🇸🇦
Saudi Arabia

Applicability of the Saudi Arabia Personal Data Protection Law (KSA PDPL)

Saudi Arabia has established a comprehensive legal framework for data protection to regulate the processing of personal data within the Kingdom. The Personal Data Protection Law (نظام حماية البيانات الشخصية) serves as the primary legislation governing personal data protection in Saudi Arabia.

The Personal Data Protection Law was adopted on September 16, 2021 and became effective on September 14, 2023. This timeline reflects the Kingdom's structured approach to implementing data protection regulations, allowing for adequate preparation and compliance measures before the law's enforcement.

The most recent amendments to the law were introduced through Royal Decree No. (M/147), which was adopted on March 27, 2023 and became effective on September 14, 2023. This amending decree updated the original Personal Data Protection Law to refine its provisions and ensure its continued relevance in the evolving data protection landscape.

Material Applicability

The KSA PDPL's material scope is shaped by two key provisions, one exemption and one extension of coverage:

  • Personal and Domestic Use Exemption
  • Deceased Individuals' Data

Personal and Domestic Use Exemption

KSA PDPL Article 2(2):

"The scope of applying the Law excludes the individual's Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph."

This exemption applies when:

  • Processing is conducted for strictly personal or family purposes
  • The data subject has not published or disclosed the data to others
  • The processing does not extend beyond private use

Deceased Individuals' Data

KSA PDPL Article 2(1):

"The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically."

The law explicitly extends protection to deceased individuals' data when:

  • The data can identify the deceased person
  • The data can identify members of the deceased person's family

Territorial Applicability

The KSA PDPL's territorial scope is determined by:

  • Processing location
  • Data subject residence

KSA PDPL Article 2(1):

"The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom."

The law applies to:

  • Any processing of personal data occurring within Saudi Arabia
  • Processing of Saudi residents' personal data by entities outside the Kingdom

