
Data Privacy Regulations in Saudi Arabia  

The Kingdom of Saudi Arabia has published its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) aims to protect individuals’ personal data privacy and regulate organizations’ collection, processing, disclosure, or retention of personal data. 

One of the prominent features of the PDPL is that it does not prejudice any provision that grants a right to the data subject or stipulates better protection in any other law or an international convention to which Saudi Arabia is a party. 

The PDPL was originally set to be enforced on March 23, 2022. However, SDAIA submitted proposed amendments to the PDPL for public consultation from November 20, 2022, until December 20, 2022. On March 21st, 2023, the Saudi Council of Ministers passed amendments to the PDPL.  As per the timeline within the amended version, PDPL will officially come into force on September 14, 2023, and organizations will have until September 13, 2024, to comply. 

Who Needs to Comply with the Law 

Here is how the new law applies to organizations based on their jurisdiction as well as the kind of data involved:

  • Material Scope 

The PDPL applies to the processing of personal data and sensitive personal data related to individuals residing in Saudi Arabia. The PDPL also covers the deceased’s data, if it would lead to identifying the deceased or one of his/her family members specifically. The PDPL excludes the processing of personal data for domestic purposes from its application scope. 

  • Territorial Scope 

The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia by any means. If a foreign organization processes personal data associated with individuals residing in Saudi Arabia, then the PDPL will also apply. 

Responsibilities for Organizations Under that Specific Law 

The PDPL provides several obligations for the controlling authorities (data controllers). Before processing personal data, the data controllers (organizations) are required to ensure the accuracy, completeness, and relevancy of the personal data. The controlling authorities must also fulfil data protection principles (collection limitation, purpose limitation, data security, accountability, retention limitation, etc.). 

The following are the critical obligations under the PDPL that organizations must fulfil to stay compliant:

  • Consent Requirements 
  • Privacy Notification/Privacy Policy Requirements 
  • Security Requirements 
  • Data Breach Requirements 
  • Data Protection Officer Requirement 
  • Vendor Assessment/Third-Party Processing Requirements 
  • Cross-border Data Transfer Requirements 

Data Subject Rights 

Like most other data protection regulations globally, the PDPL ensures that all data subjects are guaranteed certain rights. These rights, known as data subject rights, ensure that all users retain control over their data once it has been collected. Different data protection laws offer various kinds of data subject rights. The ones guaranteed by the PDPL include the following: 

  • Right to Know/Information  

Data subjects have the right to know about the data controller’s contact details, the exact reason the data is being collected, the methods being used for data collection, and whether this collected data will be shared or sold. 

  • Right to Request Correction  

Data subjects have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete. 

  • Right to Request Destruction  

Data subjects have the right to request the destruction of data collected on them. The reasons can range from the user rescinding their consent for data collection to the data no longer serving the purpose for which it was collected. 

  • Right to Limit/Restriction of Processing  

Data subjects have the right to limit or refuse the processing of their personal information by the organization in special cases and for a limited period. This right is not explicitly provided under the PDPL; however, the regulatory authority has released a set of FAQs that provides details of this right. 

  • Right to Data Portability 

The data subjects can obtain their data in a legible and clear format and request their data to be transferred to another controller. 

The data controller is required to ensure that all data subjects are appropriately informed about these rights and establish dedicated channels for data subjects to exercise these rights. The data controller must fulfil these requests within 30 days and record all data subject requests received. 

Regulatory Authority 

The Saudi Data & Artificial Intelligence Authority (SDAIA) will be the primary body responsible for enforcing the PDPL within Saudi borders. More than just imposing penalties on organizations found in violation of the PDPL, the SDAIA is also expected to advise organizations in internal data transfers and keep track of data subject rights requests received by organizations, among other responsibilities. 

However, the Saudi Data & Artificial Intelligence Authority (SDAIA) will supervise the implementation of the new legislation for only the first two years. A transfer of supervision to the National Data Management Office (NDMO) will be considered in 2024. 

Penalties for Non-compliance 

The PDPL provides that the penalty for disclosing or publishing sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million ($800,000); both organizations and individuals can therefore be sanctioned. 

For infringements of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million ($1.3 million). The court may double the fine for repeat offences. 

How an Organization Can Operationalize the Law 

Organizations will be required to adjust their status per the provisions of the PDPL within a period not exceeding one year from the date that it becomes effective. To do so, they should: 

  • Catalogue their data inventories and classify sensitive personal data and personal data; 
  • Assess whether they need to appoint a representative in Saudi Arabia; 
  • Register themselves within Saudi Arabia; 
  • Disclose how personal data is being processed through transparent formal policies and privacy notices; 
  • Develop formal policies and procedures for data collection (consent framework etc.) and processing, and update privacy policies as needed; 
  • Have robust data breach notification mechanisms in place; 
  • Map their processes and discover cross-border data flows from Saudi Arabia to other countries, and fulfil strict cross-border requirements under the PDPL; 
  • Have a comprehensive data subject requests framework in place; 
  • Develop the capability to scan and track data processing activity and produce ROPA reports for compliance; 
  • Have technical and organizational security measures in place to protect their processing activities;  
  • Conduct personal information protection impact assessments, vendor assessments, and other risk assessments. 

Data Privacy Regulations in Brazil 

On August 14, 2018, Brazil enacted its data privacy legislation, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados), commonly known as LGPD. This legislation drew inspiration from the European Union’s General Data Protection Regulation (GDPR) and governs the handling of personal data within Brazil. Taking effect on September 18, 2020, after a transitional phase, LGPD applies to both individuals and legal entities that process personal data within the nation. It also extends to the processing of personal data of individuals located within the country, regardless of whether the processing is carried out by entities located beyond its borders. 

Like the GDPR, LGPD requires that entities establish a legal basis for processing personal data. These bases include obtaining explicit consent from the data subject, fulfilling contractual obligations, complying with legal mandates, protecting life or physical safety, exercising rights in legal or administrative proceedings, and pursuing the legitimate interests of the data controller. LGPD also grants data subjects several rights, including access to their personal data, rectification of inaccurate information, data erasure, data portability, and the ability to object to specific data processing activities. 

Organizations that handle substantial data volumes, sensitive information, or consistently monitor data subjects must designate a Data Protection Officer to oversee data protection efforts. The legislation requires organizations to promptly notify both the Brazilian Data Protection Authority (ANPD) and affected individuals in the event of a data breach that jeopardizes the rights and freedoms of data subjects. Cross-border transfers of personal data are permissible, but the transmitting entity must ensure that the recipient country provides an adequate level of data protection; alternatively, organizations can use approved safeguards such as standard contractual clauses or binding corporate rules. Non-compliance with LGPD can entail severe repercussions and penalties.

Data privacy regulations, such as the Brazilian General Data Protection Law (LGPD), exist to set up rules for how personal information can be collected, used, and stored. The goal is to protect people’s rights and privacy. These rules try to find a fair balance between organizations’ need to use personal data and people’s rights to keep their information safe and respected. 

Data privacy regulations like the LGPD have the following key goals:

  • Protecting People’s Rights: These rules safeguard individuals’ rights and freedoms when their data is used. This includes privacy, control over their information, and knowing how their data is used. 
  • Being Transparent: Organizations must be open about data practices. They need to explain why they collect data, what data, how it’s used, and who sees it.
  • Getting Permission: For data privacy, consent matters. Organizations must ask for clear permission before using personal data. Consent should be given freely, and people can change their minds.
  • Giving Control: People get rights with these rules. They can access, correct, delete, limit, and move their data.
  • Being Responsible: Organizations must follow data protection rules. They need security to prevent breaches, and they might have a Data Protection Officer to oversee things.
  • Managing Global Data: These rules cover data moving across borders. Organizations must keep data safe during transfers and respect people’s rights, even when data goes to other countries.

Data privacy rules usually cover different groups involved in handling personal data: 

  • Data Controllers: These can be entities or individuals who decide why and how personal data is used. They need to follow the rules and often collect data directly from people. 
  • Data Processors: These are entities or individuals who work with data for data controllers. They must do as the controller says and ensure data safety. 
  • Data Subjects: These are the people whose personal data is used. Rules give them rights and protection over their data. 
  • Data Protection Authorities: These are government groups that make sure data rules are followed. They guide, investigate complaints, and give penalties for not following the rules.

Enforcement Mechanisms or Penalties for Violations of the Regulations

  • Hefty Fines for Non-Compliance: A significant method of enforcing these regulations is imposing substantial fines on organizations found in breach of data protection standards. The amount is often determined by factors such as the severity of the violation, the number of affected individuals, the type of data involved, the organization’s past compliance history, and the actions taken to address the violation. The fines can reach a maximum of 2% of a company’s annual revenue within Brazil, capped at a total of 50 million Brazilian reais (BRL) per violation. 
  • Providing Guidance and Corrective Measures: When minor or initial rule breaches occur, the ANPD can issue alerts to organizations, prompting them to address the problems. Additionally, the ANPD has the authority to enforce corrective measures, obligating organizations to take specific actions to align their data processing practices with the regulations. 
  • Halting Personal Data Processing: In cases of serious non-compliance, the ANPD can suspend or prohibit organizations from handling personal data. This action can have significant consequences, potentially disrupting the normal operations of the organization.
  • Public Disclosure of Violations: The ANPD is empowered to publicly reveal instances of data protection violations, disclosing the names of involved organizations and details about the violations. This measure can impact an organization’s reputation and encourage them to give higher priority to data protection.
  • Legal Recourse: Individuals who believe their data protection rights have been violated can take legal action against organizations. They have the right to seek compensation for any harm resulting from breaches of the LGPD.

In summary, data privacy rules like the Brazilian General Data Protection Law (LGPD) exist to protect people’s details and ensure that organizations handle them responsibly. These rules grant individuals rights, like understanding how their data is used, correcting mistakes, and requesting data deletion. Organizations have important duties: being transparent about data use, getting permission before using data, and securing it from unauthorized access. Breaking these rules leads to penalties, pushing both people and organizations to value data privacy.