Amended Saudi Personal Data Protection Law to be in force from September

April 10, 2023

Saudi Gazette report

RIYADHThe amended Saudi Personal Data Protection Law (PDPL) will come into force on Sept. 14, 2023. This is 720 days after the publication of the original law in the official gazette in 2021. The executive regulations supplementing the PDPL shall be issued prior to this date, according to sources.

The Council of Ministers approved a series of 27 amendments to the law.

The updated PDPL takes into account some of the amendments that were proposed in a consultation paper issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) in November 2022, although not all of those proposals have been implemented. The amendments introduce several concepts that will align the PDPL more closely to international standards such as the EU General Data Protection Regulation.

The amendments include those related to sensitive data and the rights of the owner of personal data, and the periods of exercising the right to access that data. According to the amendments, the controlling party will not be allowed to collect personal data except from its owner. However, there will be some exemptions to this.

The amendments also include the need for the controlling authority to adopt a privacy policy and make it available to the owners of personal data for viewing, and not to disclose it except with the consent of the owners. There are also amendments with regard to the leakage of personal data or the need to transfer them outside the Kingdom. The amendments redefined some terms in the law, such as destruction, disclosure, and sensitive data.

Article 4 of the law was amended to give the owner of personal data the right of access to his personal data in accordance with the controls and request to obtain it readable and clear. The owner has also the right to request its correction or update, as well as to request to the control authority for the destruction of those data that are no longer needed.

The amendment in Article 20 of the law stresses the need for the control authority to notify the competent authority when it is aware of data leakage, damage, or illegal access to it, and to notify the data owner if that leak results in damage to his data or conflicts with his rights or interests.

April 10, 2023
7 hours ago

Crown Prince: Saudi Arabia is biggest success story of 21st century

11 hours ago

Crown Prince urges Palestinian issue resolution as key condition for normalizing with Israel

14 hours ago

Boosting market reliability is among major benefits of new off-plan real estate law