Saudi Data and Artificial Intelligence Authority

Data Protection
 

The Law protects individuals' personal data, guarantees their rights, and defines the obligations controllers must fulfill to comply with its provisions.

Implementation Scope of the Law:

The Law applies to any processing of personal data involving individuals within the Kingdom and conducted by any means. It also covers processing personal data related to individuals in the Kingdom by any entity outside the Kingdom, regardless of the method used. This includes the data of deceased individuals if it could lead to their identification or that of their family members.

Law Objectives:
  1. Protecting individuals’ privacy.
  2. Establishing controls for the processing of personal data.
  3. Enhancing confidence in electronic transactions.
  4. Reducing detrimental practices when handling personal data.

Statutory Bases for Processing Personal Data in Accordance with the Personal Data Protection Law

  1. Lawfulness/legal basis, fairness, and transparency:
    This includes ensuring that the methods and means of collecting personal data do not conflict with any legally prescribed provisions, are appropriate to the circumstances of the data subject, are direct, clear, and secure, and are free from deception or extortion.
  2. Purpose limitation:
    The purpose of collecting personal data must be directly related to the controller’s objectives and must not conflict with any legally prescribed provisions.
  3. Data minimization:
    The controller must ensure that the content of personal data is limited to the minimum necessary to achieve the purpose of its collection. Additionally, the controller should avoid including data that leads to identifying the data subject when the purpose can be achieved without compromising the validity and integrity of the personal data.
  4. Data retention period:
    The controller must destroy the personal data without delay after the purpose of its collection has been fulfilled.
  5. Personal data protection:
    The controller must implement the necessary organizational, administrative, and technological measures to protect personal data, including during transfer.

Data Subject Rights and the Mechanism for monitoring compliance with the Personal Data Protection Law

Data Subject Rights in accordance with the Personal Data Protection Law:
  1. Right to be informed: This includes informing the data subject of the legal justification for collecting their personal data, the purpose of the collection, the identity and reference address of the data collector, the entities to which the personal data may be disclosed, and their capacity; whether the personal data will be transferred, disclosed, or processed outside the Kingdom, the potential risks and consequences of not completing the data collection process, and the rights of the data subject.
  2. Right to access personal data: This includes requesting a copy of their personal data from the controller in a clear and readable format.
  3. Right to request personal data correction: This includes requesting the correction, completion, or updating of personal data held by the controller.
  4. Right to request the destruction of personal data: The data subject has the right to request that the controller destroy any of their personal data that is no longer needed.
  5. Right to withdraw consent to processing personal data: The data subject may withdraw consent to process their personal data at any time, except in cases stipulated by the Personal Data Protection Law and its implementing regulations.

Mechanism for ensuring compliance with the provisions of the Law

The compliance of entities covered by the Law is periodically evaluated through the National Data Governance Platform after the grace period ends. This evaluation is based on specific standards and requirements designed to monitor their compliance level, ensure the effectiveness of the measures they have implemented to comply with the Law and its implementing regulations, and identify and rectify any improper practices.

National Data Governance Platform

A national e-platform for data governance that offers a suite of e-services aimed at protecting data as a national asset and securing individuals' rights from abuses and illegal violations.

What does the platform offer?

It offers a range of supporting services and tools:
  1. Privacy Impact Assessment
  2. Legal Support
  3. Personal Data Breach Notification
  4. Reports and Complaints
  5. Contact Us
  6. Compliance Self-Assessment Tool
  7. A tool designed to guide organizations in determining whether it is mandatory to appoint a Personal Data Protection Officer
 
Features
  1. Provide tools and mechanisms that enable entities to comply with the provisions of the Law easily and effectively.
  2. Provide support and advice to enhance the compliance level of entities with the Law. 
  3. Enable individuals to file complaints against those who violate the Personal Data Protection Law.
 
Objectives
  1. Preserve the privacy of individuals and enable them to exercise their rights when their personal data is processed.
  2. Contribute to the protection of data as a national asset from leaks and breaches.
  3. Enhance national data sovereignty and maintain the privacy of individuals when their personal data is processed outside the Kingdom.
  4. Build a national register of controllers.
  5. Enhance confidence in trading and commercial transactions in the Saudi market through the governance of national data that protects individuals' rights.

Content published regarding the Personal Data Protection Law and the Freedom of Information Policy

Data Protection Policy
# | Content | Type | Beneficiaries
1 | PDF document including the articles of the Personal Data Protection Law | SDAIA Website | Available to the General Public
2 | NDI | SDAIA Website | Available to the General Public