SA-PDPL-2021 · المملكة العربية السعودية
Saudi Personal Data Protection Law (Royal Decree M/19)
نظام حماية البيانات الشخصية
- श्रेणी
- Data
लेख
⚠ AI-जनित सारांश — यह कानून का आधिकारिक पाठ नहीं है और गलत हो सकता है। कानूनी सलाह नहीं; आधिकारिक स्रोत से परामर्श करें।
المادة 1
Article One The following terms and phrases, wherever mentioned in this Law, shall have the meanings assigned thereto, unless the context requires otherwise: Kingdom: The Kingdom of Saudi Arabia. Competent Authority: Saudi Data and Artificial Intelligence Authority (SDAIA), or any other authority determined by a Royal Order. Controller: Any public or private entity or individual that controls personal data processing, whether alone or jointly with others. Processor: Any public or private entity or individual that processes personal data on behalf of the Controller. Data Subject: The natural person to whom the personal data relates. Personal Data: Any data—regardless of its source or form—that leads to identifying a natural person specifically, or that makes it possible to identify him directly or indirectly, including: name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank account numbers, credit card numbers, still and motion photographs, and other data of a personal nature. This excludes data relating to entities. Sensitive Data: Any personal data that directly or indirectly reveals racial or ethnic origin, religious, intellectual or political beliefs, security criminal records, biometric data, genetic data, credit data, health data, data disclosing the individual's private life, or data relating to children. Processing: Any operation performed on personal data by any means, whether manual or automated. This includes collection, recording, saving, indexing, organizing, formatting, storing, modifying, updating, merging, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing, or destroying data. Consent: Any explicit expression issued by the Data Subject indicating his agreement to the processing of his personal data for a specified purpose. Cross-Border Transfer: The transfer or disclosure of personal data from the Kingdom to a recipient outside the Kingdom, regardless of the medium used. Public Source: Any source that can be accessed by any person without restrictions, such as: public registers, official directories, websites, and platforms available to the public, as well as personal data published by the Data Subject himself.
المادة 2
Article Two This Law aims to: 1. Protect privacy and personal data of individuals. 2. Regulate the processing of personal data and specify the rules and conditions governing such processing. 3. Regulate the cross-border transfer of personal data. 4. Enable individuals to exercise their rights with respect to their personal data.
المادة 3
Article Three 1. This Law shall apply to any processing of personal data of residents of the Kingdom carried out by any means by any entity—whether public or private—operating within or outside the Kingdom, as well as any processing of personal data that is partially or wholly carried out within the Kingdom. 2. Processing of personal data of deceased individuals shall be subject to the provisions of this Law if such processing leads to identifying the deceased personally or identifying any of his living relatives. 3. Without prejudice to international agreements and treaties to which the Kingdom is a party, if a conflict arises between the provisions of this Law and any international agreement or treaty, the provision most protective of privacy and personal data shall be applied.
المادة 4
Article Four 1. Personal data may be processed if the processing is necessary to achieve a legitimate purpose that serves public interest, and in accordance with the Data Subject's legitimate interests. 2. Personal data may be processed in the following cases without obtaining the Consent of the Data Subject, provided that such processing does not prejudice his interests: a. If the Controller is a public entity and the processing is required to perform its duties or tasks, or if it is required for security purposes. b. If the processing is necessary to achieve legitimate interests of the Controller or the Data Subject, without prejudice to the rights of the Data Subject, and provided that Sensitive Data is not processed. c. If the processing relates to data that was previously published by the Data Subject himself, and such processing is consistent with the purpose for which it was published. d. If the Controller is required to fulfill any legal obligation, or to implement any agreement to which the Data Subject is a party. e. If the processing is necessary to protect life and safety interests of the Data Subject or third parties and the Data Subject is unable to express his Consent. f. If the processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare services or treatment, or management of healthcare services. g. If the processing is carried out for scientific, research, or statistical purposes, and such processing does not lead to identifying specific individuals, and is consistent with relevant regulatory requirements.
المادة 5
Article Five 1. Subject to the cases set out in Article Four of this Law, personal data may not be processed without obtaining the Consent of the Data Subject. The Consent of the Data Subject shall be explicit for Sensitive Data. 2. The Data Subject's Consent must meet the following requirements: a. The Consent must be issued through a statement or a clear affirmative action. b. The Consent must be specific and for a determined purpose. c. The Consent must be obtained prior to processing. d. The Consent must be free and given without compulsion. 3. The Controller must maintain a record proving that the Data Subject's Consent has been obtained, for a period to be specified by the regulations. 4. The Data Subject may withdraw his Consent at any time. Withdrawal of Consent does not affect the legality of any processing that was carried out prior to the withdrawal of Consent. The Controller shall cease processing the personal data upon withdrawal of Consent. 5. The Data Subject's Consent to process his personal data shall not be a condition for the provision of a service or a product by the Controller, unless such processing is necessary for the provision of that service or product.
المادة 6
Article Six Personal data shall be processed in accordance with the following rules and conditions: 1. The processing shall be for a specific, clear, and legitimate purpose. 2. The processed data shall be limited to the minimum required to achieve the purpose of processing. 3. The processed data shall be accurate, and updated when necessary. 4. The personal data shall not be used for purposes other than those for which it was collected, without obtaining the Consent of the Data Subject or in the cases provided in this Law. 5. The personal data shall be retained for the period required to achieve the purpose of processing, and shall be destroyed immediately after achieving such purpose, in accordance with the regulations. 6. The Controller shall implement appropriate technical and organizational measures to ensure an appropriate level of protection of personal data, commensurate with the risks arising from the nature and purposes of the processing.
المادة 7
Article Seven 1. Sensitive Data may only be processed in the following cases: a. If the Data Subject, or his legal guardian, has given his explicit Consent to such processing. b. If the processing is required to fulfill an obligation arising from the Kingdom's international agreements. c. If the processing is required to achieve the legitimate interests of the Controller for processing related to members, employees, or partners, and if the processing does not prejudice the interests of the Data Subject. d. If the processing relates to data that was previously published by the Data Subject himself. e. If the processing is required by a judicial or security authority. f. If the processing is for preventive medicine, medical diagnosis, provision of healthcare or therapeutic services, management of health systems and services, or for scientific, research, and statistical purposes, in accordance with the regulatory requirements and procedures. 2. Without prejudice to the provisions of clause (1) of this Article, biometric and genetic data may not be processed for the purpose of identifying individuals unless the processing is necessary to achieve a legitimate purpose or to protect public interest, and in accordance with the regulations.
المادة 8
Article Eight 1. Personal data may not be collected from a source other than the Data Subject, except in the following cases: a. If the Data Subject has previously consented to such collection. b. If the collection is from public sources. c. If the collection is necessary to achieve the legitimate interests of the Controller, without prejudice to the rights of the Data Subject. d. If the Controller is a public entity and the collection is required to perform its duties or tasks, or is required for security purposes. e. If the collection is necessary for preventive medicine, medical diagnosis, provision of healthcare services or treatment, or management of healthcare services, in accordance with the applicable regulations. f. If the collection is for scientific, research, or statistical purposes, in accordance with the applicable regulations and requirements. 2. The Controller shall, before collecting personal data, inform the Data Subject of the following: a. The name and contact information of the Controller or its authorized representative. b. The purposes of processing and the legal basis for such purposes. c. The categories of collected data and the sources from which it is collected, if collected from a source other than the Data Subject. d. The parties to whom the data will be disclosed, if any. e. The Data Subject's rights in relation to his personal data and the mechanism for exercising them. f. Whether the data will be transferred outside the Kingdom, and the safeguards that will be applied. 3. The Data Subject shall be provided with any information that enables him to exercise his rights under this Law.
المادة 9
Article Nine 1. The Controller shall provide all information necessary to enable the Data Subject to exercise his rights, including the following: a. The right to access his personal data and information related to the processing thereof. b. The right to request a copy of his personal data in a clear and readable format. c. The right to request the correction, completion, or updating of his personal data. d. The right to request the destruction of his personal data if the purpose of processing has been achieved, or if the legal basis for processing no longer exists, unless there is a legitimate reason to retain it. e. The right to request the restriction of processing of his personal data, or the objection to processing in cases defined by the regulations. f. The right to data portability in cases defined by the regulations. 2. The Controller shall respond to the requests mentioned in clause (1) of this Article within a period not exceeding thirty (30) days from the date of submission, and this period may be extended once for a similar period if necessary, provided that the Data Subject is notified of the reasons for the extension. 3. The Controller may reject requests mentioned in clause (1) of this Article, provided that the Data Subject is informed of the reasons for the rejection, in accordance with the regulations.
المادة 10
Article Ten 1. Subject to the cases set out in Article Four of this Law, the personal data of a Data Subject shall not be disclosed to others without obtaining his Consent. 2. The Controller shall not use the personal data it has processed for a purpose other than the purpose for which it was collected without obtaining the Consent of the Data Subject, or in the cases provided in this Law. 3. The Controller shall ensure that the Processor does not use the personal data it processes except for the purposes agreed upon with the Controller.
المادة 11
Article Eleven 1. The Controller may not transfer or disclose personal data outside the Kingdom unless the following requirements are met: a. The transfer or disclosure achieves a legitimate purpose. b. An adequate level of protection of personal data is ensured in the recipient country or entity, no less than the level provided for in this Law. c. The transfer or disclosure does not prejudice national security or the vital interests of the Kingdom. 2. The regulations shall specify the controls, rules, and procedures for cross-border transfers of personal data.
المادة 12
Article Twelve 1. The Controller shall take the necessary measures to ensure the accuracy of personal data and that it remains up-to-date throughout the period of processing. 2. The Controller shall take the appropriate technical and organizational measures to protect personal data from loss, damage, unauthorized access, or unlawful processing, commensurate with the nature of such data and the risks arising therefrom. 3. The Controller shall not retain personal data after achieving the purpose of processing, and shall destroy it in accordance with the mechanisms and procedures set out in the regulations. 4. If the purpose of processing can be achieved using anonymized or non-personally identifying data, such data must be used instead of personal data.
المادة 13
Article Thirteen 1. The Controller shall, in the event of a personal data breach that results or is likely to result in harm to the Data Subject, notify the Competent Authority of the breach within a period not exceeding seventy-two (72) hours from the time it becomes aware of the breach. 2. The Controller shall notify the Data Subject if the breach is likely to result in high risk to his rights or interests. 3. The regulations shall specify the details and procedures for notifying the Competent Authority and the Data Subject in the event of a personal data breach.
المادة 14
Article Fourteen 1. The Controller shall maintain a record of all personal data processing operations carried out by it, including at least the following: a. The name and contact information of the Controller and, where applicable, the Processor. b. The purposes of processing. c. The categories of Data Subjects and personal data. d. The categories of recipients of personal data, if any. e. Information on cross-border transfers of personal data, if applicable. f. The time limits for destroying different categories of data. g. A description of the technical and organizational security measures taken to protect the data. 2. The regulations shall specify the requirements for maintaining records of processing operations, and the Controller shall make such records available to the Competent Authority upon request.
المادة 15
Article Fifteen 1. The Controller shall appoint a Data Protection Officer in the cases specified by the regulations, with due regard to the qualifications necessary to enable him to perform his duties. 2. The Data Protection Officer shall have at least the following duties: a. Providing guidance and advice to the Controller and the Processor, and their employees, regarding their obligations under this Law and the regulations. b. Monitoring compliance with the provisions of this Law and the regulations. c. Cooperating with the Competent Authority. d. Acting as a contact point for the Competent Authority with respect to all matters relating to the processing of personal data. 3. The regulations shall specify the requirements for the appointment of the Data Protection Officer, his duties, and the cases in which his appointment is required.
المادة 16
Article Sixteen 1. The Controller shall implement the principle of data protection by design and by default, such that all processing operations comply with the provisions of this Law and the regulations. 2. The Controller shall conduct a personal data protection impact assessment prior to carrying out any processing operations that are likely to result in a high risk to the rights and interests of the Data Subject, and shall consult the Competent Authority before proceeding with such processing if the assessment indicates a high risk. 3. The regulations shall specify the cases in which conducting a data protection impact assessment is required, the content of such assessment, and the procedures for consulting the Competent Authority.
المادة 17
Article Seventeen 1. The Controller shall ensure that the Processor provides sufficient guarantees to implement the appropriate technical and organizational measures such that the processing will meet the requirements of this Law and the regulations and ensure the protection of the rights of the Data Subject. 2. The processing by the Processor shall be governed by a contract or other legal act under which the Processor is bound to the Controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects, and the obligations and rights of the Controller. 3. The Processor shall not engage another processor without prior written authorization from the Controller, and shall impose the same data protection obligations on that other processor by way of a contract or other legal act. 4. If a Processor determines the purposes and means of processing, it shall be considered a Controller in respect of that processing.
المادة 18
Article Eighteen 1. The Competent Authority shall be responsible for supervising the implementation of this Law and the regulations and overseeing compliance therewith. It shall, in particular, have the following powers: a. Receiving complaints relating to violations of the provisions of this Law and the regulations. b. Conducting investigations and inspections necessary to ensure compliance with the provisions of this Law and the regulations. c. Issuing binding decisions and guidance to Controllers and Processors to ensure compliance with the provisions of this Law and the regulations. d. Imposing sanctions in accordance with the provisions of this Law. e. Cooperating and coordinating with the relevant authorities and international bodies. 2. The Competent Authority may issue rules, guidelines, and technical standards relating to personal data protection. 3. The Competent Authority shall publish an annual report on its activities and the state of personal data protection in the Kingdom.
المادة 19
Article Nineteen 1. Without prejudice to any stricter penalty provided for in any other law, a violation of the provisions of this Law or the regulations shall be subject to a fine not exceeding (5,000,000) five million Saudi Riyals. 2. In cases involving Sensitive Data, the fine shall be doubled. 3. In the event of a repeat violation within two years from the date of the final penalty, the fine shall be doubled. 4. The regulations shall specify the violations and the corresponding fines within the limits set out in this Article. 5. Fines shall be imposed by a decision of the Competent Authority. 6. The penalties set out in this Article shall not preclude the Data Subject from claiming compensation for damage suffered as a result of the violation.
المادة 20
Article Twenty 1. Whoever discloses or publishes personal data in violation of the provisions of this Law with the intent to harm the Data Subject or to achieve personal gain shall be subject to imprisonment for a period not exceeding two (2) years and/or a fine not exceeding (3,000,000) three million Saudi Riyals. 2. A repeat violation within two years from the date of the final penalty shall be subject to a penalty of imprisonment for a period not exceeding four (4) years and/or a fine not exceeding (5,000,000) five million Saudi Riyals. 3. Prosecution for violations under this Article shall be initiated based on a complaint filed by the Data Subject or his representative, except in cases where the public interest so requires.
المادة 21
Article Twenty-One 1. Data Subjects may file complaints with the Competent Authority regarding violations of the provisions of this Law and the regulations. 2. The Competent Authority shall examine complaints filed by Data Subjects and take the necessary measures in this regard. 3. The regulations shall specify the procedures and time limits for filing and examining complaints.
المادة 22
Article Twenty-Two 1. The Controller and the Processor shall retain personal data for the period specified by the applicable laws and regulations, or for the period necessary to achieve the purpose of processing, and shall destroy it in accordance with the mechanisms and procedures set out in the regulations. 2. Notwithstanding clause (1) of this Article, personal data may be retained for longer periods if: a. The Data Subject has given his Consent to retain the data for a longer period. b. The retention is necessary for scientific, research, historical, or statistical purposes, in accordance with the applicable regulations. c. The retention is required to fulfill a legal obligation or to resolve a dispute.
المادة 23
Article Twenty-Three The provisions of this Law shall not apply to: 1. Personal data that is processed by a natural person for purely personal or household purposes. 2. Data of deceased individuals, unless such data leads to identifying any of their living relatives. 3. Data that has been anonymized and can no longer be associated with an identified or identifiable individual. 4. Personal data that is processed for journalistic, media, literary, or artistic purposes, to the extent necessary to achieve those purposes and within the limits permitted by the applicable laws. 5. Personal data that is maintained by government entities relating to their employees, which is subject to applicable civil service laws and regulations. 6. Personal data collected for personal credit purposes, which is subject to applicable laws and regulations.
المادة 24
Article Twenty-Four The regulations shall be issued within one hundred and eighty (180) days from the date of publication of this Law in the Official Gazette.
المادة 25
Article Twenty-Five This Law shall enter into force one hundred and eighty (180) days from the date of its publication in the Official Gazette, and the regulations shall be issued within the same period.