Saudi Arabia: Final Implementing Regulations and Transfer Regulations - what you need to know

With the entry into force of the Personal Data Protection Law (PDPL), the Implementing Regulations of the PDPL (Implementing Regulations) (only available in Arabic here), and the Regulation on Personal Data Transfer (Transfer Regulations) (only available in Arabic here), the Kingdom of Saudi Arabia has adopted a comprehensive regulatory framework governing the processing of personal data.

Overall, the regulatory framework is a successful accomplishment for the Kingdom. Although formal guidelines and opinions are expected from the competent authorities, the enacted framework projects the Kingdom among those jurisdictions equipped with advanced data protection legislation, which resonates with most of the key principles and best practices adopted in other key jurisdictions. 

In this Insight article, Gianluca de Feo, Lawyer at AX Law, highlights some of the most significant practical aspects and key takeaways from the Implementing Regulations and the Transfer Regulations.

Implementing Regulations

Privacy notice

Building on top of the provisions in the PDPL, the Implementing Regulations provide further details regarding the privacy notice that controllers must provide to data subjects 'in an appropriate language.' This requires simple, clear, and organized wording and a language known to users, also considering consumer protection obligations.

The privacy policy must be provided 'before or when collecting' the personal data, if such data is collected directly from the data subject. If the data is collected from a person other than the data subject, the policy should be provided 'without undue delay and within a period of 30 days.' In the latter case, the controller shall also convey the source of the collected data and, thus, this should be annotated upon collection.

Controllers will not have to provide a privacy policy if the information usually mandated for such purposes is already available to the data subjects or if providing it would conflict with any existing law in the Kingdom. The latter raises the question of the extent to which any existing law in the Kingdom conflicts with the provision of such information.

In the event of additional processing for purposes other than the one for which initially collected, the controller shall provide the necessary information 'before conducting the additional processing.'

Legal basis - consent

The Implementing Regulations set out the requirements for valid consent, including:

  • freely given: for example, consent would not be valid in the context of an employment relationship and the employer shall rely on another legal basis;
  • not obtained through misleading methods: thus, banning dark-pattern practices for obtaining consent, particularly common among digital services;
  • informed: requiring clear and specific explanation of the processing purposes; and
  • independent: requiring a specific consent for each processing purpose.

Businesses should thoroughly reassess their procedures for obtaining consent to ensure compliance. This will include ensuring that consent is obtained separately and in detail for each distinct processing purpose, as well as evaluating misleading factors in user interfaces, which may necessitate bringing UX designers and developers on board to work on the perception of the user journey.

In three circumstances, consent must be explicit:

  • processing of sensitive data;
  • processing of credit data; and
  • when decisions are made 'solely based on an automated processing of personal data.'

Data subjects might withdraw their consent at any time, and controllers shall establish, before requesting consent, procedures for withdrawing consent 'similar to or easier than those for obtaining it.' On this basis, and in line with international guidelines that the Saudi Data and Artificial Intelligence Authority (SDAIA) could decide to follow, it could be argued that scrolling or swiping through a webpage, or any similar user activity, will not be a valid method of obtaining consent. This is certainly true for circumstances where 'explicit consent' is necessary.

Although Article 12(5) of the Implementing Regulations reads, 'consent withdrawal shall not affect the processing of personal data that is based on other legal basis,' this should not be construed as permitting controllers to select more than one legal basis for the same processing purpose. Instead, Article 12(5) of the Implementing Regulations explains that the withdrawal of consent will not affect the processing for other purposes carried out with a different legal basis. Legal bases are not interchangeable, and controllers should identify one specific legal basis for the processing from the outset, rather than relying on multiple legal bases with the hope that the invalidity of one can be superseded by the validity of another. Swapping between legal bases at convenience is usually not considered compliant with data protection principles.

Legal basis - legitimate interest

When the legal basis is a legitimate interest, the Implementing Regulations lay down requirements, including:

  • compliance of the processing purpose with laws in the Kingdom;
  • a balance between the rights and interests of data subjects and the legitimate interest of the controller so that the latter does not negatively affect the former;
  • the processing is within the reasonable expectations of the data subject; and
  • exclusion of sensitive data.

The Implementing Regulations mandate that controllers assess and document the envisaged processing, including whether the processing is necessary to achieve their legitimate interests.

It is evident that the assessment of the validity of the legitimate interests should be done on a case-by-case basis, also considering the data subjects' perspective. This entails contemplating the specific services provided by the controller and its perceived offering.

Legal basis - actual interest

The Implementing Regulations define actual interest as 'any moral or material interest of the data subject that is directly linked to the purpose of the processing personal data and the processing is necessary to achieve that interest.' Controllers relying on this legal basis must retain evidence of the existence of such interest and that it is difficult to contact or communicate with data subjects.

Actual interest appears to be a residual legal basis available in limited circumstances. However, the requirements are notably vague, and reliance on this legal basis should be carefully considered in the absence of further guidance from the SDAIA.

Data subject rights

Data subjects enjoy several rights under the Implementing Regulations:

  • right to be informed: generally satisfied by providing the privacy notice;
  • right of access: also entails receiving a copy of their personal data in a readable and clear format;
  • right to request correction: may result in a restriction of the processing when the accuracy of personal data is disputed; and
  • right to request destruction: this includes obtaining the destruction of backup copies stored in the controller's systems, which should be noted by businesses when drafting internal data management policies and contracting with providers that process personal data.

Data processors

The relationship between a controller and a processor must be governed by a data processing agreement (DPA) that contains elements in line with best practices, including:

  • processor's commitment to notify the controller 'without undue delay' in case of personal data breaches; and
  • clarifications on whether the processor is subject to regulations in other countries and the extent of the impact on their compliance with the PDPL and the Implementing Regulations.

Businesses engaging in cross-border transfer should be particularly attentive to the latter, as it requires identifying in writing the extent to which any other applicable regulation affects compliance with the framework in the Kingdom.

The controller must periodically assess the processor's compliance. To this end, it is advisable to include in the DPA detailed clauses on audit rights, including the scope and allocation of costs.

Processors must notify controllers and obtain their consent before appointing subprocessors. Subject to clarifications from the SDAIA, it appears that a general authorization for the appointment of subprocessors is not permitted. Thus, processors should seek specific approval for each subprocessor. This could prove to be a burdensome requirement for businesses with a wide array of subcontractors.

If the processor does not abide by the controller's instructions or the DPA, the processor is considered an independent controller directly accountable for any consequences.

Key obligations

The Implementing Regulations contain the following key obligations relevant to businesses.

Notification of data breaches

In the event of a data breach, the controller must notify:

  • the competent authority within 72 hours of becoming aware of the incident, if such incident potentially causes harm to the personal data or the data subjects, or conflicts with their rights or interests; and
  • data subjects without undue delay, and in a simple and clear manner, only if the breach may cause damage to their data or to their rights and interests.

Controllers must also keep a copy of the notification submitted to the competent authority and document any corrective measures taken.

Data Protection Impact Assessment (DPIA)

The controller must conduct a DPIA if:

  • it processes sensitive data. It is worth noting that, unlike the General Data Protection Regulation (GDPR), there is no requirement for processing on a large scale, so the circumstances in which the DPIA is required are arguably broader;
  • it collects, compares, or links two or more sets of personal data obtained from different sources. This will require businesses to implement tracking systems for datasets, especially in CRM, to make sure that these circumstances are flagged as triggering the requirement of a DPIA;
  • it carries out continuous and large-scale processing of personal data, or of the personal data of data subjects without full legal capacity;
  • the processing operations, by their nature, require continuous monitoring of data subjects;
  • the processing involves using new technologies;
  • decisions are made on automated processing. It should be noted that the DPIA will be required even if the decisions are not solely based on automated processing; or
  • the processing is likely to cause serious harm to the privacy of data subjects.

It is expected that the SDAIA will provide further clarifications on the relevant circumstances.

Notably, the DPIA shall include a description of the geographical scope of the processing. In the event of processors based abroad, controllers should demand from processors full disclosure of their geographical footprint.

Data subjects' requests

The Implementing Regulations lay down the details and the procedure for the exercise of the rights granted to data subjects by the PDPL.

Notably, the controller must act within 30 days of receiving a request from data subjects pertaining to their rights. The timeframe may be extended for an additional 30 days, with notice to the data subject, in exceptional cases. This timeframe is shorter than the additional two months allowed by the GDPR, and international businesses should customize their data protection procedures to meet the requirements of the Kingdom. Before responding, the controller must also verify the identity of the requestor. Requests, including oral ones, must be recorded and documented.

Automated decision-making

Notably, if the processing involves automated decision-making, the privacy policy should indicate whether decisions will be made 'solely' on automated processing. In such a case, the data subject's consent to the processing should be explicit.

Direct marketing and advertising

Article 28 of the Implementing Regulations provides that, in the absence of a prior interaction between the controller and data subjects, the controller shall obtain the customer's consent before sending advertising and awareness materials.

Unlike data protection regulations in other parts of the world, the Implementing Regulations, at least for now, do not require that the advertising materials be related to services or goods similar to those provided in the prior interaction. Therefore, it could be argued that marketing activities in the Kingdom of Saudi Arabia are somewhat less strict. It can be expected, however, that the SDAIA will clarify this point in future guidelines or enforcement actions.

Although Article 28 appears to open the legal basis of legitimate interest for the processing of personal data, Article 29 of the Implementing Regulations seemingly contradicts Article 28 and requires the customer's consent in any circumstances.

In the absence of clarifications from the SDAIA, businesses should cautiously rely on consent. There is no doubt that businesses will have to implement burdensome procedures to manage their advertising strategies, considering that legitimate interest, a much more business-friendly legal basis, appears not available. This has a material implication for those companies with a strong presence in other jurisdictions that have been more open with respect to legal bases for direct marketing. Notably, big techs that have been relying on legitimate interest and even the performance of an agreement for targeted advertising will have to adapt their procedures to the local market.

Finally, opt-out mechanisms should be provided in an easy and straightforward way and free of charge.

Data Protection Officer (DPO)

A DPO shall be appointed by private businesses whose principal activity consists of regular and continuous monitoring of individuals on a large scale or processing sensitive data.

The DPO may be an employee or an external contractor. Further guidance is expected from the SDAIA on the circumstances for the appointment of the DPO.

Records

The controller shall retain records of personal data activities for five years after their completion. Notably, the records should include, among others, a description of:

  • disclosure operations, including processing activities, dates, methods, and purposes of disclosure;
  • data subject's consent for processing operations, specifying the time and the means of consent;
  • all received requests, including oral requests, from data subjects;
  • procedures and organizational, administrative, and technical measures in place that ensure the security of personal data; and
  • cross-border transfers, including the legal grounds permitting the transfer and the recipients of personal data.

This will require a detailed annotation of processing activities throughout the processing period. If the controller has appointed a DPO, the DPO is responsible for the record-keeping obligations.

The SDAIA is expected to issue a template for these records.

Transfer Regulations

The Transfer Regulations set out the provisions for the cross-border transfer of personal data from the Kingdom. Overall, the requirements for the transfer of personal data resonate with global standards.

In addition to the circumstances set out in Article 29 of the PDPL, the Transfer Regulations permit the cross-border transfer for the purposes of:

  • processing operations enabling the controller to carry out its activities, including central management operations;
  • providing a service or benefit to the personal data subject; or
  • conducting scientific research and studies.

These are very broad purposes that, arguably, provide a wide range of options to justify a cross-border transfer.

Preliminary conditions

Firstly, the controller should ensure that the cross-border transfer:

  • does not impact national security or vital interests of the Kingdom or violate any other law in the Kingdom;
  • involves only the minimum personal data necessary to achieve the purpose of the transfer; and
  • does not impact the privacy of data subjects or the level of protection guaranteed for personal data under the PDPL and the Implementing Regulations.

Adequate level of protection

As in other data protection regulations globally, different mechanisms are available to ensure that the transfer offers a sufficient level of protection for personal data:

  • Adequacy decisions: In the coming months, the SDAIA will evaluate the level of protection offered in jurisdictions outside the Kingdom and submit a recommendation to the prime minister for the adoption of an adequacy decision if the level of protection of any such jurisdictions is satisfactory.
  • Appropriate safeguards: If an adequacy decision is not available for the jurisdiction of the data importer, the controller may transfer the data outside the Kingdom if appropriate safeguards are met. These include:
    • Binding Common Rules - relevant for transfers between companies of the same group and submitted to the SDAIA for approval;
    • Standard Contractual Clauses (SCC) - to be executed in accordance with the standard model that will be issued by the SDAIA;
    • Certifications of compliance with the PDPL and the Implementing Regulations - to be issued by an entity authorized by the SDAIA; and
    • Binding Codes of Conduct - to be approved by the SDAIA based on the requests submitted in each case separately.
  • Exemptions: If the controller is unable to use any of the appropriate safeguards, the transfer is permitted for private businesses if:
    • it is necessary for the performance of an agreement to which the data subject is a party; or
    • it is necessary to protect the vital interests of a data subject who is unreachable.

While the latter is a residual and limited case, the former appears to introduce a useful exemption. Nevertheless, businesses should carefully consider the following:

  • what constitutes an 'inability to use any of the appropriate safeguards': The SDAIA will hopefully clarify when businesses can, for example, simply opt not to rely on SCC;
  • whether the transfer is 'necessary' or not: Taken to the extreme, this could potentially lead to evaluating the engagement of a provider in the Kingdom instead of a foreign provider. In more practical terms, the necessity test will likely limit the application of this exemption to transfers that have a direct and objective link between the performance of the contract and such transfer, as per guidelines issued in the GDPR;
  • whether the data subject is party to the agreement: It is unclear if this agreement refers to the agreement between the data exporter and data subject or to an agreement between the data exporter and the data importer. In the first scenario, the transfer will be limited by the necessity requirement; a corporate group will not be able to rely on this exemption if it has centralized its payment and human resources management functions for all its staff in a third country, as there is no direct and objective link between the performance of the employment contract and such transfer. In the second scenario, it could mean that the data subject would need to be a party in the agreement between the controller and provider, which is almost never the case in the context of digital services. An app provider has Terms and Conditions with its users and separate agreements with its suppliers supporting its services. More likely than not, this exemption will apply to the extent that the performance of such agreement is in the interest of the data subject, as is the case with the GDPR, without requiring the data subject to be an actual party to that agreement. Hopefully, the SDAIA will clarify this point and the extent to which the user needs to be a party to the relevant agreement.

Notably, unlike the GDPR, these exemptions appear to apply to non-occasional transfers as well. If confirmed by enforcement actions and guidance from the SDAIA, this could significantly broaden the circumstances in which these exemptions are applicable.

Risk assessment

Controllers should conduct risk assessments if the transfer is:

  • based on appropriate safeguards;
  • based on an exemption; or
  • involves a continuous or large-scale transfer of sensitive data.

Data importing

Regarding the import of data, the Implementing Regulations interestingly provide reassuring provisions in the case of public entities processing personal data for public interest purposes (Article 21). This is helpful for foreign businesses looking to transfer data into the Kingdom.

Next steps

As the Kingdom aims to be increasingly active in the international digital market fueled by the processing of personal data, the new regulatory framework is certainly a pivotal milestone that will boost trust and opportunities in the region.

Businesses have until September 2024 to comply with the new regulations. However, businesses should proactively start the process toward compliance at their earliest convenience. Changes required to ensure compliance often take several months to complete.

As a first step, businesses should gather all the necessary information regarding current data processing policies and procedures and, to this end, involve multiple departments within the company. To help businesses in this endeavor, checklists and gap analysis are essential tools to ensure a structured and smooth progress.

Secondly, businesses should start drafting the set of documents necessary to ensure compliance, including privacy policies, data processing agreements (including for existing contractors that have not been appointed as processors in accordance with the PDPL), internal policies and procedures covering data management, and remedial actions in case of data breaches.

Thirdly, businesses should carefully consider the allocation of roles and responsibilities within the company and the implementation of technical measures to abide by the commitments mandated by the regulation. Training is also essential, and it is usually customized for operational teams and management, emphasizing the different focuses of each team.

Gianluca de Feo, Lawyer
AX Law, Dubai