Data Protection and Privacy 2025

SAUDI ARABIA
Law and Practice
Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

1. Legal and Regulatory Framework

1.1 Overview of Data and Privacy-Related Laws

Data protection and privacy issues in the Kingdom of Saudi Arabia (KSA) are governed by a robust set of laws, regulations, policies, procedures, standards and guidelines. The most notable of these laws is the Personal Data Protection Law, issued by Royal Decree M/19, and its amendments (together with the Implementing Regulations, the PDPL), which came into force on 14 September 2023.

Other significant laws and regulations related to the protection and privacy of data in KSA include:

• Telecommunications and Information Technology Law No M/160 of 1443 (the “TCIT Law”);
• Electronic Transactions Law No M/18 of 1428 (the “ET Law”);
• Anti-Cyber Crime Law No M/17 of 1428 (the “ACC Law”); and
• Electronic Commerce Law No 125 of 1440 (the “EC Law”).

Also, in August and September 2024, the Saudi Data & AI Authority (SDAIA) issued several new regulations to enhance and streamline the data privacy framework in KSA. These regulations include:

• regulation on personal data transfer outside KSA;
• rules for appointing a personal data protection officer;
• a data sharing policy;
• elaboration and developing privacy policy guidelines;
• minimum personal data determination guidelines;
• guidelines for binding common rules (BCR) for personal data transfer;
• standard contractual clauses for personal data transfer;
• personal data destruction, anonymisation and pseudonymisation guidelines;
• guidelines on personal data disclosure cases;
• guidelines on personal data-processing activities records; and
• a procedural guide for personal data breach incidents.

The PDPL covers processing of personal data that takes place in Saudi Arabia and that is related to individuals residing in KSA, by any means, and by any party outside KSA. The TCIT Law covers communication services and protection of client and customer data and privacy. The ET Law covers electronic transactions, and the creation and keeping of electronic records, electronic signatures and electronic authentication certificates. The ACC Law addresses cybersecurity crimes and their punishment. The EC Law covers the usage of customers’ data in electronic commerce transactions.

The policies, procedures, standards and guidelines are vast. However, the most relevant to data protection and privacy are:

• general principles for protecting users’ personal data privacy;
• procedures for launching services or products based on a customer’s personal data or regarding the sharing of personal data;
• national data governance policies;
• data management and personal data protection standards;
• general standards for personal data transfer beyond the geographical limits of KSA;
