Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

Saudi Arabia’s Personal Data Protection Law (PDPL)

Saudi Arabia PDPL

Saudi Arabia’s Personal Data Protection Law (PDPL) is the first comprehensive national data protection law regulating personal data processing and collection. The law became enforceable in September 2023, and companies have until September 2024 to achieve full compliance.

What you need to know about PDPL

The PDPL is designed to protect personal data, regulate data transfers, and apply to any processing by businesses or public entities of personal data performed in Saudi Arabia by any means, including the processing of the personal data of Saudi residents by entities located outside the Kingdom.

Many of the features of the PDPL are consistent with concepts and principles contained in other international data protection laws like the EU’s General Data Protection Regulation (GDPR), with concepts like:

PDPL Obligations and Definitions

Some key concepts emphasize the PDPL’s commitment to aligning Saudi Arabia with international standards in safeguarding personal data and ensuring privacy rights.

Obtaining Valid Consent

Consent for data processing can be obtained through various methods, such as written, verbal, or electronic agreements.

The consent must be freely given, with a clear, specific purpose communicated to the data subject, and they have the right to withdraw consent easily, similar to the GDPR definition.

Controller Responsibilities

The controller is obligated to implement organizational, administrative, and technical measures to secure personal data and protect the privacy of data subjects.

Additionally, the controller must promptly respond to data access requests, whether verbal or written, ensuring clear documentation and storage of all requests.

Records of Personal Data Processing Activities

Controllers are required to maintain a Record of Processing Activities (ROPA) during their involvement in processing activities and for an additional five years after the conclusion of said processing activities and prescribe necessary details to be included in ROPA.

Personal Data Breach Notification

Controllers must promptly notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 72 hours of discovering a breach, including details such as the number of affected data subjects, types of personal data compromised, and associated risks. Data subjects must also be informed without undue delay.

Data Protection Officers (DPO)

The controller must appoint one or more Data Protection Officers in specific scenarios, including if the controller is a public entity with significant-scale data processing, engages in constant and systematic monitoring of data subjects or focuses on processing sensitive personal data.

Legitimate Interest

The PDPL allows data processing without consent under legitimate interest, ensuring compliance with Saudi Arabian laws and maintaining a balance between the rights of data subjects and the controller’s interests.

Processing under legitimate interest excludes sensitive data.

Privacy Impact Assessments

Data controllers are required to perform a well-documented privacy impact assessment in nine specific scenarios of personal data processing.

These scenarios include data processing involving anonymization, sensitive personal data, or new technologies.

PDPL Penalties

  • The disclosure of sensitive data contrary to the PDPL may result in penalties of imprisonment for up to two years and/or a fine of up to
    SAR 3,000,000 (€720,000)
  • Violation of the data transfer provisions could result in imprisonment for up to one year and/or a fine of up to SAR 1,000,000 (€ 240,000)
  • Regarding all other provisions of the PDPL, the penalties are limited to a warning notice or a fine of up to SAR 5,000,000 (€ 1,200,000)

Additionally, fines could increase to double the stated maximums for repeat offenses, and the court may order confiscation of funds gained due to breaching the law.

How DPM Responds to PDPL Requirements

Data Privacy Manager (DPM) is an Enterprise-grade software made and hosted in the EU and used by companies to automate all aspects of their privacy governance and compliance.

It is designed to improve the governance of personal data, centralize consents and preferences, automate compliance-related tasks, and minimize regulatory risks.

Data Subject Rights

PDPL: The PDPL grants certain rights to individuals, including a right to be informed about personal data processing, a right to access the data collected about them, a right to request correction, completion, or updating of their personal data, and destruction of their data if no longer needed.

DPM modules - Data subject request
Data Subject Request dashboard

SOLUTION: The Data Subject Request module allows companies to efficiently track, prioritize, and respond to requests related to data access, correction, deletion, and portability.

By maintaining a comprehensive record of these requests and their corresponding actions, the DPM solution empowers businesses to handle data subject requests effectively, ensuring adherence to the PDPL.

Impact assessments

PDPL: Organizations are required to evaluate the impact of processing personal data and to assess, identify, and mitigate data protection risks.

Assessment Automation PDPL
Assessment Automation dashboard for managing LIAs and DPIAs

SOLUTION: Assessment Automation module provides templates for Data Protection Impact Assessment (DPIA) and Legitimate Interest Assessment (LIA).

It enables easy collaboration and task assignment, allowing you to track the progress of specific assessments in real time. You can easily identify potential privacy risks and implement measures to address them.

Consent Collection and Management

PDPL: According to the PDPL, consent is the primary basis for processing personal data. Individuals can also withdraw their consent to process personal data at any time.

Therefore organizations will have to implement appropriate measures to verify that the data subject has given their explicit consent and keep records of consent to demonstrate opt-ins and opt-outs.

Consent management PDPL
Consent Management dashboard

SOLUTION: The Consent Management module irons out the operational consent management challenges and gives you real-time insight into the complete personal data lifecycle.

It represents a consent record with a clear view of processing activities and enables you to demonstrate compliance for any data subject on any level at any point in time.

Records of Processing Activities

PDPL: Organizations will be required to upload a record of processing activities to a new online portal that must include the purpose of the processing, entities to which the personal data will be disclosed, whether the personal data will be transferred outside of the Kingdom, and the expected retention period.

Data Privacy manager records of processing activities PDPL
Central management of all processing activities (ROPA)

SOLUTION: The Data Processing Inventory module is a one-stop solution for managing all data processing activities within an organization.

The easy-to-use interface gives you a clear overview of the current status of all your processing activities with real-time updates and information about the purpose of the processing, data categories, data transfers, and more.

Final Thoughts: The Significance of PDPL for Businesses

As the PDPL becomes an integral part of the data protection landscape in Saudi Arabia, businesses are urged to achieve initial compliance and stay adaptive.

For companies involved in cross-border data transfers with Saudi Arabia, strict compliance with the Personal Data Protection Law (PDPL) is paramount, and it will be crucial to demonstrate compliance.

Embracing a proactive approach to data protection will ensure legal compliance and foster trust with consumers and partners.

Stay informed about updates, advancements, and best practices in data protection to fortify your business against emerging challenges in the evolving digital landscape.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top