Saudi Arabia issues its first standalone data protection law

The law will take effect on 23 March 2022, 180 days after its adoption. There will then be a one year grace period to comply. By Dino Wilkinson and Masha Ooijevaar of Clyde & Co.

The Saudi Government has issued its first comprehensive national data protection law which regulates the collection and processing of personal information. The Personal Data Protection Law (the law) was adopted by Royal Decree M/19 of 9/2/1443H (16 September 2021), approving Resolution No. 98 dated 7/2/1443H (14 September 2021). The law was published in the Official Gazette on 24 September 2021.

The Kingdom of Saudi Arabia is one of the latest countries in the Middle East to enact a standalone data protection law which reflects some of the well-known principles, requirements and best practices in line with international data protection laws, such as the European General Data Protection Regulation (GDPR). Examples include purpose limitation, data minimisation, accuracy and security principles, data subject rights, records of processing activities and impact assessments. However, the law sets itself apart from other data protection laws with the inclusion of unique aspects such as prohibitions on disclosures and limitations on cross-border transfers, the requirement to destroy data under certain circumstances and the application of the law to deceased persons, rather than just living individuals.

Continue reading

International Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.

Subscribe