To answer the most prominent questions regarding the personal data protection system.
Initially, the system aims to protect individual privacy by regulating the collection, processing, disclosure and retention of personal data.
What personal data the Saudi regulator is keen to protect: any statement, whatever its source or form, would lead to the specific knowledge of the individual, or make it possible to identify him directly or indirectly, including: Name, personal ID number, addresses, communication numbers, license numbers, records and personal property, bank account numbers, credit cards, fixed or mobile photos of the individual, and other personal data.
Who is the competent authority? Saudi Data and Artificial Intelligence Authority oversees the implementation of this system in the first two years. Thereafter, the National Data Management Office oversees its implementation.
What are the sensitive data? Any personal statement that includes a reference to an individual’s ethnic origin, tribal origin, religious, intellectual or political belief or indicates his or her membership in community associations or institutions. as well as criminal and security data, biometric data identifying identity, genetic data, credit data, health data, location data and data indicating that the individual is unknown to the parents or one of them.
The scope of application of the system? The system applies to any processing of personal data relating to individuals conducted in the Kingdom by any means whatsoever, including the processing of personal data relating to individuals residing in the Kingdom by any means whatsoever from any entity outside the Kingdom.
Can personal data be collected without the owner’s consent? No, personal data can be collected only with the owner’s express or implied consent if their collection or processing is required to achieve systemic requirements, meet judicial requirements or fulfil an obligation.
Is there a fixed data retention period? Yes, the retention may be necessary for the specific purposes for which it was grouped or which were not required by the Kingdom’s regulations, regulations and policies only.
Can the entity disclose personal data?
Yes, in certain cases
– If the holder of personal data consents to disclosure in accordance with the provisions of the Regulations.
– If personal data have been collected from a publicly available source.
– If the entity requesting disclosure is a public entity, for security purposes or for the execution of another system or otherwise not meeting judicial requirements in accordance with the provisions established by the Regulations.
– If disclosure is necessary for the protection of health, public safety, the protection of the life of an individual or certain individuals, or the protection of their health.
– If the disclosure is to be processed only subsequently in a manner that does not lead to the identity of the personal data holder or any other individual specifically. ”
Can the entity keep personal data permanently?
The controller must destroy personal data immediately after the purpose of all. However, it may retain such data after the purpose of its collection has expired if everything that leads to the owner’s specific knowledge has been removed.
The controller shall retain personal data even after the purpose of their collection has been completed in the following two cases:
– If there is a systemic reason that must be kept for a fixed period, in which case it shall be destroyed after the expiration of this period or the purpose of its collection, whichever is longer
– If the data relate to a case before a judicial authority.
What are the violations and penalties for violators of the Personal Data Protection System? Maximum penalties of up to two years’ imprisonment, or a fine of up to five million riyals:
– Any person who violates a provision of the Regulations shall be punished by a warning or fine not exceeding 5 million riyals. The penalty may be doubled if the penalty is repeated.
– Anyone who violates the conditions of transfer and disclosure of personal data outside the Kingdom shall be liable to a term of up to one year’s imprisonment and/or a fine of up to 1 million riyals.
Does the Personal Data Protection System apply to entities outside the Kingdom’s geographical scope?
Yes, if third parties process individuals’ data, whether citizens or residents within the Kingdom.
What is the penalty for disclosing or publishing sensitive data?
Anyone who discloses or publishes sensitive data contrary to the provisions of the Regulations shall be liable to a term of up to two years’ imprisonment and/or a fine of up to three million riyals; If it is intended to prejudice the data holder or for personal benefit.
Who is responsible for receiving communications and complaints?
The Saudi Authority for Data and Artificial Intelligence receives all reports and complaints.
– The Personal Data Protection System was promulgated by Royal Decree No. M/19 of 09/02/1443 H. Containing three and four items, – Date of publication: 17/02/1443 H.
* Alert * Personal Data Protection System (PDPS) has been postponed until the date of 1,444/08/25 E. At the end of the trash, attach PDPS for information.
Regulations Link:
https://laws.boe.gov.sa/boelaws/laws/lawdetails/b7cfae89-828e-4994-b167-adaa00e37188/1