bakerxchange.com Open in urlscan Pro
46.51.168.103  Public Scan

Form analysis
0 forms found in the DOM

Text Content

Client alert Alert | April 2023

Saudi Arabia - New amendments have been introduced to the Personal Data
Protection Law
In Brief 

The Personal Data Protection Law (“PDPL”) of Saudi Arabia (“KSA”) was recently
amended pursuant to Royal Decree No. M/148, dated 05/09/1444H (corresponding to
27 March 2023G) ("Amended PDPL"). These amendments were preceded by a public
consultation launched by the Saudi Data and Artificial Intelligence Authority
("SDAIA") in late 2022. 

The Amended PDPL expands the scope under which Controllers could collect
personal data from third parties, and process it for purposes other than that
for which it was originally collected. It also provides additional grounds for
Controllers to disclose personal data, and introduces an updated regime for
personal data transfers outside of KSA.

Key Takeaways 

The Amended PDPL settled an ongoing uncertainty regarding its date of entry into
force, which was most recently set for 17 March 2023G after being postponed from
the original date of 23 March 2022G. Article 43 of the Amended PDPL specifies
that it will come into force 720 days from the date of the original publication
of the PDPL in the Official Gazette (i.e., 24 September 2021G). Thus, the
Amended PDPL is expected to enter into force on 14 September 2023G, and its
implementing regulations should be published no later than that date. 

Controllers ("Controllers"), entities subject to the Amended PDPL, will have a
one-year grace period (per the Hijri calendar) from the date of its entry into
force (i.e., until 2 September 2024G) to comply with its requirements. Please
see the table below for a more detailed overview of the timeline.
 
The Amended PDPL addresses critical concerns that key stakeholders had with the
PDPL, some of which were raised in the public consultation. The Amended PDPL
includes, among others, the following changes:
 1. a broader regulatory framework for cross-border personal data transfers and,
    in particular, the introduction of the concept of adequacy. This concept
    requires a minimum level of adequate safety standards (no less than the
    national standard) for the transfer of data outside of KSA;
     
 2. the addition of Controllers' legitimate interests as legal grounds for
    processing personal data unless the data collected is sensitive, violates
    the rights of personal data owner, or goes against the data owners'
    interests;
     
 3. the removal of the national registry and, by extension, the obligation of
    Controllers to register in the national registry; and
     
 4. the removal of the requirement on foreign Controllers to appoint a KSA
    representative to be licensed by the competent authority to perform the
    Controller's obligations.

The Amended PDPL is a positive step towards harmonising KSA's data privacy
framework with the European General Data Protection Regulation ("GDPR"). This
represents a welcome development for organisations operating within the scope of
the Amended PDPL. Nonetheless, there remains to be some material differences
between the Amended PDPL and the GDPR. Specifically, the Amended PDPL places
more emphasis on the responsibilities of Controllers, much like GDPR's
predecessor (the European Directive 95/46 EC).
 

--------------------------------------------------------------------------------


Order of events of the KSA PDPL entry into force
 

Date (Gregorian) Event Effect 16 September 2021G The PDPL is promulgated by
Royal Decree No. M/19 dated 09/02/1443H. The PDPL stated that it shall enforce
180 days after its publication in the Official Gazette. 24 September 2021G The
PDPL is published in Official Gazette. The effective date of the PDPL was
originally set for 23 March 2022G. 11 March 2022G Royal Order No. 51627 dated
18/08/1443H is issued. The effective date of the PDPL was postponed 540 days
after its original publication in the Official Gazette, falling on 17 March
2023G. 27 March 2023G Royal Decree No. M/148 dated 05/09/1444H is issued. The
Amended PDPL states that it shall enter into force 720 days after its original
publication in the Official Gazette, falling on 14 September 2023G. Controllers
will still have a one Hijri year grace period from the date of entry into force
(ending on 02 September 2024G), to comply with its requirements, including its
implementing regulations which have not been published yet.



 

DOWNLOAD ALERT



Contact us


We are continuing to closely monitor developments related to the data privacy
framework in KSA. Should you require further assistance regarding the Amended
PDPL, or any data and technology-related matters, please feel free to contact
us.
 

Abdulrahman AlAjlan Partner
abdulrahman.alajlan
@legal-advisors.com

Zahi Younes zahi.younes
@legal-advisors.com

Yousef Bugaighis yousef.bugaighis
@bakermckenzie.com

 

Maher Ghalloussi maher.ghalloussi
@bakermckenzie.com

Lucrezia Lorenzini lucrezia.lorenzini
@bakermckenzie.com

Hala Redwan hala.redwan
@legal-advisors.com



Baker & McKenzie International is a global law firm with member law firms around
the world. In accordance with the common terminology used in professional
service organizations, reference to a “partner” means a person who is a partner
or equivalent in such a law firm. Similarly, reference to an “office” means an
office of any such law firm. This communication has been prepared for the
general information of clients and professional associates of Baker & McKenzie.
You should not rely on the contents. It is not legal advice and should not be
regarded as a substitute for legal advice. This may qualify as “Attorney
Advertising” requiring notice in some jurisdictions. Prior results do not
guarantee a similar outcome.


Unsubscribe  | 
Privacy Policy

© 2023 Baker McKenzie