This article uses the concepts discussed in the last three EMME Advisory Services® articles to help companies in Saudi Arabia prepare the privacy policy and notices required by the Saudi Personal Data Protection Law.

What to expect from the PDPL

The PDPL requires companies in Saudi Arabia to adopt a privacy policy[i] and provide notice[ii] to individuals before collecting their personal data. The privacy policy must explain:

·      why personal data is collected,

·      the personal data collected, and

·      how it is collected, stored, processed, and destroyed.

It must also explain the rights of personal data owners and how to exercise their rights. 

In addition to the information contained in the privacy policy, companies must also notify individuals:

·      which personal data is mandatory or optional,

·      who is collecting it, and

·      who the personal data will be shared with.

What can companies do now?

Why is personal data being collected?

The privacy policy should explain why the company is collecting personal data. As described in Identifying the Purposes for Processing Personal Data, the purposes for collecting personal data must be lawful and directly related to the company’s objectives. Purposes that are lawful and directly related to company objectives can include:

·      employee recruitment and administration,

·      managing supplier relationships,

·      public relations activities,

·      security and visitor management, and

·      cybersecurity purposes.

Personal data and processing

The privacy policy must also identify the personal data collected and how it is processed (e.g., collected, stored, processed, and destroyed). As explained in Preparing for the Saudi Personal Data Protection Law, personal data includes all types of data that can be used to identify an individual directly or indirectly. Accordingly, the privacy policy should identify personal identifiers such as names, contact numbers, email addresses, and electronic identifiers such as device IDs and log-in information. The privacy policy should also describe how personal data can be collected. For example, personal data is commonly collected when individuals complete paper and electronic forms and applications. However, personal data may also be collected through “cookies”[iii] when individuals use websites and online services.

Personal Data Owner Rights

In addition to listing the personal data owner rights as discussed in Personal Data Owner Rights under the Saudi Personal Data Privacy Law, the Privacy Policy must explain how individuals can exercise their rights. For example, how can individuals access or get copies of their personal data? How can they correct it, update it, and stop its collection and processing?

Additional Notice Requirements

Because the Privacy Policy must be presented to the individuals before collecting their personal data, the additional PDPL notice requirements could also be included in the Privacy Policy. The additional notice requires companies to identify the personal data that is mandatory or optional and the consequences of not providing it. For example, many paper and online forms and applications already identify data fields that are mandatory and optional. Typical consequences for not completing mandatory fields on paper and online processes include not being able to proceed with the desired transaction.

Companies must also inform individuals that their personal data will not be processed after collection for other purposes. This is presumably to prevent companies from, for example, collecting applicant information for employment purposes and later using or selling it for marketing purposes.

The notice should identify who is collecting the personal data and identify a contact responsible for receiving and processing personal data owner requests. 

Finally, the notice must identify all parties who will access the personal data collected. This includes third parties and subcontractors that administer payroll or engagements with clients, customers, and business partners through cloud-based systems. The notice should also identify if personal data will be transferred, disclosed, or processed outside Saudi Arabia.

EMME Advisory Services

EMME Advisory Services® (EMME) can help you prepare the Privacy Policy, notice, and other procedures, controls, and training required to comply with the Saudi Personal Data Protection Law. For more information, email contactus@emme-advisory.com or visit www.emme-advisory.com.



[i] Article Twelve, Personal Data Protection Law (PDPL).

[ii] Article Thirteen, PDPL.

[iii] Cookies are files that are automatically placed on devices and are used to make websites work, track movements within a website, remember log-in details, and for other online activities.