On September 24, 2021, the National Centre for Documents and Archives Royal Court published the new Personal Data Protection Law (‘PDPL’), implemented by Royal Decree M/19 of 17 September 2021 in the Official Gazette.
Applicability:
It is applicable to the processing of personal data by companies or public entities, by any means, that takes place in the Kingdom of Saudi Arabia, including the processing of personal data relating to residents of the Kingdom by companies located outside the Kingdom.
Data Protection Authority:
The Saudi Data & Artificial Intelligence Authority (‘SDAIA’) will be in charge of supervising and enforcing the implementation of the PDPL for the first two years, after which it may consider transferring the supervisory role to the National Data Management Office, the regulatory arm of SDAIA.
Effective date:
Article 43 of the PDPL provides that the law shall take effect 180 days after the date of its publication in the Official Gazette i.e. it will come into effect from 23 March 2022.
Note: The effective date shall be delayed for a period of up to five years, and as determined by SDAIA, for companies located outside the Kingdom that process personal data of Saudi Arabian residents.
Duties of Data Controller:
Controller is required to do the following:
- implement a privacy policy,
- ensure impact assessments,
- breach notification to authority and data subject,
- maintenance of data processing records;
Rights of Data subject:
- right to be informed,
- update, correct, or request destruction of their personal data,
- withdraw consent at any time;
Penalties:
Penalties for breach of the law, including imprisonment for up to two years and/or fines of up to SAR 5 million (approx. €1.1 million).
Law is available in Arabic HERE
hey loved your blog nice content thank you for the information