Amended Saudi Personal Data Protection Law to come into force in September

  • 4/10/2023
  • 00:00
  • 6
  • 0
  • 0
news-picture

The amended Saudi Personal Data Protection Law (PDPL) will come into force on Sept. 14, 2023. This is 720 days after the publication of the original law in the official gazette in 2021. The executive regulations supplementing the PDPL shall be issued prior to this date, according to sources. The Council of Ministers approved a series of 27 amendments to the law. The new amendments have been implemented via a royal decree issued on March 27. The updated PDPL takes into account some of the amendments that were proposed in a consultation paper issued by the Saudi Data & Artificial Intelligence Authority (SDAIA) in November 2022, although not all of those proposals have been implemented. The amendments introduce several concepts that will align the PDPL more closely to international standards such as the EU General Data Protection Regulation. The amendments included those related to sensitive data and the rights of the owner of personal data, and the periods of exercising the right to access to that data. According to the amendments, controlling party will not be allowed to collect personal data except from its owner. However, there will be some exemptions for this. The amendments also included the need for the controlling authority to adopt a privacy policy and make it available to the owners of personal data for viewing, and not to disclose it except with the consent of its owner. There are also amendments with regard to the leakage of personal data or the need to transfer it outside the Kingdom. The amendments redefined some terms in the law, such as destruction, disclosure, and sensitive data. Article 4 of the law was amended to give the owner of personal data the right to access to his personal data in accordance with the controls and request to obtain it readable and clear. The owner has also the right to request its correction or update, as well as to request to the control authority for the destruction of those data that are no longer needed. The amendment in Article 20 of the law stresses the need for the control authority to notify the competent authority when it is aware of data leakage, damage, or illegal access to it, and to notify the data owner if that leak results in damage to his data or conflicts with his rights or interests.

مشاركة :