Comprehensive examination of the implementing regulations of data protection laws in KSA

Update: 2023-12-08 10:45 GMT


The forthcoming article will offer a comprehensive examination of the implementing regulations of data protection laws in KSA, providing insights into the Regulation on Personal Data Transfer Outside the Geographical Boundaries of the Kingdom. Additionally, it will draw a concise comparison with the General Data Protection Regulation (GDPR) to highlight key points of convergence and divergence.

The recently introduced Implementing Regulations for the Personal Data Protection Law entail a thorough analysis of the obligations applicable to all entities, with the exception of those utilizing personal data for personal or familial use.


The regulations meticulously outline the rights of Personal Data Subjects. For instance, upon receiving a request, the controller must respond within 30 days, with possible extensions for complex inquiries. The key rights specified are the right to be informed and the rights of access, data copy, restriction, and destruction. Additionally, consent is crucial for processing: it must be explicit, with the right to revoke it. Consent serves as both the beginning and the end of the data processing journey. The Regulations also cover incapacitated subjects, various data types, processing purposes, and disclosure of personal data.

The controller, overseeing the Personal Data process, bears significant responsibilities to ensure precise execution and safeguard data privacy. The competent authority will regulate entities issuing accreditation certificates to controllers and processors to ensure that individuals are appropriately positioned in their respective roles. The controller’s key obligations include taking essential measures to conceal the identity of the Personal Data Subject (anonymization) and to keep data collection to a minimum. Additionally, the controller must refrain from reproducing official documents identifying the Personal Data Subject, except when requested by a competent public entity or as required by law.

Moreover, verification and inspection procedures ensure regular protection of personal data, allowing Personal Data Subjects to lodge complaints within 90 days; the competent authority will subsequently take the required actions to address the matter.

Furthermore, in September 2023, the Saudi Data and Artificial Intelligence Authority (SDAIA) released the Regulations on Personal Data Transfer Outside the Kingdom.

The Regulations allow the transfer or disclosure of personal data to an entity outside the Kingdom, with the condition that it is restricted to the minimum extent necessary to achieve the intended goal. This transfer or disclosure must not compromise national security, the vital interests of the Kingdom, or violate any other laws within the Kingdom.

The Data Transfer Regulation sets criteria for evaluating and assessing the level of personal data protection outside the Kingdom. These criteria encompass various factors, including the precedence of laws that guarantee the protection of personal data subjects' rights and the preservation of their privacy.

Findings are presented to the Prime Minister and reviewed every four years, or when needed, to keep pace with digital evolution. To ensure that the Regulation covers every possible scenario, it outlines guarantees for data transfers beyond the Kingdom in cases where an adequate level of protection is absent. Additionally, in cases where guarantees aren't feasible, Article 6 of the Regulation authorizes transfer exclusively in specific situations.

Even though the Regulation permits the transfer or disclosure of personal data outside the Kingdom under specific guarantees, in instances where these guarantees are not applicable and the situations mentioned in Article 6 do not apply, such transfers must promptly cease. The controller is then required to re-evaluate the associated risks, particularly in cases where the transfer or disclosure process is deemed to affect national security or the vital interests of the Kingdom.

In addition, Article 8 of the Data Transfer Regulations requires the controller to assess risks linked to transferring data outside the Kingdom. The article specifies criteria for this assessment, covering measures to mitigate identified risks, along with outlining the purpose and legal justification for the transfer or disclosure process.

In conclusion, the Implementing Regulations for the Personal Data Protection Law establish a thorough and precise structure for safeguarding data in Saudi Arabia, eliminating any room for error and ambiguity.

This progress and proactive approach instill heightened confidence in the security of laws, nurturing the growth and safety of communities. The precision and specificity in the regulation are evident through the detailed obligations imposed on the controller, who bears significant responsibilities while directly handling personal data. This level of detail serves to reassure the data subject, fostering a sense of protection and security. In addition, the rights granted to the personal data subject underscore the significance placed on safeguarding their rights, fostering a sense of security and protection ensured by the law.

Regarding the Data Transfer Regulation, its provisions consistently anticipate various scenarios, providing clear courses of action for each possibility. This approach aims to enhance protection during data transfers, with a primary focus on prioritizing the security of the data involved.


The GDPR outlines seven principles that are crucial considerations for the development and implementation of effective data protection laws. The specified principles are as follows: Lawfulness, Fairness, and Transparency; Data Minimization; Purpose Limitation; Accuracy; Storage Limitation; Integrity and Confidentiality; and Accountability. Furthermore, the GDPR has significantly influenced worldwide data protection standards, acting as a blueprint for numerous countries in the formulation or enhancement of their own data protection laws.

The Implementing Regulation of the Personal Data Protection Law incorporates concepts and requirements akin to those found in the GDPR. These include fundamental notions; for example, both regulations outline the procedures for maintaining records of personal data processing activities. Additionally, both regulations emphasize the rights of the personal data subject, underscoring the right to be informed, access information and communication, the right to rectify/correct, as well as the right of destruction/erasure of personal data.

Regarding the distinctions, the Implementing Regulation of the data protection law in KSA provides a more detailed outline of the controller's responsibilities compared to the GDPR. Another notable difference is the timeframe given for controllers to respond to data subject rights. In KSA's regulations, the response is required within 30 days and can be extended for a period not exceeding additional, while under the GDPR, this period can extend up to 3 months.

As highlighted earlier, the GDPR serves as an influential model for data protection laws, forming a foundation for various legislations worldwide. While we've discussed a few distinctions, there exist numerous points of convergence and divergence between the GDPR and the implementing regulations on personal data protection laws in KSA. This reflects the progressive evolution of data protection laws in KSA, evident in the emphasis on clarity, security, community development, and the establishment of elevated standards within the realm of data protection laws.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.


By: Mazen Rasamny

Mazen Rasamny is the Founder of Rasamny Law Firm (2007-present) and Rasma Legal (2021-present), offering legal services that cover mainly UAE, KSA, and Lebanon and in general MENA and GCC. Mazen has also advised clients on Security Token Offerings, Artificial Intelligence, Crypto-currency exchanges, Digital Wallets and deployment of FinTech services globally. Mazen has 23 years of experience as a Corporate or Commercial and technology lawyer. He has significant experience in investments, incorporations, joint ventures, project finance & private equity transactions.

By: Yara Abou Zaki

Yara Abou Zaki is a skilled law graduate with a Master's degree in General and Comparative Law from the Lebanese University. With over a year of legal experience, she excels in litigation, civil law, corporate and commercial law, and criminal law. Yara is a versatile legal professional who has prepared court filings, drafted legal documents, negotiated contracts, and conducted legal research. She is a quick learner and is meticulous with her work. She is fluent in Arabic, French, and English, extending her proficiency to assisting clients in Arabic, French, and English, and handling documents in these languages as well.
