July 06, 2023

Key differences between Saudi Arabia’s PDPL and the EU’s GDPR

Key differences between Saudi Arabia’s PDPL and the EU’s GDPR

The need for accurate data to guide business decisions has pushed companies to acquire as much data as possible, thereby creating a fresh challenge of how these data are stored and managed to ensure they do not fall into the wrong hands.

To tackle this issue, the European Union (EU) developed the General Data Protection Regulation (GDPR) to establish a benchmark for data protection and privacy across EU countries. It was adopted in April 2016 and became enforceable in May 2018. Similarly, Saudi Arabia introduced the Personal Data Protection Laws (PDPL) in September 2021. Following amendments, this policy will become effective on September 14, 2023, and companies have until September 13, 2024, to achieve full compliance.

This article will discuss the similarities and differences between Saudi’s PDPL and the EU’s GDPR and then round up how to comply with these laws. Read this article if you want to learn more about Middle Eastern data residency.

How does GDPR compare with Saudi Arabia’s PDPL?

As you would expect, most data protection laws around the world have areas of similarity. After all, they all strive to achieve high data security within their jurisdiction. The same applies to PDPL and GDPR. Their similarities are as follows:

  • Data protection rights

The PDPL with GDPR agrees on data protection rights. They both protect the right of data owners to be informed about how their data will be processed. They also ensure that data owners have access to their data and can request the correction of their data and its deletion if needed.

  • Data protection principles

In line with the GDPR’s Article 5, the PDPL in Saudi Arabia presents data protection principles that data entities collecting must adhere to. One of these principles emphasizes that controlling entities should restrict the data they gather to what is relevant and essential for the intended processing purpose.

  • Personal data privacy policy

Comparable to the provisions found in articles 13 and 14 of the GDPR, the PDPL mandates that entities collecting data must furnish individuals with comprehensive information regarding the purpose of data processing, collection methods, and the data rights afforded to the individual.

  • Legal basis

Like the GDPR, Saudi’s PDPL provides that the personal data of individuals can only be processed when there is a lawful reason to do so. 

  • Notification of the data breach

The PDPL and the GDPR both provide that authorities should be notified about data breaches; however, the PDPL does not specify the timeline for reporting breaches.

Having reviewed some of the similarities shared between the PDPL and the GDRP, we will now discuss the differences between the PDPL and GDPR in the next section.

Key differences between the PDPL and the GDPR

Here are a few differences between the PDPL and the GDPR:

  • Transferring personal data

In contrast to the GDPR, the initial version of the PDPL imposes stricter criteria for transferring data outside of Saudi Arabia. The GDPR necessitates that the receiving location has data protection laws akin to its own. However, the PDPL in Saudi Arabia mandates obtaining approval from the Saudi Authority for Data and Artificial Intelligence (SDAIA) for such transfers.

Although the amended version of the PDPL relaxed some of these requirements a bit, personal data can only be transferred outside Saudi Arabia on a limited basis and must meet the following conditions:

  • Personal data should not undermine national security or jeopardize national interests.
  • The data transfer should only be to a location with similar data protection. The SDAIA will determine if the location meets this requirement.
  • The transfer should involve only the essential and minimal personal data required, avoiding any excessive or unnecessary sharing.

InCountry’s Data Residency-as-a-Service helps you resolve this challenge of data transfer without breaking a sweat.

  • Consent in marketing

To send promotional or awareness materials, the PDPL requires businesses to obtain consent from the data owners. Unlike the GDPR, there is no exception that allows businesses to send marketing materials without consent if the product or service is similar to what the customer previously purchased. As a business leader, you should keep this in mind when developing your marketing strategies for Saudi Arabia and ensure that they have proper consent in place from both existing and potential customers.

  • Legitimate interests’ legal basis

While the PDPL and GDPR have similarities in their rules for personal data usage, one significant difference stands out. Unlike the GDPR, the original version of the PDPL did not acknowledge the concept of processing personal data based on ‘legitimate interests’. Legitimate interests enable data controllers to balance their business interests with the rights of individuals when collecting and processing non-personal data.

While the updated PDPL permits data controllers to utilize the Legitimate Interest legal basis for processing non-sensitive data, it lacks specific guidelines on how to implement it. This ambiguity creates uncertainty for business leaders who are unsure about the appropriate steps to take.

  • Records of data processing

Although the PDPL and GDPR direct data-controlling entities to register with a central authority, the PDPL goes a step further to state that all controlling entities must upload their record of data processing activities to a designated electronic portal maintained by the SDAIA. This is different from the GDPR as there is no such regulation from the PDPL.

  • Obtaining a license & appointing licensed representatives

Similar to the GDPR’s requirement for non-European businesses subject to its regulations to appoint a representative in the European Union, non-Saudi-based entities that handle the personal data of individuals residing in Saudi Arabia will need to appoint a representative licensed by the Authority. This representative will be responsible for fulfilling the entity’s obligations under the law. Since these representatives require licensing, their status, and role may be subject to closer regulation and scrutiny compared to the GDPR.

It’s worth noting that the Council of Ministers resolution accompanying the PDPL grants the SDAIA the power to postpone the implementation of Article 33 for a maximum of five years. Since this policy is still being reviewed, there may yet be some amendments to this provision later.

  • Breach notification

For the GDPR, controllers are required to inform the regulating authority of a data breach less than 72 hours after they become aware of it. However, for the PDPL, no specific time was stated. It might have been omitted with the assumption that it should be reported immediately. Hopefully, this will be addressed before the policy goes into effect in September 2023.

  • Penalties

The penalties differ slightly from the PDPL to GDPR for malpractice. Under the PDPL, offenders can pay as much as $1.3 million for non-compliance. Disclosing sensitive personal data for personal benefit or to punish the data owner will attract a penalty of as much as $800,000, in addition to imprisonment of two years! Repeat offenders could pay up to double the normal fines, and the person whose personal data was abused could press for compensation from the offender. The SDAIA could also seize the controller’s means of committing this offense.

With the GDPR, offenders can pay as much as €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for certain severe violations.

How to comply with data localization laws in Saudi Arabia — InCountry’s approach

Like strange waters, complying with new data regulations can be a hassle without help. InCountry simplifies this process of compliance for you, so you don’t have to break a sweat. Here are a few reasons why you can trust us to help you get and stay compliant:

  • At InCountry, we stay informed about residency and localization regulations in different countries to ensure compliance. Our cloud infrastructure is both secure and certified, providing a reliable environment for your data. We offer the option to localize and store your data within high-quality facilities located within the country.
  • At InCountry, we prioritize the highest level of security and protection measures worldwide. This includes utilizing advanced encryption technologies such as SHA-256 and AES-256 and implementing robust security features like firewalling, network isolation, and intrusion detection. Security is paramount for InCountry, and we are committed to ensuring the utmost protection for our client’s data.
  • We work with only proven and efficient security-compliant cloud service providers to ensure that all stages in your data lifecycle are tightly secured.

You can reach our experts for a demo or learn how we can help your company comply with Data regulations.