Saudi Arabia’s government introduced the Personal Data Protection Law (PDPL) through Royal Decree M/19 on September 16, 2021, and amended on 27/03/2023 by Royal Decree M/148. This law, officially issued on September 14, 2023, regulates the collection and processing of personal data.
The Personal Data Protection Law (PDPL) protects two categories of data:
a) Personal Data
Any information, regardless of its format or origin, that can be used to directly or indirectly identify a person. This includes details like:
- Name
- Address
- Contact information
- Photos
- Bank details
- Voice recordings
b) Sensitive Data
This category encompasses specific types of personal data revealing:
- Racial or ethnic origin, religion
- Political or intellectual beliefs
- Criminal records
- Biometric or genetic data used for identification
- Health records
- Information indicating unknown parentage
Rights Guaranteed Under the PDPL
The PDPL grants individuals several rights regarding their data:
– Right to Know
It includes the knowledge of the legal or practical justification for data processing.
– Right to Access Personal Data
It includes access to personal data and obtaining a copy of them free of charge.
– Right to Request Personal Data Correction
The data subject has the right to request correction of their data that they deem to be inaccurate, incorrect, or incomplete.
– Right to Request Personal Data Destruction
The data subject has the right to request the destruction of their data as stipulated in the Law.
Punishment under the PDPL
Violating the PDPL, particularly by revealing or sharing sensitive data without authorization, can lead to penalties including imprisonment for up to two years and fines of up to SAR 3,000,000.
Supervision of the PDPL
To ensure the law’s effective enforcement, the Saudi government has entrusted the Saudi Data & Artificial Intelligence Authority (SDAIA) with overseeing its implementation.
Resource The Personal Data Protection Law