SAUDI ARABIA Law and Practice Contributed by: Dana Halwani and Leanne Farsi, Derayah LLPC
determine why and how personal data is pro - cessed (whether they themselves are processing it or whether this is done through a processing entity), may only (with certain exceptions) collect personal data directly from the owner of the data in question, and process such data solely for the purpose for which the data was collected. Privacy policies need to be adopted by control - ling entities and made available to the owners of data. These privacy policies must inform data owners of: • the reason for their data’s collection; • the contents of the personal data that must be collected; • the method of data collection, storage and processing; • the means of deleting the data; and • the rights of the data owner in connection therewith, as well as the manner in which such rights may be exercised. A number of industries are also currently gov - erned by regulations that set out measures to protect data collected in those fields. Examples include the following. • The Health Profession Practice Regulation (Royal Decree No M/59 of 4 Dhul Qada 1426 Hejra corresponding to 6 December 2005), which provides that a medical practitioner must not disclose any confidential information obtained during the course of their work. The regulation lists a few exceptions to this rule, such as a court order requiring disclosure. • Article 5 of the E-Commerce Regulation (Royal Decree No M/126 of 7 Dhul Qada 1440 Hejra corresponding to 9 July 2019), which provides that online merchants may not retain consumer data beyond the period required for an electronic commerce transaction, and that online merchants must adopt the necessary
safeguards to protect consumer data while it is retained. The same regulation prohibits online retailers from the unauthorised disclo - sure and usage of consumer data. 8.2 Geographical Scope The PDPR applies to any processing of the personal data of individuals, carried out in the Kingdom by any means whatsoever, including the processing of personal data relating to indi - viduals resident in the Kingdom, by any means whatsoever, by any entity residing outside the Kingdom. Article 2 (b) of the 2018 E-Commerce Regulation details the provisions and sanctions in place to safeguard the protection of consumer data, and also applies to traders outside Saudi Arabia who provide products or services inside the country by offering them in a manner that enables the consumer to obtain them. 8.3 Role and Authority of the Data Protection Agency Although each government authority supervis - ing an activity is responsible for enforcing its specific data protection rules, the National Data Management Office is the national data regulator of Saudi Arabia, and creates laws, regulations and policies to facilitate the protection of data. The Saudi Authority for Data and Artificial Intel - ligence is the authority which supervises the implementation of the PDPR.
9. Looking Forward 9.1 Upcoming Legal Reforms
One of the key aspects of Saudi Vision 2030, a government programme launched with the goal of diversifying Saudi Arabia’s economy and cul -
732 CHAMBERS.COM
Powered by FlippingBook