Saudi Arabia’s New Personal Data Protection Law: Key Considerations for Employers
Technology, Media & Telecoms Focus
In an era of transformative economic strategies, the Kingdom of Saudi Arabia (“KSA”) is steadfastly advancing towards achieving its Vision 2030 objectives.
Law Update: Issue 368 - Technology, Media & Telecoms Focus
Mohsin Khan, Partner, Employment & Incentives
Hayat Rafique, Associate, Employment & Incentives
Zeina Albuainain, Associate, Digital & Data
Another significant part of these reforms is the set of changes introduced to the KSA’s personal data framework. The Saudi Data & Artificial Intelligence Authority (“SDAIA”) published the KSA’s new Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443H and amended by Royal Decree No. (M/148) dated 5/9/1444H (“PDPL”), which officially came into effect on 14 September 2023. Data controllers have a 12-month ‘grace period’ to ensure that their processing activities are compliant and in order by 14 September 2024. The PDPL applies to all personal data processing undertaken in the KSA, and extends to personal data processing undertaken outside the KSA in respect of data subjects in the KSA.
The PDPL introduces a number of data processing principles which are broadly similar to principles found in other established data protection frameworks. One of these principles is that personal data must be processed ‘lawfully’. In this regard, the PDPL prohibits the collection/processing of personal data without the data subjects’ consent, unless certain exemptions (i.e., a ‘legal basis’) can be relied upon in order to lawfully collect, use, store or otherwise process personal data.
In this article, we look at some of the data protection requirements that employers will need to adhere to in order to comply with the PDPL.
Employers are data controllers in respect of the employee data they hold. It will be important to ensure that employers are lawfully processing data. This includes having to be transparent about the data collection/processing, and ensuring its legitimacy.
In terms of transparency, employers may need to update their employment contracts to ensure that the contractual provisions allow them to operate in compliance with the PDPL. On legitimacy of processing, in most cases, unless the data processing activity is strictly necessary to perform the employment contract (in which case the legal basis of ‘contract performance’ can be relied upon), employers may need to either obtain consent or rely on a legitimate interest to process employee data:
Consent: The consent of the data subject is an important legal basis for personal data processing; it must be provided freely and without the use of misleading methods. The processing purposes must be explained to the data subject in a way that is clear and specific, and there is a requirement to obtain independent consent in respect of each purpose of processing. Employers may need to obtain employees’ consent for certain processing activities, although this will typically only be appropriate in certain circumstances, depending on the data processing activity.
Importantly, the PDPL grants data subjects (i.e., employees) the right to withdraw their consent to the processing of their personal data at any time. The PDPL’s Implementing Regulations set out the procedure that must be followed to enable data subjects to exercise this right. Employers should explain the implications of withdrawing such consent to employees and the impact it may have on day-to-day operations (for example, how it may affect the provision of certain employee benefits).
Legitimate Interest: When relying upon the legitimate interest lawful basis for processing personal data, employers must adhere to specific conditions which are set out in the Implementing Regulations of the PDPL. Importantly, one of those conditions is that such processing must not include Sensitive Data. Employers may need to obtain explicit consent from employees for processing their health data, biometric data, or data revealing their racial or ethnic origin (essentially, ‘Sensitive Data’).
Of particular relevance for multinational employers who seek to transfer data outside the KSA to streamline their operations, there are certain restrictions on the transfer of personal data outside the KSA; in particular, cross-border data transfers will only be permitted subject to satisfying a number of conditions. First, the transfer must be for one of the permitted purposes under the PDPL; these include, for example, where the transfer is necessary to ‘implement an obligation to which the data subject is a party’. Second, the transfer of personal data outside the KSA will only be permitted if the recipient country has been granted ‘adequacy status’ (i.e., it is deemed to have an adequate level of protection for personal data), or if the transfer is otherwise based on a transfer mechanism (these include established concepts such as Standard Contractual Clauses and Binding Corporate Rules).
The PDPL’s framework on cross-border data transfers is currently not yet fully implemented; employers should continue to monitor developments in this regard, and in all cases review their current processes to ensure compliance with the relevant PDPL provisions.
Under the PDPL, employers will be required to implement a privacy policy and make it available to data subjects prior to the collection of their personal data. The PDPL sets out the minimum information that should be included in the privacy policy, including the purpose of collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed, how it will be destroyed, the rights of its owner in relation to it, and how these rights will be exercised.
Employees should be provided with a privacy notice that explains the purpose and legal basis on which their data is processed, as well as containing the information required under the PDPL.
Similar to other jurisdictions, the PDPL gives data subjects the right to request access to their personal data by submitting a written request to the data controller. The data controller must respond to the request and provide the requested information free of charge within 30 days of receiving it. If the data controller is unable to respond within 30 days, they must provide the data subject with a reason for the delay and a new deadline for responding.
It is important that the data controller does not provide access to personal data if doing so is likely to cause harm to the data subject or to others (e.g., the request may be refused if it is likely to jeopardize an investigation).
If the data controller refuses to provide access to personal data, they must provide the data subject with a reason for the refusal and the data subject may appeal the refusal to the SDAIA.
The KSA Labour Law requires employers to keep certain workplace records, but it is silent on the specific period for which the relevant employment records must be retained.
There are no specific retention periods provided under the PDPL, but the data should not be kept longer than necessary. Once the purpose for the collection of the data has been completed, the data should be destroyed without undue delay, unless there is a legal basis to retain the data for a specific period (e.g., due to litigation).
Failure to comply with PDPL requirements could result in monetary fines reaching up to SAR 5,000,000 (US$1,333,000) and, in certain cases, imprisonment of up to two years. The competent court may double the penalty in cases of repeated violations. The enforcement provisions under the PDPL will be effective from September 2024.
Compliance with the requirements under the new PDPL is crucial to ensure that employers operate compliantly and without disruption to their operations in the KSA.
All employers operating in KSA, or processing the data of individuals based in the KSA, should review their data processing activities and implement any required changes to ensure compliance with the PDPL. This would include a review of their employment contract terms as well as data privacy policy, and also considering the basis for their data processing and transfer requirements.
Al Tamimi & Company’s Employment and Digital & Data teams have lawyers based in Saudi Arabia who advise on the full range of employment and data & digital related matters and issues, including in respect of the new PDPL compliance requirements. We are committed to guiding our clients through this evolving regulatory landscape, ensuring that they are well-positioned to benefit from the opportunities presented by the KSA’s dynamic and evolving economy.
For further information, please contact Hayat Rafique and Zeina Albuainain.
Published in May 2024