🇸🇦 Saudi Arabia
Information
Extracts :
Extract :
"Personal data: Under the PDPIR, 'personal data' is defined as any element of data, regardless of source
or form, which independently or when combined with other available information could lead to the
identification of a person including but not limited to: first name and last name, Saudi national ID number,
address, phone number, bank account number, credit card number, health data, and images or
videos of that person. Under the PDPL, 'personal data' is defined as every data, of whatever source or
form, that would lead to the identification of the individual specifically, or make it possible to identify
them directly or indirectly, including: name, personal identification number, address, contact number, license
number, records, personal property, bank account and credit card numbers, fixed or moving pictures
of the individual, and other data of personal nature."
Extract :
No mention of the subject right related to citizens outside their jurisdiction
Extract :
Article 2(1): The PDPL applies to any processing of personal data related to individuals in the Kingdom by any means, including processing personal data related to individuals residing in the Kingdom by any means from any party outside the Kingdom, inclusive of personal data of deceased persons, if such data is capable of identifying him/her or a member of their family
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL includes similar core concepts as the GDPR and refers to data controllers, data processors, and data subjects. Like the GDPR, the PDPL also includes public bodies within its scope. The GDPR and the PDPL differ, however, in that the latter does not refer to the nationality or place of residence of data subjects and does not exclude the personal data of deceased persons from its scope. Moreover, the definition of 'data subject' in the PDPL extends to the representative or legal guardian of the person to whom the personal data relates."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL does not explicitly refer to goods and services from abroad."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Section 2: 'Data owner' is any physical person or legal entity having a legal domicile or local offices or branches in the country, whose data are subject to the processing referred to in the Act."
2021
Reference :
Argentina Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Data controller: Under the PDPIR, 'data controller' is defined as any entity or any natural or legal person,
that collects personal data from a data subject and carries out the processing of that personal data,
directly or indirectly, through a processor, pursuant to a legal basis. Under the PDPL, there is no definition
of 'data controller'. However, the PDPL defines a 'controlling entity' as any public entity, and any
person of private natural or legal capacity, that specifies the purpose and manner of processing personal
data, whether they process the data by themselves or by a processing entity.
Data processor: Under the PDPIR, 'data processor' is defined as any independent governmental or
public entity, or any natural or legal person, which engages in the processing of personal data, on behalf
of a data controller, pursuant to a legal basis. Under the PDPL, there is no definition of 'data processor'.
However, the PDPL defines a 'processing entity' as any public entity and any private natural or legal person,
that processes personal data for the benefit of, and on behalf of, the controlling entity."
Extracts :
Extract :
"The PDPL does not explicitly refer to monitoring from abroad."
2023
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The Law also identifies a sub-category of Personal Data of a more sensitive nature that must be afforded a greater degree of protection (or Sensitive Data). This includes Personal Data that includes a reference to an individual's:
ethnic or tribal origin
religious, intellectual or political beliefs
membership in civil associations or institutions
criminal and security data
bio-identifying and genetic data
health data
credit data
location data
data that indicates that one or both of the individual's parents are unknown"
2021
Reference :
Saudi Arabia: Personal Data Protection Law Enacted
Information on Saudi Arabia Data protection | BakerMckenzie
Link to reference Extracts :
Extract :
"A PIC must make the following items readily accessible to each principal:
name of the PIC;
purpose of utilization of personal information retained;
the procedure for the principal to require access, correction, etc. of their personal data;
where to complain about the PIC's handling of personal data;
whether the purpose of utilization of the personal information it handles includes 'profiling';
the address of the PIC;
the name of the representative person of the PIC; and
the security measures taken by the PIC to protect personal information retained (including that a person has been appointed to be responsible for controlling how personal information is handled and that the scope of personal information to be handled by staff has been clarified)."
2023
Reference :
Japan Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
This is absent based on the present time.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Article 35(1): Without prejudice to a more severe penalty in another law, the penalty for committing the following violations shall be stated opposite to them: (a) the penalty in relation to disclosure or publication of sensitive personal data may include imprisonment for up to two years and/or a fine not exceeding SAR 3 million (approx. €726,000); and (b) The penalty in relation to violations of the data transfer provision in Article 29 of the PDPL may result in imprisonment for up to one year and/or a fine not exceeding SAR 1 million (approx. €242,000). Article 36(1): […] For violations of other provisions of the PDPL, penalties are limited to a warning notice or a fine not exceeding SAR 5 million (approx. €1,211,390). [Note: Fines may be increased to up to double the stated maximums for repeat offences.]"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
Does not exist as per present time.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Article 34: The data subject may file any complaint arising from the application of the Law and the Regulations with the competent authority. The Regulations specify the controls for the competent authority's handling of complaints filed by data subjects."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Unlike the GDPR, the PDPL does not make explicit reference to either anonymisation or pseudonymisation."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Article 20(2): The regulations shall determine in which circumstances controllers must inform data subjects of a security breach of their personal data. However, where such a breach may cause serious harm to the individual or their personal data, controllers must inform them immediately of the breach."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Article 20(1): The controlling entity shall notify the competent authority as soon as it becomes aware of a data security breach."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL does not provide for processor notification of data breaches."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"Under the PDPIR, data subjects have the right to withdraw consent at any time unless statutory or judicial requirements require otherwise."
Extracts :
Extract :
"The right to data portability is not clearly tackled under the current regulations. We anticipate seeing this introduced once the Implementing Regulations of the PDPL are released."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
Neither the PDPIR nor the PDPL specifically address rights in relation to automated decision-making."
Extracts :
Extract :
"8.1. Right to be informed
Under the PDPIR, data subjects have the right to be informed of the legal basis and purpose for the collection
and processing of their personal data."
Extracts :
Extract :
"8.2. Right to access
Under the PDPIR, a data subject has the right to access their personal data within the possession of the
data controller, including access to, request to correct, complete, or update personal data, request to
destroy unnecessary data, and get a copy of such data in a clear format."
Extracts :
Extract :
"8.3. Right to rectification
Regarding the PDPIR, please see section on the right to access above.
Under the PDPL, the data subjects have the right to request correction, completion, or updating of their
personal data available to the data controller."
Extracts :
Extract :
"8.4. Right to erasure
Regarding the PDPIR, please see section on the right to access above.
Under the PDPL, the data subjects have the right to request destruction of their personal data available
to the data controller, which is no longer needed, without prejudice to the provisions of Article 18 of the
PDPL. Article 18 of the PDPL addresses scenarios where the data controller may retain personal data."
Extracts :
Extract :
"Article 28 of the Amended Draft introduces the concept of adequacy, allowing personal data to be transferred to a recipient in a jurisdiction which ensures appropriate protection of personal data and the rights of individuals. The Amended Draft also introduces a number of other grounds for transferring personal data outside the Kingdom, notably if the transfer is carried out in performance of an obligation of the data subject, which appears similar to contractual necessity under the GDPR. However, other commonly relied-upon transfer mechanisms/derogations under international privacy laws, such as standard contractual clauses and data subject consent are not included. The transfer provisions in the Amended Draft represent the most significant change to the PDPL. The existing PDPL imposes strict data localization which requires Competent Authority approval to transfer personal data in the vast majority of cases, and allows possible imprisonment for non-compliance with transfer restrictions. Alongside the updated transfer provisions, the Amended Draft excludes possible imprisonment for non-compliance with transfer restrictions."
2022
Reference :
"Saudi Arabia Issues Amended Data Protection Law for Consultation"
Information on Saudi Arabia's data protection | International data transfer
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
"The PDPL does not explicitly require consultation with the competent authority."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The DPO requirements under the GDPR are similar to those of the PDPL, although the GDPR is more detailed and sets out a list of tasks to be undertaken by the DPO as well as notification requirements."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL does not specify DPO qualifications."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL does not make express reference to DPO tasks, however Article 30(2) provides that the Regulations shall set out further provisions relating to the appointment of a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"The PDPL does not explicitly reference group appointments."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"At the time of writing, there is no such requirement."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"The PDPL does not specify exceptions to the breach notification requirement."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - SAU
Extracts :
Extract :
"It is envisaged that, in line with the GDPR, there might be SDAIA administrative exemptions for organisations with fewer than 250 employees."
2022
Reference :
Saudi Arabia: Data Protection Legislation
Information on Saudi Arabia Data protection
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Saudi Arabian General Investment Authority (SAGIA) | | Regulator | Under the government authority | 2000 |
| Saudi Arabian Monetary Authority (SAMA) | | Regulator | Under the government authority | 1952 |
| Communications and Information Technology Commission (CITC) | | Regulator | Under the government authority | |
| General Authority for Competition (GAC) | | Regulator | Under the government authority | |
| Ministry of Commerce and Investment | | Regulator | Ministry | 1954 |
| Ministry of Culture and Information | | Regulator | Ministry | 2018 |
| National Data Management Office (NDMO) | NDMO | Regulator | Under the government authority | 2020 |
| Saudi Authority for Data and Artificial Intelligence (SDAIA) | SDAIA | Regulator | Under the government authority | 2019 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| PDP Law | Personal Data Protection Law (PDPL), Personal Data Protection Interim Regulations (PDPIR) | General privacy/data protection law | 2021 | Active | 2021 | 2022 | Transfer, breach, bases, penalties, others | 2023 |