Personal Data Protection Law
Issued pursuant to Royal Decree No. (M/19) dated 09/02/1443 AH corresponding to 16/09/2021 G
Amended pursuant to Royal Decree No. (M/148) dated 05/09/1444 AH corresponding to 27/03/2023 G
This Law provides for the protection of personal data processed within the Kingdom of Saudi Arabia, ensuring the privacy of individuals and regulating the collection, processing, and disclosure of personal data.
Article 1: Definitions
For the purpose of implementing this Law, the following terms shall have the meanings assigned thereto, unless the context requires otherwise:
- 1: Law - The Personal Data Protection Law.
- 2: Regulations - The Implementing Regulations of the Law.
- 3: Competent Authority - The authority to be determined by a resolution of the Council of Ministers.
- 4: Personal Data - Any data, regardless of its source or form, that may lead to identifying an individual specifically, or that may directly or indirectly make it possible to identify an individual, including name, personal identification number, addresses, contact numbers, license numbers, records, personal assets, bank and credit card numbers, photos and videos of an individual, and any other data of personal nature.
- 5: Processing - Any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
- 6: Collection - The collection of Personal Data by Controller in accordance with the provisions of this Law, either from the Data Subject directly, a representative of the Data Subject, any legal guardian over the Data Subject or any other party.
- 7: Destruction - Any action taken on Personal Data that makes it unreadable and irretrievable, or impossible to identify the related Data Subject.
- 8: Disclosure - Enabling any person - other than the Controller or the Processor, as the case may be - to access, collect or use personal data by any means and for any purpose.
- 9: Transfer - The transfer of Personal Data from one place to another for Processing.
- 10: Publishing - Transmitting or making available any Personal Data using any written, audio or visual means.
- 11: Sensitive Data - Personal Data revealing racial or ethnic origin, or religious, intellectual or political belief, data relating to security criminal convictions and offenses, biometric or Genetic Data for the purpose of identifying the person, Health Data, and data that indicates that one or both of the individual's parents are unknown.
- 12: Genetic Data - Any Personal Data related to the hereditary or acquired characteristics of a natural person that uniquely identifies the physiological or health characteristics of that person, and derived from biological sample analysis of that person, such as DNA or any other testing that leads to generating Genetic Data.
- 13: Health Data - Any Personal Data related to an individual's health condition, whether their physical, mental or psychological conditions, or related to Health Services received by that individual.
- 14: Health Services - Services related to the health of an individual, including preventive, curative, rehabilitative and hospitalizing services, as well as the provision of medications.
- 15: Credit Data - Any Personal Data related to an individual's request for, or obtaining of, financing from a financing entity, whether for a personal or family purpose, including any data relating to that individual's ability to obtain and repay debts, and the credit history of that person.
- 16: Data Subject - The individual to whom the Personal Data relate.
- 17: Public Entity - Any ministry, department, public institution or public authority, any independent public entity in the Kingdom, or any affiliated entity therewith.
- 18: Controller - Any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
- 19: Processor - Any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.
Article 2: Scope
Section 1: The Law applies to any Processing of Personal Data related to individuals that takes place in the Kingdom by any means, including the Processing of Personal Data related to individuals residing in the Kingdom by any means from any party outside the Kingdom. This includes the data of the deceased if it would lead to them or a member of their family being identified specifically.
Section 2: The scope of applying the Law excludes the individual's Personal Data Processing for purposes that do not go beyond personal or family use, as long as the Data Subject did not publish or disclose it to others. The Regulations shall define personal and family use provided in this Paragraph.
Article 3: Other Laws
The provisions and procedures stated in this Law shall not prejudice any provision that grants a right to the Data Subject or confers better protection to Personal Data pursuant to any other law or an international agreement to which the Kingdom is a party.
Article 4: Data Subject Rights
Data Subject shall have the following rights pursuant to this Law and as set out in the Regulations:
- Section 1: The right to be informed about the legal basis and the purpose of the Collection of their Personal Data.
- Section 2: The right to access their Personal Data held by the Controller, in accordance with the rules and procedures set out in the Regulations, and without prejudice to the provisions of Article (9) of this Law.
- Section 3: The right to request obtaining their Personal Data held by the Controller in a readable and clear format, in accordance with the controls and procedures specified by the Regulations.
- Section 4: The right to request correcting, completing, or updating their Personal Data held by the Controller.
- Section 5: The right to request a Destruction of their Personal Data held by the Controller when such Personal Data is no longer needed by Data Subject, without prejudice to the provisions of Article (18) of this Law.
Article 5: Consent
Section 1: Except for the cases stated in this Law, neither Personal Data may be processed nor the purpose of Personal Data Processing may be changed without the consent of the Data Subject. The Regulations shall set out the conditions of the consent, the cases in which the consent must be explicit, and the terms and conditions related to obtaining the consent of the legal guardian if the Data Subject fully or partially lacks legal capacity.
Section 2: In all cases, Data Subject may withdraw the consent mentioned in Paragraph (1) of this Article at any time; the Regulations determines the necessary controls for such case.
Article 6: Consent Exceptions
In the following cases, Processing of Personal Data shall not be subject to the consent referred to in Paragraph (1) of Article (5) herein:
- Section 1: If the Processing serves actual interests of the Data Subject, but communicating with the Data Subject is impossible or difficult.
- Section 2: If the Processing is pursuant to another law or in implementation of a previous agreement to which the Data Subject is a party.
- Section 3: If the Controller is a Public Entity and the Processing is required for security purposes or to satisfy judicial requirements.
- Section 4: If the Processing is necessary for the purpose of legitimate interest of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed. Related provisions and controls are set out in the Regulations.
Article 7: Service Conditions
The consent referred to in paragraph (1) of Article (5) of this Law may not form a condition of providing a service or a benefit, unless such service or benefit is directly related to the Processing of Personal Data for which the consent is given.
Article 8: Processor Selection
Subject to the provisions of this Law and the Regulations regarding the Disclosure of Personal Data, the Controller shall only select Processors providing the necessary guarantees to implement the provisions of this Law and the Regulations. The Controller shall also monitor the compliance of said Processors with the provisions of this Law and the Regulations. This shall not prejudice the Controller's responsibilities towards the Data Subject or the Competent Authority as the case may be. The Regulations shall set out the provisions necessary in this regard, including provisions related to any subsequent contracts conducted by the Processor.
Article 9: Access Restrictions
Section 1: The Controller may set time frames for exercising the right to access Personal Data stated in Paragraph (2) of Article (4) herein as stipulated in the Regulations. The Controller may limit the exercise of this right in the following cases:
- a: If this is necessary to protect the Data Subject or other parties from any harm, according to the provisions set forth the Regulations.
- b: If the Controller is a Public Entity and the restriction is required for security purposes, required by another law, or required to fulfill judicial requirements.
Section 2: The Controller shall prevent the Data Subject from accessing Personal Data in any of the situations stated in Paragraphs (1, 2, 3, 4, 5) and (6) of Article (16) herein.
Article 10: Data Collection
The Controller may only collect Personal Data directly from the Data Subject and may only process Personal Data for the purposes for which they have been collected. However, the Controller may collect Personal Data from a source other than the Data Subject and may process Personal Data for purposes other than the ones for which they have been collected in the following situations:
- Section 1: The Data Subject gives their consent in accordance with the provisions of this Law.
- Section 2: Personal Data is publicly available or was collected from a publicly available source.
- Section 3: The Controller is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, or to fulfill judicial requirements.
- Section 4: Complying with this may harm the Data Subject or affect their vital interests.
- Section 5: Personal Data Collection or Processing is necessary to protect public health, public safety, or to protect the life or health of specific individuals.
- Section 6: Personal Data is not to be recorded or stored in a form that makes it possible to directly or indirectly identify the Data Subject.
- Section 7: Personal Data Collection is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.
The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (7) of this Article.
Article 11: Collection Requirements
Section 1: The purpose for which Personal Data is collected shall be directly related to the Controller's purposes, and shall not contravene any legal provisions.
Section 2: The methods and means of Personal Data Collection shall not conflict with any legal provisions, shall be appropriate for the circumstances of the Data Subject, shall be direct, clear and secure, and shall not involve any deception, misleading or extortion.
Section 3: The content of the Personal Data shall be appropriate and limited to the minimum amount necessary to achieve the purpose of the Collection. Content that may lead to specifically identifying Data Subject once the purpose of Collection is achieved shall be avoided. The Regulations shall set out the necessary controls in this regard.
Section 4: If the Personal Data collected is no longer necessary for the purpose for which it has been collected, the Controller shall, without undue delay, cease their Collection and destroy previously collected Personal Data.
Article 12: Privacy Policy
The Controller shall use a privacy policy and make it available to Data Subjects for their information prior to collecting their Personal Data. The policy shall specify the purpose of Collection, Personal Data to be collected, the means used for Collection, Processing, storage and Destruction, and information about the Data Subject rights and how to exercise such rights.
Article 13: Information at Collection
When collecting Personal Data directly from the Data Subject, the Controller shall take appropriate measures to inform the Data Subject of the following upon Collection:
- Section 1: The legal basis for collecting their Personal Data.
- Section 2: The purpose of the Collection, and shall specify the Personal Data whose Collection is mandatory and the Personal Data whose Collection is optional. The Data Subject shall be informed that the Personal Data will not be subsequently processed in a manner inconsistent with the Collection purpose or in cases other than those stated in Article (10) of this Law.
- Section 3: Unless the Collection is for security purposes, the identity of the person collecting the Personal Data and the address of its representative, if necessary.
- Section 4: The entities to which the Personal Data will be disclosed, the capacity of such entities, and whether the Personal Data will be transferred, disclosed or processed outside the Kingdom.
- Section 5: The potential consequences and risks that may result from not collecting the Personal Data.
- Section 6: The rights of the Data Subject pursuant to Article (4) herein.
- Section 7: Such other elements as set out in the Regulations based on the nature of the activity done by the Controller.
Article 14: Data Accuracy
The Controller may not process Personal Data without taking sufficient steps to verify the Personal Data accuracy, completeness, timeliness and relevance to the purpose for which it is collected in accordance with the provisions of the Law.
Article 15: Disclosure
The Controller may not Disclose Personal Data except in the following situations:
- Section 1: Data Subject consents to the Disclosure in accordance with the provisions of the Law.
- Section 2: Personal Data has been collected from a publicly available source.
- Section 3: The entity requesting Disclosure is a Public Entity, and the Collection or Processing of the Personal Data is required for public interest or security purposes, or to implement another law, to fulfill judicial requirements.
- Section 4: The Disclosure is necessary to protect public health, public safety, or to protect the lives or health of specific individuals.
- Section 5: The Disclosure will only involve subsequent Processing in a form that makes it impossible to directly or indirectly identify the Data Subject.
- Section 6: The Disclosure is necessary to achieve legitimate interests of the Controller, without prejudice to the rights and interests of the Data Subject, and provided that no Sensitive Data is to be processed.
The Regulations shall set out the provisions, controls and procedures related to what is stated in paragraphs (2) to (6) of this Article.
Article 16: Disclosure Restrictions
The Controller shall not disclose Personal Data in the situations stated in Paragraphs (1, 2, 5) and (6) of Article (15) if the Disclosure:
- Section 1: Represents a threat to security, harms the reputation of the Kingdom, or conflicts with the interests of the Kingdom.
- Section 2: Affects the Kingdom's relations with any other state.
- Section 3: Prevents the detection of a crime, affects the rights of an accused to a fair trial, or affects the integrity of existing criminal procedures.
- Section 4: Compromises the safety of an individual.
- Section 5: Results in violating the privacy of an individual other than the Data Subject, as set out in the Regulations.
- Section 6: Conflicts with the interests of a person that fully or partially lacks legal capacity.
- Section 7: Violates legally established professional obligations.
- Section 8: Involves a violation of an obligation, procedure, or judicial decision.
- Section 9: Exposes the identity of a confidential source of information in a manner detrimental to the public interest.
Article 17: Data Correction
Section 1: If Personal Data is corrected, completed or updated, the Controller shall notify such amendment to all the other entities to which such Personal Data has been transferred and make the amendment available to such entities.
Section 2: The Regulations shall set out the time frames for correction and updating of Personal Data, types of correction, and the procedures required to avoid the consequences of Processing incorrect, inaccurate or outdated Personal Data.
Article 18: Data Destruction
Section 1: The Controller shall, without undue delay, Destroy the Personal Data when no longer necessary for the purpose for which they were collected. However, the Controller may retain data after the purpose of the Collection ceases to exist; provided that it does not contain anything that may lead to specifically identifying Data Subject pursuant to the controls stipulated in the Regulations.
Section 2: In the following cases, the Controller shall retain the Personal Data after the purpose of the Collection ceases to exist:
- a: If there is a legal basis for retaining the Personal Data for a specific period, in which case the Personal Data shall be destroyed upon the lapse of that period or when the purpose of the Collection is satisfied, whichever longer.
- b: If the Personal Data is closely related to a case under consideration before a judicial authority and the retention of the Personal Data is required for that purpose, in which case the Personal Data shall be destroyed once the judicial procedures are concluded.
Article 19: Data Protection Measures
The Controller shall implement all the necessary organizational, administrative and technical measures to protect Personal Data, including during the Transfer of Personal Data, in accordance with the provisions and controls set out in the Regulations.
Article 20: Breach Notification
Section 1: The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.
Section 2: The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.
Article 21: Responding to Requests
The Controller shall respond to the requests of the Data Subject pertaining to their rights under this Law within such period and in such method as set out in the Regulations.
Article 22: Impact Assessment
The Controller shall conduct an impact assessment of Personal Data Processing in relation to any product or service, based on the nature of the activity carried out by the Controller, in accordance with the relevant provisions of the Regulations.
Article 23: Health Data Controls
Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Health Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law. Such additional controls and procedures shall include the following:
- Section 1: Restricting the right to access Health Data, including medical files, to the minimum number of employees or workers and only to the extent necessary to provide the required Health Services.
- Section 2: Restricting Health Data Processing procedures and operations to the minimum extent possible of employees and workers as necessary to provide Health Services or offer health insurance programs.
Article 24: Credit Data Controls
Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Credit Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law and the Credit Information Law. Such controls and procedures shall include the following:
- Section 1: Implementing appropriate measures to verify that the Data Subject has given their explicit consent to the Collection of the Personal Data, changing the purpose of the Collection, or Disclosure or Publishing of the Personal Data in accordance with the provisions of this Law and the Credit Information Law.
- Section 2: Requiring that the Data Subject be notified when a request for Disclosure of their Credit Data is received from any entity.
Article 25: Advertising Materials
With the exception of the awareness-raising materials sent by Public Entities, Controller may not use personal means of communication, including the post and email, of the Data Subject to send advertising or awareness-raising materials, unless:
- Section 1: Obtaining the prior consent of the targeted recipient for such materials.
- Section 2: The sender of the material shall provide a clear mechanism, as set out in the Regulations, that enables the targeted recipient to request stopping receiving such materials if they desire so.
- Section 3: The Regulations shall set out the provisions concerning the aforementioned advertising and awareness-raising materials, as well as the conditions and situations concerning the consent of the recipient to receive aforementioned materials.
Article 26: Marketing Purposes
With the exception of Sensitive Data, Personal Data may be processed for marketing purposes, if it is collected directly from the Data Subject and their consent is given in accordance with the provisions of Law; the Regulations shall set out the controls in such regard.
Article 27: Research Purposes
Personal data may be collected or processed for scientific, research, or statistical purposes without the consent of the Data Subject in the following situations:
- Section 1: If it does not specifically identify the Data Subject.
- Section 2: If evidence of the Data Subject's identity will be destroyed during the Processing and prior to Disclosure of such data to any other entity, if it is not Sensitive Data.
- Section 3: If personal data is collected or processed for these purposes is required by another law or in implementation of a previous agreement to which the Data Subject is a party.
The Regulations shall set out the controls required by the provisions of this Article.
Article 28: Official Documents
It is not permissible to copy official documents where Data Subjects are identifiable, except where it is required by law, or when a competent public authority requests copying such documents pursuant to the Regulations.
Article 29: Data Transfer
Section 1: Subject to the provisions of Paragraph (2) of this Article, a Controller may Transfer Personal Data outside the Kingdom or disclose it to a party outside the Kingdom, in order to achieve any of the following purposes:
- A: If this is relating to performing an obligation under an agreement, to which the Kingdom is a party.
- B: If it is to serve the interests of the Kingdom.
- C: If this is to the performance of an obligation to which the Data Subject is a party.
- D: If this is to fulfill other purposes as set out in the Regulations.
Section 2: The conditions that must be met when there is a Transfer or Disclosure of Personal Data, according to what is stated in Paragraph (1) of this Article, are as follows:
- A: The Transfer or Disclosure shall not cause any prejudice to national security or the vital interests of the Kingdom.
- B: There is an adequate level of protection for Personal Data outside the Kingdom. Such level of protection shall be at least equivalent to the level of protection guaranteed by the Law and Regulations, according to the results of an assessment conducted by the Competent Authority in coordination with whomever it deems appropriate from the other relevant authorities.
- C: The Transfer or Disclosure shall be limited to the minimum amount of Personal Data needed.
Section 3: Paragraph (2) of this Article shall not apply to cases of extreme necessity to preserve the life or vital interests of the Data Subject or to prevent, examine or treat disease.
Section 4: The Regulations shall set out the provisions, criteria and procedures related to the implementing this Article, including applicable exceptions for Controllers regarding conditions referred to in Subparagraphs (b) and (c) of Paragraph (2) of this Article, as well as controls and procedures for such exemptions.
Article 30: Competent Authority
Section 1: Without prejudice to the provisions of this Law and the powers of the Saudi Central Bank pursuant to applicable legal provisions, the Competent Authority shall be the entity in charge of overseeing the implementation of this Law and the Regulations.
Section 2: The Regulations shall identify the situations where the Controller shall appoint one or more persons as personal data protection officer(s), and shall set the responsibilities of any such person in accordance with the provisions of this Law.
Section 3: The Controller shall cooperate with the Competent Authority in performing its duties to supervise the implementation of the provisions of this Law and the Regulations, and shall take such steps as necessary in connection with the related matters referred to the Controller by the Competent Authority.
Section 4: The Competent Authority, in order to carry out its duties related to supervising the implementation of the provisions of the Law and Regulations, may:
- A: Request the necessary documents or information from the Controller to ensure its compliance with the provisions of the Law and Regulations.
- B: Request the cooperation of any other party for the purposes of support in accomplishing supervisory duties and enforcement of the provisions of the Law and Regulations.
- C: Specify the appropriate tools and mechanisms for monitoring Controllers' compliance with the provisions of the Law and the Regulations, including maintaining a national register of Controllers for this purpose.
- D: Provide services related to Personal Data protection through the national register referred to in Subparagraph (c) of this Paragraph or through any other means deemed appropriate. The Competent Authority may collect a fee for the Personal Data protection services it may provide.
Section 5: The Competent Authority may, at its discretion, delegate to other authorities the accomplishment of some of its duties that are related to supervision or enforcement of the provisions of the Law and Regulations.
Article 31: Record Keeping
Without prejudice to Article (18) herein, the Controller shall maintain records, for such a period as required under the Regulations, of the Personal Data Processing activities, based on the nature of the activity carried out by the Controller. Such records are to be available whenever requested by the Competent Authority. The records shall contain the following information at a minimum:
- Section 1: Contact details of the Controller.
- Section 2: The purpose of the Personal Data Processing.
- Section 3: Description of the categories of Personal Data Subjects.
- Section 4: Any other entity to which Personal Data has been, or will be, disclosed.
- Section 5: Whether the Personal Data has been or will be transferred outside the Kingdom or disclosed to an entity outside the Kingdom.
- Section 6: The expected period for which Personal Data shall be retained.
Article 32: Repealed
Repealed.
Article 33: Licensing
Section 1: The Competent Authority shall set the requirements for practicing commercial, professional or non-profit activities related to Personal Data protection in the Kingdom, in coordination with the competent authorities, and without prejudice to the other requirements set by those authorities in their domain of competence.
Section 2: The Competent Authority may grant licenses to entities that issue accreditation certificates to Controllers and Processors. The Competent Authority shall set the rules to regulate the issuance of such certificates.
Section 3: The Competent Authority may grant licenses to entities that conduct audits or checks of Personal Data Processing activities related to the Controller's activity, in accordance with the provisions stipulated in the Regulations. The Competent Authority shall set the conditions and criteria to grant such licenses, and the rules regulating them.
Section 4: The Competent Authority shall specify the appropriate tools and mechanisms to monitor compliance of Controllers and Processors outside the Kingdom in regard with their obligations as stated in the Law and the Regulations when Processing personal data related to individuals residing in the Kingdom by any means, and shall define procedures to enforce the provisions of the Law and the Regulations outside the Kingdom.
Article 34: Complaints
A Data Subject may submit to the Competent Authority any complaint that may arise out of the implementation of this Law and the Regulations. The Regulations shall set out the rules for processing the complaints that may arise from implementing this Law and the Regulations.
Article 35: Penalties for Sensitive Data
Section 1: Without prejudice to any harsher penalty stipulated in another law, any individual discloses or publishes Sensitive Data, in violation of the provisions of the Law, with the intention of harming the Data Subject or achieving a personal benefit shall be punished with imprisonment for a period not exceeding (two years), or a fine not exceeding (three million) Riyals, or both.
Section 2: The Public Prosecution is responsible for investigating and prosecuting before the competent court for the violation stipulated in Paragraph (1) of this Article.
Section 3: The competent court shall be in charge of lawsuits arising from the implementation of this Article and issuing the prescribed penalties.
Section 4: The competent court may double the fine penalty stipulated in Paragraph (1) of this Article in the case of recidivism, even if it results in exceeding its maximum limit, provided that it does not exceed double this limit.
Article 36: General Penalties
Section 1: In cases that are not covered in Article (35) herein and without prejudice to any harsher penalty stipulated in another law, a warning or a fine not exceeding (five million) Riyals shall be imposed on every person with a special natural or legal capacity - covered by the provisions of the Law - who violates any of the provisions of the Law or the Regulations. The fine penalty may be doubled in the event of a repeat violation, even if it results in exceeding its maximum limit, provided that it does not exceed double this limit.
Section 2: A committee (or more) shall be formed by a decision of the president of the Competent Authority. The number of its members shall not be less than (three), and one of them shall be appointed as the committee head, and there shall be a technical specialist and a legal advisor among them. The committee is to examine violations and issue warnings or impose fines as stipulated in Paragraph (1) of this Article, considering the type of violation committed, its seriousness and the extent of its impact; provided that the decision of the committee is approved by the president of the Competent Authority or whomever they delegate. The president of the Competent Authority shall issue, by their decision, the rules of work of the committee, and the remunerations of its members shall be determined therein.
Section 3: Anyone against whom a decision has been issued by the committee mentioned in Paragraph (2) of this Article has the right to appeal against them before the competent court.
Article 37: Enforcement
Section 1: Employees and workers appointed by a decision of the president of the Competent Authority shall have the powers to control and inspect the violations stated in this Law or the Regulations. The president of the Competent Authority shall issue the rules and procedures in regard to the work of those employees and workers in accordance with the applicable laws.
Section 2: The employees and workers referred to in Paragraph (1) of this Article may seek assistance from criminal investigations authorities or other competent authorities to carry out their duties concerning control and inspection of violations stipulated in the Law or Regulations.
Section 3: The Competent Authority has the right to seize the means or tools used in committing the violation until a decision is made on it.
Article 38: Confiscation and Publication
Section 1: Without prejudice to the rights of bona fide third parties, the competent court may order the confiscation of funds obtained as a result of committing the violations stipulated in the Law.
Section 2: The competent court, or the committee referred to in paragraph (2) of Article (36), as the case may be, may include in their penalty judgment or decision a provision that a summary of such judgment or decision shall be published at the expense of the violator in one (or more) local newspapers distributed in their area of residence, or using any other proper means. This is based on the type, seriousness and impact of the violation; provided that the publishing shall be after the judgment becomes final, the lapse of the deadline for appeals, or the issuance of a final ruling dismissing the appeal against the judgement.
Article 39: Public Entity Discipline
Without prejudice to the provisions of Article (35) and Paragraph (1) of Article (36) of this Law, the Public Entity shall discipline any of its employees who violate any of the provisions of this Law and Regulations, in accordance with the disciplinary provisions and procedures prescribed by law.
Article 40: Compensation
Without prejudice to the penalties stated in this Law, any individual that suffers a damage as a result of any of the violations stated in this Law or the Regulations may apply to a competent court for proportionate compensation for the material or moral damage.
Article 41: Confidentiality
Any person that engages in the Processing of Personal Data shall protect the confidentiality of the Personal Data even after the end of such person's occupational or contractual relationship.
Article 42: Regulations
The president of the Competent Authority shall issue the Regulations within a period not exceeding (seven hundred and twenty) days commencing on the date of publishing the Law provided that the president must coordinate before issuing the Law with: (Ministry of Communications and Information Technology, Ministry of Foreign Affairs, Communications, Space & Technology Commission, Digital Government Authority, National Cybersecurity Authority, Saudi Health Council, and Saudi Central Bank), each in its own jurisdiction.
Article 43: Effective Date
This Law shall come into force after (seven hundred and twenty) days commencing on the date of its publication in the Official Gazette.
Penalties
| Article | Violation | Penalty |
|---|---|---|
| 35 | Disclosing or publishing Sensitive Data with intent to harm the Data Subject or achieve personal benefit. | Imprisonment not exceeding two years, or a fine not exceeding three million Riyals, or both. Fine may be doubled for recidivism, not exceeding twice the limit. |
| 36 | Any violation of the Law or Regulations not covered by Article 35. | Warning or a fine not exceeding five million Riyals. Fine may be doubled for repeat violations, not exceeding twice the limit. |