This is the second EMME Advisory Services® article to help companies operating in Saudi Arabia prepare for Saudi’s Personal Data Protection Law (PDPL). This article shares our thoughts on the PDPL’s requirements to identify the purposes for processing personal data.
What to expect from the PDPL?
When the PDPL goes into effect next year, companies in Saudi Arabia will have to identify and define their purposes for collecting personal data. The PDPL establishes the need for companies to specify their purposes for collecting personal data in:
· the rights of personal data owners,
· the requirements placed on the use of personal data, and
· obligations placed on companies that collect and use personal data.
The PDPL gives individuals, or personal data owners,[i] the right to be told how their personal data will be used[ii] and requires their consent to the processing purposes.[iii] It also prohibits companies from using personal data for any reason other than the purposes for which it was collected.[iv] So, for example, a company that collects personal data from applicants for employment purposes may not use that same personal data for marketing purposes.
The PDPL requires companies to:
· adopt a personal data privacy policy[v] that includes the purpose for collecting personal data,[vi]
· notify personal data owners of the purpose for collecting their personal data before collection, [vii] and
· keep records of their personal data processing activities that include the purposes for processing personal data.[viii]
The collection purposes must be lawful and directly related to the business objectives of the company collecting it.[ix] For example, companies that provide health care services need health and other sensitive data to provide health care services to their patients. Likewise, financial service providers require Credit data and other sensitive data to provide financial services to their clients and customers.
The content of personal data collected must be appropriate and limited to the minimum amount of data necessary to achieve the collection purpose[x] and destroyed as soon as its purposes for collection have been completed.[xi]
The PDPL also imposes specific requirements on processing for promotional or awareness purposes,[xii] marketing purposes,[xiii] and scientific, research, or statistical purposes.[xiv]
What can companies do now?
To define the purposes for processing personal data, companies in Saudi Arabia should start evaluating how their use of personal data relates to their business purposes and objectives.
How is your company using personal data
The PDPL requires companies to only use personal data that is necessary to achieve specified purposes and objectives. For example, as mentioned above, companies that provide healthcare services and financial services need to use sensitive data to provide healthcare and financial services to their patients, clients, and customers.
Even companies that are not service-based require personal data to achieve their purposes and objectives. For example, the recruitment, hiring, and administration of employees require the collection and processing of personal data for the purposes of:
· identifying, screening, assessing, and selecting applicants for employment,
· relocating or mobilizing applicants into the workforce,
· creating employment agreements and distributing salaries,
· managing work schedules and advancement,
· administering health and personnel benefits, and
· complying with other governmental requirements.
Companies that operate secure facilities may require personal data for security and visitor management purposes. Companies may also require personal data:
· to manage their supplier relationships,
· to engage in public relations activities, and
· for cybersecurity purposes.
Companies should also identify whether they need to process personal data for promotional or awareness purposes,[xv] marketing purposes,[xvi] and scientific, research, or statistical purposes.[xvii]
Companies that can identify and define their purposes for collecting and processing personal data today will be able to:
· determine the minimum amount of personal data required for their purposes and
· establish the personal data collection, processing, and destruction procedures that the PDPL will require.
EMME Advisory Services
EMME Advisory Services® (EMME) has the policies, procedures, controls, and training that companies doing business in Saudi Arabia need to comply with the Saudi Personal Data Protection Law. For more information contactus@emme-advisory.com or visit www.emme-advisory.com.
[i] Article One, Personal Data Protection Law (PDPL) – Personal Data Owner: An individual to whom the personal data belongs, his representative, or whoever has legal guardianship over him.
[ii] Article Four, PDPL – a personal data owner shall have . . . the right to be informed . . . of the valid legal or practical justification for collecting his personal data, and the purpose thereof.
[iii] Article Five, PDPL – personal data may not be processed or the purpose of processing it changed without the consent of its owner.
[iv] Article Four, PDPL – his data should not be processed later in a manner inconsistent with the purposes for which it is collected.
[v] Article Twelve, PDPL – The controlling entity must adopt a personal data privacy policy.
[vi] Article Twelve, PDPL – This policy shall include the purpose of its collection.
[vii] Article Twelve, PDPL – make [the privacy policy] available to personal data owners to review it before collecting their data. This policy shall include the purpose of its collection; Article Thirteen, PDPL – The controlling entity must – in the case of collecting personal data directly from its owner – use adequate means to inform him of . . . the purpose of collecting his personal data.
[viii] Article Thirty-One, PDPL.
[ix] Article Eleven, PDPL – The purpose of collecting personal data must be directly related to the purposes of the controlling entity, and not conflict with any provision of law.
[x] Article Eleven, PDPL – The content of the personal data must be appropriate and limited to the minimum necessary for achieving the purpose of collecting it.
[xi] Article Eleven, PDPL – If it becomes clear that the personal data collected is no longer necessary for achieving the purposes of its collection, the controlling entity must stop collecting it and immediately destroy the data that is has previously collected.
[xii] Article Twenty-Five, PDPL – the controlling entity may not use personal means of communication . . . of the personal data owner in order to send promotional or awareness materials, except in accordance with the following: 1. it shall obtain the consent of the target recipient to sending these materials to him; 2. The sender of the material shall provide a clear mechanism . . . that enables the target recipient to express his wish that the sending thereof to him is stopped when he so wishes.
[xiii] Article Twenty-Six, PDPL – personal data may be processed for marketing purposes, if it is collected directly from its owner and he agrees hereto in accordance with the provisions of the Law.
[xiv] Article Twenty-Seven, PDPL – Personal data may be collected or processed for scientific, research or statistical purposes, without the consent of its owner, in the following cases: 1. if the personal data does not specifically indicate the identity of its owner, 2. if everything indicating the identity of the personal data owner specifically will be destroyed during its processing and before disclosing it to any other party, and such data is not sensitive data, 3. if the collection or processing of personal data for these purposes is required by another law or in implementation of an earlier agreement to which its owner is a party.
[xv] Article Twenty-Five, PDPL – the controlling entity may not use personal means of communication . . . of the personal data owner in order to send promotional or awareness materials, except in accordance with the following: 1. it shall obtain the consent of the target recipient to sending these materials to him; 2. The sender of the material shall provide a clear mechanism . . . that enables the target recipient to express his wish that the sending thereof to him is stopped when he so wishes.
[xvi] Article Twenty-Six, PDPL – personal data may be processed for marketing purposes, if it is collected directly from its owner and he agrees hereto in accordance with the provisions of the Law.
[xvii] Article Twenty-Seven, PDPL – Personal data may be collected or processed for scientific, research or statistical purposes, without the consent of its owner, in the following cases: 1. if the personal data does not specifically indicate the identity of its owner, 2. if everything indicating the identity of the personal data owner specifically will be destroyed during its processing and before disclosing it to any other party, and such data is not sensitive data, 3. if the collection or processing of personal data for these purposes is required by another law or in implementation of an earlier agreement to which its owner is a party.