Personal Data Protection Law

Introduction

In an era of digital change and widespread connection, personal data protection has emerged as a worldwide concern, within the Gulf Cooperation Council (hereinafter “GCC”), Saudi Arabia and the United Arab Emirates (UAE) are pioneers in establishing comprehensive legislation to enforce compliance on Entities for the protection of personal data. As data breaches and privacy issues continue to dominate worldwide headlines, understanding the details of Personal Data Protection Law (hereinafter “PDPL”) in Saudi Arabia and the UAE has become critical for both Business entities and individuals. This Article delves into the intricacies of Personal Data Protection Law in GCC, examining important concepts, applicability, compliance requirements, and the implications for businesses that operate there.

Princliples:

Key Terms in PDPL

1. Personal Data:
   • According to Article 1(4) of Royal Decree No. M/148 Personal Data Protection Law of Saudi Arabia, Personal Data refers to any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
   • According to Article 1 of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data of UAE, Personal Data means any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes sensitive personal data and biometric data.
2. Controller:
   • Article 1(18) of Royal Decree No. M/148 Personal Data Protection Law of Saudi Arabia refers to a Controller as any Public Entity, natural person, or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
   • Article 1 of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data of UAE defines Controller as an establishment or natural person who has personal data and who, given the nature of his/her activity, specifies the method, criteria, and purpose of processing such personal data, whether individually or jointly with other persons or establishments.
3. Processor:
   • Article 1(19) of Royal Decree No. M/148 Personal Data Protection Law of Saudi Arabia refers to a Data Processor as any natural or legal person, public authority, agency, or other body that processes personal data on behalf of a Data Controller.
   • Article 1 of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data of UAE refers to the term Processor as any Public Entity, natural person, or private legal person that processes Personal Data for the benefit and on behalf of the Controller.

Applicability of PDPL

In Saudi Arabia: As per Article 2 of Royal Decree No. M/148 Personal Data Protection Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.

In UAE: As per Article 2 of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data applies to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by:

1. Any Data Subject who resides or has a place of business in the State
2. Any Controller or Processor located in the State who carries out the activities of Processing Personal Data of Data Subjects inside or outside the State
3. Any Controller or Processor located outside the State who carries out the activities of Processing Personal Data of Data Subjects inside the State.

Exemptions of PDPL (UAE)

According to Article 3 of Federal Decree-Law No. 45 of 2021 of UAE, the provisions of this decree-law shall not apply to the following:

1. Government data
2. Government authorities that control or process Personal Data
3. Personal Data held with security and judicial authorities
4. Data Subject who processes his/her data for personal purposes
5. Health personal data that is subject to legislation regulating the protection and Processing thereof
6. Banking and credit personal data and information that is subject to legislation regulating the protection and Processing
7. Companies and institutions located in the free zones of the State are subject to special legislation on Personal Data Protection.

*Note: Saudi Arabia’s Royal Decree No. M/148 Personal Data Protection Law currently does not provide any exemption.

Compliance Requirements

Major compliance of PDPL for Entities operating in Saudi Arabia and the United Arab Emirates:

1. Collect Personal Data only for legal purposes to avoid misleading users and this data should be minimal for primary purposes only.
2. One must Develop a privacy policy detailing data handling and sharing.
3. Maintenance of accurate and up-to-date personal data.
4. Non-disclosure of Personal data to third parties unless specified.
5. Avoid transferring personal data outside the country without regulation-stated measures.
6. Collection or disclosure of personal data with user consent unless it is specified.
7. Proper Conduct of impact assessments on processing sensitive data.
8. Appointment of a Data Protection Officer.
9. Maintenance of:
   • A Personal Data Register.
   • Data Security by recording processing activities and reporting breaches.
10. Enforcement of Security mechanisms and embedding data privacy into systems.
11. Management of third parties and protection of personal data when transferring across borders.

Data Protection Law in Other GCC

Countries

Click on Map to know more

Country: Oman
Country:
Description	Regulator	Applicability
The Royal Decree No. 6/2022 Promulgating the Personal Data Protection Law of Oman serves as a cornerstone in protecting individuals' privacy rights in the digital age. Encompassing principles of consent, purpose limitation, and data security, the legislation regulates the collection, processing, and storage of personal data by entities operating within the country. By emphasizing transparency and accountability, the law aims to foster trust between individuals and data controllers, ensuring that personal information is handled responsibly and as per established guidelines.	Ministry of Transport, Communications and Information Technology	The DPL applies to personal data processing and protection, except in cases of public interest protection, legal obligation compliance, or contract performance.

Key Considerations

In order to mitigate the risk of penalties and safeguard against potential legal liabilities, entities should consider the following key measures:

1. Comprehensive Compliance Programs: Establish robust data protection compliance programs that encompass policies, procedures, and training initiatives tailored to the requirements of Saudi Arabian and UAE laws.
2. Data Security Measures: Implement robust technical and organizational measures to ensure the security and confidentiality of personal data, including encryption, access controls, and regular security assessments.
3. Risk Assessments and Audits: Conduct regular risk assessments and data protection audits to identify vulnerabilities, assess compliance gaps, and address potential areas of risk proactively.
4. Legal Counsel and Expert Guidance: Seek guidance from legal experts and consultants in Saudi Arabian and UAE data protection laws to ensure adherence to regulatory requirements and mitigate legal risks.
5. Incident Response Planning: Develop comprehensive incident response plans to effectively manage and mitigate data breaches or privacy incidents, including procedures for notification of breach and their remedy.
6. By Prioritizing compliance and adopting a proactive approach to data protection, entities can minimize the risk of penalties and demonstrate their commitment to respecting individuals' privacy rights in Saudi Arabia and the United Arab Emirates.

Penalties for Violation of law

The Royal Decree No. M/148 allows data subjects to file complaints and claim damages.

*Note: The UAE’s PDPL does not explicitly state the penalties that will be imposed on entities for non-compliance. Administrative fines can be imposed as part of a decision by the Council of Ministers in response to a violation or by its Executive Regulations. The number of fines will be determined in subsequent Executive Regulations published by the authority.

Conclusion:

Given the severe penalties associated with non-compliance, Entities operating in Saudi Arabia and UAE must prioritize their efforts in data protection and privacy compliance. Although UAE’s PDPL law does not provide specific penalties for violation but UAE’s Data Protection Authority has powers to impose penalties that are indistinct on the part of the Law as to how much penalty can be imposed until Executive Regulations are issued in this regard. Compliance with Personal Data Protection Laws not only helps to mitigate legal risks but also fosters trust and confidence among consumers, enhancing the entity’s reputation and long-term viability in the marketplace.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.