Saudi Arabia Finalised PDPL Regulations published in Official Gazette
The PDPL represents a comprehensive data protection law, adopting many familiar concepts and rules from the GDPR, including:
- the concept of lawful grounds for processing
- data subject rights
- requirements for the appointment and control of processors
- rules relating to data minimisation and data quality
- data protection impact assessments
- security requirements and data breach notification
- specific rules on processing health data and credit data, and Government-IDs
- specific rules on direct marketing and advertising
- organisational requirements (such as a requirement to appoint a DPO, maintain records of processing, etc.)
The Transfer Regulations cover international transfers of personal data, incorporating the concepts of adequacy, appropriate safeguards and transfer risk assessment, and exemptions where transfers are permitted.
The regulations are available here and here (in Arabic), and the English version here.