This page highlights the Kingdom's efforts to enhance the privacy and data protection system of all citizens, residents, and visitors.
Data Protection Regulation
The Personal Data Protection Interim Regulations sets the legal basis for the protection of the rights of the individuals regarding the processing of personal data by all entities in the Kingdom, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing. The Regulation also defines the Data Subject Rights, Data Controller Objectives, Key principles of data protection, and the roles and responsibilities of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, such as the National Data Management Office (NDMO).
Key Data Protection Principles
- Principle 1- Accountability: Data Controller's privacy policies and procedures shall be identified, documented and approved by the head of entity(or his designee) and circulated to all concerned parties.
- Principle 2- Transparency: A notice of Data Controller's privacy policies and procedures – Privacy Notice – shall be drawn up indicating the purposes for which personal data will be collected in a clear, easy to understand language.
- Principle 3- Choice and Consent: The purpose for collection of any personally identifying data shall be shall be made clear to Data Subject and their (implicit / explicit) approval shall be obtained regarding collection, use and/or disclosure of personal data before collection.
- Principle 4- Limiting Data Collection: Collection of any personal data shall be limited to minimum data that enables fulfillment of purposes provided for in Privacy Notice.
- Principle 5- Use, Retention and Destruction: Personal data usage shall be restricted to purposes provided for in Privacy Notice, which the Data Subject has implicitly or explicitly approved. Moreover, Data shall be retained as long as necessary to achieve their intended purposes or as required by laws and regulations. Furthermore, data shall be destroyed it in a safe manner that prevents leakage, loss, theft, misuse or unauthorized access.
- Principle 6- Access to Data: Entities shall provide a means by which any Data Subject can review, update and correct their personal data.
- Principle 7- Data Disclosure Limitation: Disclosure of personal data to third parties shall be restricted to the purposes provided for in Privacy Notice, which was approved by Data Subject.
- Principle 8- Data Security: Personal data shall be protected from leakage, damage, loss, theft, misuse, modification, or unauthorized access – according to the controls issued by the National Cybersecurity Authority and the relevant authorities.
- Principle 9- Data Quality: Personal data shall be maintained after verification of its accuracy, completeness and timeliness, and such data shall be directly relevant to purposes provided for in Privacy Notice.
- Principle 10- Monitoring and Compliance: Compliance with Data Controller's privacy policies and procedures shall be monitored, and any privacy-related inquires, complaints, and disputes shall be addressed.
Data Management and Personal Data Protection Standards
The National Data Management and Personal Data Protection Standards covers 15 Data Management and Personal Data Protection domains. To support the development of the Data Management and Personal Data Protection standards, a set of international references, internal relevant policies and regulations, and guiding principles were defined. Government Entities must implement the standards, and compliance will be measured yearly to monitor progress and drive efforts towards a successful implementation.
Purpose and Scope
The standards are defined for 15 domains as per the Data Management and Personal Data Protection Framework and are intended to be adopted by all Public Entities within the Kingdom.
In addition to Public Entities, the scope of the National Data Management and Personal Data Protection Standards also extends to business partners handling government data. Such business partners are responsible to understand and apply the Data Management and Personal Data Protection standards to all government data assets within their control and custody. The Standards apply to all government data regardless of form or type including paper records, emails, data stored in electronic form, voice recordings, videos, maps, photos, scripts, handwritten documents, or any other form of recorded data.
Children and Incompetents’ Privacy Protection Policy
The Children and Incompetents’ Privacy Protection Policy sets the legal basis for preserving the children and protecting their rights in relation to collecting and processing their personal data by any means. The Policy is in accordance with the provision of the Data Protection Regulation and the UN Convention on the Rights of the Child and its optional protocols. The objectives are to protect children from the:
- Negative effects of inappropriate content and advertisements spread on the Internet.
- Helping the competent authorities protect children from potential risks - violence, abuse, abuse, threat, harm or exploitation, resulting from the collection and processing of their personal data through websites and digital applications.
- Finding a balance between negative effects, potential risks and the need to collect and process personal data children.
The policy provisions apply to all entities (public, private, and non-profit entities) in the Kingdom that collect and process personal data of children, whether manual or electronic. The provisions also apply to all entities outside the Kingdom that collect personal data of children residing in the Kingdom online.
General rules for transfer of personal data outside the Kingdom
The General rules for transfer of personal data outside the Kingdom set the rules and the standards for the transfer of personal data outside the geographical borders of the Kingdom to ensure the preservation of national sovereignty over this data, as well as maintaining the privacy of personal data owners and protecting their rights by defining the obligations of the controllers and processors regarding transfers of personal data outside the Kingdom. The provisions of this document apply to all entities (public, private, and non-profit entities) in the Kingdom which transfer personal data to other parties outside the geographical borders of the Kingdom for the purpose of processing.
Other relevant legislation and regulations
- Protecting data and privacy online: Anti-Cyber Crime Law
- Electronic transactions: Electronic Transactions Law
- Cybersecurity in the Kingdom of Saudi Arabia
- Freedom of Information
- Open Data
- Digital Transformation
- National Data Governance Policies
- National Data Management Office (NDMO)