Personal Data Owner Rights under the Saudi Personal Data Protection Law

This is the third EMME Advisory Services® article to help companies in Saudi Arabia prepare for the Personal Data Protection Law (PDPL).  Our first article discussed how the PDPL applies to all companies operating in Saudi Arabia and all types of data used to identify individuals.  Our second article discussed the need for companies to identify their purposes for processing personal data.  This article discusses the rights given to Personal Data Owners and the obligations they place on companies doing business in Saudi Arabia.

What to expect from the PDPL?

The PDPL gives individuals rights to their personal data and requires companies to adopt a privacy policy and notify individuals of their rights.  It also gives individuals the right to make claims against companies that violate the PDPL.

Personal Data Owners

The rights individuals have to their personal data include:[i]

·      knowing the purposes for collecting their personal data,

·      getting access to, and copies of, their personal data,

·      correcting, completing, or updating it, and

·      destroying their personal data when it is no longer needed.

Company obligations

The privacy policy that companies must adopt needs to explain:[ii]

·      why personal data collected

·      the personal data collected,

·      how it is collected, stored, processed, and destroyed,

It must also explain the rights of personal data owners and how they can exercise their rights.

The notice[iii] that companies will have to provide before collecting personal data must also explain:

·      why personal data is collected,

·      which personal data is mandatory or optional,

·      who is collecting it, and

·      with whom the personal data will be shared.

What can companies do now?

To comply with the rights of personal data owners and the requirements of the privacy policy and notice, Companies in Saudi Arabia must first define and explain why they collect personal data.  As discussed in Identifying the purposes for processing personal data, the purposes for collecting personal data must be lawful and directly related to the purposes and objectives of the company.  Examples of valid purposes can include:

·      recruitment and hiring,

·      employee administration,

·      managing supplier relationships,

·      engaging in public relations activities, and

·      cybersecurity purposes.

To provide free copies of personal data[iv] in compliance with Personal Data Owner rights, companies need to understand how personal data is collected and where it is in their systems.  They will also need to develop procedures to allow individuals to correct, update, and delete their personal data or “unsubscribe” or otherwise stop its processing upon request.  At a minimum, companies should identify internal personnel or functions responsible for receiving and processing requests from personal data owners.

Enforcement

Companies that can inform personal data owners of their rights and allow the exercise of their rights will be able to comply with the PDPL and avoid claims for compensation from the personal data owners.[v]

EMME Advisory Services

EMME Advisory Services® (EMME) has the policies, procedures, controls, and training that companies doing business in Saudi Arabia need to comply with the Saudi Personal Data Protection Law.  For more information contactus@emme-advisory.com or visit www.emme-advisory.com.