Data Protection and Privacy 2025

SAUDI ARABIA Law and Practice Contributed by: Alex Saleh, Asad Ahmad, Shahad Al Humaidani and Khaled Al Khashab, GLA & Company

• children’s and incompetents’ privacy protection policy; and
• guidelines and specifications on data management governance and personal data security.

As mentioned, the PDPL and its corresponding Implementing Regulations entered into force on 14 September 2023. Data controllers, however, had a one-year grace period (ie, 14 September 2024) to comply with the PDPL.

1.2 Regulators

The SDAIA is the regulatory body empowered to supervise and enforce the implementation of the PDPL in Saudi Arabia, for at least the first two years following promulgation. Consideration will be given to transferring supervising regulations and the application of the PDPL to the National Data Management Office (NDMO), the regulatory subdivision of the SDAIA.

The Communications, Space and Technology Commission (CSTC, or the “Commission”) is responsible for the enforcement of both the TCIT Law and the ET Law.

The Ministry of Commerce (MoC) is responsible for the enforcement of the EC Law.

The National Cybersecurity Authority (NCA) is responsible for the enforcement of the ACC Law. Violations are reported to the Public Prosecution Office, which takes the necessary action to prosecute violators.

1.3 Enforcement Proceedings and Fines

In respect of both the TCIT Law and the ET Law, CSTC inspectors investigate, examine and collect allegations of violations of the provisions of the TCIT Law. Inspectors are tasked with inspecting sites of suspected violators of the TCIT Law and with gathering evidence in support of their investigations. Suspected violators may appeal a decision issued against them before the Administrative Court, in accordance with the Law of Procedure before the Board of Grievances.

Under the ACC Law, potential penalties for the violation of any of its articles range from imprisonment of up to ten years to fines of up to SAR5 million.

The SDAIA is currently the competent authority and regulator in charge of administering the enforcement of the PDPL. Unless the SDAIA provides exceptional approval, a data subject must submit a complaint within 90 days of an alleged incident to the SDAIA. Complaints must specify:

• the place and time of the alleged violation;
• the name, identification, address and telephone number of the complainant;
• relevant identifying information about the entity that the complainant is lodging the complaint against;
• a clear and specific description of the violation (together with any evidence and information provided with the complaint); and
• any other requirements that may otherwise be specified by the SDAIA.

The SDAIA is tasked with taking the necessary measures regarding processing and decisions related to any complaints as well as informing the complainant of the outcome.

1.4 Data Protection Fines in Practice

The PDPL has been in full effect since 14 September 2024, after the elapsing of the grace period mentioned in 1.1 Overview of Data and Privacy-Related Laws. The PDPL establishes a framework for data protection within KSA, outlining specific penalties for non-compliance. Notably, the PDPL prescribes fines of up to SAR3 million and potential imprisonment for up to two

CHAMBERS.COM