Privacy Law in Saudi Arabia


In September 2021 the Kingdom of Saudi Arabia enacted the Personal Data Protection Law (PDPL) to regulate the processing of personal data. The PDPL is the Kingdom's first comprehensive, sector-independent data protection law, and organizations that process personal data of Saudi residents face significant changes to their operations in order to comply.

When personal data are collected directly from the data subject, certain information must be communicated to the data subject in advance in a privacy notice (data protection declaration). The PDPL joins a growing body of global privacy regulations that expect organizations to act as responsible stewards of the personal data they hold and to automate their privacy and security processes where they can. Several vendors offer software to help organizations comply with these regulations, but such tools have largely been limited to process-oriented workflows or rudimentary data-driven functions.

In its guidance opinion on personal data protection, the Commissioner also underlines that controllers should adopt written data protection policies. Among other things, controllers should give candidates and employees a privacy policy to review before collecting their personal data and before obtaining consent to use it in a specified manner and for specified purposes. Controllers are also required to respond to data subjects' requests to exercise their rights within the time limits and by the means set out in the regulations.

The privacy notice must also set out the data subject's rights, and it must be provided before the personal data are collected and processed.

The PDPL aims to protect the privacy of individuals' personal data and to regulate its collection, processing, disclosure and storage by organizations. It does not stand alone. The Basic Law of Governance of 1992 (Royal Order No. A/90 of 1992, "the Basic Law") treats privacy as part of the right to personal dignity, guarantees the secrecy of communications and generally prohibits surveillance, subject to exceptions; it also reflects Sharia principles against invasion of privacy and disclosure of secrets. The Anti-Cyber Crime Law of 2007 (Royal Decree No. M/17), the E-Commerce Law of 2019 and various sector regulations likewise contain data protection provisions. These laws define the regulatory powers of the National Cybersecurity Authority (NCA) and the Communications and Information Technology Commission (CITC) in their respective sectors. In particular, the CITC has published general rules on the privacy of users' personal data in the telecommunications and information technology sector, a data protection risk-assessment guide for telecommunications service providers, and criteria for determining when such a risk assessment is required (all available in Arabic only).

Under the PDPL, the data protection impact assessment takes the form of an obligation on the controller to assess the impact on personal data protection of any product or service it provides. The PDPL contains no cookie-specific provisions.

Accordingly, the PDPL's general provisions also govern online privacy. The law restricts disclosure of personal data in several scenarios, including where disclosure would threaten national security, compromise the integrity of an ongoing criminal investigation, violate another individual's privacy, or breach professional or other confidentiality obligations.

The PDPL was scheduled to come into force on 17 March 2023, with a transition period of up to five years available for organizations outside Saudi Arabia that process personal data of Saudi residents. (Amendments to the law issued in March 2023 subsequently moved the commencement date to 14 September 2023 with a further one-year grace period; verify the current dates before planning a compliance programme.) The objective of the PDPL is to protect personal data, regulate data sharing and prevent misuse of personal data. Its key elements include principles such as purpose limitation and data minimisation, controller obligations including maintaining records of processing activities, data subject rights, and sanctions for breaches.

Following a series of data protection developments in the Middle East, the most recent is Saudi Arabia's first data protection law, the Personal Data Protection Law, implemented by Royal Decree M/19 of 16 September 2021 approving Council of Ministers Decision No. 98 of 14 September 2021 and published in the Official Gazette on 24 September 2021. This article summarizes the key provisions of the PDPL and the main considerations and challenges for practitioners building and advancing privacy programs towards PDPL compliance.

It should also be noted that, according to the Commissioner's opinion on personal data protection on the websites of public and private controllers, data subjects have the right to be informed by the controller if their personal data have been compromised (lost or stolen, or where their online privacy is likely to be affected).
To our knowledge, the Commissioner's view in this opinion is for guidance purposes only and has no binding effect.

Automation can help both to review previously collected data and to process data collected in future. Manual processing invites error, and tooling that enforces privacy requirements by design helps keep PDPL compliance consistent.

The PDPL requires organizations to adopt a personal data privacy policy and to make it available to data subjects for review before collecting their data. The policy must cover the purpose of collection, the categories of personal data collected, how they are collected, how they are stored, how they are processed, how they are destroyed, the rights of the data subject in this regard and how those rights can be exercised.

Action: develop and publish a privacy policy detailing your processing of personal data, including the purposes for which data are collected and how they may be processed. In general, the more the policy says about the intended processing (by whom, for what, for how long, under what safeguards, what happens when processing ends, how to obtain access, and so on), the better.

"To be DPL compliant, organizations need to begin their HR data governance journey and work towards creating a privacy compliance framework," Aghdoube said. "Establishing a standard ensures compliance with the DPL and provides a common approach to how employee and candidate data is handled, stored, used and protected. This minimizes the risk of breaches."

Securiti's PrivacyOps framework combines reliability, intelligence and simplicity to enable end-to-end automation of privacy operations, and can help organizations comply with the PDPL and other privacy and security regulations worldwide.

Sector-specific rules can add their own notification duties on top of the PDPL: for example, an operator providing publicly available electronic communications services must immediately notify the Electronic and Postal Communications Authority (ECHA) of any personal data breach.