Opinion

Saudi Arabia Finalised PDPL Regulations published in Official Gazette

Published Date
Sep 21, 2023
Authored by
  • Image
    Nigel Parker
On 7 September 2023, the Saudi Data & Artificial Intelligence Authority (SDAIA) published the (i) Implementing Regulations of the Personal Data Protection Law (PDPL) and (ii) Regulation on Personal Data Transfer outside the Geographical Boundaries of the Kingdom (Transfer Regulations).

The PDPL represents a comprehensive data protection law, adopting many familiar concepts and rules from the GDPR, including:

  • the concept of lawful grounds for processing

  • data subject rights

  • requirements for the appointment and control of processors

  • rules relating to data minimisation and data quality

  • data protection impact assessments

  • security requirements and data breach notification

  • specific rules on processing health data and credit data, and Government-IDs

  • specific rules on direct marketing and advertising

  • organisational requirements (such as a requirement to appoint a DPO, maintain records of processing, etc.)

The Transfer Regulations cover international transfers of personal data, incorporating the concepts of adequacy, appropriate safeguards and transfer risk assessment, and exemptions where transfers are permitted.

The regulations are available here and here (in Arabic), and the English version here.

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger

Related capabilities

Data privacy and data protectionAdvisory and regulatory

About the
authors

Image

Nigel Parker

Partner

Tokyo

Nigel specialises in intellectual property, technology and data.

His experience covers all stages of the product life cycle,...