIA also published a separate draft version of regulations specifically addressing personal data transfers outside of the Kingdom ("Data Transfer Regulations"). Both the Implementing Regulations and the Data Transfer Regulations were made available for public feedback and comments.

Defined terms in this article have the definitions referenced in the Implementing Regulations or Data Transfer Regulations, as applicable.

Implementing Regulations

The Implementing Regulations provide further clarity on a range of areas covered in the PDPL, including the following:

  1. Introducing and defining three different types of interest:
    1. Vital Interest: Any interest necessary to preserve the life of a Data Subject or any other individual.
    2. Actual Interest: Any moral or material interest of a Data Subject that is directly linked to the purpose of processing personal data and that is necessary to achieve that interest.
    3. Legitimate Interest: Any necessary interest of a data Controller that requires the processing of personal data for a specific purpose.
  2. Introducing and defining Pseudonymization and Anonymization, and setting out the Controller's compliance terms for each:
    1. Pseudonymization: A conversion of the main identifiers that indicate the identity of the Data Subject into codes that make it difficult to directly identify them without using additional data or information.
    2. Anonymization: A removal of direct and indirect identifiers that indicate the identity of the Data Subject in a way that "permanently" makes it impossible to identify the Data Subject.
    The definitions above help provide further direction regarding the exceptions for the Transfer of Personal Data outside the Kingdom, as detailed in the next section.
  3. Providing clarity on the personal or family use of Personal Data: Article 2 of the Implementing Regulations provides that the provisions of the PDPL and the Implementing Regulations will not apply to an individual processing Personal Data for purposes that do not exceed personal or family use as referred to in the Article.
  4. Data Subject rights are further detailed in Articles 4, 5, 6, 7, 8 and 9 of the Implementing Regulations.
  5. Controller obligations and the legal basis when processing Health Data and Credit Data are also further detailed in Articles 27 and 28 of the Implementing Regulations.

Data Transfer Regulations

The Data Transfer Regulations provide further direction and clarity regarding the transfer of Personal Data outside the Kingdom. The following is a summary of the main clauses of the Data Transfer Regulations:

  1. Subject to the provisions of the PDPL and its Implementing Regulations, a Controller may Transfer Personal Data or disclose it to a party outside of the Kingdom, provided that such Transfer or Disclosure does not impact the national security or the Vital Interests of the Kingdom or violate any other law in the Kingdom.
  2. The Controller must limit the Transfer or Disclosure of Personal Data to a party outside the Kingdom to the minimum level necessary to achieve the purpose of such Transfer or Disclosure.
  3. When Transferring or Disclosing Personal Data to a party outside the Kingdom, a Controller must ensure that such Transfer or Disclosure does not impact the privacy of Data Subjects or the level of protection guaranteed for Personal Data under the PDPL and its Implementing Regulations.
  4. Subject to the provisions of Article 2 of the PDPL, the provisions of the Data Transfer Regulations will not apply to the Transfer of Personal Data that does not directly or indirectly identify Data Subjects.
  5. Transfers based on an Adequate Level of Protection for Personal Data: Competent Authorities will establish rules and procedures for evaluating the level of protection for Personal Data outside the Kingdom pursuant to certain criteria.
  6. The Data Transfer Regulations also provide for certain exceptions under specific conditions in the absence of appropriate levels of protection or international agreements in the country to which the Personal Data will be transferred.
  7. A risk assessment of Transferring or Disclosing Data outside the Kingdom would be required in certain cases as provided in Article 9 of the Data Transfer Regulations.
  8. The Competent Authority will issue guidelines related to the provisions of the Data Transfer Regulations.

The Implementing Regulations and Data Transfer Regulations are expected to come into force on the date the PDPL takes effect, which is currently scheduled for September 2023.


© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.