The Personal Data Protection Law of Saudi Arabia (PDPL) was published in the Official Gazette on September 24, 2021(G). The PDPL gives "Data controllers" 18 months, or until March 23, 2023(G), to come into compliance with the provisions of the law.

   Because summaries of the new law can already be found here and here, this article focuses on the practices Saudi Arabian employers might adopt to process employee personal data in compliance with the PDPL. Until the Executive Regulations provide additional guidance, this article proposes solutions consistent with the international data protection laws and best practices reflected in the PDPL.

How does the PDPL apply to Saudi employers?

    During the 18-month implementation period, Cabinet Resolution 98 requires controlling entities (entities that specify the purpose and manner of processing personal data) to "take the necessary measures to hold work sessions and the like for its employees or workers, to introduce the terms and principles contained in the Law after it enters into force."

    The PDPL applies to any processing of personal data in the Kingdom of Saudi Arabia and the processing of personal data of individuals residing in the Kingdom by entities outside the Kingdom of Saudi Arabia. Thus, the processing of employee information by employers in Saudi Arabia and the processing of personal data of employees living in Saudi Arabia are subject to the requirements of the PDPL.

Privacy Policy

   Article 12 of the PDPL contains the requirements for Personal Data Protection Policies. It requires controlling entities to adopt a personal data protection policy that includes:

  • the purposes for collecting personal data
  • the methods for collecting personal data
  • the means for storing personal data
  • how personal data will be processed
  • how personal data will be destroyed
  • the personal data owners’ rights under the PDPL, and
  • how the personal data owner can exercise their rights

   A Personal Data Policy informs employees, officers, and directors, of a company’s commitment to comply with the PDPL and tells them how to process Personal Data in compliance with the PDPL. In addition to the requirement to adopt a personal data protection policy, it has become a best practice to make the personal data protection policy available on public-facing websites.

Notice and Consent

   Articles 5, 12, 13, and 4 of the PDPL define the requirements for notice and consent. Except for the cases stipulated by Law, Article 5 generally prohibits the processing of personal data without the personal data owners’ consent and prohibits controlling entities from conditioning the provision of a service or benefit on that consent. Article 12 specifically requires controlling entities to make their personal data protection policy available to personal data owners before collecting their data. In addition to the elements contained in the personal data protection policy, Article 13 also requires controlling entities to inform personal data owners of:

  • the valid legal or practical justification for collecting their personal data
  • the identity and address of the person collecting their personal data
  • with whom the personal data will be shared
  • the effects of not completing the personal data collection procedure, and
  • other elements to be defined in the Executive Regulations

Finally, Article 4 defines the rights of personal data owners, which includes the elements listed in Article 13, as well as the right:

  • to have their personal data protected
  • to access, correct, withdraw, and destroy their personal data, and
  • other rights to be defined by the Executive Regulations

   Employers should provide employees with a Personal Data Notice that contains the information required by Articles 12, 13, and 4 of the PDPL. To demonstrate the consent required by Article 5, it is a good practice to obtain written consent from new employees before collecting their personal data. For existing employees, it would be a good practice to obtain written consent as part of an annual or periodic certification process. It has also become a common practice to demonstrate consent by requiring the clicking of an accept button before collecting personal data online.

Additional requirements

   In addition to published policies, notice, and consent, the PDPL adopts several internationally recognized principles that controlling entities must follow to collect and process personal data in Saudi Arabia or from residents of Saudi Arabia. Article 11 provides that controlling entities:

  • may only collect personal data that is directly related to defined purposes
  • must use clear methods for collecting personal data that is not misleading or deceptive
  • may only collect personal data that is appropriate and limited to the minimum necessary to achieve the defined purposes, and
  • must stop the collection of personal data and destroy it after the defined purpose has been completed

   Various provisions of the PDPL also require controlling entities to:

  • take steps to verify the completeness, up-to-dateness, and relevance to the purpose of personal data (See Article 14)
  • take organizational, administrative, and technical measures to ensure the preservation of personal data, including when transferred (See Article 19)
  • notify the competent authority as soon as it becomes aware of a breach involving personal data (See Article 20)
  • respond to personal data owner requests regarding their rights (See Article 21)
  • evaluate the consequences of processing personal data according to the nature of the activity (See Article 22)
  • obtain approval to transfer personal data outside the Kingdom of Saudi Arabia (See Article 29), and
  • keep records of personal data processing activities (See Article 31)

   To completely cover the requirements of the PDPL, the high-level Personal Data Policy and notice should also be supported by detailed procedures that establish the guidelines and procedures for:

  • collecting and processing personal data,
  • sharing personal data, and
  • responding to a breach of personal data.

EMME

   EMME has developed the Personal Data Protection Policy, notices, and consents that meet the requirements of the PDPL by addressing:

  • Collection of Personal Data,
  • Accessing and Correcting Personal Data,
  • Processing Parties,
  • International Transfers,
  • Retention,
  • Withdrawing Consent, and
  • Processing Purposes

   EMME has also developed a comprehensive Personal Data Protection program to comply with the full requirements of the PDPL.

  1. 1.Personal Data Protection Policy
    1. Collecting and Processing Personal Data Procedure
      1. Record of Processing Activity
      2. Applicant and Employee Notice Form
      3. Applicant and Employee Consent Form
      4. Supplier Notice Form
      5. Commercial Notice Form
      6. Commercial Consent Form
      7. Website and Cookie Policy
      8. Website Cookie Banner
    2. Sharing Personal Data Procedure
      1. Personal Data Sharing Agreement
    3. Personal Data Breach Response Procedure
    4. On-Line Personal Data Protection Training

   Before establishing EMME, Granville Collins was responsible for building the Saudi Aramco programs necessary to comply with international regulatory compliance obligations, business partner requirements and expectations, and the Kingdom's developing regulatory regime. With the access, observations, and knowledge from twenty years of working for Saudi Aramco in Saudi Arabia, EMME has developed a deep understanding of the operational needs for compliance in the Middle East. For more information contactus@emme-advisory.com.