Legal Support Services

Legal Support

This service aims to provide support and guidance to assist government entities registered in the Platform in understanding PDPL and its regulations, clarifying the stipulated provisions and requirements, to promote entities’ compliance therewith. In this period of time, we accept requests for support regarding PDPL and its regulations, and we apologize for not responding to any requests outside this scope.

Requirements

  • A valid registration certificate from NDMO.
  • Log in to the National Data Governance Platform.
  • Click on the ‘Electronic Services’ icon.
  • Choose ‘Legal Support’ Service.
  • Verify the identity through Nafath.
  • Fill out the Legal Support form.
  • A notice of successful submission of the form will appear.

Yes, in certain circumstances:

  • If personal data has been collected from a publicly available source
  • If the entity requesting the disclosure is a public entity and it was for public interest, security purposes, to implement another law, or to meet judicial requirements
  • If the disclosure is necessary to protect public health or safety, protect the life or health of a particular individual/s
  • If the disclosure will be limited to processing data later on in a manner that does not disclose the Personal Data Subject's identity or any other individual specifically
  • If disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights or interests of Data Subject and provided that such data are not sensitive

Yes, it does if they contain personal data. This means that the PDPL applies to paper records as much as to automated processing of personal data.

The conditions for using personal data for direct marketing purposes are the following:

  1. Obtain consent of the Data Subject.
  2. Provide a mechanism that enables the Data Subject to halt the reception of marketing material whenever desired.
  3. Disclose the sender's identity to the data subject when sending the direct marketing material.
  4. The Controller shall halt without undue delay sending marketing materials when the Data Subject withdraws their consent for Direct Marketing purposes.

The PDPL does not specify a retention duration for personal data. However, the Entity shall destroy personal data once it is no longer necessary for the purpose for which it was collected.

Yes, unless any of the following circumstances apply:

  1. If there is a legal basis for retaining the personal data for a specific period, in which case the personal data shall be destroyed upon the lapse of that period or when the purpose of the collection is satisfied, whichever is longer.
  2. If the personal data is closely related to a case under consideration before a judicial authority and the retention of the personal data is required for that purpose, in which case the personal data shall be destroyed once the judicial procedures are concluded.
  3. If the data does not contain anything that may lead to specifically identifying the data subject.

Yes, based on the requirements stipulated in the Regulation on Personal Data Transfer outside the Kingdom.

No. Personal data can be processed without the consent of the data subject in the following cases:

  1. If the processing serves the actual interests of the data subject but communicating with the data subject is impossible or difficult.
  2. If the processing is pursuant to another law or in implementing a previous agreement to which the data subject is a party.
  3. If the controller is a public entity and the processing is required for security purposes or to satisfy judicial requirements.
  4. If the processing is necessary for the purpose of the legitimate interest of the controller, without prejudice to the rights and interests of the data subject, and provided that no sensitive data is to be processed.

The entity can disclose data if it’s based on the situations stated in Article 15 of the Personal Data Protection Law.

The right to access personal data is one of the rights guaranteed by the Personal Data Protection Law, yet there are some exceptions to it in the law, which are the following:

  1. If it's necessary to protect the data subject or other parties from any harm.
  2. If the controller is a public entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.
  3. If it represents a threat to security, harms the kingdom's reputation, or conflicts with its interests.
  4. If it affects the kingdom's relations with any other state.
  5. If it prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
  6. If it compromises the safety of an individual.
  7. If it violates an individual's privacy other than the data subject.
  8. If it conflicts with a person's interests that fully or partially lacks legal capacity.

Within Article 3 of the PDPL, "any other law" refers to any other law within the Kingdom of Saudi Arabia. For example, if another law within the Kingdom of Saudi Arabia provides individuals with a higher standard of protection, then the provisions of that law will also need to be complied with in addition to the PDPL.

The Law considers that health data are sensitive data. It maintains the privacy of these data by limiting access to as few employees and workers as possible and restricting the processing of such data to the minimum number of health services employees and workers.

The entity should instruct the Data Subject to submit the complaint to SDAIA through the National Data Governance Platform.

The entity is not obliged to report the breach to the Personal Data Subject unless the incident causes damage to personal data or conflicts with the Personal Data Subject's rights or interests.

It is possible to use personal data for scientific, research, or statistical purposes without the consent of the data subject in the following situations:

  1. If it does not specifically identify the data subject.
  2. If evidence of the data subject’s identity will be destroyed during the processing and before disclosure of such data to any other entity if it is not sensitive data.
  3. If it is required by another law or in the implementation of a previous agreement to which the data subject is a party.

If the controllers will collect and process personal data for the situations above, they must commit to the following:

  1. Clearly and accurately specify the scientific, research, or statistical purposes in the records of Personal Data Processing activities.
  2. Take the necessary measures to ensure that only the minimum Personal Data required to achieve the specified purposes is collected.
  3. Pseudonymise the Personal Data being processed, provided that the purposes of the processing can still be fulfilled.
  4. Take the necessary measures to ensure that the processing does not negatively impact the rights and interests of the Data Subject.

The personal data protection officer is responsible for monitoring the implementation of the provisions of the Law and its Regulations, overseeing the procedures adopted by the Controller, and receiving requests related to Personal Data in accordance with the provisions of the Law and its Regulations. Specifically, their responsibilities include:

  1. Acting as the direct point of contact with the Competent Authority and implementing its decisions and instructions regarding the application of the provisions of the Law and its Regulations.
  2. Supervising impact assessment procedures, auditing and control reporting related to personal data protection requirements, documenting assessment results, and issuing necessary recommendations.
  3. Enabling the Data Subject to exercise their rights as stipulated in the Law.
  4. Notifying the Competent Authority of personal data breach incidents.
  5. Responding to requests from Data Subjects and addressing complaints filed by them in accordance with the provisions of the Law and its Regulations.
  6. Monitoring and updating the records of personal data processing activities of the Controller.
  7. Handling Controller’s violations related to Personal Data and taking corrective actions accordingly.

No, controllers shall appoint one or more individuals to be responsible for the protection of personal data in any of the following cases:

  1. The controller is a public entity that provides services involving processing personal data on a large scale.
  2. The controller’s primary activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects.
  3. The core activities of the controller are based on processing sensitive personal data.

The controller shall keep a record of personal data processing activities for the entire period during which personal data is being processed and until five years after the end date of any personal data processing activity.

The controller shall take the necessary organizational, administrative, and technical measures to ensure personal data security and data subjects' privacy and shall comply with the following:

  1. Implement necessary security and technical measures to limit security risks related to personal data breaches.
  2. Adopt all relevant controls, standards, and rules issued by the National Cybersecurity Authority, or adopt recognized best practices and cybersecurity standards if the controller is not obligated to follow the controls, standards, and rules issued by the National Cybersecurity Authority.

  1. Enforcement of law provisions.
  2. If the request is by an authorized public entity.

  1. The controller shall ensure that any processor selected provides sufficient guarantees to protect personal data.
  2. The controller is responsible for periodically assessing the processor’s compliance with the law and its regulations and ensuring that all regulatory requirements are met, whether the processing is achieved by the processor or third parties acting on their behalf.

  1. Consent of the Data Subject.
  2. Provide a mechanism that enables the data subject to stop the reception of marketing material whenever desired and ensure that the procedure for stopping the reception of such material is as simple and easy as obtaining consent to receive the material.
  3. The identity of the sender should be clarified.

The grace period ends one year after the issuance of the Personal Data Protection Law, i.e. in September 2024.

The required security measures may vary depending on the nature of the personal data processed and the risks associated with the Personal Data Owner. However, the entity should adopt appropriate technical security measures, e.g. encryption, secure deletion, and cybersecurity best practices and standards.

The entity shall take all necessary actions to ensure the accuracy of personal data. It may need to continuously update personal data if the purpose of collection so requires. For example, the entity must update an employee's payroll records in the event of any increase in their salary.

Sanctions vary by the illegal act involved. If sensitive data is disclosed or published in violation of the provisions of the Law, a term of imprisonment of no more than two years and/or a fine not exceeding SAR three million will be imposed if the act is committed with the intent of causing harm to the Data Subject or for achieving personal benefit.

The PDPL distinguishes between two main roles: the role of controller and the role of processor. This distinction is important since the controller has greater responsibility and must meet more obligations than the processor. Data controllers and processors may be either natural or legal persons, for example a small or medium enterprise, an organization, a government entity, an association, etc. The difference is that the Data Controller determines the purpose and method of data processing, while the Data Processor processes Personal Data for and on behalf of the Data Controller.
